False positive in test

GVM versions

gsad: Greenbone Security Assistant 21.4.3
gvmd: Greenbone Vulnerability Manager 21.4.4
openvas-scanner: OpenVAS 21.4.3
gvm-libs: gvm-libs 21.4.3


Operating system:
Kernel: Linux 5.4.0-92-generic #103-Ubuntu SMP
Installation method / source: source


my last scan has reported some vulnerabilities and after checking with the software provider i understand that they were fixed.

please see the image below

which checking the vulnerabilities themselves it appears that they are for another version of phplist see the next 2 images showing versions 3.5.9 and 3.6.0. as we are currently at version 3.6.7 how can that be fixed ?



Thanks a lot for your posting.

The VT in question has been reviewed for a possible solution at the 18. February, no official information on a fix has been found and thus the affected version has been raised to the latest available version (3.6.7 at this time). This is a standard procedure if vendors are not publishing detailed information / no information at all on affected and fixed versions.

Do you have any official statement (e.g. a changelog entry, a blog post) stating that both CVE-2020-35708/CVE-2021-3188 got fixed and in which version? In this case the version check could be updated / improved accordingly to match the information provided by the vendor.

Related to the last two screenshots:

The versions stated in the CVE entries provided by MITRE are often not a reliable source for all affected and/or fixed versions:

  • If no known fix was available it only reflects the known affected versions at the time of the publication of the entry (e.g. extracted from external links included in the entry)
  • It also not necessarily contains all affected versions

This also means that some one needs to push the information on available fixes to MITRE so that these are reflected in the related CVE entries.

Related to this we also got the following statement from a MITRE representative in the past:

A CVE description does not necessarily contain all the affected products or versions and is not part of CVE ID requirements. The products are documented in the CVE references.


after discussing with the PHPList developers it appears that the 2 vulnerabilities where fixed in version 3.6.3.

my discussion with them is at https://github.com/phpList/phplist3/issues/861 and also their list of releases is at https://www.phplist.org/newslist/

they don’t mention the specific CVEs in their security release but that’s a common practice.

Thanks a lot for passing this information. Could you ask the vendor to add the information on the fixed CVEs to e.g. the phpList 3.6.3 released: Security release & feature improvements | phpList.org release notes.

Yes, unfortunately this is common but bad practice and is giving quite a lot headaches for all vulnerability scanners (not only Greenbone specific) relying on accurate information published by vendors.

1 Like

Hi @cfi. Sorry for the late reply but i was on holiday and i was also waiting for an update from phplist.

They have updated the release notes at https://www.phplist.org/newslist/phplist-3-6-6-release-notes/ to include the specs of the security fixes.

Can these be implemented into the scans please? Thank you

Thanks a lot for the follow-up posting. It is strange that the following:

CVE-2020-35708 – resolved in 3.6.0
CVE-2021-3188 – resolved in 3.6.3

was now added in the release announcement for 3.6.6 and not in the related announcements here:

Nonetheless the info should be enough and the related version check(s) will be updated in the next few days accordingly.

Thank you!