Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2022-29810: The Hashicorp go-getter library #5486

Closed
darylmcnutt opened this issue Jun 16, 2022 · 1 comment · Fixed by #5492
Closed

CVE-2022-29810: The Hashicorp go-getter library #5486

darylmcnutt opened this issue Jun 16, 2022 · 1 comment · Fixed by #5492
Labels
bug Something isn't working community Community contribution

Comments

@darylmcnutt
Copy link

darylmcnutt commented Jun 16, 2022
edited
Loading

While using the checkmarx\kics image, our trivy scans are detecting CVE-2022-29810 in the latest version of KICS (v1.5.10).

This CVE is related to hashicorp go-getter:
The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.

Submitting an issue for awareness and further investigation into KICS and potentially a patch.
@darylmcnutt darylmcnutt added bug Something isn't working community Community contribution labels Jun 16, 2022
@rafaela-soares
Copy link
Contributor

rafaela-soares commented Jun 20, 2022
edited
Loading

Hello, @darylmcnutt!

Thank you so much for also noticing this one and reporting it!

We are already working on that in PR #5292.

@rafaela-soares rafaela-soares mentioned this issue Jun 20, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working community Community contribution
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

update(dockerfile): fix CVE-2022-1586 and CVE-2022-29810 Checkmarx/kics
2 participants
@rafaela-soares @darylmcnutt