Critical vulnerability in `trivy-operator:0.22.0` image (CVE-2024-41110) #2218

baksetercx · 2024-08-08T14:40:52Z

What steps did you take and what happened:

1. docker pull ghcr.io/aquasecurity/trivy-operator:0.22.0

2. trivy image ghcr.io/aquasecurity/trivy-operator:0.22.0 --severity CRITICAL

Produces:

2024-08-08T16:34:31.593+0200	INFO	Vulnerability scanning is enabled
2024-08-08T16:34:31.593+0200	INFO	Secret scanning is enabled
2024-08-08T16:34:31.593+0200	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-08T16:34:31.593+0200	INFO	Please see also https://aquasecurity.github.io/trivy/v0.44/docs/scanner/secret/#recommendation for faster secret detection
2024-08-08T16:34:31.683+0200	INFO	Detected OS: alpine
2024-08-08T16:34:31.683+0200	INFO	This OS version is not on the EOL list: alpine 3.19
2024-08-08T16:34:31.683+0200	INFO	Detecting Alpine vulnerabilities...
2024-08-08T16:34:31.684+0200	INFO	Number of language-specific files: 1
2024-08-08T16:34:31.684+0200	INFO	Detecting gobinary vulnerabilities...

ghcr.io/aquasecurity/trivy-operator:0.22.0 (alpine 3.19.1)
==========================================================
Total: 0 (CRITICAL: 0)


usr/local/bin/trivy-operator (gobinary)
=======================================
Total: 1 (CRITICAL: 1)

┌──────────────────────────┬────────────────┬──────────┬────────┬──────────────────────┬─────────────────────────────────┬────────────────────────────────────────────┐
│         Library          │ Vulnerability  │ Severity │ Status │  Installed Version   │          Fixed Version          │                   Title                    │
├──────────────────────────┼────────────────┼──────────┼────────┼──────────────────────┼─────────────────────────────────┼────────────────────────────────────────────┤
│ github.com/docker/docker │ CVE-2024-41110 │ CRITICAL │ fixed  │ v26.1.3+incompatible │ 23.0.14, 26.1.4, 27.1.0, 25.0.6 │ moby: Authz zero length regression         │
│                          │                │          │        │                      │                                 │ https://avd.aquasec.com/nvd/cve-2024-41110 │
└──────────────────────────┴────────────────┴──────────┴────────┴──────────────────────┴─────────────────────────────────┴────────────────────────────────────────────┘

What did you expect to happen:

No critical vulnerabilities.

Anything else you would like to add:

The same vulnerability is also reported by Trivy Operator running in Kubernetes, not just locally using the Trivy CLI.

Environment:

Trivy-Operator version (use trivy-operator version): v0.22.0
Kubernetes version (use kubectl version): v1.28.9
OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc): Debian testing

The text was updated successfully, but these errors were encountered:

Hacks4Snacks · 2024-08-08T15:27:39Z

PR to uplift the docker library (and grpc) - I'm surprised Dependabot didn't raise a PR.

baksetercx added the kind/bug Categorizes issue or PR as related to a bug. label Aug 8, 2024

Hacks4Snacks linked a pull request Aug 8, 2024 that will close this issue

fix: Patch version uplift for Docker + GRPC #2219

Open

5 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Critical vulnerability in `trivy-operator:0.22.0` image (CVE-2024-41110) #2218

Critical vulnerability in `trivy-operator:0.22.0` image (CVE-2024-41110) #2218

baksetercx commented Aug 8, 2024

Hacks4Snacks commented Aug 8, 2024

Critical vulnerability in trivy-operator:0.22.0 image (CVE-2024-41110) #2218

Critical vulnerability in trivy-operator:0.22.0 image (CVE-2024-41110) #2218

Comments

baksetercx commented Aug 8, 2024

Hacks4Snacks commented Aug 8, 2024

Critical vulnerability in `trivy-operator:0.22.0` image (CVE-2024-41110) #2218

Critical vulnerability in `trivy-operator:0.22.0` image (CVE-2024-41110) #2218