Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Critical CVE-2024-32002 and CVE-2024-3817 in Trivy Scan #13291

New issue
New issue
Closed
#13299
Closed
Critical CVE-2024-32002 and CVE-2024-3817 in Trivy Scan#13291
#13299
Assignees
coadler
Labels
securityArea: security
@alexander-dammeier

Description

@alexander-dammeier
alexander-dammeier
opened on May 16, 2024

Hello!

We test coder for a high security environment but we are not allowed to use your images as they contain critical CVEs (see trivy scans below). Unfortunately this CVEs are also in your latest images of the stable (2.10.2) and mainline (2.11.0) release trains.

(scans are filtered by High and critical CVEs)

ghcr.io/coder/coder:v2.10.2 (alpine 3.19.1)
===========================================
Total: 3 (HIGH: 2, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                   Title                    │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────┤
│ git     │ CVE-2024-32002 │ CRITICAL │ fixed  │ 2.43.0-r0         │ 2.43.4-r0     │ git: Recursive clones RCE                  │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-32002 │
│         ├────────────────┼──────────┤        │                   │               ├────────────────────────────────────────────┤
│         │ CVE-2024-32004 │ HIGH     │        │                   │               │ git: RCE while cloning local repos         │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-32004 │
│         ├────────────────┤          │        │                   │               ├────────────────────────────────────────────┤
│         │ CVE-2024-32465 │          │        │                   │               │ git: additional local RCE                  │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-32465 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────┘

usr/local/bin/terraform (gobinary)
==================================
Total: 2 (HIGH: 1, CRITICAL: 1)

┌────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/cloudflare/circl    │ GHSA-9763-4f94-gfch │ HIGH     │ fixed  │ v1.3.3            │ 1.3.7         │ CIRCL's Kyber: timing side-channel (kyberslash2)             │
│                                │                     │          │        │                   │               │ https://github.com/advisories/GHSA-9763-4f94-gfch            │
├────────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-getter │ CVE-2024-3817       │ CRITICAL │        │ v1.7.3            │ 1.7.4         │ HashiCorp\u2019s go-getter library is vulnerable to argument │
│                                │                     │          │        │                   │               │ injection ...                                                │
│                                │                     │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-3817                    │
└────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘


ghcr.io/coder/coder:v2.11.0 (alpine 3.19.1)
===========================================
Total: 3 (HIGH: 2, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                   Title                    │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────┤
│ git     │ CVE-2024-32002 │ CRITICAL │ fixed  │ 2.43.0-r0         │ 2.43.4-r0     │ git: Recursive clones RCE                  │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-32002 │
│         ├────────────────┼──────────┤        │                   │               ├────────────────────────────────────────────┤
│         │ CVE-2024-32004 │ HIGH     │        │                   │               │ git: RCE while cloning local repos         │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-32004 │
│         ├────────────────┤          │        │                   │               ├────────────────────────────────────────────┤
│         │ CVE-2024-32465 │          │        │                   │               │ git: additional local RCE                  │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-32465 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────┘

usr/local/bin/terraform (gobinary)
==================================
Total: 2 (HIGH: 1, CRITICAL: 1)

┌────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/cloudflare/circl    │ GHSA-9763-4f94-gfch │ HIGH     │ fixed  │ v1.3.3            │ 1.3.7         │ CIRCL's Kyber: timing side-channel (kyberslash2)             │
│                                │                     │          │        │                   │               │ https://github.com/advisories/GHSA-9763-4f94-gfch            │
├────────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-getter │ CVE-2024-3817       │ CRITICAL │        │ v1.7.3            │ 1.7.4         │ HashiCorp\u2019s go-getter library is vulnerable to argument │
│                                │                     │          │        │                   │               │ injection ...                                                │
│                                │                     │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-3817                    │
└────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

Metadata

Metadata

Assignees

Labels

securityArea: security

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions