
Critical CVE-2024-32002 and CVE-2024-3817 in Trivy Scan #13291

@alexander-dammeier

Description

Hello!

We test Coder for a high-security environment, but we are not allowed to use your images as they contain critical CVEs (see Trivy scans below). Unfortunately, these CVEs are also in your latest images of the stable (2.10.2) and mainline (2.11.0) release trains.

(Scans are filtered by HIGH and CRITICAL CVEs.)

ghcr.io/coder/coder:v2.10.2 (alpine 3.19.1)
===========================================
Total: 3 (HIGH: 2, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                   Title                    │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────┤
│ git     │ CVE-2024-32002 │ CRITICAL │ fixed  │ 2.43.0-r0         │ 2.43.4-r0     │ git: Recursive clones RCE                  │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-32002 │
│         ├────────────────┼──────────┤        │                   │               ├────────────────────────────────────────────┤
│         │ CVE-2024-32004 │ HIGH     │        │                   │               │ git: RCE while cloning local repos         │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-32004 │
│         ├────────────────┤          │        │                   │               ├────────────────────────────────────────────┤
│         │ CVE-2024-32465 │          │        │                   │               │ git: additional local RCE                  │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-32465 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────┘

usr/local/bin/terraform (gobinary)
==================================
Total: 2 (HIGH: 1, CRITICAL: 1)

┌────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/cloudflare/circl    │ GHSA-9763-4f94-gfch │ HIGH     │ fixed  │ v1.3.3            │ 1.3.7         │ CIRCL's Kyber: timing side-channel (kyberslash2)             │
│                                │                     │          │        │                   │               │ https://github.com/advisories/GHSA-9763-4f94-gfch            │
├────────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-getter │ CVE-2024-3817       │ CRITICAL │        │ v1.7.3            │ 1.7.4         │ HashiCorp's go-getter library is vulnerable to argument      │
│                                │                     │          │        │                   │               │ injection ...                                                │
│                                │                     │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-3817                    │
└────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

ghcr.io/coder/coder:v2.11.0 (alpine 3.19.1)
===========================================
Total: 3 (HIGH: 2, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                   Title                    │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────┤
│ git     │ CVE-2024-32002 │ CRITICAL │ fixed  │ 2.43.0-r0         │ 2.43.4-r0     │ git: Recursive clones RCE                  │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-32002 │
│         ├────────────────┼──────────┤        │                   │               ├────────────────────────────────────────────┤
│         │ CVE-2024-32004 │ HIGH     │        │                   │               │ git: RCE while cloning local repos         │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-32004 │
│         ├────────────────┤          │        │                   │               ├────────────────────────────────────────────┤
│         │ CVE-2024-32465 │          │        │                   │               │ git: additional local RCE                  │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-32465 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────┘

usr/local/bin/terraform (gobinary)
==================================
Total: 2 (HIGH: 1, CRITICAL: 1)

┌────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/cloudflare/circl    │ GHSA-9763-4f94-gfch │ HIGH     │ fixed  │ v1.3.3            │ 1.3.7         │ CIRCL's Kyber: timing side-channel (kyberslash2)             │
│                                │                     │          │        │                   │               │ https://github.com/advisories/GHSA-9763-4f94-gfch            │
├────────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-getter │ CVE-2024-3817       │ CRITICAL │        │ v1.7.3            │ 1.7.4         │ HashiCorp's go-getter library is vulnerable to argument      │
│                                │                     │          │        │                   │               │ injection ...                                                │
│                                │                     │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-3817                    │
└────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
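A CI gate that reproduces the filter used in the report above (HIGH and CRITICAL findings that already have a fixed version) over Trivy's JSON output, so an image like the ones scanned is rejected until the fixable packages are rebuilt. This is an added example, not code from the issue or from the Coder project; the sample report is constructed to mirror the findings above, with one made-up unfixed entry under a placeholder ID to show that unfixed findings are reported but do not block.

```python
import json
from collections import defaultdict

def _vuln(vid, pkg, sev, installed, fixed):
    # Minimal Trivy-style vulnerability record (fields as emitted by `trivy image -f json`).
    return {"VulnerabilityID": vid, "PkgName": pkg, "Severity": sev,
            "Status": "fixed" if fixed else "affected",
            "InstalledVersion": installed, "FixedVersion": fixed}

# Constructed sample mirroring the ghcr.io/coder/coder:v2.10.2 findings above,
# plus one made-up unfixed HIGH entry (placeholder ID, not a real advisory).
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "ghcr.io/coder/coder:v2.10.2 (alpine 3.19.1)", "Class": "os-pkgs",
     "Vulnerabilities": [
         _vuln("CVE-2024-32002", "git", "CRITICAL", "2.43.0-r0", "2.43.4-r0"),
         _vuln("CVE-2024-32004", "git", "HIGH", "2.43.0-r0", "2.43.4-r0"),
         _vuln("CVE-2024-32465", "git", "HIGH", "2.43.0-r0", "2.43.4-r0"),
         _vuln("PLACEHOLDER-UNFIXED", "libexample", "HIGH", "1.0-r0", "")]},
    {"Target": "usr/local/bin/terraform", "Class": "lang-pkgs", "Type": "gobinary",
     "Vulnerabilities": [
         _vuln("GHSA-9763-4f94-gfch", "github.com/cloudflare/circl", "HIGH", "v1.3.3", "1.3.7"),
         _vuln("CVE-2024-3817", "github.com/hashicorp/go-getter", "CRITICAL", "v1.7.3", "1.7.4")]},
]})

GATE_SEVERITIES = {"HIGH", "CRITICAL"}

def fixable_findings(report_json, severities=GATE_SEVERITIES):
    """Return {target: [(id, pkg, installed, fixed)]} for findings at a gated
    severity whose upstream fix already exists (Trivy Status == "fixed")."""
    report = json.loads(report_json)
    out = defaultdict(list)
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") not in severities:
                continue
            if v.get("Status") != "fixed" or not v.get("FixedVersion"):
                print(f"note: {v.get('VulnerabilityID')} in {v.get('PkgName')} has no fix yet")
                continue  # no fixed package to move to: report, but do not block
            out[result["Target"]].append((v["VulnerabilityID"], v["PkgName"],
                                          v["InstalledVersion"], v["FixedVersion"]))
    return dict(out)

def gate(report_json):
    """Exit-code style decision: 1 if any fixable HIGH/CRITICAL finding remains, else 0."""
    findings = fixable_findings(report_json)
    for target, items in findings.items():
        print(f"{target}: {len(items)} fixable finding(s)")
        for vid, pkg, installed, fixed in items:
            print(f"  {vid} {pkg} {installed} -> {fixed}")
    return 1 if findings else 0
```

In a pipeline, feed the real report with `trivy image -f json -o report.json <image>` and use the return value of `gate()` as the job's exit status.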
