Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-23 00:49:03 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 106
fleet/security/status.md

216 lines
18 KiB
Markdown
Raw Normal View History

Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
<!-- DO NOT EDIT. This document is automatically generated by running `make vex-report`. -->
# Vulnerability Report
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
Following is the vulnerability report of Fleet and its dependencies.
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
## `fleetdm/fleet` docker image
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
### [CVE-2025-46569](https://nvd.nist.gov/vuln/detail/CVE-2025-46569)
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
- **Author:** @lucasmrod
- **Status:** `not_affected`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Status notes:** fleet does not use OPA in server mode, it uses it as a library.
- **Products:**: `fleet`,`pkg:golang/github.com/open-policy-agent/opa@v0.44.0`,`pkg:golang/github.com/open-policy-agent/opa@0.44.0`
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
- **Justification:** `vulnerable_code_not_in_execute_path`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Timestamp:** 2025-05-05 20:29:07
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
### [CVE-2025-30204](https://nvd.nist.gov/vuln/detail/CVE-2025-30204)
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
- **Author:** @lucasmrod
- **Status:** `not_affected`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Status notes:** The token format being validated before the call to ParseUnverified.
- **Products:**: `fleet`,`pkg:golang/github.com/golang-jwt/jwt/v4`
Fix detected CVEs and docker scout exit code to fail the Github Action (#28836) For #28837. Fixing this all of this because we got multiple reports from the community and customers and these were also detected by Amazon Inspector. - Fixes CVE-2025-22871 by upgrading Go from 1.24.1 to 1.24.2. - `docker scout` now fails the daily scheduled action if there are CRITICAL,HIGH CVEs (we missed setting `exit-code: true`). - Report CVE-2025-46569 as not affected by it because of our use of OPA's go package. - Report CVE-2024-8260 as not affected by it because Fleet doesn't run on Windows. - The `security/status.md` shows a lot of changes because we are now sorting CVEs so that newest come first. --- - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). - [ ] For unreleased bug fixes in a release candidate, confirmed that the fix is not expected to adversely impact load test results or alerted the release DRI if additional load testing is needed.
2025-05-06 16:35:27 +00:00
- **Justification:** `inline_mitigations_already_exist`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Timestamp:** 2025-04-10 15:23:54
Fix detected CVEs and docker scout exit code to fail the Github Action (#28836) For #28837. Fixing this all of this because we got multiple reports from the community and customers and these were also detected by Amazon Inspector. - Fixes CVE-2025-22871 by upgrading Go from 1.24.1 to 1.24.2. - `docker scout` now fails the daily scheduled action if there are CRITICAL,HIGH CVEs (we missed setting `exit-code: true`). - Report CVE-2025-46569 as not affected by it because of our use of OPA's go package. - Report CVE-2024-8260 as not affected by it because Fleet doesn't run on Windows. - The `security/status.md` shows a lot of changes because we are now sorting CVEs so that newest come first. --- - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). - [ ] For unreleased bug fixes in a release candidate, confirmed that the fix is not expected to adversely impact load test results or alerted the release DRI if additional load testing is needed.
