CVE-2024-35192

2024-05-2021:15:09

CWE-522

GitHub_M

web.nvd.nist.gov

trivy

security scanner

0.51.2

malicious actor

crafted registry

credentials leakage

aws ecr

google cloud artifact

azure acr

default credential provider

scanning vulnerability

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

AI Score

6.2

Confidence

Low

EPSS

Percentile

9.0%

JSON

Trivy is a security scanner. Prior to 0.51.2, if a malicious actor is able to trigger Trivy to scan container images from a crafted malicious registry, it could result in the leakage of credentials for legitimate registries such as AWS Elastic Container Registry (ECR), Google Cloud Artifact/Container Registry, or Azure Container Registry (ACR). These tokens can then be used to push/pull images from those registries to which the identity/user running Trivy has access. Systems are not affected if the default credential provider chain is unable to obtain valid credentials. This vulnerability only applies when scanning container images directly from a registry. This vulnerability is fixed in 0.51.2.

Affected configurations

Vulners

Node

aquasecuritytrivyRange<0.51.2

VendorProductVersionCPE
aquasecuritytrivy*cpe:2.3:a:aquasecurity:trivy:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
aquasecurity	trivy	*	cpe:2.3:a:aquasecurity:trivy::::::::

CNA Affected

[
  {
    "vendor": "aquasecurity",
    "product": "trivy",
    "versions": [
      {
        "version": "< 0.51.2",
        "status": "affected"
      }
    ]
  }
]