Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Critical vulnerabilities in github.com/moby/buildkit v0.8.3 (CVE-2024-23652, CVE-2024-23653) #1678

Open
elchenberg opened this issue May 27, 2024 · 3 comments
Open

Critical vulnerabilities in github.com/moby/buildkit v0.8.3 (CVE-2024-23652, CVE-2024-23653) #1678

elchenberg opened this issue May 27, 2024 · 3 comments
Assignees
@nmoretenable

Comments

@elchenberg
Copy link

  • terrascan version: 4422eb5 / v1.19.1

Description

The github.com/moby/buildkit package v0.8.3 has two CRITICAL vulnerabilities (CVE-2024-23652, CVE-2024-23653) and should be updated to v0.12.5.

What I Did

trivy filesystem --scanners vuln --severity CRITICAL .
# or
make docker-build
trivy image --scanners vuln --severity CRITICAL "docker-terrascan-local.artifactory.eng.tenable.com/terrascan:$(cat dockerhub-image-label.txt)"

Output:

2024-05-27T13:13:21+02:00	INFO	Vulnerability scanning is enabled
2024-05-27T13:13:21+02:00	INFO	Detected OS	family="alpine" version="3.16.9"
2024-05-27T13:13:21+02:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.16" repository="3.16" pkg_num=32
2024-05-27T13:13:21+02:00	INFO	Number of language-specific files	num=1
2024-05-27T13:13:21+02:00	INFO	[gobinary] Detecting vulnerabilities...
2024-05-27T13:13:21+02:00	WARN	This OS version is no longer supported by the distribution	family="alpine" version="3.16.9"
2024-05-27T13:13:21+02:00	WARN	The vulnerability detection may be insufficient because security updates are not provided

docker-terrascan-local.artifactory.eng.tenable.com/terrascan:4422eb52 (alpine 3.16.9)

Total: 0 (CRITICAL: 0)


go/bin/terrascan (gobinary)

Total: 4 (CRITICAL: 4)

┌────────────────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │  Status  │ Installed Version │ Fixed Version │                            Title                             │
├────────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-getter │ CVE-2024-3817  │ CRITICAL │ fixed    │ v1.7.0            │ 1.7.4         │ HashiCorp\u2019s go-getter library is vulnerable to argument │
│                                │                │          │          │                   │               │ injection ...                                                │
│                                │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-3817                    │
├────────────────────────────────┼────────────────┤          │          ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/moby/buildkit       │ CVE-2024-23652 │          │          │ v0.8.3            │ 0.12.5        │ moby/buildkit: possible host system access from mount stub   │
│                                │                │          │          │                   │               │ cleaner                                                      │
│                                │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-23652                   │
│                                ├────────────────┤          │          │                   │               ├──────────────────────────────────────────────────────────────┤
│                                │ CVE-2024-23653 │          │          │                   │               │ moby/buildkit: Buildkit's interactive containers API does    │
│                                │                │          │          │                   │               │ not validate entitlements check                              │
│                                │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-23653                   │
├────────────────────────────────┼────────────────┤          ├──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ gopkg.in/src-d/go-git.v4       │ CVE-2023-49569 │          │ affected │ v4.13.1           │               │ go-git: Maliciously crafted Git server replies can lead to   │
│                                │                │          │          │                   │               │ path traversal and...                                        │
│                                │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-49569                   │
└────────────────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
``
@elchenberg
Copy link
Author

I missed that there is already a pull request open (and waiting for review): #1668

@nmoretenable
Copy link
Contributor

Currently working on this issue, will merge the PR soon

@nmoretenable
Copy link
Contributor

These are resolved in latest version of terrascan v1.19.9. Please check

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nmoretenable nmoretenable

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@elchenberg @nmoretenable