CVE-2024-35192

Description

A malicious registry can cause Trivy to leak credentials for legitimate registries such as AWS Elastic Container Registry (ECR), Google Cloud Artifact/Container Registry, or Azure Container Registry (ACR) if the registry is scanned from directly using Trivy. These tokens can then be used to push/pull images from those registries to which the identity/user running Trivy has access. This vulnerability only applies when scanning container images directly from a registry. If you use Docker, containerd or other runtime to pull images locally and scan them with Trivy, you are not affected. To enforce this behavior, you can use the --image-src flag to select which sources you trust.

Affected packages (2)

• Go/github.com/aquasecurity/trivyfrom 0, < 0.51.2
• Go/github.com/aquasecurity/trivyfrom 0, < 0.51.2

CVSS scores

References (4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-35192
• PATCHhttps://github.com/aquasecurity/trivy
• WEBhttps://github.com/aquasecurity/trivy/commit/e7f14f729de259551203f313e57d2d9d3aa2ff87
• WEBhttps://github.com/aquasecurity/trivy/security/advisories/GHSA-xcq4-m2r3-cmrj