Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Critical vulnerability in github.com/hashicorp/go-getter (CVE-2024-3817) #1677

Open
elchenberg opened this issue May 27, 2024 · 2 comments
Open

Critical vulnerability in github.com/hashicorp/go-getter (CVE-2024-3817) #1677

elchenberg opened this issue May 27, 2024 · 2 comments

Comments

@elchenberg
Copy link

  • terrascan version: 4422eb5 / v1.19.1

Description

The github.com/hashicorp/go-getter package v1.7.0 has a CRITICAL vulnerability (CVE-2024-3817) and should be updated to v1.7.4.

What I Did

trivy filesystem --scanners vuln --severity CRITICAL .
# or
make docker-build
trivy image --scanners vuln --severity CRITICAL "docker-terrascan-local.artifactory.eng.tenable.com/terrascan:$(cat dockerhub-image-label.txt)"

Output:

2024-05-27T13:13:21+02:00	INFO	Vulnerability scanning is enabled
2024-05-27T13:13:21+02:00	INFO	Detected OS	family="alpine" version="3.16.9"
2024-05-27T13:13:21+02:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.16" repository="3.16" pkg_num=32
2024-05-27T13:13:21+02:00	INFO	Number of language-specific files	num=1
2024-05-27T13:13:21+02:00	INFO	[gobinary] Detecting vulnerabilities...
2024-05-27T13:13:21+02:00	WARN	This OS version is no longer supported by the distribution	family="alpine" version="3.16.9"
2024-05-27T13:13:21+02:00	WARN	The vulnerability detection may be insufficient because security updates are not provided

docker-terrascan-local.artifactory.eng.tenable.com/terrascan:4422eb52 (alpine 3.16.9)

Total: 0 (CRITICAL: 0)


go/bin/terrascan (gobinary)

Total: 4 (CRITICAL: 4)

┌────────────────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │  Status  │ Installed Version │ Fixed Version │                            Title                             │
├────────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-getter │ CVE-2024-3817  │ CRITICAL │ fixed    │ v1.7.0            │ 1.7.4         │ HashiCorp\u2019s go-getter library is vulnerable to argument │
│                                │                │          │          │                   │               │ injection ...                                                │
│                                │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-3817                    │
├────────────────────────────────┼────────────────┤          │          ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/moby/buildkit       │ CVE-2024-23652 │          │          │ v0.8.3            │ 0.12.5        │ moby/buildkit: possible host system access from mount stub   │
│                                │                │          │          │                   │               │ cleaner                                                      │
│                                │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-23652                   │
│                                ├────────────────┤          │          │                   │               ├──────────────────────────────────────────────────────────────┤
│                                │ CVE-2024-23653 │          │          │                   │               │ moby/buildkit: Buildkit's interactive containers API does    │
│                                │                │          │          │                   │               │ not validate entitlements check                              │
│                                │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-23653                   │
├────────────────────────────────┼────────────────┤          ├──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ gopkg.in/src-d/go-git.v4       │ CVE-2023-49569 │          │ affected │ v4.13.1           │               │ go-git: Maliciously crafted Git server replies can lead to   │
│                                │                │          │          │                   │               │ path traversal and...                                        │
│                                │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-49569                   │
└────────────────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
``
@nmoretenable
Copy link
Contributor

currently working on this issue to resolve the vulnerability, will merge PR soon.

@nmoretenable
Copy link
Contributor

These are resolved in latest version of terrascan v1.19.9. Please check.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@elchenberg @nmoretenable