You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Moby authz zero length regression in github.com/moby/moby
Authentication Bypass Using an Alternate Path or Channel
Affected range
<29.3.1
Fixed version
Not Fixed
CVSS Score
8.8
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score
0.014%
EPSS Percentile
2nd percentile
Description
Summary
A security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.
If you don't use AuthZ plugins, you are not affected.
Using a specially-crafted API request, an attacker could make the Docker daemon forward the request to an authorization plugin without the body. The authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.
Anyone who depends on authorization plugins that introspect the request body to make access control decisions is potentially impacted.
Workarounds
If unable to update immediately:
Avoid using AuthZ plugins that rely on request body inspection for security decisions.
Restrict access to the Docker API to trusted parties, following the principle of least privilege.
A security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user.
Plugins that request exactly one privilege are also affected, because no comparison is performed at all.
Impact
If plugins are not in use, there is no impact.
When a plugin is installed, the daemon computes the privileges required by the plugin's configuration and compares them with the privileges approved during installation. A malicious plugin can exploit this bug so that the daemon accepts privileges that differ from what was intended to be approved.
Anyone who depends on the plugin installation approval flow as a meaningful security boundary is potentially impacted.
Depending on the privilege set involved, this may include highly sensitive plugin permissions such as broad device access.
For consideration: exploitation still requires a plugin to be installed from a malicious source, and Docker plugins are relatively uncommon. Docker Desktop also does not support plugins.
Workarounds
If unable to update immediately:
Do not install plugins from untrusted sources
Carefully review all privileges requested during docker plugin install
Restrict access to the Docker daemon to trusted parties, following the principle of least privilege
Avoid relying on plugin privilege approval as the only control boundary for sensitive environments
Credits
Reported by Cody (c@wormhole.guru, PGP 0x9FA5B73E)
stdlib1.25.8 (golang)
pkg:golang/stdlib@1.25.8
Affected range
<1.25.9
Fixed version
1.25.9
EPSS Score
0.021%
EPSS Percentile
6th percentile
Description
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.
This only affects TLS 1.3.
Affected range
<1.25.9
Fixed version
1.25.9
EPSS Score
0.021%
EPSS Percentile
6th percentile
Description
Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.
This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
Affected range
<1.25.9
Fixed version
1.25.9
EPSS Score
0.021%
EPSS Percentile
6th percentile
Description
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
Affected range
<1.25.9
Fixed version
1.25.9
EPSS Score
0.008%
EPSS Percentile
1st percentile
Description
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.
The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.
Affected range
<1.25.9
Fixed version
1.25.9
EPSS Score
0.014%
EPSS Percentile
3rd percentile
Description
Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.
These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.
Affected range
<1.25.9
Fixed version
1.25.9
EPSS Score
0.006%
EPSS Percentile
0th percentile
Description
tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.
A credential disclosure vulnerability was found in Grype, affecting versions v0.68.0 through v0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json=<file> option, the registry credentials will be included unsanitized in the output file.
Impact
In Grype versions v0.68.0 through v0.104.0, when registry authentication is configured, those credentials can be incorrectly included in the output of a Grype scan (regardless of whether those credentials are actively being used for the current scan). Users that do not have registry authentication configured are not affected by this issue.
Registry credentials can be set via the Grype configuration file (e.g. registry.auth[].username, registry.auth[].password, registry.auth[].token) or environment variables (e.g., GRYPE_REGISTRY_AUTH_USERNAME, GRYPE_REGISTRY_AUTH_PASSWORD, GRYPE_REGISTRY_AUTH_TOKEN).
In order for the authentication details to be improperly included, the Grype file output format must be set to json with output target set to a file. For example --output json=file.json or --output json --file file.json. When these conditions are met, the configured credentials are not sanitized as they should be in the resulting JSON output file.
The authentication details could also be leaked via a malformed Grype Template. A Grype Template that includes the Descriptor.Registry.Auth fields would also include the unsanitized registry credentials. There are no known templates that include these fields.
Patches
The patch has been released in v0.104.1.
Workaround
Users running affected versions of grype can work around this vulnerability by redirecting stdout to a file instead of using the --file or --output options.
Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are executed when a victim user opens Docker Desktop or invokes Docker CLI plugin features, and allow privilege-escalation if the docker CLI is executed as a privileged user.
This issue affects Docker CLI through v29.1.5 (fixed in v29.2.0). It impacts Windows binaries acting as a CLI plugin manager via the [github.com/docker/cli/cli-plugins/manager](https://pkg.go.dev/github.com/docker/cli@v29.1.5+incompatible/cli-plugins/manager) package, which is consumed by downstream projects such as Docker Compose.
Docker Compose became affected starting in v2.31.0, when it incorporated the relevant CLI plugin manager code (see docker/compose#12300), and is fixed in v5.1.0.
This issue does not impact non-Windows binaries or projects that do not use the plugin manager code.
Patches
Fixed version starts with 29.2.0
This issue was fixed in docker/cli@1375933 (docker/cli#6713), which removed %PROGRAMDATA%\Docker\cli-plugins from the list of paths used for plugin-discovery on Windows.
