Grype is wrong about CVE-2024-37371 in libkrb5-3@1.20.1-2+deb12u2

I'm using grype in order to see what CVEs are a match for libkrb5-3@1.20.1-2+deb12u2 (purl: "pkg:deb/debian/libkrb5-3@1.20.1-2%2Bdeb12u2?arch=amd64&upstream=krb5&distro=debian")

And I'm getting CVE-2024-37371 as a match.
According to debian security tracker this version should have this CVE fixed.
Am I missing something?

SBOM I used:

{
    "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
        "timestamp": "2025-03-30T13:21:30.733Z",
        "tools": [
            {
                "vendor": "anchore",
                "name": "syft"
            }
        ],
        "component": {
            "type": "library",
            "name": "libkrb5-3:1.20.1-2+deb12u2",
            "bom-ref": "BomRef.mra4425cguo.0jrk04bhd1"
        }
    },
    "components": [
        {
            "type": "library",
            "name": "libkrb5-3",
            "version": "1.20.1-2+deb12u2",
            "bom-ref": "BomRef.s99gd870nd8.ogo8kh99fso",
            "purl": "pkg:deb/debian/libkrb5-3@1.20.1-2%2Bdeb12u2?arch=amd64&distro=debian&upstream=krb5",
            "properties": [
                {
                    "name": "syft:package:metadataType",
                    "value": "dpkg-db-entry"
                },
                {
                    "name": "syft:metadata:source",
                    "value": "krb5"
                },
                {
                    "name": "syft:metadata:metadataType",
                    "value": "dpkg-db-entry"
                },
                {
                    "name": "syft:metadata:installedSize",
                    "value": "1163"
                }
            ]
        }
    ],
    "dependencies": [
        {
            "ref": "BomRef.mra4425cguo.0jrk04bhd1"
        },
        {
            "ref": "BomRef.s99gd870nd8.ogo8kh99fso"
        }
    ]
}

Thanks a lot!

Hi @Omri1100,

Can you share the exact command you’re running?

I created a local file called cdx.json that contains the JSON from your post, and I tried the following things:

grype sbom:cdx.json
grype --distro debian:12 sbom:cdx.json

The first prints nothing, but warns to specify a distro. The second, which specifies a distro, prints a few vulns, but not CVE-2024-37371.

Is grype still reporting this false positive for you? Did I miss a step in how you’re reproducing it?

Hi @willmurphy

The command I used is:

grype --add-cpes-if-none --by-cve -q -o json  sbom:./sbom.json

You are right: when adding --distro, grype prints more CVEs, but not the one I'm looking for.
You reproduced the case correctly.

Thank you

Hi @Omri1100,

I’m confused! It sounded like you were reporting a false positive, that is, Grype is showing you a vulnerability you believe shouldn’t be present. Is that right?

And I'm getting CVE-2024-37371 as a match.

That sounds like you didn’t expect to see CVE-2024-37371, but you did see it. Is that right? When I run Grype, I don’t see it, so I’m curious what’s different.

What version of Grype are you using (run grype version)?

I’m happy to help, but I feel like I don’t quite understand the problem. Please let me know how I can help!

Hey!

I'm sorry for the confusion, I made a mistake.
The command I use is:

grype --add-cpes-if-none --by-cve -q -o json --distro debian sbom:./sbom.json

I am getting 'CVE-2024-37371' as a match for the SBOM I sent above, and yes, I expect not to see it.
I did run grype db update before running the command above.

Part of the matches output:

    "matches": [
        {
            "vulnerability": {
                "id": "CVE-2024-37371",
                "dataSource": "https://security-tracker.debian.org/tracker/CVE-2024-37371",
                "namespace": "debian:distro:debian:13",
                "severity": "Critical",
                "urls": [],
                "description": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.",
                "cvss": [
                    {
                        "source": "nvd@nist.gov",
                        "type": "Primary",
                        "version": "3.1",
                        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
                        "metrics": {
                            "baseScore": 9.1,
                            "exploitabilityScore": 3.9,
                            "impactScore": 5.2
                        },
                        "vendorMetadata": {}
                    }
                ],
                "epss": [
                    {
                        "cve": "CVE-2024-37371",
                        "epss": 0.00481,
                        "percentile": 0.62492,
                        "date": "2025-04-05"
                    }
                ],
                "fix": {
                    "versions": [
                        "1.21.3-1"
                    ],
                    "state": "fixed"
                },
                "advisories": []
            },
            "relatedVulnerabilities": [],
            "matchDetails": [
                {
                    "type": "exact-indirect-match",
                    "matcher": "dpkg-matcher",
                    "searchedBy": {
                        "distro": {
                            "type": "debian",
                            "version": ""
                        },
                        "namespace": "debian:distro:debian:unstable",
                        "package": {
                            "name": "krb5",
                            "version": "1.20.1-2+deb12u2"
                        }
                    },
                    "found": {
                        "versionConstraint": "< 1.21.3-1 (deb)",
                        "vulnerabilityID": "CVE-2024-37371"
                    },
                    "fix": {
                        "suggestedVersion": "1.21.3-1"
                    }
                }
            ],
            "artifact": {
                "id": "4b7da8dbdce378b7",
                "name": "libkrb5-3",
                "version": "1.20.1-2+deb12u2",
                "type": "deb",
                "locations": null,
                "language": "",
                "licenses": [],
                "cpes": [
                    "cpe:2.3:a:libkrb5-3:libkrb5-3:1.20.1-2+deb12u2:*:*:*:*:*:*:*",
                    "cpe:2.3:a:libkrb5-3:libkrb5_3:1.20.1-2+deb12u2:*:*:*:*:*:*:*",
                    "cpe:2.3:a:libkrb5_3:libkrb5-3:1.20.1-2+deb12u2:*:*:*:*:*:*:*",
                    "cpe:2.3:a:libkrb5_3:libkrb5_3:1.20.1-2+deb12u2:*:*:*:*:*:*:*",
                    "cpe:2.3:a:libkrb5:libkrb5-3:1.20.1-2+deb12u2:*:*:*:*:*:*:*",
                    "cpe:2.3:a:libkrb5:libkrb5_3:1.20.1-2+deb12u2:*:*:*:*:*:*:*"
                ],
                "purl": "pkg:deb/debian/libkrb5-3@1.20.1-2%2Bdeb12u2?arch=amd64&distro=debian&upstream=krb5",
                "upstreams": [
                    {
                        "name": "krb5"
                    }
                ]
            }
        }
]

Thanks for these details @Omri1100 !

What version of debian are you trying to scan against? When you pass grype --distro debian, Grype searches against every version of Debian. That’s the difference between our commands:

Finds the vuln:

grype --add-cpes-if-none -q --distro debian sbom:./sbom.json | rg -e NAME -e CVE-2024-37371
NAME       INSTALLED         FIXED-IN     TYPE  VULNERABILITY   SEVERITY
libkrb5-3  1.20.1-2+deb12u2  1.21.3-1     deb   CVE-2024-37371  Critical    (debian:13)
# note that there is no distro version specified, but Grype found a debian:13 vuln!

Does not find the vuln:

grype --add-cpes-if-none -q --distro debian:12 sbom:./sbom.json | rg -e NAME -e CVE-2024-37371
NAME       INSTALLED         FIXED-IN     TYPE  VULNERABILITY   SEVERITY
# note: when debian:12 is specified grype does not find this vuln

However, if we specify --distro debian:13, we see the vulnerability:

grype --add-cpes-if-none -q --distro debian:13 sbom:./sbom.json | rg -e NAME -e CVE-2024-37371
NAME       INSTALLED         FIXED-IN  TYPE  VULNERABILITY   SEVERITY
libkrb5-3  1.20.1-2+deb12u2  1.21.3-1  deb   CVE-2024-37371  Critical
# note specifying debian:13 causes grype to find this vuln

We can see the following table at the Debian security tracker page:

Package  Type    Release     Fixed Version      Origin
krb5     source  bullseye    1.18.3-6+deb11u5   DSA-5726-1
krb5     source  bookworm    1.20.1-2+deb12u2   DSA-5726-1
krb5     source  (unstable)  1.21.3-1

So what Grype is doing is comparing the package version you have, 1.20.1-2+deb12u2 to the version in unstable / 13: 1.21.3-1, and seeing that it is less. It looks like in this case we could have pulled deb12 out of the PURL and respected it, but I’m not sure we’d want to if the user explicitly passes --distro. See Distro matchers should be guided by package metadata not detected distro · Issue #86 · anchore/grype · GitHub for more discussion there.

TL;DR: if you pass --distro debian:12 instead of just --distro debian, Grype knows which version of Debian you’re asking about and will do the right thing.

Does that answer your question? Is there anything else I can help with on this thread?

Yes, thank you very much!
