# general
Hello @Stefano Bonicatti, I would like to request an update to lib expat from 2.4.7 to 2.4.9 https://nvd.nist.gov/vuln/detail/CVE-2022-43680 please let me know if I need to file an issue on github.
Hello @Grant, thanks for the heads up, it seems we were using an incorrect name for the library CPE and this got missed. There's another CVE, which is https://nvd.nist.gov/vuln/detail/CVE-2022-40674. I will open a PR to update the manifest so that the automatic scanner will open issues on its own. Looking at the code, for the first one you linked I'm a bit more confident that it's not being hit by osquery; the second one doesn't seem to be either, but I'm less confident (I just had a quick look). That being said, expat is only used for the d-bus library on Linux, and the only thing we do with d-bus is use it to communicate with the system to get systemd units and similar, so it seems hard to exploit from the start, and even harder without admin privileges.
I should clarify that with "hit by osquery" I meant that there's likely no path in osquery where the affected function is used. There's still another step, which is whether the issue can actually happen with the usage that dbus makes of it.
Thanks @Stefano Bonicatti, it's our internal tools that are flagging the issue. Even if it's not hit by osquery, it would be great to just not have any high/red flags. Thanks again!