Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2024-3817
Vulnerability from cvelistv5
Published
2024-04-17 19:37
Modified
2024-08-01 20:20
Severity ?
EPSS score ?
0.48%
(0.62638)
Summary
HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches.
This vulnerability does not affect the go-getter/v2 branch and package.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HashiCorp | Shared library |
Version: 1.5.9 ≤ |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:hashicorp:go-getter:1.5.9:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "go-getter", vendor: "hashicorp", versions: [ { lessThan: "1.7.3", status: "affected", version: "1.5.9", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-3817", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-04-23T16:09:26.407809Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-04T17:31:04.582Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T20:20:01.607Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", platforms: [ "64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux", ], product: "Shared library", repo: "https://github.com/hashicorp/go-getter", vendor: "HashiCorp", versions: [ { lessThan: "1.7.3", status: "affected", version: "1.5.9", versionType: "semver", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. \n\nThis vulnerability does not affect the go-getter/v2 branch and package.</p><br/>", }, ], value: "HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. \n\nThis vulnerability does not affect the go-getter/v2 branch and package.", }, ], impacts: [ { capecId: "CAPEC-248", descriptions: [ { lang: "en", value: "CAPEC-248: Command Injection", }, ], }, ], metrics: [ { cvssV3_1: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-88", description: "CWE-88: Improper Neutralization of Argument Delimiters in a Command (Argument Injection)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-04-17T19:37:25.878Z", orgId: "67fedba0-ff2e-4543-ba5b-aa93e87718cc", shortName: "HashiCorp", }, references: [ { url: "https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040", }, ], source: { advisory: "HCSEC-2024-09", discovery: "EXTERNAL", }, title: "HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches", }, }, cveMetadata: { assignerOrgId: "67fedba0-ff2e-4543-ba5b-aa93e87718cc", assignerShortName: "HashiCorp", cveId: "CVE-2024-3817", datePublished: "2024-04-17T19:37:25.878Z", dateReserved: "2024-04-15T14:04:27.869Z", dateUpdated: "2024-08-01T20:20:01.607Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { fkie_nvd: { descriptions: "[{\"lang\": \"en\", \"value\": \"HashiCorp\\u2019s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. \\n\\nThis vulnerability does not affect the go-getter/v2 branch and package.\"}, {\"lang\": \"es\", \"value\": \"La librer\\u00eda de HashiCorp es vulnerable a la inyecci\\u00f3n de argumentos al ejecutar Git para descubrir ramas remotas. Esta vulnerabilidad no afecta a la rama ni al paquete go-getter/v2.\"}]", id: "CVE-2024-3817", lastModified: "2024-11-21T09:30:27.713", metrics: "{\"cvssMetricV31\": [{\"source\": \"security@hashicorp.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}", published: "2024-04-17T20:15:08.383", references: "[{\"url\": \"https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040\", \"source\": \"security@hashicorp.com\"}, {\"url\": \"https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]", sourceIdentifier: "security@hashicorp.com", vulnStatus: "Awaiting Analysis", weaknesses: "[{\"source\": \"security@hashicorp.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-88\"}]}]", }, nvd: "{\"cve\":{\"id\":\"CVE-2024-3817\",\"sourceIdentifier\":\"security@hashicorp.com\",\"published\":\"2024-04-17T20:15:08.383\",\"lastModified\":\"2024-11-21T09:30:27.713\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. \\n\\nThis vulnerability does not affect the go-getter/v2 branch and package.\"},{\"lang\":\"es\",\"value\":\"La librería de HashiCorp es vulnerable a la inyección de argumentos al ejecutar Git para descubrir ramas remotas. Esta vulnerabilidad no afecta a la rama ni al paquete go-getter/v2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@hashicorp.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@hashicorp.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-88\"}]}],\"references\":[{\"url\":\"https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040\",\"source\":\"security@hashicorp.com\"},{\"url\":\"https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}", vulnrichment: { containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T20:20:01.607Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-3817\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-04-23T16:09:26.407809Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:hashicorp:go-getter:1.5.9:*:*:*:*:*:*:*\"], \"vendor\": \"hashicorp\", \"product\": \"go-getter\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.5.9\", \"lessThan\": \"1.7.3\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-04-23T16:13:11.958Z\"}}], \"cna\": {\"title\": \"HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches\", \"source\": {\"advisory\": \"HCSEC-2024-09\", \"discovery\": \"EXTERNAL\"}, \"impacts\": [{\"capecId\": \"CAPEC-248\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-248: Command Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/hashicorp/go-getter\", \"vendor\": \"HashiCorp\", \"product\": \"Shared library\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.5.9\", \"lessThan\": \"1.7.3\", \"versionType\": \"semver\"}], \"platforms\": [\"64 bit\", \"32 bit\", \"x86\", \"ARM\", \"MacOS\", \"Windows\", \"Linux\"], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"HashiCorp\\u2019s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. \\n\\nThis vulnerability does not affect the go-getter/v2 branch and package.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"<p>HashiCorp\\u2019s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. \\n\\nThis vulnerability does not affect the go-getter/v2 branch and package.</p><br/>\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-88\", \"description\": \"CWE-88: Improper Neutralization of Argument Delimiters in a Command (Argument Injection)\"}]}], \"providerMetadata\": {\"orgId\": \"67fedba0-ff2e-4543-ba5b-aa93e87718cc\", \"shortName\": \"HashiCorp\", \"dateUpdated\": \"2024-04-17T19:37:25.878Z\"}}}", cveMetadata: "{\"cveId\": \"CVE-2024-3817\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-01T20:20:01.607Z\", \"dateReserved\": \"2024-04-15T14:04:27.869Z\", \"assignerOrgId\": \"67fedba0-ff2e-4543-ba5b-aa93e87718cc\", \"datePublished\": \"2024-04-17T19:37:25.878Z\", \"assignerShortName\": \"HashiCorp\"}", dataType: "CVE_RECORD", dataVersion: "5.1", }, }, }
gsd-2024-3817
Vulnerability from gsd
Modified
2024-04-16 05:01
Details
HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches.
This vulnerability does not affect the go-getter/v2 branch and package.
