Grype is wrong about CVE-2024-37371 in libkrb5-3@1.20.1-2+deb12u2

Omri1100 · March 30, 2025, 1:35pm

Im using grype in order to see what CVEs are a match for libkrb5-3@1.20.1-2+deb12u2 (purl: ''pkg:deb/debian/libkrb5-3@1.20.1-2%2Bdeb12u2?arch=amd64&upstream=krb5&distro=debian")

And im getting CVE-2024-37371 as a match.
According to debian security tracker this version should have this CVE fixed.
Am I missing something?

SBOM I used:

{
    "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
        "timestamp": "2025-03-30T13:21:30.733Z",
        "tools": [
            {
                "vendor": "anchore",
                "name": "syft"
            }
        ],
        "component": {
            "type": "library",
            "name": "libkrb5-3:1.20.1-2+deb12u2",
            "bom-ref": "BomRef.mra4425cguo.0jrk04bhd1"
        }
    },
    "components": [
        {
            "type": "library",
            "name": "libkrb5-3",
            "version": "1.20.1-2+deb12u2",
            "bom-ref": "BomRef.s99gd870nd8.ogo8kh99fso",
            "purl": "pkg:deb/debian/libkrb5-3@1.20.1-2%2Bdeb12u2?arch=amd64&distro=debian&upstream=krb5",
            "properties": [
                {
                    "name": "syft:package:metadataType",
                    "value": "dpkg-db-entry"
                },
                {
                    "name": "syft:metadata:source",
                    "value": "krb5"
                },
                {
                    "name": "syft:metadata:metadataType",
                    "value": "dpkg-db-entry"
                },
                {
                    "name": "syft:metadata:installedSize",
                    "value": "1163"
                }
            ]
        }
    ],
    "dependencies": [
        {
            "ref": "BomRef.mra4425cguo.0jrk04bhd1"
        },
        {
            "ref": "BomRef.s99gd870nd8.ogo8kh99fso"
        }
    ]
}

Thanks a lot!

willmurphy · April 2, 2025, 2:41pm

Hi @Omri1100,

Can you share the exact command you’re running?

I created a local file called cdx.json that contains the JSON from your post, and I tried the following things:

grype sbom:cdx.json
grype --distro debian:12 sbom:cdx.json

The first prints nothing, but warns to specify a distro. The second, which specifies a distro, prints a few vulns, but not CVE-2024-37371.

Is grype still reporting this false positive for you? Did I miss a step in how you’re reproducing it?

Omri1100 · April 3, 2025, 7:40am

Hi @willmurphy

The command I used is:

grype --add-cpes-if-none --by-cve -q -o json  sbom:./sbom.json

You are right when adding --distro, grype prints more CVEs but not the one Im looking for.
You reproduced the case correctly.

Thank you

willmurphy · April 3, 2025, 1:51pm

Hi @Omri1100,

I’m confused! It sounded like you were reporting a false positive, that is, Grype is showing you a vulnerability you believe shouldn’t be present. Is that right?

And im getting CVE-2024-37371 as a match.

That sounds like you didn’t expect to see CVE-2024-37371, but you did see it. Is that right? When I run Grype, I don’t see it, so I’m curious what’s different.

What version of Grype are you using (run grype version)?

I’m happy to help, but I feel like I don’t quite understand the problem. Please let me know how I can help!

Omri1100 · April 6, 2025, 7:59am

Hey!

Im sorry for the confusion, I made a mistake.
The command I use is:

grype --add-cpes-if-none --by-cve -q -o json --distro debian sbom:./sbom.json

I am getting ‘CVE-2024-37371’ as a match for the SBOM I sent above, and yes I expect not to see it.
I did run grype db update before running the command above

Part of the matches output:

