False postive on Debian images

[Oneiroi]

IDs

CVE-2001-1534,TEMP-0841856-B18BAF

Description

PHP:8-apache-bookwork false-positives

Within the trivy image php:8-apache-bookworm we see reports for example such as:

CVE-2001-1534 - mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication.

On startup it can be observed the image is running Apache 2.4.57 [Wed Jan 24 11:40:26.811835 2024] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.57 (Debian) PHP/8.3.2 configured -- resuming normal operations

ii  apache2                       2.4.57-2                       arm64        Apache HTTP Server
ii  apache2-bin                   2.4.57-2                       arm64        Apache HTTP Server (modules and other binary files)
ii  apache2-data                  2.4.57-2                       all          Apache HTTP Server (common files)
ii  apache2-utils                 2.4.57-2                       arm64        Apache HTTP Server (utility programs for web servers)```

`mod_usertrack` is in the apache mods avaialble, though not enabled itself:

```root@9db737b4e3c4:/var/www/html# cat /etc/apache2/mods-available/usertrack.load 
LoadModule usertrack_module /usr/lib/apache2/modules/mod_usertrack.so
root@9db737b4e3c4:/var/www/html# ls -la /etc/apache2/mods-enabled/ | grep user
lrwxrwxrwx 1 root root   33 Jan 11 03:34 authz_user.load -> ../mods-available/authz_user.load
root@9db737b4e3c4:/var/www/html# apachectl -t -l
Compiled in modules:
  core.c
  mod_so.c
  mod_watchdog.c
  http_core.c
  mod_log_config.c
  mod_logio.c
  mod_version.c
  mod_unixd.c
root@9db737b4e3c4:/var/www/html# apachectl -t -M
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 filter_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 php_module (shared)
 reqtimeout_module (shared)
 setenvif_module (shared)
 status_module (shared)

Moreover reviewing https://nvd.nist.gov/vuln/detail/CVE-2001-1534 see the statement from RedHat:

OFFICIAL STATEMENT FROM RED HAT (08/30/2006)
This is not a security issue. The mod_usertrack cookies are not designed to be used for authentication.

-f json snippet

"VulnerabilityID": "CVE-2001-1534",
          "PkgID": "apache2@2.4.57-2",
          "PkgName": "apache2",
          "InstalledVersion": "2.4.57-2",
          "Status": "affected",
          "Layer": {
            "Digest": "sha256:ea67ae2bde3303f6e68d4e0f2e641771894224010749cd780d5b602f500d3c81",
            "DiffID": "sha256:144756fc5594794ec34b73106dce806e3e4468c19b809b4501d70ae8bf95a3c2"
          },
          ...
           "References": [
            "http://cert.uni-stuttgart.de/archive/bugtraq/2001/11/msg00084.html",
            "http://www.iss.net/security_center/static/7494.php",
            "http://www.securityfocus.com/bid/3521"
          ],
          "PublishedDate": "2001-12-31T05:00:00Z",
          "LastModifiedDate": "2021-07-15T20:37:56.323Z"

1. apache versions do not match those noted as vulnerable
2. the references noted in the -f json ouput, are unreachable or 404.

Debian false-positives

root@9db737b4e3c4:/var/www/html# cat /etc/debian_version
12.4

Debian version is correctly detected by Trivy: php:8-apache-bookworm (**debian 12.4**)

Vulberability TEMP-0841856-B18BAF prently reports 'not found'

Vulnerability TEMP-0000000-F7A20F notes whilst report from for Linux 2.6 Kernel this does not contain the affected code, admittedly the link notes the main linux package is vulnerable perhaps this accounts for the positive status , seems perhaps upstream debate on this also has not resulted in a positive correction at the time of writing, that and as the Debian tracker link notes the vulnerability as "unimportant" we may never see resolution for this particular issue whether or not this is a false positive seems entirely dependant on the individuals point of view, unsure if we can exclude 'TEMP-' items in the future to account for such ambiguity ?

Vulnerability TEMP-0628843-DB-AD28 presently returns "not found" additionlly it is noted [more related to CVE-2005-4890] seems this may have not been fully merged?

On review of CVE-2005-4890 it is noted this is fixed in the Debian version, for the sudo and shadow packages, which upon review, neither are present within the container.

Additionally Trivy notes that TEMP-0628843-DBAD28 affected passwd the verison of which is installed being: 1:4.13+dfsg1-1+b1 however the CVE-2005-4890 does not passwd as being affected, liekly a case of stale data in this particular case presuming the now unavailable TEMP-0628843-DBAD28 noted passwd as being affected with the CVE-2005-4890 noting instead that shadow is.

TEMP-0517018-A83CE6 appear internal debtae is ongoing on whether or not this is unimportant or low ; maybe not a Trivy issue more an upstream problem showing unpatched and vulnerable at the time of writing.

TEMP-0290435-0B57B5 another case of internal debate, seems the tracker shows as vulnerable whilst notes suggest this is not the case.

Reproduction Steps

1. `trivy image php:8-apache-bookworm`

Target

Container Image

Scanner

Vulnerability

Target OS

debian 12.4

Debug Output

trivy image php:8-apache-bookworm --debug      
2024-01-24T12:46:38.397Z    DEBUG    Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-01-24T12:46:38.397Z        DEBUG    Ignore statuses {"statuses": null}
2024-01-24T12:46:38.402Z        DEBUG    cache dir:  /Users/aegishjalmur/Library/Caches/trivy
2024-01-24T12:46:38.403Z        INFO     Need to update DB
2024-01-24T12:46:38.403Z        INFO     DB Repository: ghcr.io/aquasecurity/trivy-db
2024-01-24T12:46:38.403Z        INFO     Downloading DB...
42.47 MiB / 42.47 MiB [-----------------------------------------------------------------------------------------------------------------] 100.00% 5.12 MiB p/s 8.5s
2024-01-24T12:46:47.808Z        DEBUG    Updating database metadata...
2024-01-24T12:46:47.808Z        DEBUG    DB Schema: 2, UpdatedAt: 2024-01-24 12:13:22.639022174 +0000 UTC, NextUpdate: 2024-01-24 18:13:22.639021844 +0000 UTC, DownloadedAt: 2024-01-24 12:46:47.808163 +0000 UTC
2024-01-24T12:46:47.809Z        INFO     Vulnerability scanning is enabled
2024-01-24T12:46:47.809Z        DEBUG    Vulnerability type:  [os library]
2024-01-24T12:46:47.809Z        INFO     Secret scanning is enabled
2024-01-24T12:46:47.809Z        INFO     If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-01-24T12:46:47.809Z        INFO     Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-01-24T12:46:47.809Z        DEBUG    Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-01-24T12:46:49.025Z        DEBUG    No secret config detected: trivy-secret.yaml
2024-01-24T12:46:49.026Z        DEBUG    The nuget packages directory couldn't be found. License search disabled
2024-01-24T12:46:49.027Z        DEBUG    No secret config detected: trivy-secret.yaml
2024-01-24T12:46:49.291Z        DEBUG    Image ID: sha256:c2ddac79b604051d5f96d102fb7cc40238f53c0d077f0290c9ddc46a9b0157c6