Aliases
{ gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2024-3817", ], details: "HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. \n\nThis vulnerability does not affect the go-getter/v2 branch and package.", id: "GSD-2024-3817", modified: "2024-04-16T05:01:59.493981Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "security@hashicorp.com", ID: "CVE-2024-3817", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Shared library", version: { version_data: [ { version_affected: "<", version_name: "1.5.9", version_value: "1.7.3", }, ], }, }, ], }, vendor_name: "HashiCorp", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. \n\nThis vulnerability does not affect the go-getter/v2 branch and package.", }, ], }, impact: { cvss: [ { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, ], }, problemtype: { problemtype_data: [ { description: [ { cweId: "CWE-88", lang: "eng", value: "CWE-88: Improper Neutralization of Argument Delimiters in a Command (Argument Injection)", }, ], }, ], }, references: { reference_data: [ { name: "https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040", refsource: "MISC", url: "https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040", }, ], }, source: { advisory: "HCSEC-2024-09", discovery: "EXTERNAL", }, }, "nvd.nist.gov": { cve: { descriptions: [ { lang: "en", value: "HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. \n\nThis vulnerability does not affect the go-getter/v2 branch and package.", }, { lang: "es", value: "La librería de HashiCorp es vulnerable a la inyección de argumentos al ejecutar Git para descubrir ramas remotas. Esta vulnerabilidad no afecta a la rama ni al paquete go-getter/v2.", }, ], id: "CVE-2024-3817", lastModified: "2024-04-18T13:04:28.900", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "security@hashicorp.com", type: "Secondary", }, ], }, published: "2024-04-17T20:15:08.383", references: [ { source: "security@hashicorp.com", url: "https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040", }, ], sourceIdentifier: "security@hashicorp.com", vulnStatus: "Awaiting Analysis", weaknesses: [ { description: [ { lang: "en", value: "CWE-88", }, ], source: "security@hashicorp.com", type: "Secondary", }, ], }, }, }, }
opensuse-su-2025:14713-1
Vulnerability from csaf_opensuse
Published
2025-01-29 00:00
Modified
2025-01-29 00:00
Summary
trivy-0.58.2-1.1 on GA media
Notes
Title of the patch
trivy-0.58.2-1.1 on GA media
Description of the patch
These are all security issues fixed in the trivy-0.58.2-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2025-14713
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "trivy-0.58.2-1.1 on GA media", title: "Title of the patch", }, { category: "description", text: "These are all security issues fixed in the trivy-0.58.2-1.1 package on the GA media of openSUSE Tumbleweed.", title: "Description of the patch", }, { category: "details", text: "openSUSE-Tumbleweed-2025-14713", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14713-1.json", }, { category: "self", summary: "URL for openSUSE-SU-2025:14713-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JZAWXH6WKGE2WACLTZWYMHTDCJMU3X6R/", }, { category: "self", summary: "E-Mail link for openSUSE-SU-2025:14713-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JZAWXH6WKGE2WACLTZWYMHTDCJMU3X6R/", }, { category: "self", summary: "SUSE CVE CVE-2024-3817 page", url: "https://www.suse.com/security/cve/CVE-2024-3817/", }, { category: "self", summary: "SUSE CVE CVE-2024-45337 page", url: "https://www.suse.com/security/cve/CVE-2024-45337/", }, { category: "self", summary: "SUSE CVE CVE-2024-45338 page", url: "https://www.suse.com/security/cve/CVE-2024-45338/", }, { category: "self", summary: "SUSE CVE CVE-2025-21613 page", url: "https://www.suse.com/security/cve/CVE-2025-21613/", }, ], title: "trivy-0.58.2-1.1 on GA media", tracking: { current_release_date: "2025-01-29T00:00:00Z", generator: { date: "2025-01-29T00:00:00Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2025:14713-1", initial_release_date: "2025-01-29T00:00:00Z", revision_history: [ { date: "2025-01-29T00:00:00Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "trivy-0.58.2-1.1.aarch64", product: { name: "trivy-0.58.2-1.1.aarch64", product_id: "trivy-0.58.2-1.1.aarch64", }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "trivy-0.58.2-1.1.ppc64le", product: { name: "trivy-0.58.2-1.1.ppc64le", product_id: "trivy-0.58.2-1.1.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "trivy-0.58.2-1.1.s390x", product: { name: "trivy-0.58.2-1.1.s390x", product_id: "trivy-0.58.2-1.1.s390x", }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "trivy-0.58.2-1.1.x86_64", product: { name: "trivy-0.58.2-1.1.x86_64", product_id: "trivy-0.58.2-1.1.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "openSUSE Tumbleweed", product: { name: "openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed", product_identification_helper: { cpe: "cpe:/o:opensuse:tumbleweed", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "trivy-0.58.2-1.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:trivy-0.58.2-1.1.aarch64", }, product_reference: "trivy-0.58.2-1.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "trivy-0.58.2-1.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:trivy-0.58.2-1.1.ppc64le", }, product_reference: "trivy-0.58.2-1.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "trivy-0.58.2-1.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:trivy-0.58.2-1.1.s390x", }, product_reference: "trivy-0.58.2-1.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "trivy-0.58.2-1.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:trivy-0.58.2-1.1.x86_64", }, product_reference: "trivy-0.58.2-1.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, ], }, vulnerabilities: [ { cve: "CVE-2024-3817", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-3817", }, ], notes: [ { category: "general", text: "HashiCorp's go-getter library is vulnerable to argument injection when executing Git to discover remote branches. \n\nThis vulnerability does not affect the go-getter/v2 branch and package.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:trivy-0.58.2-1.1.aarch64", "openSUSE Tumbleweed:trivy-0.58.2-1.1.ppc64le", "openSUSE Tumbleweed:trivy-0.58.2-1.1.s390x", "openSUSE Tumbleweed:trivy-0.58.2-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2024-3817", url: "https://www.suse.com/security/cve/CVE-2024-3817", }, { category: "external", summary: "SUSE Bug 1226999 for CVE-2024-3817", url: "https://bugzilla.suse.com/1226999", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:trivy-0.58.2-1.1.aarch64", "openSUSE Tumbleweed:trivy-0.58.2-1.1.ppc64le", "openSUSE Tumbleweed:trivy-0.58.2-1.1.s390x", "openSUSE Tumbleweed:trivy-0.58.2-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2025-01-29T00:00:00Z", details: "low", }, ], title: "CVE-2024-3817", }, { cve: "CVE-2024-45337", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-45337", }, ], notes: [ { category: "general", text: "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:trivy-0.58.2-1.1.aarch64", "openSUSE Tumbleweed:trivy-0.58.2-1.1.ppc64le", "openSUSE Tumbleweed:trivy-0.58.2-1.1.s390x", "openSUSE Tumbleweed:trivy-0.58.2-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2024-45337", url: "https://www.suse.com/security/cve/CVE-2024-45337", }, { category: "external", summary: "SUSE Bug 1234482 for CVE-2024-45337", url: "https://bugzilla.suse.com/1234482", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:trivy-0.58.2-1.1.aarch64", "openSUSE Tumbleweed:trivy-0.58.2-1.1.ppc64le", "openSUSE Tumbleweed:trivy-0.58.2-1.1.s390x", "openSUSE Tumbleweed:trivy-0.58.2-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:trivy-0.58.2-1.1.aarch64", "openSUSE Tumbleweed:trivy-0.58.2-1.1.ppc64le", "openSUSE Tumbleweed:trivy-0.58.2-1.1.s390x", "openSUSE Tumbleweed:trivy-0.58.2-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2025-01-29T00:00:00Z", details: "important", }, ], title: "CVE-2024-45337", }, { cve: "CVE-2024-45338", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-45338", }, ], notes: [ { category: "general", text: "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:trivy-0.58.2-1.1.aarch64", "openSUSE Tumbleweed:trivy-0.58.2-1.1.ppc64le", "openSUSE