
Wrong CVEs reported for rancher desktop #1647

@hohwille

Description


Actual behavior

For current version 1.21.0 of tool docker/rancher we found 5 CVE(s):
CVE-2019-5736 with severity 8.6 and affected versions: [(,18.09.2)]
https://nvd.nist.gov/vuln/detail/CVE-2019-5736
 
CVE-2020-27534 with severity 5.3 and affected versions: [(,19.03.9)]
https://nvd.nist.gov/vuln/detail/CVE-2020-27534
 
CVE-2021-21284 with severity 6.8 and affected versions: [(,19.03.15), [20.0.0,20.10.3)]
https://nvd.nist.gov/vuln/detail/CVE-2021-21284
 
CVE-2021-21285 with severity 6.5 and affected versions: [(,19.03.15), [20.0.0,20.10.3)]
https://nvd.nist.gov/vuln/detail/CVE-2021-21285
 
CVE-2022-25365 with severity 7.8 and affected versions: [(,4.5.1)]
https://nvd.nist.gov/vuln/detail/CVE-2022-25365

Several CVEs like CVE-2022-25365 do not belong to the product Rancher Desktop but to the core of Docker itself (and not even Docker Desktop).
The problem is that the version of Rancher Desktop is checked here against CVEs from the Docker core product, which has a totally different version schema. This results in incorrectly reported issues.
CPE matching is way more complex and messy than expected.

Reproduce

ide install docker

Expected behavior

Only valid CVEs should be reported and CVE-2022-25365 is incorrect.

IDEasy status

IDE_ROOT is set to D:/projects
IDE_HOME is set to D:/projects/project
You are online.
Found bash executable at: C:/Program Files/Git/usr/bin/bash.exe
Found git executable at: C:/Program Files/Git/mingw64/bin/git.exe
Your settings are not up-to-date, please run 'ide update'.
Your version of IDEasy is 2025.11.001.
Your are using the latest version of IDEasy and no update is available.
Your operating system is windows(10.0)@x64 [Windows 11@amd64]

Related/Dependent issues

#1143

Comments/Hints

This CVE should not be here:
https://github.com/devonfw/ide-urls/blob/f986619d46a944524589e69d214d8f9412aca588/docker/rancher/security.json#L106-L110

Further, the latest version of Rancher Desktop in our metadata is 1.21.0 (see here).
My Rancher Desktop installation is currently 1.20.1 and the update check does not show that an update is available.
I assume 1.21.0 is not yet marked for automatic roll-out so it seems our metadata is correct.
However, we have many more CVEs that do not seem to make sense then:
https://github.com/devonfw/ide-urls/blob/f986619d46a944524589e69d214d8f9412aca588/docker/rancher/security.json#L98C6-L106C4

Just some examples showing versions that actually do not exist, so they are also for the wrong product IMHO.
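The mechanism behind the false positives, as an added example that is not part of the issue or of the IDEasy/ide-urls code: the interval notation in the report is parsed with the usual Maven-style semantics (assumed here: `(` / `)` exclusive, `[` / `]` inclusive, empty bound = unbounded), and every Rancher Desktop 1.x version falls below all of Docker's upper bounds, so all five CVEs match. A plausibility check flags ranges whose bounds exceed the product's highest known release.

```python
import re

# Interval tuple: (lower, lower_inclusive, upper, upper_inclusive); None = unbounded
RANGE_RE = re.compile(r"([\[(])\s*([\d.]*)\s*,\s*([\d.]*)\s*([\])])")

# CVE data exactly as listed in the issue (CVE id, affected-versions spec)
CVES = [
    ("CVE-2019-5736", "[(,18.09.2)]"),
    ("CVE-2020-27534", "[(,19.03.9)]"),
    ("CVE-2021-21284", "[(,19.03.15), [20.0.0,20.10.3)]"),
    ("CVE-2021-21285", "[(,19.03.15), [20.0.0,20.10.3)]"),
    ("CVE-2022-25365", "[(,4.5.1)]"),
]

def parse_version(v):
    """'18.09.2' -> (18, 9, 2); tuples compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))

def parse_ranges(spec):
    """'[(,19.03.15), [20.0.0,20.10.3)]' -> list of interval tuples."""
    ranges = []
    for lo_b, lo, hi, hi_b in RANGE_RE.findall(spec):
        ranges.append((parse_version(lo) if lo else None, lo_b == "[",
                       parse_version(hi) if hi else None, hi_b == "]"))
    return ranges

def in_range(version, rng):
    lo, lo_incl, hi, hi_incl = rng
    v = parse_version(version)
    if lo is not None and (v < lo or (v == lo and not lo_incl)):
        return False
    if hi is not None and (v > hi or (v == hi and not hi_incl)):
        return False
    return True

def matching_cves(version, cves=CVES):
    """CVE ids whose affected-version spec contains `version`."""
    return [cve for cve, spec in cves if any(in_range(version, r) for r in parse_ranges(spec))]

def implausible_cves(latest_release, cves=CVES):
    """CVEs with a finite bound above the product's latest known release.

    A bound that no release of the product has ever reached is a strong hint
    that the range was written for a different product or version scheme."""
    latest = parse_version(latest_release)
    bad = []
    for cve, spec in cves:
        bounds = [b for lo, _, hi, _ in parse_ranges(spec) for b in (lo, hi) if b]
        if any(b > latest for b in bounds):
            bad.append(cve)
    return bad

if __name__ == "__main__":
    print("1.21.0 matches:", matching_cves("1.21.0"))          # all five
    print("implausible for 1.21.0:", implausible_cves("1.21.0"))  # all five
```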

Labels: security (CVEs or other vulnerabilities), workflow (GitHub actions (CI,CD,update urls/CVEs))