
Multiple CVEs reported by Trivy scan tool for 0.41.0

Open Kisan-hpe opened this issue 8 months ago • 2 comments

Hi @nickwales, the listed CVEs for v0.41.0 include HIGH. Looks like the Go version needs to be bumped.

Vulnerabilities Summary

Total: 4
Severity: UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| github.com/hashicorp/consul-template | CVE-2022-38149 | HIGH | fixed | v0.0.0-20250605131708-e460accf864d+dirty | 0.27.3, 0.28.3, 0.29.2 | Consul Template may expose Vault secrets when processing invalid input |
| stdlib | CVE-2025-22874 | HIGH | | 1.24.3 | 1.23.10, 1.24.4 | crypto/x509: Usage of ExtKeyUsageAny disables policy validation |
| stdlib | CVE-2025-0913 | MEDIUM | | | | Inconsistent handling of `O_CREATE |
| stdlib | CVE-2025-4673 | MEDIUM | | | | Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin requests |

Kisan-hpe avatar May 06 '25 17:05 Kisan-hpe

Hi @nickwales Do we have any updates to fix these?

Kisan-hpe avatar Jun 06 '25 13:06 Kisan-hpe

Hi, do we have any updates to fix these CVEs?

Kisan-hpe avatar Jun 16 '25 11:06 Kisan-hpe

`v0.0.0-20250605131708-e460accf864d+dirty`

by `go version -m <binary>`:

```
        path    github.com/hashicorp/consul-template
        mod     github.com/hashicorp/consul-template    v0.0.0-20250605131708-e460accf864d+dirty
```

1. tags were not fetched during CI
2. dirty -> the dist folder is not git-ignored (and CI copied the LICENSE file into it)

mod scm info is added in Go 1.24 (for go 1.23.x or earlier, it's `(devel)`). The Hashicorp team may need to adjust the CI workflow for this change.

yhlee-tw avatar Jun 16 '25 20:06 yhlee-tw

Hey @Kisan-hpe these are fixed in main. I'll work on the next patch release to get this out.

sreeram77 avatar Jul 09 '25 12:07 sreeram77

Hi @sreeram77, do you have an estimate on when the new version will be released?

Kisan-hpe avatar Jul 10 '25 05:07 Kisan-hpe

Hi @sreeram77, any updates on when the fix version will be released?

Kisan-hpe avatar Jul 21 '25 12:07 Kisan-hpe

@sreeram77 fyi v0.41.1 still has dirty mod info.

```
mod	github.com/hashicorp/consul-template	v0.0.0-20250724053005-80a4e25999b2+dirty
```

see also https://github.com/hashicorp/consul-template/issues/2056#issuecomment-2977964157

yhlee-tw avatar Jul 29 '25 22:07 yhlee-tw
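As an added illustration of the point made in the two comments above about `go version -m` output (this is example code, not part of the thread or of the consul-template project): a small shell helper that extracts the main module's recorded version from that output and flags a pseudo-version or a `+dirty` suffix, which is what prevents a scanner from matching the binary to a tagged release. The sample outputs `SAMPLE_DIRTY` and `SAMPLE_CLEAN` are constructed to mirror the lines quoted in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example: inspect the main-module version that `go version -m` embeds in
# a Go binary and flag builds that scanners cannot map to a tagged release.
# SAMPLE_DIRTY / SAMPLE_CLEAN are constructed to mirror the thread's lines;
# real output comes from: go version -m /path/to/consul-template

SAMPLE_DIRTY=$(printf 'consul-template: go1.24.3\n\tpath\tgithub.com/hashicorp/consul-template\n\tmod\tgithub.com/hashicorp/consul-template\tv0.0.0-20250605131708-e460accf864d+dirty\n\tbuild\tvcs=git\n\tbuild\tvcs.modified=true\n')

SAMPLE_CLEAN=$(printf 'consul-template: go1.24.4\n\tpath\tgithub.com/hashicorp/consul-template\n\tmod\tgithub.com/hashicorp/consul-template\tv0.41.1\n\tbuild\tvcs=git\n\tbuild\tvcs.modified=false\n')

# main_module_version OUTPUT: print the version column of the "mod" line.
# The go tool prints tab-separated fields with a leading tab, so the keyword
# is field 2 and the version is field 4.
main_module_version() {
  printf '%s\n' "$1" | awk -F '\t' '$2 == "mod" { print $4; exit }'
}

# classify_version VERSION: one of dirty, pseudo, release, unknown.
#   dirty   - built from a working tree with uncommitted changes (+dirty)
#   pseudo  - vX.Y.Z-yyyymmddhhmmss-commit, i.e. no reachable tag at build time
#   release - a plain semver tag such as v0.41.1
#   unknown - anything else, e.g. "(devel)" from older toolchains
classify_version() {
  _ver="$1"
  case "$_ver" in
    *+dirty) echo dirty; return 0 ;;
  esac
  if printf '%s\n' "$_ver" | grep -Eq -- '-[0-9]{14}-[0-9a-f]{12}$'; then
    echo pseudo
  elif printf '%s\n' "$_ver" | grep -Eq -- '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
    echo release
  else
    echo unknown
  fi
}

# check_modinfo OUTPUT: succeed only when the main module carries a clean
# release tag; print a one-line verdict either way.
check_modinfo() {
  _mv=$(main_module_version "$1")
  _kind=$(classify_version "$_mv")
  echo "main module version: ${_mv:-<none>} ($_kind)"
  [ "$_kind" = release ]
}

check_modinfo "$SAMPLE_DIRTY" || echo "-> tags were not fetched and/or the tree was dirty at build time"
check_modinfo "$SAMPLE_CLEAN" && echo "-> a scanner can match this binary to a tagged release"
```

Running `check_modinfo "$(go version -m ./consul-template)"` in a release pipeline gives a cheap gate: a non-zero exit means the artifact will show up in Trivy under a pseudo-version rather than the release that was actually built.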

Hi @sreeram77, we are still facing the issue for a couple of CVEs present in 0.41.1. Do we have updates to fix these?

Kisan-hpe avatar Aug 25 '25 06:08 Kisan-hpe

Hi @sreeram77 I raised this in June regarding multiple CVEs in the consul-template latest image. We’re blocked as the latest version still has these CVEs.

Is there a plan for a new release soon?

Kisan-hpe avatar Sep 01 '25 09:09 Kisan-hpe

Hey @Kisan-hpe, v0.41.1 was released on 24th July with an upgrade to go 1.24.4, which addresses the above issues. If you have discovered any new issues, please share and we'll take a look at it.

sreeram77 avatar Sep 01 '25 14:09 sreeram77

Hi @sreeram77, we still have active CVEs as below.

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| github.com/hashicorp/consul-template | CVE-2022-38149 | HIGH | fixed | v0.0.0-20250724053005-80a4e25999b2+dirty | 0.27.3, 0.28.3, 0.29.2 | consul: Consul Template May Expose Vault Secrets When Processing Invalid Input |
| stdlib | CVE-2025-47907 | HIGH | fixed | 1.24.4 | 1.23.12, 1.24.6 | database/sql: Postgres Scan Race Condition |

Kisan-hpe avatar Sep 01 '25 14:09 Kisan-hpe

@Kisan-hpe please raise a new issue for these. Also, the first issue in this list seems to be a solved issue; the fix version is mentioned as 0.27.3, 0.28.3, 0.29.2.

sreeram77 avatar Sep 01 '25 14:09 sreeram77