A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.
Affected range
>=0
Fixed version
Not Fixed
EPSS Score
0.141%
EPSS Percentile
34th percentile
Description
A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.
rardecode versions <= 2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash.
Syft versions before v1.42.3 would not properly cleanup temporary storage if the temporary storage was exhausted during a scan. When scanning archives Syft will unpack those archives into temporary storage then inspect the unpacked contents. Under normal operation Syft will remove the temporary data it writes after completing a scan.
This vulnerability would affect users of Syft that were scanning content that could cause Syft to fill the temporary storage that would then cause Syft to raise an error and exit. When the error is triggered Syft would exit without properly removing the temporary files in use. In our testing this was most easily reproduced by scanning very large artifacts or highly compressed artifacts such as a zipbomb.
Because Syft would not clean up its temporary files, the result would be filling temporary file storage preventing future runs of Syft or other system utilities that rely on temporary storage being available.
Patches
The patch has been released in v1.42.3
Syft now cleans up temporary files when an error condition is encountered.
Workarounds
There are no workarounds for this vulnerability in Syft. Users that find their temporary storage depleted can manually remove the temporary files.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
nicholasdille-bot
left a comment
This PR contains the following updates:
4.0.3→4.0.4Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
kubescape/kubescape (kubescape)
v4.0.4Compare Source
Changelog
979b755Merge pull request #1952 from kubescape/dependabot/go_modules/google.golang.org/grpc-1.79.3ee4bd16Merge pull request #1954 from kubescape/dependabot/go_modules/golang.org/x/image-0.38.07b5b9c4Merge pull request #1955 from kubescape/dependabot/go_modules/github.com/go-git/go-git/v5-5.17.1a437e7aMerge pull request #1956 from kubescape/dependabot/go_modules/github.com/cilium/cilium-1.17.1407873b3Merge pull request #1957 from kubescape/dependabot/go_modules/github.com/cloudflare/circl-1.6.3c49e723Merge pull request #1958 from kubescape/dependabot/go_modules/github.com/moby/buildkit-0.28.1cb08f4cMerge pull request #1962 from Mujib-Ahasan/duplicate-flag-scan-imagefd3c1d0Merge pull request #1965 from Mujib-Ahasan/error-handling1b2db6dMerge pull request #1966 from kubescape/dependabot/go_modules/github.com/go-jose/go-jose/v4-4.1.4b4f5151Merge pull request #1967 from kubescape/dependabot/go_modules/github.com/hashicorp/go-getter-1.8.66994b94Merge pull request #1968 from kubescape/dependabot/go_modules/helm.sh/helm/v3-3.20.23588f2cMerge pull request #1969 from kubescape/dependabot/go_modules/github.com/sigstore/timestamp-authority/v2-2.0.683f4b29Merge pull request #1970 from kubescape/dependabot/go_modules/go.opentelemetry.io/otel/sdk-1.43.0032fe64Merge pull request #1971 from kubescape/dependabot/go_modules/github.com/aws/aws-sdk-go-v2/service/s3-1.97.3a2710cfMerge pull request #1972 from kubescape/dependabot/go_modules/go.opentelemetry.io/otel/sdk-1.43.0069c5b2Merge pull request #1973 from kubescape/dependabot/go_modules/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp-1.43.0685756aMerge pull request #1974 from kubescape/dependabot/go_modules/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp-1.43.0804d41cMerge pull request #1977 from kubescape/bumpa9195eaMerge pull request #1978 from kubescape/dependabot/go_modules/github.com/moby/spdystream-0.5.1033a733build(deps): Bump github.com/aws/aws-sdk-go-v2/service/s31b32d97build(deps): Bump github.com/cilium/cilium from 1.16.17 to 1.17.144de4a5ebuild(deps): Bump github.com/cloudflare/circl from 1.6.1 to 1.6.3b8b36ecbuild(deps): Bump github.com/go-git/go-git/v5 from 5.16.5 to 5.17.13fa30ccbuild(deps): Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4915876ebuild(deps): Bump github.com/hashicorp/go-getter from 1.7.9 to 1.8.61c531c9build(deps): Bump github.com/moby/buildkit from 0.26.1 to 0.28.1bdb3087build(deps): Bump github.com/moby/spdystream from 0.5.0 to 0.5.1c3c605bbuild(deps): Bump github.com/sigstore/timestamp-authority/v2b6d6c5abuild(deps): Bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp163d8cfbuild(deps): Bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttpf91cb09build(deps): Bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0b020215build(deps): Bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0119d23fbuild(deps): Bump golang.org/x/image from 0.25.0 to 0.38.062f42a3build(deps): Bump google.golang.org/grpc from 1.78.0 to 1.79.3104f668build(deps): Bump helm.sh/helm/v3 from 3.18.5 to 3.20.25b3c2b9error handling improved71fdd36fix: duplicate flags removed from image.gobbf5b33use go-logger v0.0.28Released by GoReleaser.
Configuration
📅 Schedule: (in timezone Europe/Berlin)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.