2025-05-06 16:35:27 +00:00
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
### [CVE-2025-27509](https://nvd.nist.gov/vuln/detail/CVE-2025-27509)
#### Statement:
- **Author:** @lucasmrod
- **Status:** `fixed`
Fix vulnerability report in fleetdm/fleet and properly fix in fleetdm… (#33026)
2025-09-16 17:06:45 +00:00
- **Products:**: `pkg:golang/github.com/fleetdm/fleet/v4`,`cpe:2.3:a:fleetdm:fleet:v4.64.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.63.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.62.4:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.58.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.53.2:*:*:*:*:*:*:*`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Timestamp:** 2025-05-12 16:30:30
#### Statement:
- **Author:** @lucasmrod
- **Status:** `affected`
- **Products:**: `cpe:2.3:a:fleetdm:fleet:v4.64.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.64.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.63.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.63.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.62.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.62.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.62.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.62.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.61.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.60.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.60.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.59.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.59.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.58.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.57.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.57.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.57.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.57.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.56.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.55.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.55.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.55.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.54.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.54.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.54.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.53.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.53.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.52.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.51.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.51.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.50.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.50.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.50.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.49.4:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.49.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.49.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.49.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.49.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.48.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.48.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.48.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.48.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.47.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.47.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.47.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.47.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.46.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.46.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.46.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.45.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.45.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.44.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.44.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.43.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.43.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.43.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.43.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.42.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.41.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.41.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.40.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.39.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.38.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.38.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.37.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.36.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.35.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.35.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.35.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.34.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.34.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.33.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.33.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.32.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.31.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.31.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.30.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.30.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.29.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.29.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.28.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.28.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.27.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.27.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.26.0:*:*:*:*:*:*:*
- **Action statement:** `Disable SAML SSO authentication.`
- **Timestamp:** 2025-05-12 16:13:23
### [CVE-2025-26519](https://nvd.nist.gov/vuln/detail/CVE-2025-26519)
Fix detected CVEs and docker scout exit code to fail the Github Action (#28836) For #28837. Fixing this all of this because we got multiple reports from the community and customers and these were also detected by Amazon Inspector. - Fixes CVE-2025-22871 by upgrading Go from 1.24.1 to 1.24.2. - `docker scout` now fails the daily scheduled action if there are CRITICAL,HIGH CVEs (we missed setting `exit-code: true`). - Report CVE-2025-46569 as not affected by it because of our use of OPA's go package. - Report CVE-2024-8260 as not affected by it because Fleet doesn't run on Windows. - The `security/status.md` shows a lot of changes because we are now sorting CVEs so that newest come first. --- - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). - [ ] For unreleased bug fixes in a release candidate, confirmed that the fix is not expected to adversely impact load test results or alerted the release DRI if additional load testing is needed.
2025-05-06 16:35:27 +00:00
- **Author:** @lucasmrod
- **Status:** `not_affected`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Status notes:** fleet does not perform any EUC-KR to UTF-8 translation by libc.
- **Products:**: `fleet`,`pkg:apk/alpine/musl@1.2.5-r8?os_name=alpine&os_version=3.21`
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
- **Justification:** `vulnerable_code_not_in_execute_path`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Timestamp:** 2025-04-14 16:30:01
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
Add VEX for CVE-2025-22874 and generate report (#30258) We missed to add this when we upgraded Go to 1.24.4. Report https://github.com/fleetdm/fleet/actions/runs/15626203997/job/44020838145 How to test (with and without the new VEX file): ``` docker scout cves --only-fixed --vex-location=./security/vex/fleet --only-vex-affected --only-severity high,critical fleetdm/fleet:v4.69.0 ```
2025-06-25 18:13:34 +00:00
### [CVE-2025-22874](https://nvd.nist.gov/vuln/detail/CVE-2025-22874)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** Fleet does not perform any verification of policies in client certificates (CertificatePolicies not set in VerifyOptions).
- **Products:**: `fleet`,`pkg:golang/stdlib@1.24.2`
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2025-06-23 16:48:42
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
### [CVE-2025-21614](https://nvd.nist.gov/vuln/detail/CVE-2025-21614)
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** The fleetctl executable is unused in the fleetdm/fleet docker image. The executable was removed in v4.64.0.
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Products:**: `fleet`,`pkg:golang/github.com/go-git/go-git/v5`
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
- **Justification:** `vulnerable_code_not_in_execute_path`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Timestamp:** 2025-04-10 15:43:15
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
### [CVE-2025-21613](https://nvd.nist.gov/vuln/detail/CVE-2025-21613)
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** The fleetctl executable is unused in the fleetdm/fleet docker image. The executable was removed in v4.64.0.
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Products:**: `fleet`,`pkg:golang/github.com/go-git/go-git/v5`
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
- **Justification:** `vulnerable_code_not_in_execute_path`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Timestamp:** 2025-04-10 15:42:55
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
### [CVE-2024-8260](https://nvd.nist.gov/vuln/detail/CVE-2024-8260)
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
- **Author:** @lucasmrod
- **Status:** `not_affected`
Fix detected CVEs and docker scout exit code to fail the Github Action (#28836) For #28837. Fixing this all of this because we got multiple reports from the community and customers and these were also detected by Amazon Inspector. - Fixes CVE-2025-22871 by upgrading Go from 1.24.1 to 1.24.2. - `docker scout` now fails the daily scheduled action if there are CRITICAL,HIGH CVEs (we missed setting `exit-code: true`). - Report CVE-2025-46569 as not affected by it because of our use of OPA's go package. - Report CVE-2024-8260 as not affected by it because Fleet doesn't run on Windows. - The `security/status.md` shows a lot of changes because we are now sorting CVEs so that newest come first. --- - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). - [ ] For unreleased bug fixes in a release candidate, confirmed that the fix is not expected to adversely impact load test results or alerted the release DRI if additional load testing is needed.
