tenable / terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
https://runterrascan.io
Apache License 2.0

Critical vulnerabilities in github.com/moby/buildkit v0.8.3 (CVE-2024-23652, CVE-2024-23653) #1678

Open elchenberg opened 5 months ago

elchenberg commented 5 months ago

Description

The github.com/moby/buildkit package v0.8.3 has two CRITICAL vulnerabilities (CVE-2024-23652, CVE-2024-23653) and should be updated to v0.12.5.

What I Did

```sh
trivy filesystem --scanners vuln --severity CRITICAL .
# or
make docker-build
trivy image --scanners vuln --severity CRITICAL "docker-terrascan-local.artifactory.eng.tenable.com/terrascan:$(cat dockerhub-image-label.txt)"
```

Output:

```
2024-05-27T13:13:21+02:00   INFO    Vulnerability scanning is enabled
2024-05-27T13:13:21+02:00   INFO    Detected OS family="alpine" version="3.16.9"
2024-05-27T13:13:21+02:00   INFO    [alpine] Detecting vulnerabilities...   os_version="3.16" repository="3.16" pkg_num=32
2024-05-27T13:13:21+02:00   INFO    Number of language-specific files   num=1
2024-05-27T13:13:21+02:00   INFO    [gobinary] Detecting vulnerabilities...
2024-05-27T13:13:21+02:00   WARN    This OS version is no longer supported by the distribution  family="alpine" version="3.16.9"
2024-05-27T13:13:21+02:00   WARN    The vulnerability detection may be insufficient because security updates are not provided

docker-terrascan-local.artifactory.eng.tenable.com/terrascan:4422eb52 (alpine 3.16.9)

Total: 0 (CRITICAL: 0)

go/bin/terrascan (gobinary)

Total: 4 (CRITICAL: 4)

┌────────────────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │  Status  │ Installed Version │ Fixed Version │                            Title                             │
├────────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-getter │ CVE-2024-3817  │ CRITICAL │ fixed    │ v1.7.0            │ 1.7.4         │ HashiCorp’s go-getter library is vulnerable to argument      │
│                                │                │          │          │                   │               │ injection ...                                                │
│                                │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-3817                    │
├────────────────────────────────┼────────────────┤          │          ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/moby/buildkit       │ CVE-2024-23652 │          │          │ v0.8.3            │ 0.12.5        │ moby/buildkit: possible host system access from mount stub   │
│                                │                │          │          │                   │               │ cleaner                                                      │
│                                │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-23652                   │
│                                ├────────────────┤          │          │                   │               ├──────────────────────────────────────────────────────────────┤
│                                │ CVE-2024-23653 │          │          │                   │               │ moby/buildkit: Buildkit's interactive containers API does    │
│                                │                │          │          │                   │               │ not validate entitlements check                              │
│                                │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-23653                   │
├────────────────────────────────┼────────────────┤          ├──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ gopkg.in/src-d/go-git.v4       │ CVE-2023-49569 │          │ affected │ v4.13.1           │               │ go-git: Maliciously crafted Git server replies can lead to   │
│                                │                │          │          │                   │               │ path traversal and...                                        │
│                                │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-49569                   │
└────────────────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
```
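As an added example (not code from the issue or from the terrascan project): a small Go gate that reads Trivy's JSON report (`trivy ... --format json`) and separates CRITICAL findings that already have a fixed version, like the buildkit bump to 0.12.5 above, from those with no fix yet, like go-git, so a CI job can fail only on what a dependency bump can actually clear. The report struct assumes Trivy's JSON field names, and the embedded report is constructed to mirror the table above.

```go
package main

import "encoding/json"

// Subset of Trivy's JSON report (trivy ... --format json); field names are
// assumed to match Trivy's schema, and only what the gate needs is decoded.
type trivyReport struct {
	Results []struct {
		Target          string `json:"Target"`
		Vulnerabilities []struct {
			ID        string `json:"VulnerabilityID"`
			Pkg       string `json:"PkgName"`
			Installed string `json:"InstalledVersion"`
			Fixed     string `json:"FixedVersion"`
			Severity  string `json:"Severity"`
		} `json:"Vulnerabilities"`
	} `json:"Results"`
}

// Finding is one CRITICAL vulnerability and the upgrade that clears it, if any.
type Finding struct{ Target, Pkg, Installed, Fixed, ID string }

// GateCritical splits CRITICAL findings into upgradeable ones (fail the build,
// bump the dependency) and ones with no fixed version yet (track separately).
func GateCritical(report []byte) (fixable, unfixed []Finding, err error) {
	var r trivyReport
	if err := json.Unmarshal(report, &r); err != nil {
		return nil, nil, err
	}
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			if v.Severity != "CRITICAL" {
				continue
			}
			f := Finding{res.Target, v.Pkg, v.Installed, v.Fixed, v.ID}
			if v.Fixed == "" {
				unfixed = append(unfixed, f) // no upstream fix: needs another mitigation
			} else {
				fixable = append(fixable, f) // fix exists: bump the module
			}
		}
	}
	return fixable, unfixed, nil
}

// SampleReport is a constructed report mirroring the findings in the issue.
const SampleReport = `{"Results":[{"Target":"go/bin/terrascan","Vulnerabilities":[
{"VulnerabilityID":"CVE-2024-3817","PkgName":"github.com/hashicorp/go-getter","InstalledVersion":"v1.7.0","FixedVersion":"1.7.4","Severity":"CRITICAL"},
{"VulnerabilityID":"CVE-2024-23652","PkgName":"github.com/moby/buildkit","InstalledVersion":"v0.8.3","FixedVersion":"0.12.5","Severity":"CRITICAL"},
{"VulnerabilityID":"CVE-2024-23653","PkgName":"github.com/moby/buildkit","InstalledVersion":"v0.8.3","FixedVersion":"0.12.5","Severity":"CRITICAL"},
{"VulnerabilityID":"CVE-2023-49569","PkgName":"gopkg.in/src-d/go-git.v4","InstalledVersion":"v4.13.1","FixedVersion":"","Severity":"CRITICAL"}]}]}`
```

In a pipeline, feed the real report to GateCritical and exit non-zero when the fixable list is non-empty; the unfixed list is what remains after the bumps this issue asks for.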
elchenberg commented 5 months ago

I missed that there is already a pull request open (and waiting for review): #1668

nmoretenable commented 2 months ago

Currently working on this issue, will merge the PR soon

nmoretenable commented 2 months ago

These are resolved in the latest version of terrascan, v1.19.9. Please check.