Tumbleweed:trivy-0.58.2-1.1.s390x", "openSUSE Tumbleweed:trivy-0.58.2-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2024-45338", url: "https://www.suse.com/security/cve/CVE-2024-45338", }, { category: "external", summary: "SUSE Bug 1234794 for CVE-2024-45338", url: "https://bugzilla.suse.com/1234794", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:trivy-0.58.2-1.1.aarch64", "openSUSE Tumbleweed:trivy-0.58.2-1.1.ppc64le", "openSUSE Tumbleweed:trivy-0.58.2-1.1.s390x", "openSUSE Tumbleweed:trivy-0.58.2-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:trivy-0.58.2-1.1.aarch64", "openSUSE Tumbleweed:trivy-0.58.2-1.1.ppc64le", "openSUSE Tumbleweed:trivy-0.58.2-1.1.s390x", "openSUSE Tumbleweed:trivy-0.58.2-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2025-01-29T00:00:00Z", details: "important", }, ], title: "CVE-2024-45338", }, { cve: "CVE-2025-21613", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2025-21613", }, ], notes: [ { category: "general", text: "go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:trivy-0.58.2-1.1.aarch64", "openSUSE Tumbleweed:trivy-0.58.2-1.1.ppc64le", "openSUSE Tumbleweed:trivy-0.58.2-1.1.s390x", "openSUSE Tumbleweed:trivy-0.58.2-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2025-21613", url: "https://www.suse.com/security/cve/CVE-2025-21613", }, { category: "external", summary: "SUSE Bug 1235572 for CVE-2025-21613", url: "https://bugzilla.suse.com/1235572", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:trivy-0.58.2-1.1.aarch64", "openSUSE Tumbleweed:trivy-0.58.2-1.1.ppc64le", "openSUSE Tumbleweed:trivy-0.58.2-1.1.s390x", "openSUSE Tumbleweed:trivy-0.58.2-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:trivy-0.58.2-1.1.aarch64", "openSUSE Tumbleweed:trivy-0.58.2-1.1.ppc64le", "openSUSE Tumbleweed:trivy-0.58.2-1.1.s390x", "openSUSE Tumbleweed:trivy-0.58.2-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2025-01-29T00:00:00Z", details: "important", }, ], title: "CVE-2025-21613", }, ], }
opensuse-su-2025:0056-1
Vulnerability from csaf_opensuse
Published
2025-02-07 11:01
Modified
2025-02-07 11:01
Summary
Security update for trivy
Notes
Title of the patch
Security update for trivy
Description of the patch
This update for trivy fixes the following issues:
Update to version 0.58.2 (
boo#1234512, CVE-2024-45337,
boo#1235265, CVE-2024-45338):
* fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238)
* fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#8237)
* fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] (#8215)
* fix(sbom): attach nested packages to Application [backport: release/v0.58] (#8168)
* fix(python): skip dev group's deps for poetry [backport: release/v0.58] (#8158)
* fix(sbom): use root package for `unknown` dependencies (if exists) [backport: release/v0.58] (#8156)
* chore(deps): bump `golang.org/x/net` from `v0.32.0` to `v0.33.0` [backport: release/v0.58] (#8142)
* chore(deps): bump `github.com/CycloneDX/cyclonedx-go` from `v0.9.1` to `v0.9.2` [backport: release/v0.58] (#8136)
* fix(redhat): correct rewriting of recommendations for the same vulnerability [backport: release/v0.58] (#8135)
* fix(oracle): add architectures support for advisories [backport: release/v0.58] (#8125)
* fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type [backport: release/v0.58] (#8124)
* chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 [backport: release/v0.58] (#8122)
* fix: handle `BLOW_UNKNOWN` error to download DBs [backport: release/v0.58] (#8121)
* fix(java): correctly overwrite version from depManagement if dependency uses `project.*` props [backport: release/v0.58] (#8119)
* release: v0.58.0 [main] (#7874)
* fix(misconf): wrap AWS EnvVar to iac types (#7407)
* chore(deps): Upgrade trivy-checks (#8018)
* refactor(misconf): Remove unused options (#7896)
* docs: add terminology page to explain Trivy concepts (#7996)
* feat: add `workspaceRelationship` (#7889)
* refactor(sbom): simplify relationship generation (#7985)
* docs: improve databases documentation (#7732)
* refactor: remove support for custom Terraform checks (#7901)
* docs: drop AWS account scanning (#7997)
* fix(aws): change CPU and Memory type of ContainerDefinition to a string (#7995)
* fix(cli): Handle empty ignore files more gracefully (#7962)
* fix(misconf): load full Terraform module (#7925)
* fix(misconf): properly resolve local Terraform cache (#7983)
* refactor(k8s): add v prefix for Go packages (#7839)
* test: replace Go checks with Rego (#7867)
* feat(misconf): log causes of HCL file parsing errors (#7634)
* chore(deps): bump the aws group across 1 directory with 7 updates (#7991)
* chore(deps): bump github.com/moby/buildkit from 0.17.0 to 0.17.2 in the docker group across 1 directory (#7990)
* chore(deps): update csaf module dependency from csaf-poc to gocsaf (#7992)
* chore: downgrade the failed block expand message to debug (#7964)
* fix(misconf): do not erase variable type for child modules (#7941)
* feat(go): construct dependencies of `go.mod` main module in the parser (#7977)
* feat(go): construct dependencies in the parser (#7973)
* feat: add cvss v4 score and vector in scan response (#7968)
* docs: add `overview` page for `others` (#7972)
* fix(sbom): Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details (#7871)
* feat(suse): Align SUSE/OpenSUSE OS Identifiers (#7965)
* chore(deps): bump the common group with 4 updates (#7949)
* feat(oracle): add `flavors` support (#7858)
* fix(misconf): Update trivy-checks default repo to `mirror.gcr.io` (#7953)
* chore(deps): Bump up trivy-checks to v1.3.0 (#7959)
* fix(k8s): check all results for vulnerabilities (#7946)
* ci(helm): bump Trivy version to 0.57.1 for Trivy Helm Chart 0.9.0 (#7945)
* feat(secret): Add built-in secrets rules for Private Packagist (#7826)
* docs: Fix broken links (#7900)
* docs: fix mistakes/typos (#7942)
* feat: Update registry fallbacks (#7679)
* fix(alpine): add `UID` for removed packages (#7887)
* chore(deps): bump the aws group with 6 updates (#7902)
* chore(deps): bump the common group with 6 updates (#7904)
* fix(debian): infinite loop (#7928)
* fix(redhat): don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files (#7912)
* docs: add note about temporary podman socket (#7921)
* docs: combine trivy.dev into trivy docs (#7884)
* test: change branch in spdx schema link to check in integration tests (#7935)
* docs: add Headlamp to the Trivy Ecosystem page (#7916)
* fix(report): handle `git@github.com` schema for misconfigs in `sarif` report (#7898)
* chore(k8s): enhance k8s scan log (#6997)
* fix(terraform): set null value as fallback for missing variables (#7669)
* fix(misconf): handle null properties in CloudFormation templates (#7813)
* fix(fs): add missing defered Cleanup() call to post analyzer fs (#7882)
* chore(deps): bump the common group across 1 directory with 20 updates (#7876)
* chore: bump containerd to v2.0.0 (#7875)
* fix: Improve version comparisons when build identifiers are present (#7873)
* feat(k8s): add default commands for unknown platform (#7863)
* chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#7868)
* refactor(secret): optimize performance by moving ToLower operation outside loop (#7862)
* test: save `containerd` image into archive and use in tests (#7816)
* chore(deps): bump the github-actions group across 1 directory with 2 updates (#7854)
* chore: bump golangci-lint to v1.61.0 (#7853)
- Update to version 0.57.1:
* release: v0.57.1 [release/v0.57] (#7943)
* feat: Update registry fallbacks [backport: release/v0.57] (#7944)
* fix(redhat): don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files [backport: release/v0.57] (#7939)
* test: change branch in spdx schema link to check in integration tests [backport: release/v0.57] (#7940)
* release: v0.57.0 [main] (#7710)
* chore: lint `errors.Join` (#7845)
* feat(db): append errors (#7843)
* docs(java): add info about supported scopes (#7842)
* docs: add example of creating whitelist of checks (#7821)
* chore(deps): Bump trivy-checks (#7819)
* fix(go): Do not trim v prefix from versions in Go Mod Analyzer (#7733)
* fix(k8s): skip resources without misconfigs (#7797)
* fix(sbom): use `Annotation` instead of `AttributionTexts` for `SPDX` formats (#7811)
* fix(cli): add config name to skip-policy-update alias (#7820)