2025-05-06 16:35:27 +00:00
- **Status notes:** Fleet doesn't run on Windows, so it's not affected by this vulnerability.
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Products:**: `fleet`,`pkg:golang/github.com/open-policy-agent/opa`
Fix detected CVEs and docker scout exit code to fail the Github Action (#28836) For #28837. Fixing this all of this because we got multiple reports from the community and customers and these were also detected by Amazon Inspector. - Fixes CVE-2025-22871 by upgrading Go from 1.24.1 to 1.24.2. - `docker scout` now fails the daily scheduled action if there are CRITICAL,HIGH CVEs (we missed setting `exit-code: true`). - Report CVE-2025-46569 as not affected by it because of our use of OPA's go package. - Report CVE-2024-8260 as not affected by it because Fleet doesn't run on Windows. - The `security/status.md` shows a lot of changes because we are now sorting CVEs so that newest come first. --- - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). - [ ] For unreleased bug fixes in a release candidate, confirmed that the fix is not expected to adversely impact load test results or alerted the release DRI if additional load testing is needed.
2025-05-06 16:35:27 +00:00
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Timestamp:** 2025-05-05 20:54:14
Fix detected CVEs and docker scout exit code to fail the Github Action (#28836) For #28837. Fixing this all of this because we got multiple reports from the community and customers and these were also detected by Amazon Inspector. - Fixes CVE-2025-22871 by upgrading Go from 1.24.1 to 1.24.2. - `docker scout` now fails the daily scheduled action if there are CRITICAL,HIGH CVEs (we missed setting `exit-code: true`). - Report CVE-2025-46569 as not affected by it because of our use of OPA's go package. - Report CVE-2024-8260 as not affected by it because Fleet doesn't run on Windows. - The `security/status.md` shows a lot of changes because we are now sorting CVEs so that newest come first. --- - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). - [ ] For unreleased bug fixes in a release candidate, confirmed that the fix is not expected to adversely impact load test results or alerted the release DRI if additional load testing is needed.
2025-05-06 16:35:27 +00:00
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
### [CVE-2024-12797](https://nvd.nist.gov/vuln/detail/CVE-2024-12797)
Fix detected CVEs and docker scout exit code to fail the Github Action (#28836) For #28837. Fixing this all of this because we got multiple reports from the community and customers and these were also detected by Amazon Inspector. - Fixes CVE-2025-22871 by upgrading Go from 1.24.1 to 1.24.2. - `docker scout` now fails the daily scheduled action if there are CRITICAL,HIGH CVEs (we missed setting `exit-code: true`). - Report CVE-2025-46569 as not affected by it because of our use of OPA's go package. - Report CVE-2024-8260 as not affected by it because Fleet doesn't run on Windows. - The `security/status.md` shows a lot of changes because we are now sorting CVEs so that newest come first. --- - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). - [ ] For unreleased bug fixes in a release candidate, confirmed that the fix is not expected to adversely impact load test results or alerted the release DRI if additional load testing is needed.
2025-05-06 16:35:27 +00:00
- **Author:** @lucasmrod
- **Status:** `not_affected`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Status notes:** fleet uses Go TLS implementation.
- **Products:**: `fleet`,`pkg:apk/alpine/libcrypto3`,`pkg:apk/alpine/libssl3`
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
- **Justification:** `vulnerable_code_not_in_execute_path`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Timestamp:** 2025-04-10 15:15:53
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
### [CVE-2023-32698](https://nvd.nist.gov/vuln/detail/CVE-2023-32698)
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
- **Author:** @lucasmrod
- **Status:** `not_affected`
Fix detected CVEs and docker scout exit code to fail the Github Action (#28836) For #28837. Fixing this all of this because we got multiple reports from the community and customers and these were also detected by Amazon Inspector. - Fixes CVE-2025-22871 by upgrading Go from 1.24.1 to 1.24.2. - `docker scout` now fails the daily scheduled action if there are CRITICAL,HIGH CVEs (we missed setting `exit-code: true`). - Report CVE-2025-46569 as not affected by it because of our use of OPA's go package. - Report CVE-2024-8260 as not affected by it because Fleet doesn't run on Windows. - The `security/status.md` shows a lot of changes because we are now sorting CVEs so that newest come first. --- - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). - [ ] For unreleased bug fixes in a release candidate, confirmed that the fix is not expected to adversely impact load test results or alerted the release DRI if additional load testing is needed.
