Closed MallocArray closed 6 days ago
SUMMARY
requirements.txt has
azure-identity==1.14.0
which now has a vulnerability associated with it. https://avd.aquasec.com/nvd/2024/cve-2024-35255/
Fixed in 1.16.1
ISSUE TYPE
COMPONENT NAME
azure-identity
ANSIBLE VERSION
ansible [core 2.16.7]
  config file = /runner/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.11/site-packages/ansible
  ansible collection location = /runner/collections
  executable location = /usr/local/bin/ansible
  python version = 3.11.7 (main, Jan 22 2024, 00:00:00) [GCC 11.4.1 20231218 (Red Hat 11.4.1-3)] (/usr/bin/python3.11)
  jinja version = 3.1.4
  libyaml = True
COLLECTION VERSION
2.4.0
CONFIGURATION
OS / ENVIRONMENT
STEPS TO REPRODUCE
Install python modules from requirements.txt
Run a Trivy scan against EE with these modules installed
EXPECTED RESULTS
No open vulnerability
ACTUAL RESULTS
Observe CVE-2024-35255 being reported
https://avd.aquasec.com/nvd/2024/cve-2024-35255/
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255
Dependabot already has a PR started https://github.com/ansible-collections/azure/pull/1596
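A CI gate for the condition this issue reports, as an added example that is not part of the original issue or the collection's code: it reads a requirements file and flags exact pins below the fixed release, and marks anything it cannot verify from the file alone for review. The `FIXED_IN` map, the function names and the sample file are assumptions constructed for illustration; only the azure-identity pin, the CVE id and the fixed version come from the issue.

```python
import re

# Fixed-version floor per package. The azure-identity entry is taken from the
# issue (CVE-2024-35255, fixed in 1.16.1); the map layout is an assumption.
FIXED_IN = {"azure-identity": ("CVE-2024-35255", "1.16.1")}

# Constructed sample file; only the first pin appears in the issue.
SAMPLE = """\
# constructed sample requirements.txt
azure-identity==1.14.0
Azure_Identity[extra]==1.16.1 ; python_version >= "3.8"
example-package==2.0.0
azure-identity>=1.14.0
"""

REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(==|>=|<=|~=|!=|<|>)?\s*(\S*)")

def normalize(name):
    """PEP 503 name normalization, so Azure_Identity matches azure-identity."""
    return re.sub(r"[-_.]+", "-", name).lower()

def release(version):
    """Turn '1.16.1' into (1, 16, 1); trailing zeros dropped so 1.16 == 1.16.0."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def check_requirements(text, fixed_in=FIXED_IN):
    """Return (line_no, package, requirement, cve, status) for tracked packages."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        # Drop comments and environment markers before parsing.
        req = raw.split("#", 1)[0].split(";", 1)[0].strip()
        match = REQ_RE.match(req)
        if not match or normalize(match.group(1)) not in fixed_in:
            continue
        name = normalize(match.group(1))
        cve, fixed = fixed_in[name]
        op, version = match.group(2), match.group(3)
        if op != "==" or not re.fullmatch(r"\d+(\.\d+)*", version):
            # Ranges, wildcards, pre-releases: the file alone cannot prove the fix.
            findings.append((line_no, name, req, cve, "review"))
        elif release(version) < release(fixed):
            findings.append((line_no, name, req, cve, "vulnerable"))
    return findings
```

Calling `check_requirements(open("requirements.txt").read())` and failing the build on any non-empty result catches the pin before the execution environment is built; a "review" status means the installed version still has to be checked in the built image.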