* fix(helm): properly handle multiple archived dependencies (#7782)
* refactor(misconf): Deprecate `EXCEPTIONS` for misconfiguration scanning (#7776)
* fix(k8s)!: support k8s multi container (#7444)
* fix(k8s): support kubernetes v1.31 (#7810)
* docs: add Windows install instructions (#7800)
* ci(helm): auto public Helm chart after PR merged (#7526)
* feat: add end of life date for Ubuntu 24.10 (#7787)
* feat(report): update gitlab template to populate operating_system value (#7735)
* feat(misconf): Show misconfig ID in output (#7762)
* feat(misconf): export unresolvable field of IaC types to Rego (#7765)
* refactor(k8s): scan config files as a folder (#7690)
* fix(license): fix license normalization for Universal Permissive License (#7766)
* fix: enable usestdlibvars linter (#7770)
* fix(misconf): properly expand dynamic blocks (#7612)
* feat(cyclonedx): add file checksums to `CycloneDX` reports (#7507)
* fix(misconf): fix for Azure Storage Account network acls adaptation (#7602)
* refactor(misconf): simplify k8s scanner (#7717)
* feat(parser): ignore white space in pom.xml files (#7747)
* test: use forked images (#7755)
* fix(java): correctly inherit `version` and `scope` from upper/root `depManagement` and `dependencies` into parents (#7541)
* fix(misconf): check if property is not nil before conversion (#7578)
* fix(misconf): change default ACL of digitalocean_spaces_bucket to private (#7577)
* feat(misconf): ssl_mode support for GCP SQL DB instance (#7564)
* test: define constants for test images (#7739)
* docs: add note about disabled DS016 check (#7724)
* feat(misconf): public network support for Azure Storage Account (#7601)
* feat(cli): rename `trivy auth` to `trivy registry` (#7727)
* docs: apt-transport-https is a transitional package (#7678)
* refactor(misconf): introduce generic scanner (#7515)
* fix(cli): `clean --all` deletes only relevant dirs (#7704)
* feat(cli): add `trivy auth` (#7664)
* fix(sbom): add options for DBs in private registries (#7660)
* docs(report): fix reporting doc format (#7671)
* fix(repo): `git clone` output to Stderr (#7561)
* fix(redhat): include arch in PURL qualifiers (#7654)
* fix(report): Fix invalid URI in SARIF report (#7645)
* docs(report): Improve SARIF reporting doc (#7655)
* fix(db): fix javadb downloading error handling (#7642)
* feat(cli): error out when ignore file cannot be found (#7624)
- Update to version 0.56.2:
* release: v0.56.2 [release/v0.56] (#7694)
* fix(redhat): include arch in PURL qualifiers [backport: release/v0.56] (#7702)
* fix(sbom): add options for DBs in private registries [backport: release/v0.56] (#7691)
- Update to version 0.56.1:
* release: v0.56.1 [release/v0.56] (#7648)
* fix(db): fix javadb downloading error handling [backport: release/v0.56] (#7646)
* release: v0.56.0 [main] (#7447)
* fix(misconf): not to warn about missing selectors of libraries (#7638)
* feat: support RPM archives (#7628)
* fix(secret): change grafana token regex to find them without unquoted (#7627)
* fix(misconf): Disable deprecated checks by default (#7632)
* chore: add prefixes to log messages (#7625)
* feat(misconf): Support `--skip-*` for all included modules (#7579)
* feat: support multiple DB repositories for vulnerability and Java DB (#7605)
* ci: don't use cache for `setup-go` (#7622)
* test: use loaded image names (#7617)
* feat(java): add empty versions if `pom.xml` dependency versions can't be detected (#7520)
* feat(secret): enhance secret scanning for python binary files (#7223)
* refactor: fix auth error handling (#7615)
* ci: split `save` and `restore` cache actions (#7614)
* fix(misconf): disable DS016 check for image history analyzer (#7540)
* feat(suse): added SUSE Linux Enterprise Micro support (#7294)
* feat(misconf): add ability to disable checks by ID (#7536)
* fix(misconf): escape all special sequences (#7558)
* test: use a local registry for remote scanning (#7607)
* fix: allow access to '..' in mapfs (#7575)
* fix(db): check `DownloadedAt` for `trivy-java-db` (#7592)
* chore(deps): bump the common group across 1 directory with 20 updates (#7604)
* ci: add `workflow_dispatch` trigger for test workflow. (#7606)
* ci: cache test images for `integration`, `VM` and `module` tests (#7599)
* chore(deps): remove broken replaces for opa and discovery (#7600)
* docs(misconf): Add more info on how to use arbitrary JSON/YAML scan feat (#7458)
* fix(misconf): Fixed scope for China Cloud (#7560)
* perf(misconf): use port ranges instead of enumeration (#7549)
* fix(sbom): export bom-ref when converting a package to a component (#7340)
* refactor(misconf): pass options to Rego scanner as is (#7529)
* fix(sbom): parse type `framework` as `library` when unmarshalling `CycloneDX` files (#7527)
* chore(deps): bump go-ebs-file (#7513)
* fix(misconf): Fix logging typo (#7473)
* feat(misconf): Register checks only when needed (#7435)
* refactor: split `.egg` and `packaging` analyzers (#7514)
* fix(java): use `dependencyManagement` from root/child pom's for dependencies from parents (#7497)
* chore(vex): add `CVE-2024-34155`, `CVE-2024-34156` and `CVE-2024-34158` in `trivy.openvex.json` (#7510)
* chore(deps): bump alpine from 3.20.0 to 3.20.3 (#7508)
* chore(vex): suppress openssl vulnerabilities (#7500)
* revert(java): stop supporting of `test` scope for `pom.xml` files (#7488)
* docs(db): add a manifest example (#7485)
* feat(license): improve license normalization (#7131)
* docs(oci): Add a note About the expected Media Type for the Trivy-DB OCI Artifact (#7449)
* fix(report): fix error with unmarshal of `ExperimentalModifiedFindings` (#7463)
* fix(report): change a receiver of MarshalJSON (#7483)
* fix(oracle): Update EOL date for Oracle 7 (#7480)
* chore(deps): bump the aws group with 6 updates (#7468)
* chore(deps): bump the common group across 1 directory with 19 updates (#7436)
* chore(helm): bump up Trivy Helm chart (#7441)
* refactor(java): add error/statusCode for logs when we can't get pom.xml/maven-metadata.xml from remote repo (#7451)
* fix(license): stop spliting a long license text (#7336)
* release: v0.55.0 [main] (#7271)
* feat(go): use `toolchain` as `stdlib` version for `go.mod` files (#7163)
* fix(license): add license handling to JUnit template (#7409)
* feat(java): add `test` scope support for `pom.xml` files (#7414)
* chore(deps): Bump trivy-checks and pin OPA (#7427)
* fix(helm): explicitly define `kind` and `apiVersion` of `volumeClaimTemplate` element (#7362)
* feat(sbom): set User-Agent header on requests to Rekor (#7396)
* test: add integration plugin tests (#7299)
* fix(nodejs): check all `importers` to detect dev deps from pnpm-lock.yaml file (#7387)
* fix: logger initialization before flags parsing (#7372)
* fix(aws): handle ECR repositories in different regions (#6217)
* fix(misconf): fix infer type for null value (#7424)
* fix(secret): use `.eyJ` keyword for JWT secret (#7410)
* fix(misconf): do not recreate filesystem map (#7416)
* chore(deps): Bump trivy-checks (#7417)
* fix(misconf): do not register Rego libs in checks registry (#7420)
* fix(sbom): use `NOASSERTION` for licenses fields in SPDX formats (#7403)
* feat(report): export modified findings in JSON (#7383)
* feat(server): Make Trivy Server Multiplexer Exported (#7389)
* chore: update CODEOWNERS (#7398)
* fix(secret): use only line with secret for long secret lines (#7412)
* chore: fix allow rule of ignoring test files to make it case insensitive (#7415)
* feat(misconf): port and protocol support for EC2 networks (#7146)
* fix(misconf): do not filter Terraform plan JSON by name (#7406)
* feat(misconf): support for ignore by nested attributes (#7205)
* fix(misconf): use module to log when metadata retrieval fails (#7405)
* fix(report): escape `Message` field in `asff.tpl` template (#7401)
* feat(misconf): Add support for using spec from on-disk bundle (#7179)
* docs: add pkg flags to config file page (#7370)
* feat(python): use minimum version for pip packages (#7348)
* fix(misconf): support deprecating for Go checks (#7377)
* fix(misconf): init frameworks before updating them (#7376)
* feat(misconf): ignore duplicate checks (#7317)
* refactor(misconf): use slog (#7295)
* chore(deps): bump trivy-checks (#7350)
* feat(server): add internal `--path-prefix` flag for client/server mode (#7321)
