CVE-2024-35192

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-35192
Trivy is a security scanner. Prior to 0.51.2, if a malicious actor is able to trigger Trivy to scan container images from a crafted malicious registry, it could result in the leakage of credentials for legitimate registries such as AWS Elastic Container Registry (ECR), Google Cloud Artifact/Container Registry, or Azure Container Registry (ACR). These tokens can then be used to push/pull images from those registries to which the identity/user running Trivy has access. Systems are not affected if the default credential provider chain is unable to obtain valid credentials. This vulnerability only applies when scanning container images directly from a registry. This vulnerability is fixed in 0.51.2.

5.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.0 / Impact : 4.0

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/aquasecurity/trivy/commit/e7f14f729de259551203f313e57d2d9d3aa2ff87
https://github.com/aquasecurity/trivy/security/advisories/GHSA-xcq4-m2r3-cmrj
https://github.com/aquasecurity/trivy/commit/e7f14f729de259551203f313e57d2d9d3aa2ff87
https://github.com/aquasecurity/trivy/security/advisories/GHSA-xcq4-m2r3-cmrj
Configurations

No configuration.

History

21 Nov 2024, 09:19

Type Values Removed Values Added
References () https://github.com/aquasecurity/trivy/commit/e7f14f729de259551203f313e57d2d9d3aa2ff87 - () https://github.com/aquasecurity/trivy/commit/e7f14f729de259551203f313e57d2d9d3aa2ff87 -
References () https://github.com/aquasecurity/trivy/security/advisories/GHSA-xcq4-m2r3-cmrj - () https://github.com/aquasecurity/trivy/security/advisories/GHSA-xcq4-m2r3-cmrj -
Summary
  • (es) Trivy es un escáner de seguridad. Antes de la versión 0.51.2, si un actor malicioso puede activar Trivy para escanear imágenes de contenedores desde un registro malicioso manipulado, podría resultar en la fuga de credenciales para registros legítimos como AWS Elastic Container Registry (ECR), Google Cloud Artifact/ Registro de contenedores o Registro de contenedores de Azure (ACR). Estos tokens se pueden usar para enviar/extraer imágenes de aquellos registros a los que tiene acceso la identidad/usuario que ejecuta Trivy. Los sistemas no se ven afectados si la cadena de proveedores de credenciales predeterminada no puede obtener credenciales válidas. Esta vulnerabilidad solo se aplica al escanear imágenes de contenedores directamente desde un registro. Esta vulnerabilidad se solucionó en 0.51.2.

20 May 2024, 21:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-05-20 21:15

Updated : 2024-11-21 09:19

NVD link : CVE-2024-35192

Mitre link : CVE-2024-35192

CVE.ORG link : CVE-2024-35192

JSON object : View

Products Affected

No product.

CWE
CWE-522

Insufficiently Protected Credentials


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024