Product detection not specific enough, invalid detection of CVE-2021-23017

Hello,

On an CVE scan we noticed this vulnerability being discoverd:

The host carries the product: cpe:/a:nginx:nginx:1.14.0
It is vulnerable according to: CVE-2021-23017.
The product was found at: 443/tcp, 80/tcp.

It’s an ubuntu host 18.04 TLS with the latest supported nginx:

apt-cache show nginx | grep Version
Version: 1.14.0-0ubuntu1.9

I did a rediscovery of the target, but that did not help. Is this a problem of this CVE or a problem with the product discovery?

Kind regards,
Bastiaan

Please see the following documentation around the functionality of the CVE scanner:

https://docs.greenbone.net/GSM-Manual/gos-21.04/en/scanning.html#configuring-a-prognosis-scan

and especially this note included in the documentation:

The CVE scanner might show false positives as it does not check whether the vulnerability actually exists.

Generally the CVE scanner is only taking the version like 1.14.0 into account without checking more specific distribution specific version suffixes like the Ubuntu one. This is by design and the expected functionality.

1 Like

Ignore my ignorance, but why doesnt the CVE scanner go versions deeper? Isn’t it posible to detect 1.14.0-0ubuntu1.9 from the outside?

The CVE scanner basically takes the detected version like 1.14.0, is doing a search like e.g.:

https://nvd.nist.gov/vuln/search/results?form_type=Advanced&cves=on&cpe_version=cpe%3A%2Fa%3Anginx%3Anginx%3A1.14.0

and reports all CVEs affecting this version. As the NVD database (which is the info from which the CVE scanner is taking the vulnerability information) doesn’t maintain distribution versions like 1.14.0-0ubuntu1.9 the CVE scanner can’t do that as well (at least not as it is currently designed / implemented).

1 Like