grype
CVE-2024-3154 found with latest version
What happened:
CVE found by trivy
| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| github.com/opencontainers/runc | CVE-2024-3154 | HIGH | fixed | v1.1.12 | 1.2.0-rc.1 | cri-o: Arbitrary command injection via pod annotation (https://avd.aquasec.com/nvd/cve-2024-3154) |
What you expected to happen:
No CVE found :)
How to reproduce it (as minimally and precisely as possible):
See MegaLinter build job: https://github.com/oxsecurity/megalinter/actions/runs/8862893746/job/24336363970?pr=3518
Dockerfile uses the following: `RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin`
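As an added check that is not part of this issue or of grype/trivy itself: trivy reports runc here because grype is a Go binary and the Go toolchain stamps the full module list into it; the script below reads that list with `go version -m` to confirm which runc version an installed grype actually carries and whether it is older than the fixed version in the table above. The `go` toolchain, the helper names and the sample module listing are assumptions.

```shell
#!/bin/sh
# Added example: verify a trivy "gobinary" finding against the module list
# embedded in the scanned Go binary. Requires a Go toolchain for `go version -m`;
# the constructed sample below lets the parsing run without one.

# Print the version of module $1 found in `go version -m` output read on stdin.
dep_version() {
    awk -v mod="$1" '$1 == "dep" && $2 == mod { print $3; exit }'
}

# Return 0 when version $1 is strictly older than version $2.
# Compares numeric major.minor.patch only: a leading "v" and a pre-release
# suffix such as "-rc.1" are dropped before comparing.
version_lt() {
    a=$(printf '%s' "$1" | sed 's/^v//; s/-.*//')
    b=$(printf '%s' "$2" | sed 's/^v//; s/-.*//')
    awk -v a="$a" -v b="$b" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1
    }'
}

# Return 0 when the runc module built into Go binary $1 is older than $2
# (for CVE-2024-3154 the fixed version from the trivy table is 1.2.0-rc.1).
check_binary() {
    v=$(go version -m "$1" | dep_version github.com/opencontainers/runc) || return 2
    [ -n "$v" ] && version_lt "$v" "$2"
}

# Constructed sample of `go version -m /usr/local/bin/grype` (hash is a placeholder).
SAMPLE='/usr/local/bin/grype: go1.21.7
	path	github.com/anchore/grype
	mod	github.com/anchore/grype	(devel)
	dep	github.com/opencontainers/runc	v1.1.12	h1:PLACEHOLDER
	dep	github.com/spf13/cobra	v1.8.0	h1:PLACEHOLDER'

runc=$(printf '%s\n' "$SAMPLE" | dep_version github.com/opencontainers/runc)
if version_lt "$runc" 1.2.0-rc.1; then
    echo "runc $runc embedded, older than fixed 1.2.0-rc.1: finding is real"
else
    echo "runc $runc embedded, not older than 1.2.0-rc.1"
fi
```

Run `check_binary /usr/local/bin/grype 1.2.0-rc.1` on the image itself to see whether a new grype release has actually picked up the fixed runc module.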
Anything else we need to know?:
Environment:
- Output of `grype version`: latest
- OS (e.g: `cat /etc/os-release` or similar): alpine linux
Note: Grype also finds this CVE :) We'll definitely get this updated once the new version is released.
@kzantow many thanks for your reactivity :)