* chore(deps): bump the aws group across 1 directory with 7 updates (#7358)
* fix: safely check if the directory exists (#7353)
* feat(misconf): variable support for Terraform Plan (#7228)
* feat(misconf): scanning support for YAML and JSON (#7311)
* fix(misconf): wrap Azure PortRange in iac types (#7357)
* refactor(misconf): highlight only affected rows (#7310)
* fix(misconf): change default TLS values for the Azure storage account (#7345)
* chore(deps): bump the common group with 9 updates (#7333)
* docs(misconf): Update callsites to use correct naming (#7335)
* docs: update air-gapped docs (#7160)
* refactor: replace ftypes.Gradle with packageurl.TypeGradle (#7323)
* perf(misconf): optimize work with context (#6968)
* docs: update links to packaging.python.org (#7318)
* docs: update client/server docs for misconf and license scanning (#7277)
* chore(deps): bump the common group across 1 directory with 7 updates (#7305)
* feat(misconf): iterator argument support for dynamic blocks (#7236)
* fix(misconf): do not set default value for default_cache_behavior (#7234)
* feat(misconf): support for policy and bucket grants (#7284)
* fix(misconf): load only submodule if it is specified in source (#7112)
* perf(misconf): use json.Valid to check validity of JSON (#7308)
* refactor(misconf): remove unused universal scanner (#7293)
* perf(misconf): do not convert contents of a YAML file to string (#7292)
* fix(terraform): add aws_region name to presets (#7184)
* docs: add auto-generated config (#7261)
* feat(vuln): Add `--detection-priority` flag for accuracy tuning (#7288)
* refactor(misconf): remove file filtering from parsers (#7289)
* fix(flag): incorrect behavior for deprected flag `--clear-cache` (#7281)
* fix(java): Return error when trying to find a remote pom to avoid segfault (#7275)
* fix(plugin): do not call GitHub content API for releases and tags (#7274)
* feat(vm): support the Ext2/Ext3 filesystems (#6983)
* feat(cli)!: delete deprecated SBOM flags (#7266)
* feat(vm): Support direct filesystem (#7058)
- Update to version 0.51.1 (boo#1227010, CVE-2024-3817):
Patchnames
openSUSE-2025-56
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for trivy", title: "Title of the patch", }, { category: "description", text: "This update for trivy fixes the following issues:\n\nUpdate to version 0.58.2 (\n\n boo#1234512, CVE-2024-45337,\n boo#1235265, CVE-2024-45338):\n\n * fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238)\n * fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#8237)\n * fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] (#8215)\n * fix(sbom): attach nested packages to Application [backport: release/v0.58] (#8168)\n * fix(python): skip dev group's deps for poetry [backport: release/v0.58] (#8158)\n * fix(sbom): use root package for `unknown` dependencies (if exists) [backport: release/v0.58] (#8156)\n * chore(deps): bump `golang.org/x/net` from `v0.32.0` to `v0.33.0` [backport: release/v0.58] (#8142)\n * chore(deps): bump `github.com/CycloneDX/cyclonedx-go` from `v0.9.1` to `v0.9.2` [backport: release/v0.58] (#8136)\n * fix(redhat): correct rewriting of recommendations for the same vulnerability [backport: release/v0.58] (#8135)\n * fix(oracle): add architectures support for advisories [backport: release/v0.58] (#8125)\n * fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type [backport: release/v0.58] (#8124)\n * chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 [backport: release/v0.58] (#8122)\n * fix: handle `BLOW_UNKNOWN` error to download DBs [backport: release/v0.58] (#8121)\n * fix(java): correctly overwrite version from depManagement if dependency uses `project.*` props [backport: release/v0.58] (#8119)\n * release: v0.58.0 [main] (#7874)\n * fix(misconf): wrap AWS EnvVar to iac types (#7407)\n * chore(deps): Upgrade trivy-checks (#8018)\n * refactor(misconf): Remove unused options (#7896)\n * docs: add terminology page to explain Trivy concepts (#7996)\n * feat: add `workspaceRelationship` (#7889)\n * refactor(sbom): simplify relationship generation (#7985)\n * docs: improve databases documentation (#7732)\n * refactor: remove support for custom Terraform checks (#7901)\n * docs: drop AWS account scanning (#7997)\n * fix(aws): change CPU and Memory type of ContainerDefinition to a string (#7995)\n * fix(cli): Handle empty ignore files more gracefully (#7962)\n * fix(misconf): load full Terraform module (#7925)\n * fix(misconf): properly resolve local Terraform cache (#7983)\n * refactor(k8s): add v prefix for Go packages (#7839)\n * test: replace Go checks with Rego (#7867)\n * feat(misconf): log causes of HCL file parsing errors (#7634)\n * chore(deps): bump the aws group across 1 directory with 7 updates (#7991)\n * chore(deps): bump github.com/moby/buildkit from 0.17.0 to 0.17.2 in the docker group across 1 directory (#7990)\n * chore(deps): update csaf module dependency from csaf-poc to gocsaf (#7992)\n * chore: downgrade the failed block expand message to debug (#7964)\n * fix(misconf): do not erase variable type for child modules (#7941)\n * feat(go): construct dependencies of `go.mod` main module in the parser (#7977)\n * feat(go): construct dependencies in the parser (#7973)\n * feat: add cvss v4 score and vector in scan response (#7968)\n * docs: add `overview` page for `others` (#7972)\n * fix(sbom): Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details (#7871)\n * feat(suse): Align SUSE/OpenSUSE OS Identifiers (#7965)\n * chore(deps): bump the common group with 4 updates (#7949)\n * feat(oracle): add `flavors` support (#7858)\n * fix(misconf): Update trivy-checks default repo to `mirror.gcr.io` (#7953)\n * chore(deps): Bump up trivy-checks to v1.3.0 (#7959)\n * fix(k8s): check all results for vulnerabilities (#7946)\n * ci(helm): bump Trivy version to 0.57.1 for Trivy Helm Chart 0.9.0 (#7945)\n * feat(secret): Add built-in secrets rules for Private Packagist (#7826)\n * docs: Fix broken links (#7900)\n * docs: fix mistakes/typos (#7942)\n * feat: Update registry fallbacks (#7679)\n * fix(alpine): add `UID` for removed packages (#7887)\n * chore(deps): bump the aws group with 6 updates (#7902)\n * chore(deps): bump the common group with 6 updates (#7904)\n * fix(debian): infinite loop (#7928)\n * fix(redhat): don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files (#7912)\n * docs: add note about temporary podman socket (#7921)\n * docs: combine trivy.dev into trivy docs (#7884)\n * test: change branch in spdx schema link to check in integration tests (#7935)\n * docs: add Headlamp to the Trivy Ecosystem page (#7916)\n * fix(report): handle `git@github.com` schema for misconfigs in `sarif` report (#7898)\n * chore(k8s): enhance k8s scan log (#6997)\n * fix(terraform): set null value as fallback for missing variables (#7669)\n * fix(misconf): handle null properties in CloudFormation templates (#7813)\n * fix(fs): add missing defered Cleanup() call to post analyzer fs (#7882)\n * chore(deps): bump the common group across 1 directory with 20 updates (#7876)\n * chore: bump containerd to v2.0.0 (#7875)\n * fix: Improve version comparisons when build identifiers are present (#7873)\n * feat(k8s): add default commands for unknown platform (#7863)\n * chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#7868)\n * refactor(secret): optimize performance by moving ToLower operation outside loop (#7862)\n * test: save `containerd` image into archive and use in tests (#7816)\n * chore(deps): bump the github-actions group across 1 directory with 2 updates (#7854)\n * chore: bump golangci-lint to v1.61.0 (#7853)\n\n- Update to version 0.57.1:\n * release: v0.57.1 [release/v0.57] (#7943)\n * feat: Update registry fallbacks [backport: release/v0.57] (#7944)\n * fix(redhat): don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files [backport: release/v0.57] (#7939)\n * test: change branch in spdx schema link to check in integration tests [backport: release/v0.57] (#7940)\n * release: v0.57.0 [main] (#7710)\n * chore: lint `errors.Join` (#7845)\n * feat(db): append errors (#7843)\n * docs(java): add info about supported scopes (#7842)\n * docs: add example of creating whitelist of checks (#7821)\n * chore(deps): Bump trivy-checks (#7819)\n * fix(go): Do not trim v prefix