2025-05-06 16:35:27 +00:00
- **Status notes:** The fleetctl executable is unused in the fleetdm/fleet docker image. The executable was removed in v4.64.0.
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Products:**: `fleet`,`pkg:golang/github.com/goreleaser/nfpm/v2`
Fix detected CVEs and docker scout exit code to fail the Github Action (#28836) For #28837. Fixing this all of this because we got multiple reports from the community and customers and these were also detected by Amazon Inspector. - Fixes CVE-2025-22871 by upgrading Go from 1.24.1 to 1.24.2. - `docker scout` now fails the daily scheduled action if there are CRITICAL,HIGH CVEs (we missed setting `exit-code: true`). - Report CVE-2025-46569 as not affected by it because of our use of OPA's go package. - Report CVE-2024-8260 as not affected by it because Fleet doesn't run on Windows. - The `security/status.md` shows a lot of changes because we are now sorting CVEs so that newest come first. --- - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). - [ ] For unreleased bug fixes in a release candidate, confirmed that the fix is not expected to adversely impact load test results or alerted the release DRI if additional load testing is needed.
2025-05-06 16:35:27 +00:00
- **Justification:** `vulnerable_code_not_in_execute_path`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Timestamp:** 2025-04-10 15:28:30
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
## `fleetdm/fleetctl` docker image
Add VEX statements for libxml2 CVEs (#30011) This PR adds VEX statement files for three vulverabilities: ``` ┌─────────┬────────────────┬──────────┬──────────┬─────────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐ │ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ ├─────────┼────────────────┼──────────┼──────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libxml2 │ CVE-2025-49794 │ CRITICAL │ affected │ 2.9.14+dfsg-1.3~deb12u1 │ │ libxml: Heap use after free (UAF) leads to Denial of service │ │ │ │ │ │ │ │ (DoS)... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-49794 │ │ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2025-49795 │ │ │ │ │ libxml: Null pointer dereference leads to Denial of service │ │ │ │ │ │ │ │ (DoS) │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-49795 │ │ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2025-49796 │ │ │ │ │ libxml: Type confusion leads to Denial of service (DoS) │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-49796 │ └─────────┴────────────────┴──────────┴──────────┴─────────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘ ``` the vulnerabilities in libxml2 do not affect fleetctl, since the attack vector is DoS and fleetctl is not a server tool. Additionally the libxml2 package isn't used by fleetctl directly, but by the tools it uses for code signing, which don't parse untrusted XML.
2025-06-13 22:00:49 +00:00
### [CVE-2025-49796](https://nvd.nist.gov/vuln/detail/CVE-2025-49796)
- **Author:** @sgress454
- **Status:** `not_affected`
- **Status notes:** The affected dependency (libxml2) is not utilized by fleetctl itself, but by Apples iTMSTransporter tool, which is included in the Docker image for code signing purposes. fleetctl does not process untrusted XML input. Additionally, this CVE describes a denial-of-service (DoS) vulnerability, and fleetctl is a CLI tool, not a long-running service, and therefore is not susceptible to DoS-style exploitation.
Generate new osquery 5.18.1 flags, catch up VEX report (#31648) Adding new flags added to osquery 5.18.1.
