github.com/aquasecurity/trivy is vulnerable to Insufficiently Protected Credentials
45
Medium Risk
Affected versions of the package expose confidential information. If a malicious actor is able to trigger Trivy to scan container images from a crafted malicious registry, it could result in the leakage of credentials for legitimate registries such as AWS Elastic Container Registry (ECR), Google Cloud Artifact/Container Registry, or Azure Container Registry (ACR). These tokens can then be used to push/pull images from those registries to which the identity/user running Trivy has access.
You are affected if you are using a version that falls within the vulnerable range. You are not affected if the default credential provider chain is unable to obtain valid credentials.
github.com/aquasecurity/trivy is vulnerable to Insufficiently Protected Credentials in versions 0.29.2 - 0.51.1.
Upgrade the github.com/aquasecurity/trivy library to a patched version.
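The following Go program is an added example and is not Trivy's own code, nor the fix shipped for this advisory (the patch itself is not shown on this page). It illustrates the defensive pattern that prevents this class of leak: a cloud-provider credential helper is consulted only when the registry host in the image reference actually belongs to that provider, and an unrecognised host is pulled anonymously unless the operator configured a static credential for exactly that host. The weak `unscopedSource` beside it mirrors the behaviour the advisory describes, where the first credential the default provider chain resolves is handed to whatever registry is being scanned. The host patterns, function names and sample image references are assumptions constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Credential sources a scanner might consult (names constructed for this example).
const (
	SourceNone   = "none"   // anonymous pull, no credentials attached
	SourceStatic = "static" // operator-configured credential for one exact host
	SourceECR    = "ecr"    // AWS credential chain -> ECR token
	SourceGCR    = "gcr"    // Google credential chain -> Artifact/Container Registry token
	SourceACR    = "acr"    // Azure credential chain -> ACR token
)

// Host patterns for each cloud registry family (assumed for this example; anchored
// so that lookalike hosts such as "...amazonaws.com.evil.example" never match).
var (
	ecrHost = regexp.MustCompile(`^[0-9]{12}\.dkr\.ecr(-fips)?\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$`)
	gcrHost = regexp.MustCompile(`^(([a-z0-9-]+\.)?gcr\.io|[a-z0-9-]+-docker\.pkg\.dev)$`)
	acrHost = regexp.MustCompile(`^[a-z0-9]+\.azurecr\.(io|cn|us)$`)
)

// StaticCred is an operator-configured login bound to exactly one registry host.
type StaticCred struct {
	Host, User, Secret string
}

// registryHost returns the registry host of an image reference such as
// "host:port/repo:tag", applying the Docker Hub default when no host is given.
func registryHost(ref string) (string, error) {
	ref = strings.TrimSpace(ref)
	if ref == "" {
		return "", errors.New("empty image reference")
	}
	first, _, found := strings.Cut(ref, "/")
	// A leading path component is a host only if it contains '.' or ':' or is "localhost".
	if !found || (!strings.ContainsAny(first, ".:") && first != "localhost") {
		return "docker.io", nil
	}
	host, _, _ := strings.Cut(first, ":") // drop an explicit port before matching
	if host == "" {
		return "", errors.New("empty registry host")
	}
	return strings.ToLower(host), nil
}

// unscopedSource mirrors the weak pattern: walk the default provider chain and
// hand the first credential that resolved to whatever host is being scanned.
func unscopedSource(resolved []string) string {
	for _, s := range resolved {
		if s != SourceNone {
			return s
		}
	}
	return SourceNone
}

// scopedSource is the hardened pattern: a credential is attached only when the
// image's registry host is one that the credential was issued for.
func scopedSource(ref string, static []StaticCred) (string, error) {
	host, err := registryHost(ref)
	if err != nil {
		return SourceNone, err
	}
	for _, c := range static {
		if strings.EqualFold(c.Host, host) {
			return SourceStatic, nil
		}
	}
	switch {
	case ecrHost.MatchString(host):
		return SourceECR, nil
	case gcrHost.MatchString(host):
		return SourceGCR, nil
	case acrHost.MatchString(host):
		return SourceACR, nil
	}
	return SourceNone, nil // unknown host: anonymous pull, never a cloud token
}

func main() {
	// Constructed sample: the AWS chain resolved a token, the other chains did not.
	chain := []string{SourceECR, SourceNone, SourceNone}
	refs := []string{
		"123456789012.dkr.ecr.us-east-1.amazonaws.com/app:1.0", // legitimate ECR host
		"untrusted-registry.example/app:1.0",                  // host outside every cloud pattern
	}
	for _, r := range refs {
		scoped, _ := scopedSource(r, nil)
		fmt.Printf("%-55s unscoped=%-5s scoped=%s\n", r, unscopedSource(chain), scoped)
	}
}
```

Running the program shows the difference the advisory turns on: for the second reference `unscopedSource` still reports `ecr`, whereas `scopedSource` reports `none`. The regexes are anchored at both ends on purpose; an unanchored pattern would accept a host that merely starts with a legitimate ECR, GCR or ACR name.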