
Latest image v2.322.0 has vulnerability CVE-2024-45337

Open JohnnyChengOura opened this issue 10 months ago • 2 comments

Hi,

I think since the latest release CVE-2024-45337 got promoted to a CRITICAL vulnerability risk. I've tried updating the docker packages in the image but am still unable to get this patched.

We are using WIZ as our vulnerability scanner.

Library vulnerabilities:
    Name: golang.org/x/crypto, Version: 0.27.0, Path: /usr/local/lib/docker/cli-plugins/docker-buildx
        Failed policy: Default vulnerabilities policy
        CVE-2024-45337, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v778-237x-gjrc
            Fixed version: 0.31.0
    Name: golang.org/x/net, Version: 0.29.0, Path: /usr/local/lib/docker/cli-plugins/docker-buildx
        CVE-2024-45338, Severity: HIGH, Source: https://github.com/advisories/GHSA-w32m-9786-jp63
            Fixed version: 0.33.0

JohnnyChengOura avatar Feb 15 '25 16:02 JohnnyChengOura
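To verify whether the module versions the scanner reports are really what the buildx binary embeds, the following added script (not from this issue or the runner project) parses `go version -m` output and compares each module against the fixed versions quoted above. The sample output is constructed, and `check_binary` assumes a Go toolchain is on PATH.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# Fixed versions taken from the scanner output quoted in the issue.
FIXED_VERSIONS = {
    "golang.org/x/crypto": "0.31.0",  # CVE-2024-45337
    "golang.org/x/net": "0.33.0",     # CVE-2024-45338
}

# Constructed sample of `go version -m <binary>` output (not real buildx output).
# Dependency lines have the shape "\tdep\t<module>\t<version>\t<hash>".
SAMPLE_GO_VERSION_M = """/usr/local/lib/docker/cli-plugins/docker-buildx: go1.22.7
\tpath\tgithub.com/docker/buildx/cmd/buildx
\tmod\tgithub.com/docker/buildx\tv0.0.0\th1:constructed
\tdep\tgolang.org/x/crypto\tv0.27.0\th1:constructed
\tdep\tgolang.org/x/net\tv0.29.0\th1:constructed
\tdep\tgolang.org/x/sys\tv0.25.0\th1:constructed
"""

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'v0.27.0', a pseudo-version 'v0.0.0-2024...-abc' or 'v2.0.0+incompatible'
    into a comparable tuple of the core numeric components."""
    core = re.split(r"[-+]", v.lstrip("v"), maxsplit=1)[0]
    return tuple(int(p) for p in core.split("."))

def parse_go_modules(output: str) -> Dict[str, str]:
    """Map module path -> embedded version for every 'dep' line."""
    mods: Dict[str, str] = {}
    for line in output.splitlines():
        parts = line.split("\t")  # expected: ['', 'dep', module, version, hash]
        if len(parts) >= 4 and parts[1] == "dep":
            mods[parts[2]] = parts[3]
    return mods

def find_vulnerable(output: str, fixed=FIXED_VERSIONS) -> List[Tuple[str, str, str]]:
    """Return (module, embedded_version, fixed_version) for modules below the fix."""
    mods = parse_go_modules(output)
    return [(m, mods[m], fix) for m, fix in fixed.items()
            if m in mods and parse_version(mods[m]) < parse_version(fix)]

def check_binary(path: str) -> List[Tuple[str, str, str]]:
    """Inspect a real Go binary; requires the `go` tool to be installed."""
    out = subprocess.run(["go", "version", "-m", path],
                         capture_output=True, text=True, check=True).stdout
    return find_vulnerable(out)

if __name__ == "__main__":
    for module, have, fix in find_vulnerable(SAMPLE_GO_VERSION_M):
        print(f"{module} {have} is below fixed version {fix}")
```

Run `check_binary("/usr/local/lib/docker/cli-plugins/docker-buildx")` inside the runner image to see whether a newer release actually rebuilt buildx with the patched modules, rather than relying on the scanner alone.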

Following up, I have the same issue.

juansoliswgu avatar Mar 07 '25 16:03 juansoliswgu

Could this have been fixed now with…?

  • https://github.com/actions/runner/pull/3750
  • https://github.com/actions/runner/releases/tag/v2.323.0

MPV avatar Mar 22 '25 07:03 MPV

@MPV still appears in my veracode scans with latest release, please fix

juansoliswgu avatar Apr 23 '25 19:04 juansoliswgu