2025-08-08 13:49:23 +00:00
- **Products:**: `fleetctl`,`pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1`,`pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u2`
Add VEX statements for libxml2 CVEs (#30011) This PR adds VEX statement files for three vulverabilities: ``` ┌─────────┬────────────────┬──────────┬──────────┬─────────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐ │ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ ├─────────┼────────────────┼──────────┼──────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libxml2 │ CVE-2025-49794 │ CRITICAL │ affected │ 2.9.14+dfsg-1.3~deb12u1 │ │ libxml: Heap use after free (UAF) leads to Denial of service │ │ │ │ │ │ │ │ (DoS)... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-49794 │ │ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2025-49795 │ │ │ │ │ libxml: Null pointer dereference leads to Denial of service │ │ │ │ │ │ │ │ (DoS) │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-49795 │ │ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2025-49796 │ │ │ │ │ libxml: Type confusion leads to Denial of service (DoS) │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-49796 │ └─────────┴────────────────┴──────────┴──────────┴─────────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘ ``` the vulnerabilities in libxml2 do not affect fleetctl, since the attack vector is DoS and fleetctl is not a server tool. Additionally the libxml2 package isn't used by fleetctl directly, but by the tools it uses for code signing, which don't parse untrusted XML.
2025-06-13 22:00:49 +00:00
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2025-06-13 15:57:38
### [CVE-2025-49795](https://nvd.nist.gov/vuln/detail/CVE-2025-49795)
- **Author:** @sgress454
- **Status:** `not_affected`
- **Status notes:** The affected dependency (libxml2) is not utilized by fleetctl itself, but by Apples iTMSTransporter tool, which is included in the Docker image for code signing purposes. fleetctl does not process untrusted XML input. Additionally, this CVE describes a denial-of-service (DoS) vulnerability, and fleetctl is a CLI tool, not a long-running service, and therefore is not susceptible to DoS-style exploitation.
- **Products:**: `fleetctl`,`pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1`
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2025-06-13 15:57:25
### [CVE-2025-49794](https://nvd.nist.gov/vuln/detail/CVE-2025-49794)
- **Author:** @sgress454
- **Status:** `not_affected`
- **Status notes:** The affected dependency (libxml2) is not utilized by fleetctl itself, but by Apples iTMSTransporter tool, which is included in the Docker image for code signing purposes. fleetctl does not process untrusted XML input. Additionally, this CVE describes a denial-of-service (DoS) vulnerability, and fleetctl is a CLI tool, not a long-running service, and therefore is not susceptible to DoS-style exploitation.
Generate new osquery 5.18.1 flags, catch up VEX report (#31648) Adding new flags added to osquery 5.18.1.
2025-08-08 13:49:23 +00:00
- **Products:**: `fleetctl`,`pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1`,`pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u2`
Add VEX statements for libxml2 CVEs (#30011) This PR adds VEX statement files for three vulverabilities: ``` ┌─────────┬────────────────┬──────────┬──────────┬─────────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐ │ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ ├─────────┼────────────────┼──────────┼──────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libxml2 │ CVE-2025-49794 │ CRITICAL │ affected │ 2.9.14+dfsg-1.3~deb12u1 │ │ libxml: Heap use after free (UAF) leads to Denial of service │ │ │ │ │ │ │ │ (DoS)... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-49794 │ │ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2025-49795 │ │ │ │ │ libxml: Null pointer dereference leads to Denial of service │ │ │ │ │ │ │ │ (DoS) │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-49795 │ │ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2025-49796 │ │ │ │ │ libxml: Type confusion leads to Denial of service (DoS) │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-49796 │ └─────────┴────────────────┴──────────┴──────────┴─────────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘ ``` the vulnerabilities in libxml2 do not affect fleetctl, since the attack vector is DoS and fleetctl is not a server tool. Additionally the libxml2 package isn't used by fleetctl directly, but by the tools it uses for code signing, which don't parse untrusted XML.
2025-06-13 22:00:49 +00:00
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2025-06-13 15:56:50
Mark `CVE-2025-48734` as not affected (#29692) https://fleetdm.slack.com/archives/C019WG4GH0A/p1748758788762129
2025-06-02 16:53:40 +00:00
### [CVE-2025-48734](https://nvd.nist.gov/vuln/detail/CVE-2025-48734)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** The fleetctl tool is used by IT admins to generate packages so the vulnerable code cannot be controlled by attackers.
