
Critical vulnerability reported by trivy in fleetdm/fleet:v4.62.0 #25748

Open
lucasmrod opened this issue Jan 24, 2025 · 0 comments
Assignees
Labels
bug Something isn't working as documented #g-orchestration Orchestration product group :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. ~released bug This bug was found in a stable release.

Comments

@lucasmrod
Member

Output for the trivy command that scans fleetdm/fleet:v4.62.0 (found by a prospect):

trivy image --ignore-unfixed --pkg-types os,library --severity CRITICAL fleetdm/fleet:v4.62.0
[...]
fleetdm/fleet:v4.62.0 (alpine 3.21.0)

Total: 0 (CRITICAL: 0)

usr/bin/fleetctl (gobinary)

Total: 1 (CRITICAL: 1)

┌─────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────┐
│           Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                    Title                     │
├─────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────┤
│ github.com/go-git/go-git/v5 │ CVE-2025-21613 │ CRITICAL │ fixed  │ v5.11.0           │ 5.13.0        │ go-git: argument injection via the URL field │
│                             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-21613   │
└─────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────┘

The vulnerability is on the fleetctl binary. Do we really need the fleetctl binary on the fleetdm/fleet image?


PS: I'll create a separate issue to perform trivy scanning on fleetdm/fleet images.
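As an added example (not Fleet's or trivy's own code) of the scanning the PS mentions: a small CI gate that reads trivy's `--format json` report and fails when any target, here the `gobinary` target for `usr/bin/fleetctl`, carries a fixed CRITICAL finding. The report schema below (`Results`, `Target`, `Vulnerabilities`, `Status`) follows trivy's JSON output as I know it; the sample report is constructed to mirror the finding in this issue.

```python
"""Gate a build on trivy JSON findings (example added here, not project code)."""
import json
from collections import defaultdict

# Constructed sample mirroring the finding above; not captured trivy output.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "fleetdm/fleet:v4.62.0",
    "Results": [
        {"Target": "fleetdm/fleet:v4.62.0 (alpine 3.21.0)", "Class": "os-pkgs",
         "Type": "alpine", "Vulnerabilities": []},
        {"Target": "usr/bin/fleetctl", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [{
             "VulnerabilityID": "CVE-2025-21613",
             "PkgName": "github.com/go-git/go-git/v5",
             "InstalledVersion": "v5.11.0", "FixedVersion": "5.13.0",
             "Severity": "CRITICAL", "Status": "fixed",
             "Title": "go-git: argument injection via the URL field",
         }]},
    ],
})

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def summarize(report_json, min_severity="CRITICAL", ignore_unfixed=True):
    """Return {target: [vulnerability ids]} for findings at/above min_severity.

    ignore_unfixed mirrors trivy's --ignore-unfixed: a finding with no
    FixedVersion cannot be resolved by bumping the dependency, so it is skipped.
    """
    threshold = SEVERITY_ORDER.index(min_severity)
    findings = defaultdict(list)
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0
            if rank < threshold:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            findings[result["Target"]].append(vuln["VulnerabilityID"])
    return dict(findings)


def should_fail(report_json, **kwargs):
    """True when at least one target carries a finding that meets the gate."""
    return bool(summarize(report_json, **kwargs))


if __name__ == "__main__":
    for target, ids in summarize(SAMPLE_REPORT).items():
        print(f"{target}: {', '.join(ids)}")  # names the binary that carries the module
    raise SystemExit(1 if should_fail(SAMPLE_REPORT) else 0)
```

Because findings are keyed by target, the output answers the question raised above directly: it shows whether the only critical hit lives in `usr/bin/fleetctl` rather than in the base image's OS packages.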

@lucasmrod lucasmrod added #g-orchestration Orchestration product group :incoming New issue in triage process. :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. bug Something isn't working as documented labels Jan 24, 2025
@lucasmrod lucasmrod changed the title Critical vulnerability reported by trivy in fleetdm/fleet:4.62.0 Critical vulnerability reported by trivy in fleetdm/fleet:v4.62.0 Jan 24, 2025
@lucasmrod lucasmrod self-assigned this Jan 24, 2025
@lukeheath lukeheath added the ~released bug This bug was found in a stable release. label Jan 24, 2025
@sharon-fdm sharon-fdm removed the :incoming New issue in triage process. label Jan 24, 2025