Microsoft Windows Unquoted Path Vulnerability

Hi,
I observed that the unquoted path vulnerability detection script, namely “gb_unquoted_path_vulnerabilities_win.nasl”, produces some false positives. The script looks for vulnerable services, but if it finds any of them then it reports 56 different CVEs.

All the CVEs are related to the Unquoted Path Vulnerability, but not all of them may be related to the service that the script finds. For example, CVE-2016-8769 relates to a Huawei service, and CVE-2015-4173 relates to Dell SonicWall NetExtender software, and I’m sure that I don’t have any of these products on my system.

Maybe a detailed check for these CPEs of the reported CVEs must be written in the script.

GVM doesn’t provide NASL scripts with the possibility to define / report specific or single CVEs during their runtime; only the static reference via script_cve_id() is available.

For this specific VT a middle ground had to be found to cover all CVEs related to this unquoted path vulnerability without writing a VT for each single CVE (which would also mean a performance impact while scanning). So this VT was implemented in the current way on purpose with the possibilities GVM is providing and can’t / won’t be changed.

Note that “false positive” is not correct in this scope. As long as the reporting related to the “unquoted path vulnerability” is correct there is no false positive involved here if some of the referenced CVEs are just not matching the vulnerability.
