Lucene search

Veracode Vulnerability DatabaseVERACODE:47120

HistoryMay 22, 2024 - 10:46 a.m.

Container Registry Credential Leak

2024-05-2210:46:32

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

trivy

vulnerability

registry domain validation

credential leakage

aws ecr

google cloud artifact

azure container registry

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

6.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Trivy is vulnerable to Container Registry Credential Leak. The vulnerability is due to insufficient registry domain validation which results in container registry credential leakage. An attacker must convince a user intro scanning a malicious container, which then allows an attacker to push/pull containers from AWS ECR, Google Cloud Artifact/Container Registry, or Azure Container Registry.

CPENameOperatorVersion
github.com/aquasecurity/trivylev0.51.1
github.com/aquasecurity/trivylev0.51.1

CPE	Name	Operator	Version
	github.com/aquasecurity/trivy	le	v0.51.1
	github.com/aquasecurity/trivy	le	v0.51.1

References

github.com/aquasecurity/trivy/commit/e7f14f729de259551203f313e57d2d9d3aa2ff87

github.com/aquasecurity/trivy/security/advisories/GHSA-xcq4-m2r3-cmrj

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

6.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for VERACODE:47120