    "matches": [
        {
            "vulnerability": {
                "id": "CVE-2024-37371",
                "dataSource": "https://security-tracker.debian.org/tracker/CVE-2024-37371",
                "namespace": "debian:distro:debian:13",
                "severity": "Critical",
                "urls": [],
                "description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.",
                "cvss": [
                    {
                        "source": "nvd@nist.gov",
                        "type": "Primary",
                        "version": "3.1",
                        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
                        "metrics": {
                            "baseScore": 9.1,
                            "exploitabilityScore": 3.9,
                            "impactScore": 5.2
                        },
                        "vendorMetadata": {}
                    }
                ],
                "epss": [
                    {
                        "cve": "CVE-2024-37371",
                        "epss": 0.00481,
                        "percentile": 0.62492,
                        "date": "2025-04-05"
                    }
                ],
                "fix": {
                    "versions": [
                        "1.21.3-1"
                    ],
                    "state": "fixed"
                },
                "advisories": []
            },
            "relatedVulnerabilities": [],
            "matchDetails": [
                {
                    "type": "exact-indirect-match",
                    "matcher": "dpkg-matcher",
                    "searchedBy": {
                        "distro": {
                            "type": "debian",
                            "version": ""
                        },
                        "namespace": "debian:distro:debian:unstable",
                        "package": {
                            "name": "krb5",
                            "version": "1.20.1-2+deb12u2"
                        }
                    },
                    "found": {
                        "versionConstraint": "< 1.21.3-1 (deb)",
                        "vulnerabilityID": "CVE-2024-37371"
                    },
                    "fix": {
                        "suggestedVersion": "1.21.3-1"
                    }
                }
            ],
            "artifact": {
                "id": "4b7da8dbdce378b7",
                "name": "libkrb5-3",
                "version": "1.20.1-2+deb12u2",
                "type": "deb",
                "locations": null,
                "language": "",
                "licenses": [],
                "cpes": [
                    "cpe:2.3:a:libkrb5-3:libkrb5-3:1.20.1-2+deb12u2:*:*:*:*:*:*:*",
                    "cpe:2.3:a:libkrb5-3:libkrb5_3:1.20.1-2+deb12u2:*:*:*:*:*:*:*",
                    "cpe:2.3:a:libkrb5_3:libkrb5-3:1.20.1-2+deb12u2:*:*:*:*:*:*:*",
                    "cpe:2.3:a:libkrb5_3:libkrb5_3:1.20.1-2+deb12u2:*:*:*:*:*:*:*",
                    "cpe:2.3:a:libkrb5:libkrb5-3:1.20.1-2+deb12u2:*:*:*:*:*:*:*",
                    "cpe:2.3:a:libkrb5:libkrb5_3:1.20.1-2+deb12u2:*:*:*:*:*:*:*"
                ],
                "purl": "pkg:deb/debian/libkrb5-3@1.20.1-2%2Bdeb12u2?arch=amd64&distro=debian&upstream=krb5",
                "upstreams": [
                    {
                        "name": "krb5"
                    }
                ]
            }
        }
]

willmurphy · April 7, 2025, 2:35pm

Thanks for these details @Omri1100 !

What version of debian are you trying to scan against? When you pass grype --distro debian, Grype searches against every version of Debian. That’s the difference between our commands:

Finds the vuln:

grype --add-cpes-if-none -q --distro debian sbom:./sbom.json | rg -e NAME -e CVE-2024-37371
NAME       INSTALLED         FIXED-IN     TYPE  VULNERABILITY   SEVERITY
libkrb5-3  1.20.1-2+deb12u2  1.21.3-1     deb   CVE-2024-37371  Critical    (debian:13)
# note that there is no distro version specified, but Grype found a debian:13 vuln!

Does not find the vuln:

grype --add-cpes-if-none -q --distro debian:12 sbom:./sbom.json | rg -e NAME -e CVE-2024-37371
NAME       INSTALLED         FIXED-IN     TYPE  VULNERABILITY   SEVERITY
# note: when debian:12 is specified grype does not find this vuln

However, if we specify --distro debian:13, we see the vulnerability:

grype --add-cpes-if-none -q --distro debian:13 sbom:./sbom.json | rg -e NAME -e CVE-2024-37371
NAME       INSTALLED         FIXED-IN  TYPE  VULNERABILITY   SEVERITY
libkrb5-3  1.20.1-2+deb12u2  1.21.3-1  deb   CVE-2024-37371  Critical
# note specifying debian:13 causes grype to find this vuln

We can see the following table at the Debian security tracker page:

Package	Type	Release	Fixed Version	Origin
krb5	source	bullseye	1.18.3-6+deb11u5	DSA-5726-1
krb5	source	bookworm	1.20.1-2+deb12u2	DSA-5726-1
krb5	source	(unstable)	1.21.3-1

So what Grype is doing is comparing the package version you have, 1.20.1-2+deb12u2 to the version in unstable / 13: 1.21.3-1, and seeing that it is less. It looks like in this case we could have pulled deb12 out of the PURL and respected it, but I’m not sure we’d want to if the user explicitly passes --distro. See Distro matchers should be guided by package metadata not detected distro · Issue #86 · anchore/grype · GitHub for more discussion there.

TL;DR: if you pass --distro debian:12 instead of just --distro debian, Grype knows which version of Debian you’re asking about and will do the right thing.

Does that answer your question? Is there anything else I can help with on this thread?

Omri1100 · April 9, 2025, 8:46am

Yes, thank you very much!

Topic		Replies	Views
Grype doesnt match CVE-2025-24813 Grype	12	46	March 18, 2025
Does Grype fetches data from different sources or only from NVD Grype	2	87	September 16, 2024
Inconsistent Package Naming in Grype Grype	8	82	November 27, 2024
Grype - v0.79.6 released Announcements release	1	18	January 16, 2025
Grype - v0.91.1 released Announcements release	0	6	April 24, 2025

Grype is wrong about CVE-2024-37371 in libkrb5-3@1.20.1-2+deb12u2

Related topics