
Critical vulnerability in `trivy-operator:0.22.0` image (CVE-2024-41110)

Open baksetercx opened this issue 1 year ago • 3 comments

What steps did you take and what happened:

1. docker pull ghcr.io/aquasecurity/trivy-operator:0.22.0

2. trivy image ghcr.io/aquasecurity/trivy-operator:0.22.0 --severity CRITICAL

Produces:

2024-08-08T16:34:31.593+0200	INFO	Vulnerability scanning is enabled
2024-08-08T16:34:31.593+0200	INFO	Secret scanning is enabled
2024-08-08T16:34:31.593+0200	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-08T16:34:31.593+0200	INFO	Please see also https://aquasecurity.github.io/trivy/v0.44/docs/scanner/secret/#recommendation for faster secret detection
2024-08-08T16:34:31.683+0200	INFO	Detected OS: alpine
2024-08-08T16:34:31.683+0200	INFO	This OS version is not on the EOL list: alpine 3.19
2024-08-08T16:34:31.683+0200	INFO	Detecting Alpine vulnerabilities...
2024-08-08T16:34:31.684+0200	INFO	Number of language-specific files: 1
2024-08-08T16:34:31.684+0200	INFO	Detecting gobinary vulnerabilities...

ghcr.io/aquasecurity/trivy-operator:0.22.0 (alpine 3.19.1)
==========================================================
Total: 0 (CRITICAL: 0)


usr/local/bin/trivy-operator (gobinary)
=======================================
Total: 1 (CRITICAL: 1)

┌──────────────────────────┬────────────────┬──────────┬────────┬──────────────────────┬─────────────────────────────────┬────────────────────────────────────────────┐
│         Library          │ Vulnerability  │ Severity │ Status │  Installed Version   │          Fixed Version          │                   Title                    │
├──────────────────────────┼────────────────┼──────────┼────────┼──────────────────────┼─────────────────────────────────┼────────────────────────────────────────────┤
│ github.com/docker/docker │ CVE-2024-41110 │ CRITICAL │ fixed  │ v26.1.3+incompatible │ 23.0.14, 26.1.4, 27.1.0, 25.0.6 │ moby: Authz zero length regression         │
│                          │                │          │        │                      │                                 │ https://avd.aquasec.com/nvd/cve-2024-41110 │
└──────────────────────────┴────────────────┴──────────┴────────┴──────────────────────┴─────────────────────────────────┴────────────────────────────────────────────┘

What did you expect to happen:

No critical vulnerabilities.

Anything else you would like to add:

The same vulnerability is also reported by Trivy Operator running in Kubernetes, not just locally using the Trivy CLI.

Environment:

  • Trivy-Operator version (use trivy-operator version): v0.22.0
  • Kubernetes version (use kubectl version): v1.28.9
  • OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc): Debian testing

baksetercx avatar Aug 08 '24 14:08 baksetercx
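The report above reads the finding off Trivy's table by eye; in CI you usually want the same decision made from `trivy image --format json`. The script below is an added example (not code from the trivy-operator project or from anyone in this issue) that flattens a Trivy JSON report, keeps findings at or above a severity threshold that have a fix, and picks the upgrade target from Trivy's comma-separated FixedVersion list. It assumes the report fields `Results[].Target` and `Results[].Vulnerabilities[].{VulnerabilityID,PkgName,InstalledVersion,FixedVersion,Severity,Status}` as Trivy emits them; the two embedded reports are constructed to mirror the 0.22.0 table above and the 0.23.0 table later in the thread, not captured scanner output.

```python
"""Gate on actionable findings in a Trivy JSON report.

Added example (not trivy-operator code). Assumes the report layout produced by
`trivy image --format json`: Results[].Vulnerabilities[] with the fields
VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity and Status.
"""
import json
import re
from typing import Optional

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample mirroring the 0.22.0 table in the issue (not real Trivy output).
SAMPLE_REPORT_0_22 = json.dumps({
    "ArtifactName": "ghcr.io/aquasecurity/trivy-operator:0.22.0",
    "Results": [
        {"Target": "ghcr.io/aquasecurity/trivy-operator:0.22.0 (alpine 3.19.1)",
         "Class": "os-pkgs", "Type": "alpine"},
        {"Target": "usr/local/bin/trivy-operator", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [{
             "VulnerabilityID": "CVE-2024-41110",
             "PkgName": "github.com/docker/docker",
             "InstalledVersion": "v26.1.3+incompatible",
             "FixedVersion": "23.0.14, 26.1.4, 27.1.0, 25.0.6",
             "Severity": "CRITICAL", "Status": "fixed",
             "Title": "moby: Authz zero length regression"}]},
    ],
})

# Constructed sample mirroring the 0.23.0 table later in the thread.
SAMPLE_REPORT_0_23 = json.dumps({
    "ArtifactName": "mirror.gcr.io/aquasec/trivy-operator:0.23.0",
    "Results": [
        {"Target": "mirror.gcr.io/aquasec/trivy-operator:0.23.0 (alpine 3.20.3)",
         "Class": "os-pkgs", "Type": "alpine"},
        {"Target": "usr/local/bin/trivy-operator", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [{
             "VulnerabilityID": "CVE-2024-51744",
             "PkgName": "github.com/golang-jwt/jwt/v4",
             "InstalledVersion": "v4.5.0", "FixedVersion": "4.5.1",
             "Severity": "LOW", "Status": "fixed"}]},
    ],
})


def parse_version(v: str) -> tuple:
    """'v26.1.3+incompatible' -> (26, 1, 3). Drops the 'v' prefix, build metadata
    (+...) and pre-release (-...) so Go module strings compare like plain semver."""
    core = re.split(r"[+-]", v.strip().lstrip("v"), maxsplit=1)[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def upgrade_target(installed: str, fixed: str) -> Optional[str]:
    """Trivy lists one fixed version per maintained release branch (here 23.x, 25.x,
    26.x, 27.x). Prefer the smallest fix above the installed version on the same
    major, falling back to the smallest fix above it on any branch."""
    inst = parse_version(installed)
    cands = sorted((parse_version(f), f.strip()) for f in fixed.split(",") if f.strip())
    for ver, raw in cands:
        if ver[0] == inst[0] and ver > inst:
            return raw
    for ver, raw in cands:
        if ver > inst:
            return raw
    return None


def actionable_findings(report_json: str, min_severity: str = "CRITICAL",
                        ignore_unfixed: bool = True) -> list:
    """Flatten a report into findings at or above min_severity. With ignore_unfixed,
    entries with no FixedVersion (nothing to upgrade to) are dropped, matching
    `trivy --ignore-unfixed`."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    out = []
    for result in report.get("Results", []):
        # Trivy omits the key entirely when a target has no findings.
        for vuln in result.get("Vulnerabilities", []):
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            fixed = vuln.get("FixedVersion", "")
            if ignore_unfixed and not fixed:
                continue
            out.append({
                "target": result.get("Target"),
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln["InstalledVersion"],
                "upgrade_to": upgrade_target(vuln["InstalledVersion"], fixed) if fixed else None,
            })
    return out


def gate_exit_code(report_json: str, min_severity: str = "CRITICAL") -> int:
    """1 if anything actionable remains, else 0 (same contract as `trivy --exit-code 1`)."""
    return 1 if actionable_findings(report_json, min_severity) else 0


if __name__ == "__main__":
    for name, rep in (("0.22.0", SAMPLE_REPORT_0_22), ("0.23.0", SAMPLE_REPORT_0_23)):
        for f in actionable_findings(rep):
            print(f"{name}: {f['id']} in {f['pkg']} {f['installed']} -> upgrade to {f['upgrade_to']}")
        print(f"{name}: exit code {gate_exit_code(rep)}")
```

Without a script, the same gate is a single invocation: `trivy image --severity CRITICAL --ignore-unfixed --exit-code 1 ghcr.io/aquasecurity/trivy-operator:0.22.0`. What the script adds is the upgrade target: Trivy prints four fixed versions because the moby fix was backported to four release branches, and only 26.1.4 is the drop-in for the v26.1.3 the binary was built with. Note also which target carries the finding: it is the Go binary at usr/local/bin/trivy-operator, not the Alpine base (which reports zero), so rebuilding on a newer base image does nothing; the module version compiled into the binary has to change.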

PR to uplift the docker library (and grpc) - I'm surprised Dependabot didn't raise a PR.

Hacks4Snacks avatar Aug 08 '24 15:08 Hacks4Snacks

This issue is stale because it has been labeled with inactivity.

github-actions[bot] avatar Oct 08 '24 00:10 github-actions[bot]

Any update on this?

baksetercx avatar Oct 16 '24 13:10 baksetercx

This is still an issue; my alerting also notified me about the critical CVE.

u3813 avatar Nov 25 '24 14:11 u3813

It should be fixed in v0.23.0:

$ trivy i mirror.gcr.io/aquasec/trivy-operator:0.23.0
2024-11-26T15:58:36+06:00	INFO	[vuln] Vulnerability scanning is enabled
2024-11-26T15:58:36+06:00	INFO	[secret] Secret scanning is enabled
2024-11-26T15:58:36+06:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-26T15:58:36+06:00	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-26T15:58:37+06:00	INFO	Detected OS	family="alpine" version="3.20.3"
2024-11-26T15:58:37+06:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.20" repository="3.20" pkg_num=14
2024-11-26T15:58:37+06:00	INFO	Number of language-specific files	num=1
2024-11-26T15:58:37+06:00	INFO	[gobinary] Detecting vulnerabilities...

mirror.gcr.io/aquasec/trivy-operator:0.23.0 (alpine 3.20.3)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


usr/local/bin/trivy-operator (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌──────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────┐
│           Library            │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                        │
├──────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────┤
│ github.com/golang-jwt/jwt/v4 │ CVE-2024-51744 │ LOW      │ fixed  │ v4.5.0            │ 4.5.1         │ golang-jwt: Bad documentation of error handling in │
│                              │                │          │        │                   │               │ ParseWithClaims can lead to potentially...         │
│                              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-51744         │
└──────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────┘

afdesk avatar Nov 26 '24 09:11 afdesk