[V] I've confirmed that a security advisory in data sources was correct.
Run Trivy with -f json that shows data sources and make sure that the security advisory is correct.
Description
CVE-2018-11499
From NVD:
A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact.
node-sass is a Node.js package for libsass
node-sass package versions >=4.4.0 and < 4.13.1 are vulnerable to this CVE because it uses "libsass" <= 3.5.4.
In node-sass 4.13.1 they upgraded libsass to 3.6.x.
I believe this is a FN and the CVE should be added to the trivy DB.
This is the issue in node-sass that upgraded libsass to fix the CVE: sass/node-sass#2720
trivy -v
Version: 0.25.3
Vulnerability DB:
Version: 2
UpdatedAt: 2022-07-12 06:06:06.717469085 +0000 UTC
NextUpdate: 2022-07-12 12:06:06.717468685 +0000 UTC
DownloadedAt: 2022-07-12 22:43:05.784647 +0000 UTC
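
One way to check a project for the false negative described in this issue, as an added example that is not part of the original report or of Trivy's code: it compares the node-sass versions in a parsed package-lock.json against a Trivy `-f json` report. The affected range is the one the reporter states; the `Results[].Vulnerabilities[]` field names are assumed from Trivy's JSON output, and the sample lockfile and report are constructed.

```javascript
// Added example (not Trivy or node-sass code). Range is the one stated in the issue.
const CVE = "CVE-2018-11499", PKG = "node-sass";
const AFFECTED = { min: [4, 4, 0], fixed: [4, 13, 1] }; // >=4.4.0 and <4.13.1

// Parse "x.y.z" into numbers; a pre-release suffix is ignored (simplification).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function inAffectedRange(version) {
  const v = parseVersion(version);
  return v !== null && compare(v, AFFECTED.min) >= 0 && compare(v, AFFECTED.fixed) < 0;
}

// Every installed node-sass version in a parsed package-lock.json:
// lockfileVersion 2/3 lists "packages"; version 1 nests "dependencies".
function installedVersions(lock) {
  const found = new Set();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + PKG) && meta.version) found.add(meta.version);
  }
  (function walk(deps) {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === PKG && meta.version) found.add(meta.version);
      walk(meta.dependencies);
    }
  })(lock.dependencies);
  return [...found];
}

// Versions inside the affected range that the report has no finding for.
function missedFindings(lock, trivyReport) {
  const reported = new Set();
  for (const result of trivyReport.Results || []) {
    for (const vuln of result.Vulnerabilities || []) {
      if (vuln.VulnerabilityID === CVE && vuln.PkgName === PKG) reported.add(vuln.InstalledVersion);
    }
  }
  return installedVersions(lock).filter((v) => inAffectedRange(v) && !reported.has(v));
}

// Constructed sample inputs (not from the issue).
const sampleLock = { lockfileVersion: 2, packages: {
  "node_modules/node-sass": { version: "4.12.0" },
  "node_modules/app/node_modules/node-sass": { version: "4.13.1" } } };
const sampleReport = { Results: [{ Target: "package-lock.json", Vulnerabilities: [] }] };
console.log(missedFindings(sampleLock, sampleReport)); // [ '4.12.0' ]
```

A non-empty result means the scanner database has no entry mapping the CVE to that node-sass version, which is the gap the issue asks to close.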