Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Detecting lack of CVE in openssh #1290

Open
chenjianquan7 opened this issue Nov 1, 2024 · 1 comment
Open

Detecting lack of CVE in openssh #1290

chenjianquan7 opened this issue Nov 1, 2024 · 1 comment
Labels
bug

Comments

@chenjianquan7
Copy link

FACT version

4.2

Environment

already update nvd use python install in cve_lookup
i am scan openssh 7.4p1, but leak CVE-2023-51767, (through 9.6)

Steps to reproduce

w

Observed Behavior

w

Expeced Behavior

w

Installation logs

install.log 
PASTE HERE

Backend logs

fact_main_backend.log 
PASTE HERE

Frontend logs

fact_main_frontend.log 
PASTE HERE

Other information

No response
@jstucke
Copy link
Collaborator

jstucke commented Nov 11, 2024
edited
Loading

I debugged this a bit and it turns out this has two reasons:

  • the signature for OpenSSH was incomplete and the version was not matched in some cases
  • CPE entries without version constraints are not shown by default (because of many false positives)

These two PRs should fix this issue:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jstucke @chenjianquan7