Critical vulnerabilities in github.com/moby/buildkit v0.8.3 (CVE-2024-23652, CVE-2024-23653)
elchenberg opened this issue · 3 comments
elchenberg commented
- terrascan version: 4422eb5 / v1.19.1
Description
The github.com/moby/buildkit package v0.8.3 has two CRITICAL vulnerabilities (CVE-2024-23652, CVE-2024-23653) and should be updated to v0.12.5.
What I Did
trivy filesystem --scanners vuln --severity CRITICAL .
# or
make docker-build
trivy image --scanners vuln --severity CRITICAL "docker-terrascan-local.artifactory.eng.tenable.com/terrascan:$(cat dockerhub-image-label.txt)"
Output:
2024-05-27T13:13:21+02:00 INFO Vulnerability scanning is enabled
2024-05-27T13:13:21+02:00 INFO Detected OS family="alpine" version="3.16.9"
2024-05-27T13:13:21+02:00 INFO [alpine] Detecting vulnerabilities... os_version="3.16" repository="3.16" pkg_num=32
2024-05-27T13:13:21+02:00 INFO Number of language-specific files num=1
2024-05-27T13:13:21+02:00 INFO [gobinary] Detecting vulnerabilities...
2024-05-27T13:13:21+02:00 WARN This OS version is no longer supported by the distribution family="alpine" version="3.16.9"
2024-05-27T13:13:21+02:00 WARN The vulnerability detection may be insufficient because security updates are not provided
docker-terrascan-local.artifactory.eng.tenable.com/terrascan:4422eb52 (alpine 3.16.9)
Total: 0 (CRITICAL: 0)
go/bin/terrascan (gobinary)
Total: 4 (CRITICAL: 4)
┌────────────────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├────────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-getter │ CVE-2024-3817 │ CRITICAL │ fixed │ v1.7.0 │ 1.7.4 │ HashiCorp’s go-getter library is vulnerable to argument │
│ │ │ │ │ │ │ injection ... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-3817 │
├────────────────────────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/moby/buildkit │ CVE-2024-23652 │ │ │ v0.8.3 │ 0.12.5 │ moby/buildkit: possible host system access from mount stub │
│ │ │ │ │ │ │ cleaner │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-23652 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-23653 │ │ │ │ │ moby/buildkit: Buildkit's interactive containers API does │
│ │ │ │ │ │ │ not validate entitlements check │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-23653 │
├────────────────────────────────┼────────────────┤ ├──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ gopkg.in/src-d/go-git.v4 │ CVE-2023-49569 │ │ affected │ v4.13.1 │ │ go-git: Maliciously crafted Git server replies can lead to │
│ │ │ │ │ │ │ path traversal and... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-49569 │
└────────────────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
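As an added example (not part of this report or the terrascan project), a small Python gate over a Trivy JSON report that separates findings with an upstream fix available, like the buildkit ones, from findings that are still unfixed, like go-git, so a CI job can block on the former and only track the latter. The field names are assumed from Trivy's `--format json` schema and the sample report is constructed from the table above.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `trivy ... --format json` output for the
# gobinary findings in the report above. Field names follow Trivy's JSON
# schema as assumed here (VulnerabilityID, PkgName, InstalledVersion,
# FixedVersion, Severity); the gate relies on FixedVersion being empty
# when no upstream fix exists, not on the Status column.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "go/bin/terrascan",
        "Type": "gobinary",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-3817", "PkgName": "github.com/hashicorp/go-getter",
             "InstalledVersion": "v1.7.0", "FixedVersion": "1.7.4", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2024-23652", "PkgName": "github.com/moby/buildkit",
             "InstalledVersion": "v0.8.3", "FixedVersion": "0.12.5", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2024-23653", "PkgName": "github.com/moby/buildkit",
             "InstalledVersion": "v0.8.3", "FixedVersion": "0.12.5", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2023-49569", "PkgName": "gopkg.in/src-d/go-git.v4",
             "InstalledVersion": "v4.13.1", "FixedVersion": "", "Severity": "CRITICAL"},
        ],
    }]
})


def triage(report_json, severities=("CRITICAL",)):
    """Group findings per module: CVEs with a fix, the target version(s), and unfixed CVEs."""
    report = json.loads(report_json)
    per_pkg = defaultdict(lambda: {"installed": None, "fix_to": set(), "fixable": [], "unfixed": []})
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:   # key is null when a target is clean
            if vuln.get("Severity") not in severities:
                continue
            entry = per_pkg[vuln["PkgName"]]
            entry["installed"] = vuln.get("InstalledVersion")
            if vuln.get("FixedVersion"):
                entry["fixable"].append(vuln["VulnerabilityID"])
                entry["fix_to"].add(vuln["FixedVersion"])
            else:
                entry["unfixed"].append(vuln["VulnerabilityID"])
    return dict(per_pkg)


def should_fail_build(triaged):
    """Block only when at least one module can actually be upgraded to a fixed version."""
    return any(info["fix_to"] for info in triaged.values())


if __name__ == "__main__":
    for pkg, info in triage(SAMPLE_REPORT).items():
        print(pkg, info["installed"], "->", sorted(info["fix_to"]) or "no fix", info["unfixed"])
    print("fail build:", should_fail_build(triage(SAMPLE_REPORT)))
```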
elchenberg commented
I missed that there is already a pull request open (and waiting for review): #1668
nmoretenable commented
Currently working on this issue, will merge the PR soon
nmoretenable commented
These are resolved in the latest version of terrascan, v1.19.9. Please check.