2024-01-24T12:46:49.291Z        DEBUG    Diff IDs: [sha256:571ade696b261f0ff46e3cdac4635afc009c4ed3429950cb95cd7e5f70ba0a07 sha256:40c592e990b3cd7e4b4b72519825c2492dda317073365956bbfb1d961dfa47ca sha256:d26d02e35df24f959af5dcc75184ac3bd62f5f783c70d59bff09992fcfb2e496 sha256:a8e13f02e9db329b4a62a68252a7a8e75f63ade89fca2fa098cb09d5dff494d7 sha256:144756fc5594794ec34b73106dce806e3e4468c19b809b4501d70ae8bf95a3c2 sha256:c0c8d17d49b3ef917b0953a4cfe0b67cef6d89695b486fca680d312794126e13 sha256:b3b06999ffde4d69f039227599a97aac8c4176f5ee05474451ed6f0ec705e0b0 sha256:246485baa8bd281da569cec8c6a613ffead7eeb4a708dd1079da3f643b5f0c7d sha256:67ef36c0d747d282d6a44591a9e6d49a51f06f65dc9f15902c965f9a5194bcac sha256:6ed16f499ec1e233488e257d276ac2e41bd90bb5b2ae59e5faf345dca5909489 sha256:ffc119995b5ce190004bfac060a76ff198bc56de95a2a7eae231661c047fde50 sha256:9964614552c26f1cd2d4263b3b8aae0eb11bf12428eae240a69c8b4f5c762f81 sha256:5959d3d0d9bacb9b99a446feaae4037f2e61283e27db283b4af9261183a85d92]
2024-01-24T12:46:49.291Z        DEBUG    Base Layers: [sha256:571ade696b261f0ff46e3cdac4635afc009c4ed3429950cb95cd7e5f70ba0a07]
2024-01-24T12:46:49.311Z        INFO     Detected OS: debian
2024-01-24T12:46:49.311Z        INFO     Detecting Debian vulnerabilities...
2024-01-24T12:46:49.312Z        DEBUG    debian: os version: 12
2024-01-24T12:46:49.312Z        DEBUG    debian: the number of packages: 187
2024-01-24T12:46:49.338Z        INFO     Number of language-specific files: 0

php:8-apache-bookworm (debian 12.4)

Total: 358 (UNKNOWN: 6, LOW: 256, MEDIUM: 70, HIGH: 25, CRITICAL: 1)
... <truncated for brevity>

Version

trivy --version
Version: 0.48.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-01-24 12:13:22.639022174 +0000 UTC
  NextUpdate: 2024-01-24 18:13:22.639021844 +0000 UTC
  DownloadedAt: 2024-01-24 12:46:47.808163 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[timwsuqld]

This is still an issue with Debian 13, and Apache 2.4.65-2

trivy image  php:8.3-apache --debug |grep 2001-1534
2025-12-11T15:00:33+10:00	DEBUG	No plugins loaded
2025-12-11T15:00:33+10:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-12-11T15:00:33+10:00	DEBUG	Cache dir	dir="/home/timw/.cache/trivy"
2025-12-11T15:00:33+10:00	DEBUG	Cache dir	dir="/home/timw/.cache/trivy"
2025-12-11T15:00:33+10:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-12-11T15:00:33+10:00	DEBUG	Ignore statuses	statuses=[]
2025-12-11T15:00:33+10:00	DEBUG	DB update was skipped because the local DB is the latest
2025-12-11T15:00:33+10:00	DEBUG	DB info	schema=2 updated_at=2025-12-11T00:35:54.612905115Z next_update=2025-12-12T00:35:54.612904855Z downloaded_at=2025-12-11T04:34:39.521351686Z
2025-12-11T15:00:33+10:00	DEBUG	[pkg] Package types	types=[os library]
2025-12-11T15:00:33+10:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-12-11T15:00:33+10:00	INFO	[vuln] Vulnerability scanning is enabled
2025-12-11T15:00:33+10:00	INFO	[secret] Secret scanning is enabled
2025-12-11T15:00:33+10:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-12-11T15:00:33+10:00	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2025-12-11T15:00:33+10:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-12-11T15:00:33+10:00	DEBUG	Initializing scan cache...	type="fs"
2025-12-11T15:00:35+10:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-12-11T15:00:35+10:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-12-11T15:00:35+10:00	DEBUG	[image] Detected image ID	image_id="sha256:52626f711799ffed01f8d494e56b32bf38332892fbd6c6021408d785f2adc75d"
2025-12-11T15:00:35+10:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:77a2b55fbe8b9984ce0af3ffc0b0ab62507668e63306ec161a585e587a3eb164 sha256:7710480853fba23f24ebb0376da8d058bfcc48fbda32ea76f452a79d64f58fd5 sha256:dcffa2072465c3807871566b5ec38b64974595b7b8e6cb61ab7d75ea96a947c6 sha256:10d226b781e6ed9cfae6a374e380e366a63f523558ecc192f27b1e50ca1a0794 sha256:637b8cf816fb8d354f89b204196d0e0acbd4da79803f4f003cdaa9d4ea7f7738 sha256:c7dddd7035ec6d3c2c81af237b6e5b1ad3e295cbf4c79c94b12cf06f72b820e9 sha256:fa82deddf2eb2655fba68f95d1c1e49c1c8ba770975176dc211fa9a38f710661 sha256:282568f740f58852765e9fa7464965fcca30c2acf4081a94c13010c258758517 sha256:4621d3cd4fe7cb63eb87f91550102fb8824319829b0c678e3bdb25b1cb0ce05a sha256:42f1011305aa887996de6759f7f2485da06fda10651fee1460e9d9702a10dd42 sha256:255e72fe5f74c18b9a60cf659687c4f52a61d1b3bac1a1a7ae5d32ad4574687e sha256:c63d6f90e56c3b6e58db2e51af285f09d265f23f079bd4e3b0fa7a5d1315b5d1 sha256:8bdfe7844aaae18144196f0111170e7b069429d816ecd1f00868a2d01d5551ed sha256:5621a5cd84ce0d5b1cb85d9d6e948eb97d29519dfc50a4f362e3ac75ed85dcd1 sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef]
2025-12-11T15:00:35+10:00	DEBUG	[image] Detected base layers	diff_ids=[]
2025-12-11T15:00:35+10:00	INFO	Detected OS	family="debian" version="13.2"
2025-12-11T15:00:35+10:00	INFO	[debian] Detecting vulnerabilities...	os_version="13" pkg_num=186
2025-12-11T15:00:35+10:00	INFO	Number of language-specific files	num=0
2025-12-11T15:00:35+10:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.58/docs/scanner/vulnerability#severity-selection for details.
2025-12-11T15:00:35+10:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-12-11T15:00:35+10:00	DEBUG	[vex] VEX filtering is disabled
│                           │ CVE-2001-1534       │ LOW      │              │                                      │               │ mod_usertrack in Apache 1.3.11 through 1.3.20 generates      │
│                           │                     │          │              │                                      │               │ https://avd.aquasec.com/nvd/cve-2001-1534                    │
│                           │ CVE-2001-1534       │ LOW      │              │                                      │               │ mod_usertrack in Apache 1.3.11 through 1.3.20 generates      │
│                           │                     │          │              │                                      │               │ https://avd.aquasec.com/nvd/cve-2001-1534                    │
│                           │ CVE-2001-1534       │ LOW      │              │                                      │               │ mod_usertrack in Apache 1.3.11 through 1.3.20 generates      │
│                           │                     │          │              │                                      │               │ https://avd.aquasec.com/nvd/cve-2001-1534                    │
│                           │ CVE-2001-1534       │ LOW      │              │                                      │               │ mod_usertrack in Apache 1.3.11 through 1.3.20 generates      │
│                           │                     │          │              │                                      │               │ https://avd.aquasec.com/nvd/cve-2001-1534    

trivy --version
Version: 0.58.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-12-11 00:35:54.612905115 +0000 UTC
  NextUpdate: 2025-12-12 00:35:54.612904855 +0000 UTC
  DownloadedAt: 2025-12-11 04:34:39.521351686 +0000 UTC
Check Bundle:
  Digest: sha256:0491169789b867ae5a7353381220c1d4d97b3a0d6d9dfd84a25d06f0ba68aa93
  DownloadedAt: 2025-12-11 04:34:40.749145986 +0000 UTC

Using latest Docker version of trivy gives same results

trivy --version
Version: 0.68.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-12-04 00:32:50.275041742 +0000 UTC
  NextUpdate: 2025-12-05 00:32:50.275041431 +0000 UTC
  DownloadedAt: 2025-12-04 04:35:17.546333153 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-11-30 00:59:57.65346071 +0000 UTC
  NextUpdate: 2025-12-03 00:59:57.653460519 +0000 UTC
  DownloadedAt: 2025-12-03 04:42:48.260411139 +0000 UTC
Check Bundle:
  Digest: sha256:0491169789b867ae5a7353381220c1d4d97b3a0d6d9dfd84a25d06f0ba68aa93
  DownloadedAt: 2025-12-04 04:36:24.490575106 +0000 UTC