aquasecurity / trivy-operator

Kubernetes-native security toolkit
https://aquasecurity.github.io/trivy-operator/latest
Apache License 2.0
1.28k stars 211 forks

Critical vulnerability in `trivy-operator:0.22.0` image (CVE-2024-41110) #2218

Open baksetercx opened 3 months ago

baksetercx commented 3 months ago

What steps did you take and what happened:

1. `docker pull ghcr.io/aquasecurity/trivy-operator:0.22.0`
2. `trivy image ghcr.io/aquasecurity/trivy-operator:0.22.0 --severity CRITICAL`

Produces:

```
2024-08-08T16:34:31.593+0200    INFO    Vulnerability scanning is enabled
2024-08-08T16:34:31.593+0200    INFO    Secret scanning is enabled
2024-08-08T16:34:31.593+0200    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-08T16:34:31.593+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.44/docs/scanner/secret/#recommendation for faster secret detection
2024-08-08T16:34:31.683+0200    INFO    Detected OS: alpine
2024-08-08T16:34:31.683+0200    INFO    This OS version is not on the EOL list: alpine 3.19
2024-08-08T16:34:31.683+0200    INFO    Detecting Alpine vulnerabilities...
2024-08-08T16:34:31.684+0200    INFO    Number of language-specific files: 1
2024-08-08T16:34:31.684+0200    INFO    Detecting gobinary vulnerabilities...

ghcr.io/aquasecurity/trivy-operator:0.22.0 (alpine 3.19.1)
==========================================================
Total: 0 (CRITICAL: 0)

usr/local/bin/trivy-operator (gobinary)
=======================================
Total: 1 (CRITICAL: 1)

┌──────────────────────────┬────────────────┬──────────┬────────┬──────────────────────┬─────────────────────────────────┬────────────────────────────────────────────┐
│         Library          │ Vulnerability  │ Severity │ Status │  Installed Version   │          Fixed Version          │                   Title                    │
├──────────────────────────┼────────────────┼──────────┼────────┼──────────────────────┼─────────────────────────────────┼────────────────────────────────────────────┤
│ github.com/docker/docker │ CVE-2024-41110 │ CRITICAL │ fixed  │ v26.1.3+incompatible │ 23.0.14, 26.1.4, 27.1.0, 25.0.6 │ moby: Authz zero length regression         │
│                          │                │          │        │                      │                                 │ https://avd.aquasec.com/nvd/cve-2024-41110 │
└──────────────────────────┴────────────────┴──────────┴────────┴──────────────────────┴─────────────────────────────────┴────────────────────────────────────────────┘
```

What did you expect to happen:

No critical vulnerabilities.

Anything else you would like to add:

The same vulnerability is also reported by Trivy Operator running in Kubernetes, not just locally using the Trivy CLI.

Environment:
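The scan above is the kind of check that usually runs as a CI gate rather than by hand. As an added example (not part of this issue and not trivy-operator's own code), the script below reads the JSON form of the same report (`trivy image --format json ...`), flattens every `Results[].Vulnerabilities[]` entry at or above a severity threshold, splits findings into "fix available" and "no fix yet" using the `FixedVersion` field, and returns a pass/fail decision. The embedded report is constructed to mirror the table in the issue; the field names (`Results`, `Target`, `Type`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`, `Status`) follow Trivy's JSON schema. The `ignore_ids` allowlist is this example's own convention for documenting a temporarily accepted finding, not a Trivy feature.

```python
import json
from collections import Counter

# Constructed sample: a trimmed Trivy JSON report shaped like the CLI output
# shown in the issue. The alpine result has no "Vulnerabilities" key, which is
# how Trivy renders a clean target, so the parser must tolerate its absence.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "ghcr.io/aquasecurity/trivy-operator:0.22.0",
    "Results": [
        {"Target": "ghcr.io/aquasecurity/trivy-operator:0.22.0 (alpine 3.19.1)",
         "Class": "os-pkgs", "Type": "alpine"},
        {"Target": "usr/local/bin/trivy-operator", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2024-41110",
              "PkgName": "github.com/docker/docker",
              "InstalledVersion": "v26.1.3+incompatible",
              "FixedVersion": "23.0.14, 26.1.4, 27.1.0, 25.0.6",
              "Severity": "CRITICAL",
              "Status": "fixed",
              "Title": "moby: Authz zero length regression"},
         ]},
    ],
})

# Ordering used for the threshold comparison (Trivy's severity labels).
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def findings(report_json, min_severity="CRITICAL", ignore_ids=()):
    """Flatten Results[].Vulnerabilities[] into plain dicts at or above min_severity.

    ignore_ids is a hypothetical allowlist of accepted CVE ids (example convention).
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    out = []
    for result in report.get("Results", []):
        # A clean target carries no "Vulnerabilities" key at all.
        for v in result.get("Vulnerabilities") or []:
            if v["VulnerabilityID"] in ignore_ids:
                continue
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            # FixedVersion is a comma-separated string, or empty when no fix exists.
            fixed = [s.strip() for s in (v.get("FixedVersion") or "").split(",") if s.strip()]
            out.append({
                "id": v["VulnerabilityID"],
                "target": result["Target"],
                "type": result.get("Type"),
                "pkg": v["PkgName"],
                "installed": v.get("InstalledVersion"),
                "fixed": fixed,
                "severity": v["Severity"],
            })
    return out


def gate(report_json, min_severity="CRITICAL", ignore_ids=()):
    """Return (ok, summary): ok is False when any finding meets the threshold.

    The summary separates findings an upgrade would resolve from those with
    no fixed version yet, and counts findings per scanned target.
    """
    hits = findings(report_json, min_severity, ignore_ids)
    summary = {
        "fixable": [h for h in hits if h["fixed"]],
        "unfixed": [h for h in hits if not h["fixed"]],
        "by_target": dict(Counter(h["target"] for h in hits)),
    }
    return (not hits, summary)


if __name__ == "__main__":
    ok, summary = gate(SAMPLE_REPORT)
    print("PASS" if ok else "FAIL")
    for h in summary["fixable"]:
        print(f"{h['id']} {h['pkg']} {h['installed']} -> fix available: "
              f"{', '.join(h['fixed'])} ({h['target']}, {h['type']})")
    for h in summary["unfixed"]:
        print(f"{h['id']} {h['pkg']} {h['installed']} -> no fix yet ({h['target']})")
```

Run against a real report with `trivy image --format json -o report.json <image>` and feed the file contents to `gate()`; in a pipeline the exit status would follow `ok`. Splitting on fix availability matters for triage: a finding with a `FixedVersion` (as here, where the Go binary pins `github.com/docker/docker v26.1.3+incompatible`) is resolved by a dependency bump and a rebuild, while one without a fix needs a compensating control or a documented acceptance instead.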

Hacks4Snacks commented 3 months ago

PR to uplift the docker library (and grpc) - I'm surprised Dependabot didn't raise a PR.

github-actions[bot] commented 1 month ago

This issue is stale because it has been labeled with inactivity.

baksetercx commented 1 month ago

Any update on this?