You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A credential disclosure vulnerability was found in Grype, affecting versions v0.68.0 through v0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json=<file> option, the registry credentials will be included unsanitized in the output file.
Impact
In Grype versions v0.68.0 through v0.104.0, when registry authentication is configured, those credentials can be incorrectly included in the output of a Grype scan (regardless of whether those credentials are actively being used for the current scan). Users that do not have registry authentication configured are not affected by this issue.
Registry credentials can be set via the Grype configuration file (e.g. registry.auth[].username, registry.auth[].password, registry.auth[].token) or environment variables (e.g., GRYPE_REGISTRY_AUTH_USERNAME, GRYPE_REGISTRY_AUTH_PASSWORD, GRYPE_REGISTRY_AUTH_TOKEN).
In order for the authentication details to be improperly included, the Grype file output format must be set to json with output target set to a file. For example --output json=file.json or --output json --file file.json. When these conditions are met, the configured credentials are not sanitized as they should be in the resulting JSON output file.
The authentication details could also be leaked via a malformed Grype Template. A Grype Template that includes the Descriptor.Registry.Auth fields would also include the unsanitized registry credentials. There are no known templates that include these fields.
Patches
The patch has been released in v0.104.1.
Workaround
Users running affected versions of grype can work around this vulnerability by redirecting stdout to a file instead of using the --file or --output options.
A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.
Affected range
>=0
Fixed version
Not Fixed
Description
A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected range
<=1.10.3
Fixed version
1.10.4
CVSS Score
5.8
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N
Description
Summary
The legacy TUF client pkg/tuf/client.go, which supports caching target files to disk, constructs a filesystem path by joining a cache base directory with a target name sourced from signed target metadata, but it does not validate that the resulting path stays within the cache base directory.
Note that this should only affect clients that are directly using the TUF client in sigstore/sigstore or are using an older version of Cosign. As this TUF client implementation is deprecated, users should migrate to https://github.com/sigstore/sigstore-go/tree/main/pkg/tuf as soon as possible.
Note that this does not affect users of the public Sigstore deployment, where TUF metadata is validated by a quorum of trusted collaborators.
Impact
A malicious TUF repository can trigger arbitrary file overwriting, limited to the permissions that the calling process has.
rardecode versions <= 2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.0.47→3.0.48Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
kubescape/kubescape (kubescape/kubescape)
v3.0.48Compare Source
Changelog
3f3681aAdd SkipPersistence flag to MetricsQueryParams in metrics endpoint32a15acAdd test for CheckShortTerminalWidth with non-string values7ca609dComplete fix for workload scan missing controlsc32e665Final verification - all changes complete82ec11bFix indentation in test file0e4ff13Fix typos in documentation837a50cFix unsafe interface to string type assertions to prevent panicea12643Fix workflow YAML formatting and permissions872c0c9Fix workload scan to include allcontrols frameworkbd00d15Initial plan9353eb5Initial plan1225540Merge pull request #1913 from oglok/fix-typos-in-docs3b6bc00Merge pull request #1914 from majiayu000/fix-1617-kustomize-directory-analysis-n-1231-0603d6ccc37Merge pull request #1915 from majiayu000/fix-1660-define-labels-to-copy-from-wor-1231-0603423d9c5Merge pull request #1917 from BroderPeters/master9d876b1Merge pull request #1918 from AndrewCharlesHay/patch-19445e0aMerge pull request #1920 from kubescape/dependabot/go_modules/github.com/sigstore/cosign/v3-3.0.4aa62fbeMerge pull request #1921 from kubescape/buildnumber4d3b3efMerge pull request #1922 from kubescape/copilot/fix-kubescape-report-discrepancy3060500Merge pull request #1923 from kubescape/dependabot/go_modules/github.com/sigstore/fulcio-1.8.50cf24d0Merge pull request #1926 from kubescape/copilot/fix-kubescan-interface-error09aa1abMerge pull request #1927 from kubescape/dependabot/go_modules/github.com/theupdateframework/go-tuf/v2-2.3.16ce0121Merge pull request #1928 from kubescape/dependabot/go_modules/github.com/sigstore/rekor-1.5.08984f94Update README to include GoReleaser installation and usage instructions75fb07eUpdate build number retrieval and permissions in workflow08d964bUpdate golangci-lint action to version 90c42b41build(deps): Bump github.com/sigstore/cosign/v3413db87build(deps): Bump github.com/sigstore/fulcio from 1.8.4 to 1.8.50ec188bbuild(deps): Bump github.com/sigstore/rekor from 1.4.3 to 1.5.0090820bbuild(deps): Bump github.com/theupdateframework/go-tuf/v28952336ci: update scorecard action version46eb266feat: add labels-to-copy flag to copy workload labels to reports0f21258fix: enable kustomize overlays to load base configurations351f957update test lists (#1919)Released by GoReleaser.
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.