Known CVE not detected by GVM, why?


I have a Debian 11 system with a vulnerability in libcurl (package name: libcurl4, version 7.74.0-1.3).
It has a vulnerability: CVE-2022-32221 with critical severity.
I ran two scans:

  1. Full and fast with OpenVAS default scanner with credentials (with privilege escalation credentials).
  2. After the above finishes: a new scan with CVE scanner (with credentials)

Unfortunately the CVE is NOT found (even though the CVE is in the CVE database).

The NVT and CVE DBs are up to date.

Can someone please help here?


That CVE is handled by the Debian local security checks, please ensure that the Notus Scanner is working correctly.

The CVE scanner can only match CPEs that are collected previously. You need to do an authenticated scan against this.
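To make the reply above concrete: a Debian local security check does not match a CPE at all; it reads the installed package list from an authenticated session and compares each version against the fixed version from the advisory using Debian's version ordering. The script below is an added illustration of that logic, not Notus code and not from this thread. It implements the dpkg version comparison rules (epoch, upstream, revision; `~` sorting before everything) in pure Python, runs it over a constructed `dpkg-query -W` listing, and uses a clearly labelled placeholder for the fixed libcurl4 version because the thread does not quote the advisory.

```python
"""Illustrates why CVE-2022-32221 is only reported by an authenticated,
package-list-based check: the decision is a Debian version comparison."""

# Constructed advisory table: package -> first fixed version.
# "7.74.0-1.3+FIXED" is a PLACEHOLDER, not the real Debian fixed version;
# substitute the version from the actual DSA/DLA for CVE-2022-32221.
ADVISORY = {"libcurl4": ("CVE-2022-32221", "7.74.0-1.3+FIXED")}

# Constructed output in the shape of `dpkg-query -W -f '${Package}\t${Version}\n'`.
DPKG_LISTING = """libcurl4\t7.74.0-1.3
openssl\t1.1.1n-0+deb11u3
bash\t5.1-2+deb11u1
"""


def _order(ch):
    """Character weight used by dpkg: '~' < end-of-string < digits < letters < others."""
    if ch == "~":
        return -1
    if ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _verrevcmp(a, b):
    """dpkg's verrevcmp(): alternate non-digit (lexical) and digit (numeric) runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare by weight; an exhausted string weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros, then the longer run wins, else first difference.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = int(a[i]) - int(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return <0, 0, >0 like `dpkg --compare-versions`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    c = _verrevcmp(ua, ub)
    return c if c else _verrevcmp(ra, rb)


def vulnerable_packages(listing, advisory):
    """Return [(package, installed, cve)] for packages older than the fixed version."""
    findings = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        package, installed = line.split("\t", 1)
        if package in advisory:
            cve, fixed = advisory[package]
            if compare_versions(installed, fixed) < 0:
                findings.append((package, installed, cve))
    return findings


if __name__ == "__main__":
    for pkg, ver, cve in vulnerable_packages(DPKG_LISTING, ADVISORY):
        print(f"{pkg} {ver} is affected by {cve}")
```

Without the package list there is nothing to compare, which is why an unauthenticated run of either scanner stays silent on this CVE even though the CVE itself is present in the database.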


Thanks for quick response. Actually the notus-scanner is running (as I checked it is a python script, nonetheless it is run by systemd - notus-scanner.service).

But in the scanners list (Configuration → scanners) I can see only “CVE” and OpenVAS Default scanner - there’s no information about notus scanner.

Btw. I checked notus-scanner log file (in the /var/log/notus-scanner) and there is only a single entry saying: “INFO (notus.scanner.daemon) Starting notus-scanner version 22.4.4.”
Nothing more :expressionless:

Is there any special configuration I need to create/set in order for this to run?

I think you may have missed this part from Lukas’ reply:

Go to Configuration → Credentials and add credentials for the system you want to scan, because otherwise there won’t be an authenticated scan but rather a blackbox scan that cannot pick up this vulnerability.