gvmd: 21.4.4 (DB 242)
Operating system: Ubuntu
Kernel: 5.4.0-1018-aws #18-Ubuntu SMP Wed Jun 24 01:15:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Installation method / source: ppa:mrazavi/gvm APT repository
We used the GVM above to scan a server with NGINX v1.18. The OpenVAS scanner identified:
In the CVE scanner results, and as per NIST, this has no known CVEs:
However, when we scanned the same server with a different tool CVE-2021-23017 was identified. This CVE affects NGINX 0.6.18 <= version < 1.20.1, and so does look like it applies to this server. (Btw, our GVM has this CVE definition.)
I believe the second vulnerability scanner identified our NGINX as follows, i.e. with vendor F5 Networks:
As per NIST, this CPE has the one known CVE, CVE-2021-23017:
I could easily be missing something, but it looks to me that this is the same NGINX software. That is, when F5 acquired NGINX, what was once referred to as “cpe:/a:nginx:nginx” began to be called “cpe:/a:f5:nginx”.
If this is the case, then ideally the GVM's CVE scanner would also have reported CVE-2021-23017 against this NGINX v1.18 server. (Perhaps by matching CVEs from both of these CPEs…)
Can someone help me with these questions?
Is my assumption about the CPE change correct and is f5:nginx an alias/rename of nginx:nginx?
And if this is true, is there a way to configure or otherwise use the GVM so it would report CVE-2021-23017 against NGINX 1.18.0?
Thanks very much for your time and all the work done on this product!
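As an added illustration of the mismatch described in the post (this is example code, not the poster's, and not how gvmd's CVE scanner is actually implemented), the following Python models a CPE-based CVE lookup. The CVE feed entry mirrors what the post says NVD publishes for CVE-2021-23017 (affected range `0.6.18 <= version < 1.20.1`, filed under `cpe:/a:f5:nginx`); the alias table `CPE_ALIASES`, which treats `f5:nginx` as a rename of `nginx:nginx`, is the poster's hypothesis taken as an assumption here, not an authoritative mapping. With exact-string matching a detection of `cpe:/a:nginx:nginx:1.18.0` finds nothing; with the alias applied the same detection matches the CVE.

```python
"""Toy CPE 2.2 matcher: exact vendor:product matching versus alias-aware
matching, to show how a vendor rename can hide a CVE from a scanner.

Constructed example. CVE range is taken from the forum post; the alias
table is an assumption for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Pair = Tuple[str, str]


def parse_cpe22(uri: str) -> Tuple[str, str, Optional[str]]:
    """Split a CPE 2.2 URI 'cpe:/a:vendor:product[:version]' into its parts.

    Returns (vendor, product, version-or-None)."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len("cpe:/"):].split(":")
    if len(fields) < 3 or fields[0] != "a":
        raise ValueError(f"expected an application CPE: {uri!r}")
    vendor, product = fields[1], fields[2]
    version = fields[3] if len(fields) > 3 and fields[3] not in ("", "*") else None
    return vendor, product, version


def version_key(version: str, width: int = 4) -> Tuple[int, ...]:
    """Numeric dotted version -> fixed-width tuple, so '1.18' == '1.18.0'."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


@dataclass(frozen=True)
class AffectedRange:
    cpe: str                      # vendor:product CPE, version left out
    start_incl: Optional[str]     # lowest affected version, inclusive
    end_excl: Optional[str]       # first fixed version, exclusive


@dataclass(frozen=True)
class CveEntry:
    cve_id: str
    ranges: Tuple[AffectedRange, ...]


# Constructed feed: the single entry the post says NVD lists for f5:nginx.
CVE_FEED: Tuple[CveEntry, ...] = (
    CveEntry("CVE-2021-23017",
             (AffectedRange("cpe:/a:f5:nginx", "0.6.18", "1.20.1"),)),
)

# Assumption (poster's hypothesis): f5:nginx is a rename of nginx:nginx.
CPE_ALIASES: Dict[Pair, Pair] = {("f5", "nginx"): ("nginx", "nginx")}


def canonical(vendor: str, product: str, aliases: Dict[Pair, Pair]) -> Pair:
    """Map a vendor:product pair onto its canonical name via the alias table."""
    return aliases.get((vendor, product), (vendor, product))


def matching_cves(detected_cpe: str,
                  feed: Tuple[CveEntry, ...] = CVE_FEED,
                  aliases: Optional[Dict[Pair, Pair]] = None) -> List[str]:
    """Return CVE IDs whose affected ranges cover the detected product version.

    With aliases=None only exact vendor:product strings match (what the
    poster observed); with CPE_ALIASES the renamed CPE matches as well."""
    aliases = aliases or {}
    vendor, product, version = parse_cpe22(detected_cpe)
    if version is None:
        raise ValueError("detected CPE must carry a version")
    target = canonical(vendor, product, aliases)
    ver = version_key(version)
    hits = set()
    for entry in feed:
        for rng in entry.ranges:
            r_vendor, r_product, _ = parse_cpe22(rng.cpe)
            if canonical(r_vendor, r_product, aliases) != target:
                continue
            if rng.start_incl and ver < version_key(rng.start_incl):
                continue
            if rng.end_excl and ver >= version_key(rng.end_excl):
                continue
            hits.add(entry.cve_id)
    return sorted(hits)


if __name__ == "__main__":
    detected = "cpe:/a:nginx:nginx:1.18.0"
    print("exact match only :", matching_cves(detected))
    print("with alias table :", matching_cves(detected, aliases=CPE_ALIASES))
```

The version comparison pads to a fixed width so that `1.18` and `1.18.0` compare equal, and the upper bound is exclusive because 1.20.1 is the first fixed release in the range the post quotes.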