Trivy v0.69.3 google.golang.org/grpc #10445
Closed
Nico-VanHaaster started this conversation in Bugs
Replies: 1 comment
Hi @Nico-VanHaaster! We have already updated this dependency, and the fix will be included in the upcoming v0.70 release.
Description
We constantly scan Trivy for vulnerabilities (and we have it pinned to v0.69.3), where Trivy itself is reporting a critical vulnerability with google.golang.org/grpc in its own builds.
This is blocking our DB updates unless we disable Trivy scanning on itself.
Desired Behavior
Actual Behavior
Trivy detects a CRITICAL vulnerability with google.golang.org/grpc which has an upstream fix
Reproduction Steps
Target
None
Scanner
Vulnerability
Output Format
None
Mode
None
Debug Output
usr/local/bin/trivy (gobinary)
==============================
Total: 1 (CRITICAL: 1)

┌────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐
│        Library         │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                          │
├────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ google.golang.org/grpc │ CVE-2026-33186 │ CRITICAL │ fixed  │ v1.78.0           │ 1.79.3        │ gRPC-Go has an authorization bypass via missing leading │
│                        │                │          │        │                   │               │ slash in :path                                          │
│                        │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-33186              │
└────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘
Operating System
linux-x64
Version
Checklist
trivy clean --all