Vulnerability detector identifying wrong version


Arthur Henrique Oliveira Aparício

Jul 2, 2024, 9:54:23 AM
to Wazuh | Mailing List
Hello there!

I was checking the vulnerabilities in my environment (mainly with the preview update) for the new CVE-2024-6387, and I found some of the records showing to be in recent versions of openssh (and its variations) (like those in the photo below).

Captura de tela 2024-07-02 105423.png

It is possible to notice that the version presented is 1:9.2p1-2 (which in Debian-based systems has 1: before the number, and this specific one is from the end of last year), and even so, the module identified it as below 4.6, most likely because it understands the 1: as indicative of a version 1, and not 9.

Although I haven't researched much, I believe there may be more packages like this. Furthermore, sometimes certain CVEs are found for x version of a package, but are resolved in the next check. This is before we even acted. I believe it is because some packages are present in more than one version in the system, which can confuse the system that finds the package, and then finds another one.

I can't say if it's an error exactly, but it doesn't seem to be checking correctly. I am currently on version 4.8 of the manager, while some agents are still on versions from 4.7.2. All in One Installation.

Thank you in advance for your attention

Matías David Mercado Aragonés

Jul 2, 2024, 11:56:52 AM
to Wazuh | Mailing List
Hi Arthur,
I will check this on my local environment to determine if this issue is related to the new vulnerability detector. If it turns out to be a genuine issue, we can inform our development team. First, I will attempt to reproduce this in a local environment. I will keep you posted.
Regards,
Matías.