Detecting lack of CVE in openssh #1290

Open
chenjianquan7 opened this issue Nov 1, 2024 · 1 comment · May be fixed by #1292

@chenjianquan7

FACT version

4.2

Environment

I already updated the NVD using the Python install in cve_lookup.
I am scanning OpenSSH 7.4p1, but it lacks CVE-2023-51767 (through 9.6).

Steps to reproduce

w

Observed Behavior

w

Expected Behavior

w

Installation logs

install.log
PASTE HERE

Backend logs

fact_main_backend.log
PASTE HERE

Frontend logs

fact_main_frontend.log
PASTE HERE

Other information

No response

@jstucke
Collaborator

jstucke commented Nov 11, 2024

I debugged this a bit and it turns out this has two reasons:

  • the signature for OpenSSH was incomplete and the version was not matched in some cases
  • CPE entries without version constraints are not shown by default (because of many false positives)

These two PRs should fix this issue:
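
Added example, not part of the thread and not code from FACT or its cve_lookup plugin: a simplified Python model of how the two causes named in the comment above each produce a missed CVE. The entry fields, the `lookup` function, the `show_unconstrained` flag and the CVE ids are all constructed for illustration.

```python
import re

# Constructed NVD-style match entries (not real NVD data). A bound of None
# means the entry carries no version constraint on that side.
ENTRIES = [
    {"cve": "CVE-0000-0001", "product": "openssh", "start_incl": None, "end_incl": "8.0"},
    {"cve": "CVE-0000-0002", "product": "openssh", "start_incl": "8.5", "end_incl": "9.6"},
    {"cve": "CVE-0000-0003", "product": "openssh", "start_incl": None, "end_incl": None},
]


def version_key(version):
    """Turn '7.4p1' into (7, 4, 1) so versions compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def lookup(product, version, entries, show_unconstrained=False):
    """Return the CVE ids that match product and version.

    version=None models a software signature that identified the product
    but failed to extract its version (first cause in the comment).
    show_unconstrained=False models hiding entries that have no version
    bounds at all to limit false positives (second cause).
    """
    hits = []
    for entry in entries:
        if entry["product"] != product:
            continue
        if entry["start_incl"] is None and entry["end_incl"] is None:
            # No bounds: matches every version, so it is noisy by nature.
            if show_unconstrained:
                hits.append(entry["cve"])
            continue
        if version is None:
            continue  # nothing to compare the bounds against
        v = version_key(version)
        if entry["start_incl"] and v < version_key(entry["start_incl"]):
            continue
        if entry["end_incl"] and v > version_key(entry["end_incl"]):
            continue
        hits.append(entry["cve"])
    return hits
```

With the default setting the unconstrained entry never appears for 7.4p1, and with no extracted version nothing appears at all, so either cause alone is enough for a false negative.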
