False positive for CVE-2023-51074

[onobc]

IDs

CVE-2023-51074

Description

Trivy incorrectly detects CVE-2023-51074 for json-path version 2.7.0 when the vulnerability is not until 2.8.0.

Reproduction Steps

Steps to reproduce:
1. Create project w/ dependency on json-path 2.7.0
2. Run Trivy scan on project

Report yields:


 com.jayway.jsonpath:json-path (json-path-2.7.0.jar)    │ CVE-2023-51074   │ HIGH     │ affected │ 2.7.0             │               │ json-path: stack-based buffer overflow in Criteria.parse     │
│                                                        │                  │          │          │                   │               │ method                                                       │
│                                                        │                  │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-51074

Target

Container Image

Scanner

Vulnerability

Target OS

Mac OS Monterrey

Debug Output

NA

Version

Version: 0.48.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-01-17 18:14:10.301525768 +0000 UTC
  NextUpdate: 2024-01-18 00:14:10.301525488 +0000 UTC
  DownloadedAt: 2024-01-17 19:23:09.795357 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-01-17 00:47:27.504481066 +0000 UTC
  NextUpdate: 2024-01-20 00:47:27.504480936 +0000 UTC
  DownloadedAt: 2024-01-17 19:23:32.223686 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @onobc
Thanks for your report!

Looks like v2.7.0 is also vulnerable - json-path/JsonPath#973 (comment)
I think CVE-2023-51074 has incorrect description.
If you disagree with this - suggest improvements for this CVE in GitHub page, please

Regards, Dmitriy.

[onobc]

You are correct @DmitriyLewen . It looks like they have since adjusted the advisory to properly state Affected versions <= 2.8.0. Thanks for clarifying.