Vulnerability - Edge version vs. Chromium version

Hello Everyone,

We are new customers of Rapid7 InsightVM and we’re seeing 4 vulnerabilities related to the Edge Chromium browser. These are CVE-2024-5157 through 5160. These are false as far as I can tell.

The proof says: “Vulnerable software installed: Microsoft Edge 125.0.2535.85” and in the links below, the MS link says that 125.0.2535.67 is the fixed version.

I had a bit of a back and forth with Francis from support (Case # 07050326) and he revealed the logic that Rapid7 uses for this:

Our check for this CVE-2024-5158 states that any version within the range will be flagged as vulnerable.

<Product vendor="Microsoft" family="Edge">
  <version>
    <range>
      <low inclusive="1">79.0.0.0</low>
      <high inclusive="0">125.0.6422.76</high>
    </range>
  </version>
</Product>

That 125.0.6422.76 is a Chromium version. Edge is not up to 6422 yet. The last vulnerable version of Edge was 125.0.2535.51. Am I totally off base here?

Scott
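To make the range logic quoted above concrete, here is an added example (my own code, not Scott's and not Rapid7's check engine) that parses the quoted fragment, applies the `inclusive` flags the way the post describes, and evaluates the Edge versions mentioned in the thread against it. The corrected check is an assumption on my part: it simply swaps the high bound for the Edge fixed version cited from the MS link (125.0.2535.67); the version list is constructed from the numbers in the thread.

```python
import xml.etree.ElementTree as ET

# Copy of the check fragment quoted in the thread (the one with the Chromium build as its high bound).
ORIGINAL_CHECK = """
<Product vendor="Microsoft" family="Edge">
  <version>
    <range>
      <low inclusive="1">79.0.0.0</low>
      <high inclusive="0">125.0.6422.76</high>
    </range>
  </version>
</Product>
"""

# Hypothetical corrected check: the same fragment with the Edge fixed version
# from the MS link as the (exclusive) high bound. This is an assumption for
# illustration, not Rapid7's actual corrected content.
CORRECTED_CHECK = ORIGINAL_CHECK.replace("125.0.6422.76", "125.0.2535.67")

# Constructed list of Edge versions named in the thread.
EDGE_VERSIONS = [
    "125.0.2535.51",  # last vulnerable Edge build per the post
    "125.0.2535.67",  # fixed version per the MS link
    "125.0.2535.85",  # version InsightVM found installed
]


def parse_version(text):
    """Turn '125.0.2535.85' into (125, 0, 2535, 85) so tuple comparison orders builds correctly."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_range(xml_text):
    """Read low/high bounds and their inclusive flags from a <Product> fragment."""
    root = ET.fromstring(xml_text)
    low = root.find("./version/range/low")
    high = root.find("./version/range/high")
    return {
        "low": parse_version(low.text),
        "low_inclusive": low.get("inclusive") == "1",
        "high": parse_version(high.text),
        "high_inclusive": high.get("inclusive") == "1",
    }


def in_range(version, rng):
    """True when version sits inside the range, honouring inclusive="1"/"0" on each bound."""
    v = parse_version(version)
    above_low = v >= rng["low"] if rng["low_inclusive"] else v > rng["low"]
    below_high = v <= rng["high"] if rng["high_inclusive"] else v < rng["high"]
    return above_low and below_high


def flagged_versions(xml_text, installed_versions):
    """Return the installed versions the check would report as vulnerable."""
    rng = parse_range(xml_text)
    return [v for v in installed_versions if in_range(v, rng)]


if __name__ == "__main__":
    # With the Chromium build as the high bound, every Edge 125.0.2535.x build is
    # below 125.0.6422.76 and therefore flagged, including the patched ones.
    print("original check flags:", flagged_versions(ORIGINAL_CHECK, EDGE_VERSIONS))
    # With the Edge fixed version as the high bound only the pre-fix build is flagged.
    print("corrected check flags:", flagged_versions(CORRECTED_CHECK, EDGE_VERSIONS))
```

The point the output makes is the one in the post: because 2535 compares below 6422 in the third component, the original range covers every Edge build that exists, so a patched 125.0.2535.85 is flagged alongside the genuinely vulnerable 125.0.2535.51. Replacing the high bound with the Edge fixed version restores the intended boundary, with the exclusive flag keeping 125.0.2535.67 itself out of the vulnerable set.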

I am seeing the same vulnerabilities in our systems; what would be the right solution for this?


The solution would be for Rapid7 to adjust their criteria for the vulnerability. They have all Edge versions as being vulnerable now because the upper end of the check is a Chromium version instead of an Edge version.

Hi,

This does look to be an issue with the content automation picking up the Chromium version instead of the Edge version.

This has been corrected and will be available later today in the content release.

We are also reviewing why we picked up the Chromium version and will update our automation to prevent this in the future.
