Wrongly reports influxdb 1.11.8 as vulnerable #278

Open
lorenzo-dev1 opened this issue Jan 29, 2025 · 0 comments
The description of CVE-2022-36640 states that versions before v1.8.10 are vulnerable; however, v1.11.8 still gets detected as vulnerable.

```
pkg:golang/github.com/influxdata/[email protected]
1 known vulnerabilities affecting installed version
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2022-36640] CWE-276: Incorrect Default Permissions                                                                                                                                                                   ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ influxData influxDB before v1.8.10 contains no authentication mechanism or                                                                                                                           ┃
┃                    ┃ controls, allowing unauthenticated attackers to execute arbitrary commands.                                                                                                                          ┃
┃                    ┃ NOTE: the CVE ID assignment is disputed because the vendor's documentation                                                                                                                           ┃
┃                    ┃ states "If InfluxDB is being deployed on a publicly accessible endpoint, we                                                                                                                          ┃
┃                    ┃ strongly recommend authentication be enabled. Otherwise the data will be                                                                                                                             ┃
┃                    ┃ publicly available to any unauthenticated user. The default settings do NOT                                                                                                                          ┃
┃                    ┃ enable authentication and authorization.                                                                                                                                                             ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ CVE-2022-36640                                                                                                                                                                                       ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 9.8/10 (Critical)                                                                                                                                                                                    ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H                                                                                                                                                         ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vulnerability/CVE-2022-36640?component-type=golang&component-name=github.com%2Finfluxdata%2Finfluxdb&utm_source=nancy-client&utm_medium=integration&utm_content=1.0.46 ┃
```
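The triage step a maintainer would take on a report like this is to check the installed version against the affected range stated in the advisory text ("before v1.8.10") rather than trusting the scanner's match. The following is an added example, not code from this issue, from nancy or from OSS Index: it encodes that range as a single OSV-style half-open interval (an assumption about data shape; the real OSS Index record may be structured differently), parses Go-module-style versions with or without the leading `v`, and reports whether a version falls inside the interval. The `AffectedRange`, `IsAffected` and `cve202236640Ranges` names are the example's own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// AffectedRange is a half-open interval [Introduced, Fixed), the shape used by
// OSV-style advisories. An empty Fixed means "no fixed version yet".
type AffectedRange struct {
	Introduced string
	Fixed      string
}

// cve202236640Ranges encodes the range stated in the advisory text quoted in
// the issue ("before v1.8.10"). This is a constructed record for the example,
// not the OSS Index data that nancy actually consumed.
var cve202236640Ranges = []AffectedRange{{Introduced: "0", Fixed: "1.8.10"}}

// parseVersion turns "v1.11.8", "1.11.8", "1.8" or "0" into numeric
// components, padding missing components with zero. Pre-release suffixes are
// rejected rather than guessed at, so a caller sees an error instead of a
// silently wrong comparison. The "+incompatible" suffix Go uses for v2+
// modules without a /vN path is ignored for ordering purposes.
func parseVersion(s string) ([3]int, error) {
	var v [3]int
	s = strings.TrimPrefix(s, "v")
	s = strings.TrimSuffix(s, "+incompatible")
	parts := strings.Split(s, ".")
	if len(parts) == 0 || len(parts) > 3 {
		return v, fmt.Errorf("unsupported version %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("unsupported version component %q in %q", p, s)
		}
		v[i] = n
	}
	return v, nil
}

// compareVersions returns -1, 0 or 1 as a is less than, equal to or greater than b.
func compareVersions(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// IsAffected reports whether version lies inside any of the given ranges.
func IsAffected(version string, ranges []AffectedRange) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	for _, r := range ranges {
		lo, err := parseVersion(r.Introduced)
		if err != nil {
			return false, err
		}
		if compareVersions(v, lo) < 0 {
			continue // below the introduced version
		}
		if r.Fixed == "" {
			return true, nil // no fix yet: everything from Introduced on is affected
		}
		hi, err := parseVersion(r.Fixed)
		if err != nil {
			return false, err
		}
		if compareVersions(v, hi) < 0 {
			return true, nil // Introduced <= v < Fixed
		}
	}
	return false, nil
}

func main() {
	for _, ver := range []string{"v1.11.8", "1.8.9", "v1.8.10"} {
		affected, err := IsAffected(ver, cve202236640Ranges)
		if err != nil {
			fmt.Println(ver, "error:", err)
			continue
		}
		fmt.Printf("%s affected by CVE-2022-36640 per advisory text: %v\n", ver, affected)
	}
}
```

Running it shows v1.11.8 outside the stated range while 1.8.9 is inside it, which is the discrepancy the issue describes; the remaining question for the scanner's maintainers is what range the upstream vulnerability record actually carries.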
lorenzo-dev1 changed the title from "Wrongly reports influxdb as vulnerable" to "Wrongly reports influxdb 1.11.8 as vulnerable" on Jan 29, 2025