Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix CVE-2024-6104 - github.com/hashicorp/go-retryablehttp #13335

Closed
1 task
rgoltz opened this issue Jun 26, 2024 · 2 comments
Closed
1 task

Fix CVE-2024-6104 - github.com/hashicorp/go-retryablehttp #13335

rgoltz opened this issue Jun 26, 2024 · 2 comments

Comments

@rgoltz
Copy link

rgoltz commented Jun 26, 2024

Is your feature request related to a problem? Please describe.
The current grafana loki docker image seems to be affected by go-retryablehttp can leak basic auth credentials to log files Vulnerability. It's tested with Loki version main-4eb45cc branch main revision 4eb45cc

Describe the solution you'd like

  • Upgrade go-retryablehttp to v0.7.7 or above

Details from Image-Scan
Vulnerability ID https://nvd.nist.gov/vuln/detail/CVE-2024-6104
GitHub Advisory GHSA-v6v8-xj6m-xwqh
CWE https://cwe.mitre.org/data/definitions/532.html
Severity Medium
Fix available Yes
Installed version v0.7.4
Fix available v0.7.7
Package Manager GOBINARY
File paths usr/bin/loki
@rgoltz
Copy link
Author

rgoltz commented Aug 11, 2024

Thanks, @vlad-diachenko - It seems that PR #13835 updated the go library of hashicorp/go-retryablehttp to the fixed version. I've re-tested and pulled the main-tag: version 2.9.10, branch HEAD, revision 7664eda. I can not see any findings for this image-tag (main-tag from docker-hub - updated at Aug 9, 2024 at 8:33 pm) in my vulnerability image scanner.

Great! Thanks a lot 🥇. If somebody from the team can confirm, myself (or you) can close this issue as successfully resolved afterwards, CC'd @DylanGuedes

@vlad-diachenko
Copy link
Contributor

Hey @rgoltz
I believe that we do not have this CVE anymore.
So, I believe we can close the issue.

Trivy results for the latest image 

trivy image docker.io/grafana/loki:main-6284ed5
2024-08-21T07:04:03+03:00	INFO	[db] Need to update DB
2024-08-21T07:04:03+03:00	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
51.71 MiB / 51.71 MiB [---------------------------------------------------------------------------------------------] 100.00% 8.62 MiB p/s 6.2s
2024-08-21T07:04:12+03:00	INFO	[vuln] Vulnerability scanning is enabled
2024-08-21T07:04:12+03:00	INFO	[secret] Secret scanning is enabled
2024-08-21T07:04:12+03:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-21T07:04:12+03:00	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-21T07:04:12+03:00	INFO	Detected OS	family="debian" version="12.6"
2024-08-21T07:04:12+03:00	INFO	[debian] Detecting vulnerabilities...	os_version="12" pkg_num=4
2024-08-21T07:04:12+03:00	INFO	Number of language-specific files	num=1
2024-08-21T07:04:12+03:00	INFO	[gobinary] Detecting vulnerabilities...

docker.io/grafana/loki:main-6284ed5 (debian 12.6)

Total: 7 (UNKNOWN: 0, LOW: 7, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌─────────┬──────────────────┬──────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │  Vulnerability   │ Severity │  Status  │ Installed Version │ Fixed Version │                            Title                            │
├─────────┼──────────────────┼──────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libc6   │ CVE-2010-4756    │ LOW      │ affected │ 2.36-9+deb12u7    │               │ glibc: glob implementation can cause excessive CPU and      │
│         │                  │          │          │                   │               │ memory consumption due to...                                │
│         │                  │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2010-4756                   │
│         ├──────────────────┤          │          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│         │ CVE-2018-20796   │          │          │                   │               │ glibc: uncontrolled recursion in function                   │
│         │                  │          │          │                   │               │ check_dst_limits_calc_pos_1 in posix/regexec.c              │
│         │                  │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-20796                  │
│         ├──────────────────┤          │          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│         │ CVE-2019-1010022 │          │          │                   │               │ glibc: stack guard protection bypass                        │
│         │                  │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1010022                │
│         ├──────────────────┤          │          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│         │ CVE-2019-1010023 │          │          │                   │               │ glibc: running ldd on malicious ELF leads to code execution │
│         │                  │          │          │                   │               │ because of...                                               │
│         │                  │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1010023                │
│         ├──────────────────┤          │          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│         │ CVE-2019-1010024 │          │          │                   │               │ glibc: ASLR bypass using cache of thread stack and heap     │
│         │                  │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1010024                │
│         ├──────────────────┤          │          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│         │ CVE-2019-1010025 │          │          │                   │               │ glibc: information disclosure of heap addresses of          │
│         │                  │          │          │                   │               │ pthread_created thread                                      │
│         │                  │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1010025                │
│         ├──────────────────┤          │          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│         │ CVE-2019-9192    │          │          │                   │               │ glibc: uncontrolled recursion in function                   │
│         │                  │          │          │                   │               │ check_dst_limits_calc_pos_1 in posix/regexec.c              │
│         │                  │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-9192                   │
└─────────┴──────────────────┴──────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

Huge thanks @rgoltz

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rgoltz @vlad-diachenko