from versions in Go Mod Analyzer (#7733)\n * fix(k8s): skip resources without misconfigs (#7797)\n * fix(sbom): use `Annotation` instead of `AttributionTexts` for `SPDX` formats (#7811)\n * fix(cli): add config name to skip-policy-update alias (#7820)\n * fix(helm): properly handle multiple archived dependencies (#7782)\n * refactor(misconf): Deprecate `EXCEPTIONS` for misconfiguration scanning (#7776)\n * fix(k8s)!: support k8s multi container (#7444)\n * fix(k8s): support kubernetes v1.31 (#7810)\n * docs: add Windows install instructions (#7800)\n * ci(helm): auto public Helm chart after PR merged (#7526)\n * feat: add end of life date for Ubuntu 24.10 (#7787)\n * feat(report): update gitlab template to populate operating_system value (#7735)\n * feat(misconf): Show misconfig ID in output (#7762)\n * feat(misconf): export unresolvable field of IaC types to Rego (#7765)\n * refactor(k8s): scan config files as a folder (#7690)\n * fix(license): fix license normalization for Universal Permissive License (#7766)\n * fix: enable usestdlibvars linter (#7770)\n * fix(misconf): properly expand dynamic blocks (#7612)\n * feat(cyclonedx): add file checksums to `CycloneDX` reports (#7507)\n * fix(misconf): fix for Azure Storage Account network acls adaptation (#7602)\n * refactor(misconf): simplify k8s scanner (#7717)\n * feat(parser): ignore white space in pom.xml files (#7747)\n * test: use forked images (#7755)\n * fix(java): correctly inherit `version` and `scope` from upper/root `depManagement` and `dependencies` into parents (#7541)\n * fix(misconf): check if property is not nil before conversion (#7578)\n * fix(misconf): change default ACL of digitalocean_spaces_bucket to private (#7577)\n * feat(misconf): ssl_mode support for GCP SQL DB instance (#7564)\n * test: define constants for test images (#7739)\n * docs: add note about disabled DS016 check (#7724)\n * feat(misconf): public network support for Azure Storage Account (#7601)\n * feat(cli): rename `trivy auth` to `trivy registry` (#7727)\n * docs: apt-transport-https is a transitional package (#7678)\n * refactor(misconf): introduce generic scanner (#7515)\n * fix(cli): `clean --all` deletes only relevant dirs (#7704)\n * feat(cli): add `trivy auth` (#7664)\n * fix(sbom): add options for DBs in private registries (#7660)\n * docs(report): fix reporting doc format (#7671)\n * fix(repo): `git clone` output to Stderr (#7561)\n * fix(redhat): include arch in PURL qualifiers (#7654)\n * fix(report): Fix invalid URI in SARIF report (#7645)\n * docs(report): Improve SARIF reporting doc (#7655)\n * fix(db): fix javadb downloading error handling (#7642)\n * feat(cli): error out when ignore file cannot be found (#7624)\n\n- Update to version 0.56.2:\n * release: v0.56.2 [release/v0.56] (#7694)\n * fix(redhat): include arch in PURL qualifiers [backport: release/v0.56] (#7702)\n * fix(sbom): add options for DBs in private registries [backport: release/v0.56] (#7691)\n\n- Update to version 0.56.1:\n * release: v0.56.1 [release/v0.56] (#7648)\n * fix(db): fix javadb downloading error handling [backport: release/v0.56] (#7646)\n * release: v0.56.0 [main] (#7447)\n * fix(misconf): not to warn about missing selectors of libraries (#7638)\n * feat: support RPM archives (#7628)\n * fix(secret): change grafana token regex to find them without unquoted (#7627)\n * fix(misconf): Disable deprecated checks by default (#7632)\n * chore: add prefixes to log messages (#7625)\n * feat(misconf): Support `--skip-*` for all included modules (#7579)\n * feat: support multiple DB repositories for vulnerability and Java DB (#7605)\n * ci: don't use cache for `setup-go` (#7622)\n * test: use loaded image names (#7617)\n * feat(java): add empty versions if `pom.xml` dependency versions can't be detected (#7520)\n * feat(secret): enhance secret scanning for python binary files (#7223)\n * refactor: fix auth error handling (#7615)\n * ci: split `save` and `restore` cache actions (#7614)\n * fix(misconf): disable DS016 check for image history analyzer (#7540)\n * feat(suse): added SUSE Linux Enterprise Micro support (#7294)\n * feat(misconf): add ability to disable checks by ID (#7536)\n * fix(misconf): escape all special sequences (#7558)\n * test: use a local registry for remote scanning (#7607)\n * fix: allow access to '..' in mapfs (#7575)\n * fix(db): check `DownloadedAt` for `trivy-java-db` (#7592)\n * chore(deps): bump the common group across 1 directory with 20 updates (#7604)\n * ci: add `workflow_dispatch` trigger for test workflow. (#7606)\n * ci: cache test images for `integration`, `VM` and `module` tests (#7599)\n * chore(deps): remove broken replaces for opa and discovery (#7600)\n * docs(misconf): Add more info on how to use arbitrary JSON/YAML scan feat (#7458)\n * fix(misconf): Fixed scope for China Cloud (#7560)\n * perf(misconf): use port ranges instead of enumeration (#7549)\n * fix(sbom): export bom-ref when converting a package to a component (#7340)\n * refactor(misconf): pass options to Rego scanner as is (#7529)\n * fix(sbom): parse type `framework` as `library` when unmarshalling `CycloneDX` files (#7527)\n * chore(deps): bump go-ebs-file (#7513)\n * fix(misconf): Fix logging typo (#7473)\n * feat(misconf): Register checks only when needed (#7435)\n * refactor: split `.egg` and `packaging` analyzers (#7514)\n * fix(java): use `dependencyManagement` from root/child pom's for dependencies from parents (#7497)\n * chore(vex): add `CVE-2024-34155`, `CVE-2024-34156` and `CVE-2024-34158` in `trivy.openvex.json` (#7510)\n * chore(deps): bump alpine from 3.20.0 to 3.20.3 (#7508)\n * chore(vex): suppress openssl vulnerabilities (#7500)\n * revert(java): stop supporting of `test` scope for `pom.xml` files (#7488)\n * docs(db): add a manifest example (#7485)\n * feat(license): improve license normalization (#7131)\n * docs(oci): Add a note About the expected Media Type for the Trivy-DB OCI Artifact (#7449)\n * fix(report): fix error with unmarshal of `ExperimentalModifiedFindings` (#7463)\n * fix(report): change a receiver of MarshalJSON (#7483)\n * fix(oracle): Update EOL date for Oracle 7 (#7480)\n * chore(deps): bump the aws group with 6 updates (#7468)\n * chore(deps): bump the common group across 1 directory with 19 updates (#7436)\n * chore(helm): bump up Trivy Helm chart (#7441)\n * refactor(java): add error/statusCode for logs when we can't get pom.xml/maven-metadata.xml from remote repo (#7451)\n * fix(license): stop spliting a long license text (#7336)\n * release: v0.55.0 [main] (#7271)\n * feat(go): use `toolchain` as `stdlib` version for `go.mod` files (#7163)\n * fix(license): add license handling to JUnit template (#7409)\n * feat(java): add `test` scope support for `pom.xml` files (#7414)\n * chore(deps): Bump trivy-checks and pin OPA (#7427)\n * fix(helm): explicitly define `kind` and `apiVersion` of `volumeClaimTemplate` element (#7362)\n * feat(sbom): set User-Agent header on requests to Rekor (#7396)\n * test: add integration plugin tests (#7299)\n * fix(nodejs): check all `importers` to detect dev deps from pnpm-lock.yaml file (#7387)\n * fix: logger initialization before flags parsing (#7372)\n * fix(aws): handle ECR repositories in different regions (#6217)\n * fix(misconf): fix infer type for null value (#7424)\n * fix(secret): use `.eyJ` keyword for JWT secret (#7410)\n * fix(misconf): do not recreate filesystem map (#7416)\n * chore(deps): Bump trivy-checks (#7417)\n * fix(misconf): do not register Rego libs in checks registry (#7420)\n * fix(sbom): use `NOASSERTION` for licenses fields in SPDX formats (#7403)\n * feat(report): export modified findings in JSON (#7383)\n * feat(server): Make Trivy Server Multiplexer Exported (#7389)\n * chore: update CODEOWNERS (#7398)\n * fix(secret): use only line with secret for long secret lines (#7412)\n * chore: fix allow rule of ignoring test files to make it case insensitive (#7415)\n * feat(misconf): port and protocol support for EC2 networks (#7146)\n * fix(misconf): do not filter Terraform plan JSON by name (#7406)\n * feat(misconf): support for ignore by nested attributes (#7205)\n * fix(misconf): use module to log when metadata retrieval fails (#7405)\n * fix(report): escape `Message` field in `asff.tpl` template (#7401)\n * feat(misconf): Add support for using spec from on-disk bundle (#7179)\n * docs: add pkg flags to config file page (#7370)\n * feat(python): use minimum version for pip packages (#7348)\n * fix(misconf): support deprecating for Go checks (#7377)\n * fix(misconf): init frameworks before updating them (#7376)\n * feat(misconf): ignore duplicate checks (#7317)\n * refactor(misconf): use slog (#7295)\n * chore(deps): bump trivy-checks (#7350)\n * feat(server): add internal `--path-prefix` flag for client/server mode (#7321)\n * chore(deps): bump the aws group across 1 directory with 7 updates (#7358)\n * fix: safely check if the directory exists (#7353)\n * feat(misconf): variable support for Terraform Plan (#7228)\n * feat(misconf): scanning support for YAML and JSON (#7311)\n * fix(misconf): wrap Azure PortRange in iac types (#7357)\n * refactor(misconf): highlight only affected rows (#7310)\n * fix(misconf): change default TLS values for the Azure storage account (#7345)\n * chore(deps): bump the common group with 9 updates (#7333)\n * docs(misconf): Update callsites to use correct naming (#7335)\n * docs: update air-gapped docs (#7160)\n * refactor: replace ftypes.Gradle with packageurl.TypeGradle (#7323)\n * perf(misconf): optimize work with context (#6968)\n * docs: update links to packaging.python.org (#7318)\n * docs: update client/server docs for misconf and license scanning (#7277)\n * chore(deps): bump the common group across 1 directory with 7 updates (#7305)\n * feat(misconf): iterator argument support for dynamic blocks (#7236)\n * fix(misconf): do not set default value for default_cache_behavior (#7234)\n * feat(misconf): support for policy and bucket grants (#7284)\n * fix(misconf): load only submodule if it is specified in source (#7112)\n * perf(misconf): use json.Valid to check validity of JSON (#7308)\n * refactor(misconf): remove unused universal scanner (#7293)\n * perf(misconf): do not convert contents of a YAML file to string (#7292)\n * fix(terraform): add aws_region name to presets (#7184)\n * docs: add auto-generated config (#7261)\n * feat(vuln): Add `--detection-priority` flag for accuracy tuning (#7288)\n * refactor(misconf): remove file filtering from parsers (#7289)\n * fix(flag): incorrect behavior for deprected flag `--clear-cache` (#7281)\n * fix(java): Return error when trying to find a remote pom to avoid segfault (#7275)\n * fix(plugin): do not call GitHub content API for releases and tags (#7274)\n * feat(vm): support the Ext2/Ext3 filesystems (#6983)\n * feat(cli)!: delete deprecated SBOM flags (#7266)\n * feat(vm): Support direct filesystem (#7058)\n\n- Update to version 0.51.1 (boo#1227010, CVE-2024-3817):", title: "Description of the patch", }, { category: "details", text: "openSUSE-2025-56", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_0056-1.json", }, { category: "self", summary: "URL for openSUSE-SU-2025:0056-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DUNHR7ATZWEF5LQKUNEXKL22CUQAND3A/", }, { category: "self", summary: "E-Mail link for openSUSE-SU-2025:0056-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DUNHR7ATZWEF5LQKUNEXKL22CUQAND3A/", }, { category: "self", summary: "SUSE Bug 1227010", url: "https://bugzilla.suse.com/1227010", }, { category: "self", summary: "SUSE Bug 1234512", url: "https://bugzilla.suse.com/1234512", }, { category: "self", summary: "SUSE Bug 1235265", url: "https://bugzilla.suse.com/1235265", }, { category: "self", summary: "SUSE CVE CVE-2024-34155 page", url: "https://www.suse.com/security/cve/CVE-2024-34155/", }, { category: "self", summary: "SUSE CVE CVE-2024-34156 page", url: "https://www.suse.com/security/cve/CVE-2024-34156/", }, { category: "self", summary: "SUSE CVE CVE-2024-34158 page", url: "https://www.suse.com/security/cve/CVE-2024-34158/", }, { category: "self", summary: "SUSE CVE CVE-2024-3817 page", url: "https://www.suse.com/security/cve/CVE-2024-3817/", }, { category: "self", summary: "SUSE CVE CVE-2024-45337 page", url: "https://www.suse.com/security/cve/CVE-2024-45337/", }, { category: "self", summary: "SUSE CVE CVE-2024-45338 page", url: "https://www.suse.com/security/cve/CVE-2024-45338/", }, { category: "self", summary: "SUSE CVE CVE-2025-21613 page", url: "https://www.suse.com/security/cve/CVE-2025-21613/", }, { category: "self", summary: "SUSE CVE CVE-2025-21614 page", url: "https://www.suse.com/security/cve/CVE-2025-21614/", }, ], title: "Security update for trivy", tracking: { current_release_date: "2025-02-07T11:01:31Z", generator: { date: "2025-02-07T11:01:31Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2025:0056-1", initial_release_date: "2025-02-07T11:01:31Z", revision_history: [ { date: "2025-02-07T11:01:31Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "trivy-0.58.2-bp156.2.6.1.aarch64", product: { name: "trivy-0.58.2-bp156.2.6.1.aarch64", product_id: "trivy-0.58.2-bp156.2.6.1.aarch64", }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "trivy-0.58.2-bp156.2.6.1.i586", product: { name: "trivy-0.58.2-bp156.2.6.1.i586", product_id: "trivy-0.58.2-bp156.2.6.1.i586", }, }, ], category: "architecture", name: "i586", }, { branches: [ { category: "product_version", name: "trivy-0.58.2-bp156.2.6.1.ppc64le", product: { name: "trivy-0.58.2-bp156.2.6.1.ppc64le", product_id: "trivy-0.58.2-bp156.2.6.1.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "trivy-0.58.2-bp156.2.6.1.s390x", product: { name: "trivy-0.58.2-bp156.2.6.1.s390x", product_id: "trivy-0.58.2-bp156.2.6.1.s390x", }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "trivy-0.58.2-bp156.2.6.1.x86_64", product: { name: "trivy-0.58.2-bp156.2.6.1.x86_64", product_id: "trivy-0.58.2-bp156.2.6.1.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "SUSE Package Hub 15 SP6", product: { name: "SUSE Package Hub 15 SP6", product_id: "SUSE Package Hub 15 SP6", }, }, { category: "product_name", name: "openSUSE Leap 15.6", product: { name: "openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6", product_identification_helper: { cpe: "cpe:/o:opensuse:leap:15.6", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "trivy-0.58.2-bp156.2.6.1.aarch64 as component of SUSE Package Hub 15 SP6", product_id: "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64", }, product_reference: "trivy-0.58.2-bp156.2.6.1.aarch64", relates_to_product_reference: "SUSE Package Hub 15 SP6", }, { category: "default_component_of", full_product_name: { name: "trivy-0.58.2-bp156.2.6.1.i586 as component of SUSE Package Hub 15 SP6", product_id: "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586", }, product_reference: "trivy-0.58.2-bp156.2.6.1.i586", relates_to_product_reference: "SUSE Package Hub 15 SP6", }, { category: "default_component_of", full_product_name: { name: "trivy-0.58.2-bp156.2.6.1.ppc64le as component of SUSE Package Hub 15 SP6", product_id: "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le", }, product_reference: "trivy-0.58.2-bp156.2.6.1.ppc64le", relates_to_product_reference: "SUSE Package Hub 15 SP6", }, { category: "default_component_of", full_product_name: { name: "trivy-0.58.2-bp156.2.6.1.s390x as component of SUSE Package Hub 15 SP6", product_id: "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x", }, product_reference: "trivy-0.58.2-bp156.2.6.1.s390x", relates_to_product_reference: "SUSE Package Hub 15 SP6", }, { category: "default_component_of", full_product_name: { name: "trivy-0.58.2-bp156.2.6.1.x86_64 as component of SUSE Package Hub 15 SP6", product_id: "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64", }, product_reference: "trivy-0.58.2-bp156.2.6.1.x86_64", relates_to_product_reference: "SUSE Package Hub 15 SP6", }, { category: "default_component_of", full_product_name: { name: "trivy-0.58.2-bp156.2.6.1.aarch64 as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64", }, product_reference: "trivy-0.58.2-bp156.2.6.1.aarch64", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "trivy-0.58.2-bp156.2.6.1.i586 as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586", }, product_reference: "trivy-0.58.2-bp156.2.6.1.i586", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "trivy-0.58.2-bp156.2.6.1.ppc64le as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le", }, product_reference: "trivy-0.58.2-bp156.2.6.1.ppc64le", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "trivy-0.58.2-bp156.2.6.1.s390x as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x", }, product_reference: "trivy-0.58.2-bp156.2.6.1.s390x", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "trivy-0.58.2-bp156.2.6.1.x86_64 as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64", }, product_reference: "trivy-0.58.2-bp156.2.6.1.x86_64", relates_to_product_reference: "openSUSE Leap 15.6", }, ], }, vulnerabilities: [ { cve: "CVE-2024-34155", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-34155", }, ], notes: [ { category: "general", text: "Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2024-34155", url: "https://www.suse.com/security/cve/CVE-2024-34155", }, { category: "external", summary: "SUSE Bug 1230252 for CVE-2024-34155", url: "https://bugzilla.suse.com/1230252", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2025-02-07T11:01:31Z", details: "moderate", }, ], title: "CVE-2024-34155", }, { cve: "CVE-2024-34156", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-34156", }, ], notes: [ { category: "general", text: "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2024-34156", url: "https://www.suse.com/security/cve/CVE-2024-34156", }, { category: "external", summary: "SUSE Bug 1230253 for CVE-2024-34156", url: "https://bugzilla.suse.com/1230253", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2025-02-07T11:01:31Z", details: "moderate", }, ], title: "CVE-2024-34156", }, { cve: "CVE-2024-34158", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-34158", }, ], notes: [ { category: "general", text: "Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2024-34158", url: "https://www.suse.com/security/cve/CVE-2024-34158", }, { category: "external", summary: "SUSE Bug 1230254 for CVE-2024-34158", url: "https://bugzilla.suse.com/1230254", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2025-02-07T11:01:31Z", details: "moderate", }, ], title: "CVE-2024-34158", }, { cve: "CVE-2024-3817", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-3817", }, ], notes: [ { category: "general", text: "HashiCorp's go-getter library is vulnerable to argument injection when executing Git to discover remote branches. \n\nThis vulnerability does not affect the go-getter/v2 branch and package.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2024-3817", url: "https://www.suse.com/security/cve/CVE-2024-3817", }, { category: "external", summary: "SUSE Bug 1226999 for CVE-2024-3817", url: "https://bugzilla.suse.com/1226999", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2025-02-07T11:01:31Z", details: "low", }, ], title: "CVE-2024-3817", }, { cve: "CVE-2024-45337", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-45337", }, ], notes: [ { category: "general", text: "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2024-45337", url: "https://www.suse.com/security/cve/CVE-2024-45337", }, { category: "external", summary: "SUSE Bug 1234482 for CVE-2024-45337", url: "https://bugzilla.suse.com/1234482", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2025-02-07T11:01:31Z", details: "important", }, ], title: "CVE-2024-45337", }, { cve: "CVE-2024-45338", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-45338", }, ], notes: [ { category: "general", text: "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2024-45338", url: "https://www.suse.com/security/cve/CVE-2024-45338", }, { category: "external", summary: "SUSE Bug 1234794 for CVE-2024-45338", url: "https://bugzilla.suse.com/1234794", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2025-02-07T11:01:31Z", details: "important", }, ], title: "CVE-2024-45338", }, { cve: "CVE-2025-21613", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2025-21613", }, ], notes: [ { category: "general", text: "go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2025-21613", url: "https://www.suse.com/security/cve/CVE-2025-21613", }, { category: "external", summary: "SUSE Bug 1235572 for CVE-2025-21613", url: "https://bugzilla.suse.com/1235572", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2025-02-07T11:01:31Z", details: "important", }, ], title: "CVE-2025-21613", }, { cve: "CVE-2025-21614", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2025-21614", }, ], notes: [ { category: "general", text: "go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2025-21614", url: "https://www.suse.com/security/cve/CVE-2025-21614", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x", "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x", "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2025-02-07T11:01:31Z", details: "important", }, ], title: "CVE-2025-21614", }, ], }
ghsa-q64h-39hv-4cf7
Vulnerability from github
Published
2024-04-17 21:30
Modified
2024-04-18 13:45
Severity ?
Summary
HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches
Details
When go-getter is performing a Git operation, go-getter will try to clone the given repository. If a Git reference is not passed along with the Git url, go-getter will then try to check the remote repository’s HEAD reference of its default branch by passing arguments to the Git binary on the host it is executing on.
An attacker may format a Git URL in order to inject additional Git arguments to the Git call.
Consumers of the go-getter library should evaluate the risk associated with these issues in the context of their go-getter usage and upgrade go-getter to 1.7.4 or later.
{ affected: [ { package: { ecosystem: "Go", name: "github.com/hashicorp/go-getter", }, ranges: [ { events: [ { introduced: "1.5.9", }, { fixed: "1.7.4", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2024-3817", ], database_specific: { cwe_ids: [ "CWE-88", ], github_reviewed: true, github_reviewed_at: "2024-04-18T13:45:52Z", nvd_published_at: "2024-04-17T20:15:08Z", severity: "CRITICAL", }, details: "When go-getter is performing a Git operation, go-getter will try to clone the given repository. If a Git reference is not passed along with the Git url, go-getter will then try to check the remote repository’s HEAD reference of its default branch by passing arguments to the Git binary on the host it is executing on.\n\nAn attacker may format a Git URL in order to inject additional Git arguments to the Git call.\n\nConsumers of the go-getter library should evaluate the risk associated with these issues in the context of their go-getter usage and upgrade go-getter to 1.7.4 or later. ", id: "GHSA-q64h-39hv-4cf7", modified: "2024-04-18T13:45:52Z", published: "2024-04-17T21:30:49Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-3817", }, { type: "WEB", url: "https://github.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9", }, { type: "WEB", url: "https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040", }, { type: "PACKAGE", url: "https://github.com/hashicorp/go-getter", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", type: "CVSS_V3", }, ], summary: "HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches", }
fkie_cve-2024-3817
Vulnerability from fkie_nvd
Published
2024-04-17 20:15
Modified
2024-11-21 09:30
Severity ?
Summary
HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches.
This vulnerability does not affect the go-getter/v2 branch and package.
References
Impacted products
| Vendor | Product | Version |
|---|
{ cveTags: [], descriptions: [ { lang: "en", value: "HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. \n\nThis vulnerability does not affect the go-getter/v2 branch and package.", }, { lang: "es", value: "La librería de HashiCorp es vulnerable a la inyección de argumentos al ejecutar Git para descubrir ramas remotas. Esta vulnerabilidad no afecta a la rama ni al paquete go-getter/v2.", }, ], id: "CVE-2024-3817", lastModified: "2024-11-21T09:30:27.713", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "security@hashicorp.com", type: "Secondary", }, ], }, published: "2024-04-17T20:15:08.383", references: [ { source: "security@hashicorp.com", url: "https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040", }, ], sourceIdentifier: "security@hashicorp.com", vulnStatus: "Awaiting Analysis", weaknesses: [ { description: [ { lang: "en", value: "CWE-88", }, ], source: "security@hashicorp.com", type: "Secondary", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.