Microsoft Compliance Partner backend changes (#29540) For #27042. Ready for review, just missing integration tests that I will be writing today. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [X] If database migrations are included, checked table schema to confirm autoupdate - For new Fleet configuration settings - [X] Verified that the setting can be managed via GitOps, or confirmed that the setting is explicitly being excluded from GitOps. If managing via Gitops: - [X] Verified that the setting is exported via `fleetctl generate-gitops` - [X] Added the setting to [the GitOps documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485) - [X] Verified that the setting is cleared on the server if it is not supplied in a YAML file (or that it is documented as being optional) - [x] Verified that any relevant UI is disabled when GitOps mode is enabled - For database migrations: - [X] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [X] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [X] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Added/updated automated tests - [X] Manual QA for all new/changed functionality --------- Co-authored-by: jacobshandling <61553566+jacobshandling@users.noreply.github.com> Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
2025-06-11 17:22:46 +00:00
- **Products:**: `fleetctl`,`pkg:maven/commons-beanutils/commons-beanutils`
Mark `CVE-2025-48734` as not affected (#29692) https://fleetdm.slack.com/archives/C019WG4GH0A/p1748758788762129
2025-06-02 16:53:40 +00:00
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2025-06-02 07:33:44
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
### [CVE-2025-46569](https://nvd.nist.gov/vuln/detail/CVE-2025-46569)
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
- **Author:** @lucasmrod
- **Status:** `not_affected`
Fix detected CVEs and docker scout exit code to fail the Github Action (#28836) For #28837. Fixing this all of this because we got multiple reports from the community and customers and these were also detected by Amazon Inspector. - Fixes CVE-2025-22871 by upgrading Go from 1.24.1 to 1.24.2. - `docker scout` now fails the daily scheduled action if there are CRITICAL,HIGH CVEs (we missed setting `exit-code: true`). - Report CVE-2025-46569 as not affected by it because of our use of OPA's go package. - Report CVE-2024-8260 as not affected by it because Fleet doesn't run on Windows. - The `security/status.md` shows a lot of changes because we are now sorting CVEs so that newest come first. --- - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). - [ ] For unreleased bug fixes in a release candidate, confirmed that the fix is not expected to adversely impact load test results or alerted the release DRI if additional load testing is needed.
2025-05-06 16:35:27 +00:00
- **Status notes:** fleetctl does not use OPA.
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Products:**: `fleetctl`,`pkg:golang/github.com/open-policy-agent/opa`
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
- **Justification:** `vulnerable_code_not_in_execute_path`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Timestamp:** 2025-05-06 07:47:31
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
Skip CVE in fleetctl (#33267) Fixes https://github.com/fleetdm/fleet/actions/runs/17906206819.
2025-09-22 21:55:08 +00:00
### [CVE-2025-41249](https://nvd.nist.gov/vuln/detail/CVE-2025-41249)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** Vulnerability affects web servers, not fleetctl.
- **Products:**: `fleetctl`,`pkg:maven/org.springframework/spring-core`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2025-09-22 10:27:40
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
### [CVE-2025-31115](https://nvd.nist.gov/vuln/detail/CVE-2025-31115)
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
- **Author:** @lucasmrod
- **Status:** `not_affected`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Status notes:** fleetctl does not use liblzma5.
- **Products:**: `fleetctl`,`pkg:deb/debian/liblzma5`
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
- **Justification:** `vulnerable_code_not_in_execute_path`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Timestamp:** 2025-04-09 13:24:20
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
Add VEX rule to remove CVE-2025-27509 false positive on fleetctl (#32914)
2025-09-12 13:54:46 +00:00
### [CVE-2025-27509](https://nvd.nist.gov/vuln/detail/CVE-2025-27509)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** This vulnerability affected fleet, not fleetctl, adding it here to avoid false positives.
Fix vulnerability report in fleetdm/fleet and properly fix in fleetdm… (#33026)
2025-09-16 17:06:45 +00:00
- **Products:**: `fleetctl`,`pkg:golang/github.com/fleetdm/fleet/v4`
Add VEX rule to remove CVE-2025-27509 false positive on fleetctl (#32914)
2025-09-12 13:54:46 +00:00
- **Justification:** `component_not_present`
- **Timestamp:** 2025-09-12 09:25:41
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
### [CVE-2024-7254](https://nvd.nist.gov/vuln/detail/CVE-2024-7254)
Run `make generate-doc` (#28595) PRs are failing due to mismatch in auto-generated docs: https://github.com/fleetdm/fleet/actions/runs/14685592347/job/41213770932?pr=28531 Co-authored-by: Rachael Shaw <r@rachael.wtf>
2025-04-28 15:11:45 +00:00
- **Author:** @lucasmrod
- **Status:** `not_affected`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Status notes:** fleetctl does not use Java.
- **Products:**: `fleetctl`,`pkg:maven/com.google.protobuf/protobuf-java`
Run `make generate-doc` (#28595) PRs are failing due to mismatch in auto-generated docs: https://github.com/fleetdm/fleet/actions/runs/14685592347/job/41213770932?pr=28531 Co-authored-by: Rachael Shaw <r@rachael.wtf>
2025-04-28 15:11:45 +00:00
- **Justification:** `vulnerable_code_not_in_execute_path`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Timestamp:** 2025-04-10 07:34:26
Run `make generate-doc` (#28595) PRs are failing due to mismatch in auto-generated docs: https://github.com/fleetdm/fleet/actions/runs/14685592347/job/41213770932?pr=28531 Co-authored-by: Rachael Shaw <r@rachael.wtf>
2025-04-28 15:11:45 +00:00
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
### [CVE-2023-6879](https://nvd.nist.gov/vuln/detail/CVE-2023-6879)
Fix detected CVEs and docker scout exit code to fail the Github Action (#28836) For #28837. Fixing this all of this because we got multiple reports from the community and customers and these were also detected by Amazon Inspector. - Fixes CVE-2025-22871 by upgrading Go from 1.24.1 to 1.24.2. - `docker scout` now fails the daily scheduled action if there are CRITICAL,HIGH CVEs (we missed setting `exit-code: true`). - Report CVE-2025-46569 as not affected by it because of our use of OPA's go package. - Report CVE-2024-8260 as not affected by it because Fleet doesn't run on Windows. - The `security/status.md` shows a lot of changes because we are now sorting CVEs so that newest come first. --- - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). - [ ] For unreleased bug fixes in a release candidate, confirmed that the fix is not expected to adversely impact load test results or alerted the release DRI if additional load testing is needed.
2025-05-06 16:35:27 +00:00
- **Author:** @lucasmrod
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
- **Status:** `not_affected`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Status notes:** fleetctl does not use libaom3.
- **Products:**: `fleetctl`,`pkg:deb/debian/libaom3`
Fix detected CVEs and docker scout exit code to fail the Github Action (#28836) For #28837. Fixing this all of this because we got multiple reports from the community and customers and these were also detected by Amazon Inspector. - Fixes CVE-2025-22871 by upgrading Go from 1.24.1 to 1.24.2. - `docker scout` now fails the daily scheduled action if there are CRITICAL,HIGH CVEs (we missed setting `exit-code: true`). - Report CVE-2025-46569 as not affected by it because of our use of OPA's go package. - Report CVE-2024-8260 as not affected by it because Fleet doesn't run on Windows. - The `security/status.md` shows a lot of changes because we are now sorting CVEs so that newest come first. --- - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). - [ ] For unreleased bug fixes in a release candidate, confirmed that the fix is not expected to adversely impact load test results or alerted the release DRI if additional load testing is needed.
2025-05-06 16:35:27 +00:00
- **Justification:** `vulnerable_code_not_in_execute_path`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Timestamp:** 2025-04-15 10:28:21
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
### [CVE-2023-45853](https://nvd.nist.gov/vuln/detail/CVE-2023-45853)
Run `make generate-doc` (#28595) PRs are failing due to mismatch in auto-generated docs: https://github.com/fleetdm/fleet/actions/runs/14685592347/job/41213770932?pr=28531 Co-authored-by: Rachael Shaw <r@rachael.wtf>
2025-04-28 15:11:45 +00:00
- **Author:** @lucasmrod
- **Status:** `not_affected`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Status notes:** fleetctl does not use zlib C library.
