False Positive: GHSA-38jv-5279-wg99 (CVE-2026-21441) urllib3 coming from Python ecosystem #3296

@etarast

Description

What happened:

Scan on image that has python3-urllib3-1.25.10-150300.4.21.1.noarch installed.
Exactly the same with python311-urllib3-2.0.7-150400.7.27.1.noarch installed: https://www.suse.com/security/cve/CVE-2026-21441.html

It generates this vulnerability:

urllib3 1.25.10 2.6.3 python GHSA-38jv-5279-wg99 High < 0.1% (6th) < 0.1
urllib3 2.0.7 2.6.3 python GHSA-38jv-5279-wg99 High < 0.1% (6th) < 0.1

What you expected to happen:

According to the SUSE advisory GHSA-9wx4-h78v-vm56

See this link: https://www.suse.com/security/cve/CVE-2024-35195.html

SUSE Linux Enterprise Server 15 SP7
python3-urllib3 >= 1.25.10-150300.4.21.1
python311-urllib3 >= 2.0.7-150400.7.24.1
python311-urllib3_1 >= 1.26.18-150600.3.6.1

Installed versions in the container:
python3-urllib3-1.25.10-150300.4.21.1.noarch
python311-urllib3-2.0.7-150400.7.27.1.noarch

Conclusion:
The SUSE advisory shows it fixed from version python3-requests >= 1.25.10-150300.4.21.1.noarch.
The container image is using the same version, python3-requests-1.25.10-150300.4.21.1.noarch.
The minimum requirement from SLES 15 SP7 is already met; hence the vulnerability here is a false positive.
At the OS-ecosystem level, we are at the right recommended level.

If the OS vendor applied a patch:
A) Will it override the programming language?
B) Can Grype ignore the module found in the Python ecosystem?

How to reproduce it (as minimally and precisely as possible):

Create a Dockerfile with this content:

```Dockerfile
FROM registry.suse.com/suse/sle15:15.6

RUN zypper install -l -y python3 python3-pip
RUN zypper install -l -y python311

RUN zypper in -y --no-recommends python311-urllib3=2.0.7-150400.7.21.1
RUN python3 -m pip install urllib3==1.25.11

ENTRYPOINT [""]
CMD ["bash"]
```

Build an image from the Dockerfile:

```shell
$ docker build --network=host -t "suse15.7_python311-urllib3:v1" .
```

Run Syft (the filter is `grep urllib3`; the output below is what it prints):

```shell
$ syft suse15.7_python311-urllib3:v1 | grep urllib3
python311-urllib3 2.0.7-150400.7.21.1 rpm
urllib3 1.25.11 python
urllib3 2.0.7 python
```

Test with Grype against the image built above:

```shell
$ grype --distro sles:15.6 suse15.7_python311-urllib3:v1 | grep urllib3

urllib3 1.25.11 2.6.3 python GHSA-38jv-5279-wg99 High < 0.1% (7th) < 0.1
urllib3 2.0.7 2.6.3 python GHSA-38jv-5279-wg99 High < 0.1% (7th) < 0.1
```

Environment:

Output of grype version: 0.108.0
OS (e.g: cat /etc/os-release or similar):

```
NAME="SLES"
VERSION="15-SP6"
VERSION_ID="15.6"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP6"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp6"
DOCUMENTATION_URL="https://documentation.suse.com/"
```
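The comparison the report does by hand (is the Python-ecosystem package the same upstream version that a SUSE RPM ships?) can be automated from Syft's JSON output. The script below is an added example, not Grype's or Syft's own code. It reads a constructed, abridged Syft document (`syft <image> -o json` produces the real thing), pairs every `python` artifact with a `python3*-<project>` RPM at the same upstream version, and emits Grype ignore rules (the `ignore:` list of `.grype.yaml`, using the documented `vulnerability` and `package.name/version/type` keys) pinned to the exact name and version, so a pip-installed copy with no RPM behind it, like urllib3 1.25.11 in the reproduction above, keeps being reported. The RPM naming regex, the sample file paths and the assumption that version equality means the RPM owns that install are mine; whether the vendor backport actually addresses the GHSA being suppressed still has to be confirmed against the SUSE advisory before the rule is committed.

```python
import json
import re

# Constructed, abridged Syft JSON document; only the name/version/type/locations
# fields used below are included (a real document carries many more).
SAMPLE_SYFT_JSON = json.dumps({
    "artifacts": [
        {"name": "python311-urllib3", "version": "2.0.7-150400.7.21.1", "type": "rpm",
         "locations": [{"path": "/usr/lib/sysimage/rpm/Packages.db"}]},
        {"name": "python3-urllib3", "version": "1.25.10-150300.4.21.1", "type": "rpm",
         "locations": [{"path": "/usr/lib/sysimage/rpm/Packages.db"}]},
        {"name": "urllib3", "version": "2.0.7", "type": "python",
         "locations": [{"path": "/usr/lib/python3.11/site-packages/urllib3-2.0.7.dist-info/METADATA"}]},
        {"name": "urllib3", "version": "1.25.10", "type": "python",
         "locations": [{"path": "/usr/lib/python3.6/site-packages/urllib3-1.25.10-py3.6.egg-info/PKG-INFO"}]},
        # pip-installed copy with no RPM behind it: must NOT be suppressed
        {"name": "urllib3", "version": "1.25.11", "type": "python",
         "locations": [{"path": "/usr/local/lib/python3.6/site-packages/urllib3-1.25.11.dist-info/METADATA"}]},
    ]
})

# Assumed SUSE naming scheme: python3-<proj>, python311-<proj>, python311-<proj>_1 (parallel build)
RPM_PREFIX = re.compile(r"^python\d*-")
RPM_SUFFIX = re.compile(r"_\d+$")


def canonical(name):
    """PyPI-style normalisation so 'Foo_Bar' and 'foo-bar' compare equal."""
    return name.lower().replace("_", "-")


def normalize_rpm_name(rpm_name):
    """'python311-urllib3_1' -> 'urllib3': strip interpreter prefix and parallel-build suffix."""
    return canonical(RPM_SUFFIX.sub("", RPM_PREFIX.sub("", rpm_name)))


def upstream_version(rpm_version):
    """'1.25.10-150300.4.21.1' -> '1.25.10' (drop the distro release part)."""
    return rpm_version.split("-", 1)[0]


def classify_python_packages(syft_json):
    """Split python-ecosystem artifacts into RPM-backed and unbacked ones.

    Returns (backed, unbacked): backed holds (py name, py version, rpm name, rpm version)
    tuples, unbacked holds (py name, py version). A python package counts as RPM-backed
    only when an RPM ships the same project at the same upstream version, so a
    pip-installed copy sitting next to the distro one is still reported.
    """
    doc = json.loads(syft_json)
    rpms = {}
    for art in doc["artifacts"]:
        if art["type"] == "rpm":
            key = (normalize_rpm_name(art["name"]), upstream_version(art["version"]))
            rpms[key] = (art["name"], art["version"])
    backed, unbacked = [], []
    for art in doc["artifacts"]:
        if art["type"] != "python":
            continue
        key = (canonical(art["name"]), art["version"])
        if key in rpms:
            backed.append((art["name"], art["version"]) + rpms[key])
        else:
            unbacked.append((art["name"], art["version"]))
    return backed, unbacked


def ignore_rules(backed, vulnerability_id):
    """Grype `ignore:` entries pinned to package name, version and ecosystem type."""
    return [
        {"vulnerability": vulnerability_id,
         "package": {"name": name, "version": version, "type": "python"}}
        for name, version, _rpm, _rpm_version in backed
    ]


def render_grype_yaml(rules):
    """Render the rules as the `ignore:` section of .grype.yaml (no PyYAML needed)."""
    out = ["ignore:"]
    for rule in rules:
        out.append(f"  - vulnerability: {rule['vulnerability']}")
        out.append("    package:")
        for key in ("name", "version", "type"):
            out.append(f"      {key}: {rule['package'][key]}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    backed, unbacked = classify_python_packages(SAMPLE_SYFT_JSON)
    for py_name, py_ver, rpm, rpm_ver in backed:
        print(f"{py_name} {py_ver} (python) is provided by {rpm} {rpm_ver} (rpm)")
    for py_name, py_ver in unbacked:
        print(f"{py_name} {py_ver} (python) has no RPM behind it: keep the finding")
    print(render_grype_yaml(ignore_rules(backed, "GHSA-38jv-5279-wg99")))
```

Pinning `version` in each rule is deliberate: a rule on name and type alone would also silence the pip-installed 1.25.11, which no RPM backport covers. Run the emitted YAML through `grype -c .grype.yaml` and keep the RPM version in review notes so the rule can be revisited when the package is rebuilt.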

Labels: bug (Something isn't working), package-overlap (Issues where two packages, e.g. a pypi package and an RPM, own overlapping files)