Vulnerability Report: GO-2024-2870
- CVE-2024-35192, GHSA-xcq4-m2r3-cmrj
- Affects: github.com/aquasecurity/trivy
- Published: May 22, 2024
A malicious registry can cause Trivy to leak credentials for legitimate registries such as AWS Elastic Container Registry (ECR), Google Cloud Artifact/Container Registry, or Azure Container Registry (ACR) if the registry is scanned from directly using Trivy. These tokens can then be used to push/pull images from those registries to which the identity/user running Trivy has access. This vulnerability only applies when scanning container images directly from a registry. If you use Docker, containerd or other runtime to pull images locally and scan them with Trivy, you are not affected. To enforce this behavior, you can use the --image-src flag to select which sources you trust.
For detailed information about this vulnerability, visit https://github.com/aquasecurity/trivy/security/advisories/GHSA-xcq4-m2r3-cmrj.
Affected Packages
-
PathVersionsSymbols
-
before v0.51.2all symbols
-
before v0.51.2
-
before v0.51.2
Aliases
References
- https://github.com/aquasecurity/trivy/security/advisories/GHSA-xcq4-m2r3-cmrj
- https://github.com/aquasecurity/trivy/commit/e7f14f729de259551203f313e57d2d9d3aa2ff87
- https://vuln.go.dev/ID/GO-2024-2870.json
Credits
- @lyoung-confluent