anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

CVE-2024-3154 found with latest version #1834

Open nvuillam opened 2 months ago

nvuillam commented 2 months ago

What happened:

CVE found by trivy

┌────────────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────┐
│            Library             │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                         │
├────────────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────┤
│ github.com/opencontainers/runc │ CVE-2024-3154 │ HIGH     │ fixed  │ v1.1.12           │ 1.2.0-rc.1    │ cri-o: Arbitrary command injection via pod annotation │
│                                │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-3154             │
└────────────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────┘

What you expected to happen:

No CVE found :)

How to reproduce it (as minimally and precisely as possible):

See MegaLinter build job: https://github.com/oxsecurity/megalinter/actions/runs/8862893746/job/24336363970?pr=3518

Dockerfile uses the following: RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

Anything else we need to know?:

Environment:
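The table above is trivy's text rendering of one finding; a CI job normally consumes the JSON form instead. As an added example (not grype's, trivy's or MegaLinter's own code), the script below triages a report of that shape and decides whether the build should fail: it ranks severity, then compares the installed version with each listed fixed version using semver precedence, so a pre-release fix such as 1.2.0-rc.1 is still recognised as newer than v1.1.12 while a "fix" that is not actually an upgrade does not block. The JSON layout and field names (`Results[].Vulnerabilities[]`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) are assumptions modelled on trivy's JSON report, and the sample record is constructed from the table in this issue.

```python
import json
import sys

# Constructed sample shaped like a trivy JSON report (trivy ... --format json),
# carrying only the finding shown in the issue's table. Field names follow
# trivy's report schema as assumed here; this is not real scanner output.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "usr/local/bin/grype",
        "Type": "gobinary",
        "Vulnerabilities": [{
            "VulnerabilityID": "CVE-2024-3154",
            "PkgName": "github.com/opencontainers/runc",
            "InstalledVersion": "v1.1.12",
            "FixedVersion": "1.2.0-rc.1",
            "Status": "fixed",
            "Severity": "HIGH",
            "Title": "cri-o: Arbitrary command injection via pod annotation",
        }],
    }],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_version(text):
    """Split 'v1.2.0-rc.1' into ((1, 2, 0), ((1, 'rc'), (0, 1))).

    A leading 'v' and any '+build' suffix are dropped. Pre-release identifiers
    are keyed so numeric ones sort below alphanumeric ones, as semver requires.
    """
    text = text.strip().lstrip("vV").split("+", 1)[0]
    core, _, pre = text.partition("-")
    numbers = tuple(int(p) for p in core.split(".") if p.isdigit())
    prerelease = tuple(
        (0, int(p)) if p.isdigit() else (1, p) for p in pre.split(".")
    ) if pre else ()
    return numbers, prerelease


def version_lt(a, b):
    """True when version a is strictly older than version b."""
    core_a, pre_a = parse_version(a)
    core_b, pre_b = parse_version(b)
    width = max(len(core_a), len(core_b))
    core_a += (0,) * (width - len(core_a))  # so 1.2 compares equal to 1.2.0
    core_b += (0,) * (width - len(core_b))
    if core_a != core_b:
        return core_a < core_b
    if pre_a and not pre_b:  # 1.2.0-rc.1 is older than 1.2.0
        return True
    if not pre_a and pre_b:
        return False
    return pre_a < pre_b


def triage(report_json, min_severity="HIGH"):
    """Return findings at or above min_severity, each with its lowest real upgrade."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity.upper()]
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            severity = vuln.get("Severity", "UNKNOWN").upper()
            if SEVERITY_RANK.get(severity, 0) < threshold:
                continue
            installed = vuln.get("InstalledVersion", "")
            # trivy may list several fixed versions separated by commas; keep
            # only those that are genuinely newer than what is installed.
            fixes = [v.strip() for v in vuln.get("FixedVersion", "").split(",") if v.strip()]
            best = None
            for candidate in fixes:
                if version_lt(installed, candidate) and (best is None or version_lt(candidate, best)):
                    best = candidate
            findings.append({
                "id": vuln.get("VulnerabilityID"),
                "package": vuln.get("PkgName"),
                "target": result.get("Target"),
                "severity": severity,
                "installed": installed,
                "upgrade_to": best,  # None when no listed fix is an upgrade
            })
    return findings


def exit_code(findings):
    """1 when any finding has an upgrade available (fail the job), else 0."""
    return 1 if any(f["upgrade_to"] for f in findings) else 0


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else ""
    if not raw.strip():
        raw = SAMPLE_REPORT  # fall back to the constructed sample
    found = triage(raw)
    for f in found:
        action = f"upgrade to {f['upgrade_to']}" if f["upgrade_to"] else "no upgrade yet, track it"
        print(f"{f['severity']:8} {f['id']} {f['package']} {f['installed']} -> {action}")
    sys.exit(exit_code(found))
```

Pipe a real report in with `trivy image --format json <image> | python triage.py`, or run it without input to see the constructed sample. Findings whose only listed fix is not newer than the installed version are still printed for tracking but do not fail the job, which avoids a red build on a false "fixed" entry while keeping it visible.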

kzantow commented 2 months ago

Note: Grype also finds this CVE :) We'll definitely get this updated once the new version is released.

nvuillam commented 2 months ago

@kzantow many thanks for your reactivity :)