The Fixed Version for Nginx package is older than the current one (amazon 2023.6.20241121 (Amazon Linux))

[serhii-ciq]

Description

Hello!
I performed a Trivy scan for my docker image and found the strange behavior for the suggested package:

nginx   │ CVE-2023-44487 │ HIGH     │ fixed  │ 1.26.2-1.amzn2023.ngx │ 1:1.24.0-1.amzn2023.0.2

It shows that fixed version 1:1.24.0-1.amzn2023.0.2 is older than my current version (1.26.2-1.amzn2023.ngx)

Could you please check it, probably this is a wrong suggestion.

Desired Behavior

The fixed version should be newer than the vulnerable version

Actual Behavior

The fixed version is older than the vulnerable version

Reproduction Steps

trivy image my-custom-nginx-build:latest

Target

Container Image

Scanner

Vulnerability

Output Format

JSON

Mode

None

Debug Output

========================================================================================================
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────────┬─────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │   Installed Version   │      Fixed Version      │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ nginx   │ CVE-2023-44487 │ HIGH     │ fixed  │ 1.26.2-1.amzn2023.ngx │ 1:1.24.0-1.amzn2023.0.2 │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable   │
│         │                │          │        │                       │                         │ to a DDoS attack...                                          │
│         │                │          │        │                       │                         │ https://avd.aquasec.com/nvd/cve-2023-44487                   │

### Operating System

Windows

### Version

```bash
Version: 0.58.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-01-02 06:13:46.948760983 +0000 UTC
  NextUpdate: 2025-01-03 06:13:46.948760592 +0000 UTC
  DownloadedAt: 2025-01-02 10:15:54.6988347 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[itaysk]

didn't investigate this just a quick note that that the fixed version includes an epoch (the 1: prefix) which makes it greater than the installed version. this is the advisory details: https://alas.aws.amazon.com/AL2023/ALAS-2023-393.html

[serhii-ciq]

Thanks @itaysk
You are right. This is my bad :(
To install Nginx we use the official Nginx repo instead of the AmazonLinux repo.
The CVE updates appear in the official Nginx repo from time to time https://nginx.org/en/CHANGES