
False negative: recent CISA KEV Tomcat vulnerability CVE-2025-24813 is not being detected #2577

Status: Open
dbrugman opened this issue Apr 2, 2025 · 1 comment
Labels: bug (Something isn't working), false-positive

dbrugman commented Apr 2, 2025

What happened:
When scanning container images that come with a vulnerable version of Tomcat (e.g., version 9.0.90), this vulnerability does not get detected. Note that this is a Critical vulnerability that has recently been added to the CISA Known Exploited Vulnerabilities (KEV) catalogue, so I think it's important Grype will detect this.

What you expected to happen:
I would expect this vulnerability to get detected, since that version of Tomcat is vulnerable.

How to reproduce it (as minimally and precisely as possible):
Run grype --by-cve tomcat:9.0.90-jdk8-corretto. It should detect CVE-2025-24813, since version 9.0.90 is vulnerable, but it doesn't.

Anything else we need to know?:
This seems to be caused by the fact that the vulnerable library is tomcat-catalina, e.g. for version 9.0.90: https://mvnrepository.com/artifact/org.apache.tomcat/tomcat-catalina/9.0.90

The associated GHSA, GHSA-83qj-6fr2-vhqg, also lists (correctly) org.apache.tomcat:tomcat-catalina as being impacted: GHSA-83qj-6fr2-vhqg

However, the Tomcat distribution renames this library to just catalina.jar (lib/catalina.jar). The META-INF file does have the original name (Bundle-Name: tomcat-catalina); however, grype doesn't recognize it as such. When I run syft against the same image as above:

syft tomcat:9.0.90-jdk8-corretto | grep catalina

The library gets detected as:

catalina 9.0.90 java-archive, instead of tomcat-catalina

However, when I run syft with json output, it does include tomcat-catalina in the purl and CPE:

syft -o json tomcat:9.0.90-jdk8-corretto | jq

Snippet of the output:

...
"name": "catalina"
...
"cpe": "cpe:2.3:a:apache:tomcat-catalina:9.0.90:*:*:*:*:*:*:*"
...
"purl": "pkg:maven/org.apache.tomcat-catalina/[email protected]"
...

I've raised a similar issue before (#1799), and have updated GHSA items before (github/advisory-database#4878), but in this case I'm not sure if this is an issue with syft/grype, or the definition in the GHSA.

Environment:

  • Output of grype version: 0.91.0 (linux/amd64)
  • OS (e.g: cat /etc/os-release or similar): Ubuntu 20.04.6 LTS (Focal Fossa)
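To make the identity problem described in the report concrete, here is an added example (not syft or grype code) showing why a matcher that keys on the SBOM's display name misses the renamed jar, while one that keys on the Maven coordinates carried in the purl, or on the CPE product field, finds it. The Syft-style SBOM fragment is constructed for this example and modelled on the snippet above; the advisory record uses the package coordinates listed on GHSA-83qj-6fr2-vhqg, but its version range is a placeholder that must be taken from the advisory itself.

```python
"""Added example (not syft/grype code): name-only matching misses a renamed
jar, while matching on the purl or CPE recorded in the same SBOM entry does
not.  SBOM fragment and advisory range below are constructed for illustration."""
import json
import re

# Constructed Syft-style SBOM fragment, modelled on the issue's snippet.  The jar
# ships as lib/catalina.jar, so "name" is "catalina", but the purl and CPE still
# carry the Maven artifactId "tomcat-catalina".  "jasper" is a constructed decoy.
SBOM_JSON = r'''
{
  "artifacts": [
    {
      "name": "catalina",
      "version": "9.0.90",
      "type": "java-archive",
      "cpes": ["cpe:2.3:a:apache:tomcat-catalina:9.0.90:*:*:*:*:*:*:*"],
      "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.90"
    },
    {
      "name": "jasper",
      "version": "9.0.90",
      "type": "java-archive",
      "cpes": ["cpe:2.3:a:apache:tomcat-jasper:9.0.90:*:*:*:*:*:*:*"],
      "purl": "pkg:maven/org.apache.tomcat/tomcat-jasper@9.0.90"
    }
  ]
}
'''

# Constructed advisory record.  The package coordinates are those listed on the
# GHSA; the version range is a PLACEHOLDER and must be taken from the advisory.
ADVISORY = {
    "id": "GHSA-83qj-6fr2-vhqg",
    "ecosystem": "maven",
    "package": "org.apache.tomcat:tomcat-catalina",
    "introduced": "9.0.0",   # placeholder, not from the advisory
    "fixed": "9.0.99",       # placeholder, not from the advisory
}


def version_key(version: str) -> tuple:
    """Order Tomcat-style versions: components compare numerically, and a
    milestone component such as the 'M1' in 9.0.0.M1 sorts below the release
    it precedes.  Simplified, but sufficient for comparing 9.0.x versions."""
    parts = []
    for token in version.split("."):
        milestone = re.fullmatch(r"M(\d+)", token)
        parts.append(-1000 + int(milestone.group(1)) if milestone else int(token))
    parts += [0] * (4 - len(parts))  # pad so 9.0.0 and 9.0.0.M1 compare correctly
    return tuple(parts)


def version_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (half-open range, as in OSV/GHSA)."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def purl_coordinates(purl: str):
    """(namespace, name, version) of a pkg:maven purl; qualifiers are ignored."""
    m = re.fullmatch(r"pkg:maven/([^/@?#]+)/([^/@?#]+)@([^?#]+)(?:\?.*)?", purl)
    return m.groups() if m else None


def cpe_product(cpe: str):
    """Product field of a cpe:2.3 string (escaped colons are not handled)."""
    fields = cpe.split(":")
    return fields[4] if len(fields) >= 6 and fields[:2] == ["cpe", "2.3"] else None


def load_artifacts(sbom_json: str) -> list:
    return json.loads(sbom_json)["artifacts"]


def match_by_name(artifacts: list, advisory: dict) -> list:
    """Key on the SBOM display name: misses the renamed jar (false negative)."""
    _, artifact_id = advisory["package"].split(":")
    return [a["name"] for a in artifacts
            if a["name"] == artifact_id
            and version_affected(a["version"], advisory["introduced"], advisory["fixed"])]


def match_by_purl(artifacts: list, advisory: dict) -> list:
    """Key on groupId/artifactId/version taken from the purl: finds it."""
    group_id, artifact_id = advisory["package"].split(":")
    hits = []
    for a in artifacts:
        coords = purl_coordinates(a.get("purl", ""))
        if (coords and coords[0] == group_id and coords[1] == artifact_id
                and version_affected(coords[2], advisory["introduced"], advisory["fixed"])):
            hits.append(a["name"])
    return hits


def match_by_cpe(artifacts: list, advisory: dict) -> list:
    """Key on the CPE product field: also finds it."""
    _, artifact_id = advisory["package"].split(":")
    return [a["name"] for a in artifacts
            if any(cpe_product(c) == artifact_id for c in a.get("cpes", []))
            and version_affected(a["version"], advisory["introduced"], advisory["fixed"])]


if __name__ == "__main__":
    arts = load_artifacts(SBOM_JSON)
    for label, fn in (("name", match_by_name), ("purl", match_by_purl), ("cpe", match_by_cpe)):
        print(f"{ADVISORY['id']} matched by {label}: {fn(arts, ADVISORY) or 'nothing'}")
```

Run as a script, the name-keyed matcher reports nothing while the purl- and CPE-keyed matchers both report the catalina entry, which is the gap the report describes: the identity needed to hit the advisory is present in the SBOM entry, just not in the field a name-based lookup consults.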
@dbrugman dbrugman added the bug Something isn't working label Apr 2, 2025
@dbrugman dbrugman changed the title from "False positive: recent CISA KEV Tomcat vulnerability CVE-2025-24813 is not being detected" to "False negative: recent CISA KEV Tomcat vulnerability CVE-2025-24813 is not being detected" Apr 3, 2025

dbrugman (Author) commented Apr 3, 2025

I accidentally called this a false positive; it's actually a false negative. I've updated the title. FYI @wagoodman