- **Products:**: `fleetctl`,`pkg:deb/debian/zlib1g`
Run `make generate-doc` (#28595) PRs are failing due to mismatch in auto-generated docs: https://github.com/fleetdm/fleet/actions/runs/14685592347/job/41213770932?pr=28531 Co-authored-by: Rachael Shaw <r@rachael.wtf>
2025-04-28 15:11:45 +00:00
- **Justification:** `vulnerable_code_not_in_execute_path`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Timestamp:** 2025-04-15 10:17:19
Run `make generate-doc` (#28595) PRs are failing due to mismatch in auto-generated docs: https://github.com/fleetdm/fleet/actions/runs/14685592347/job/41213770932?pr=28531 Co-authored-by: Rachael Shaw <r@rachael.wtf>
2025-04-28 15:11:45 +00:00
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
### [CVE-2023-32698](https://nvd.nist.gov/vuln/detail/CVE-2023-32698)
Fix detected CVEs and docker scout exit code to fail the Github Action (#28836) For #28837. Fixing this all of this because we got multiple reports from the community and customers and these were also detected by Amazon Inspector. - Fixes CVE-2025-22871 by upgrading Go from 1.24.1 to 1.24.2. - `docker scout` now fails the daily scheduled action if there are CRITICAL,HIGH CVEs (we missed setting `exit-code: true`). - Report CVE-2025-46569 as not affected by it because of our use of OPA's go package. - Report CVE-2024-8260 as not affected by it because Fleet doesn't run on Windows. - The `security/status.md` shows a lot of changes because we are now sorting CVEs so that newest come first. --- - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). - [ ] For unreleased bug fixes in a release candidate, confirmed that the fix is not expected to adversely impact load test results or alerted the release DRI if additional load testing is needed.
2025-05-06 16:35:27 +00:00
- **Author:** @getvictor
- **Status:** `not_affected`
- **Status notes:** When packaging linux files, fleetctl does not use global permissions. It was verified that packed fleetd package files do not have group/global write permissions.
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Products:**: `fleetctl`,`pkg:golang/github.com/goreleaser/nfpm/v2`
Fix detected CVEs and docker scout exit code to fail the Github Action (#28836) For #28837. Fixing this all of this because we got multiple reports from the community and customers and these were also detected by Amazon Inspector. - Fixes CVE-2025-22871 by upgrading Go from 1.24.1 to 1.24.2. - `docker scout` now fails the daily scheduled action if there are CRITICAL,HIGH CVEs (we missed setting `exit-code: true`). - Report CVE-2025-46569 as not affected by it because of our use of OPA's go package. - Report CVE-2024-8260 as not affected by it because Fleet doesn't run on Windows. - The `security/status.md` shows a lot of changes because we are now sorting CVEs so that newest come first. --- - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). - [ ] For unreleased bug fixes in a release candidate, confirmed that the fix is not expected to adversely impact load test results or alerted the release DRI if additional load testing is needed.
2025-05-06 16:35:27 +00:00
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Timestamp:** 2025-04-09 10:26:02
Fix detected CVEs and docker scout exit code to fail the Github Action (#28836) For #28837. Fixing this all of this because we got multiple reports from the community and customers and these were also detected by Amazon Inspector. - Fixes CVE-2025-22871 by upgrading Go from 1.24.1 to 1.24.2. - `docker scout` now fails the daily scheduled action if there are CRITICAL,HIGH CVEs (we missed setting `exit-code: true`). - Report CVE-2025-46569 as not affected by it because of our use of OPA's go package. - Report CVE-2024-8260 as not affected by it because Fleet doesn't run on Windows. - The `security/status.md` shows a lot of changes because we are now sorting CVEs so that newest come first. --- - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). - [ ] For unreleased bug fixes in a release candidate, confirmed that the fix is not expected to adversely impact load test results or alerted the release DRI if additional load testing is needed.
2025-05-06 16:35:27 +00:00
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
### [CVE-2019-10202](https://nvd.nist.gov/vuln/detail/CVE-2019-10202)
Run `make generate-doc` (#28595) PRs are failing due to mismatch in auto-generated docs: https://github.com/fleetdm/fleet/actions/runs/14685592347/job/41213770932?pr=28531 Co-authored-by: Rachael Shaw <r@rachael.wtf>
2025-04-28 15:11:45 +00:00
- **Author:** @lucasmrod
- **Status:** `not_affected`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Status notes:** fleetctl does not use Java.
- **Products:**: `fleetctl`,`pkg:maven/org.codehaus.jackson/jackson-mapper-asl`
Run `make generate-doc` (#28595) PRs are failing due to mismatch in auto-generated docs: https://github.com/fleetdm/fleet/actions/runs/14685592347/job/41213770932?pr=28531 Co-authored-by: Rachael Shaw <r@rachael.wtf>
2025-04-28 15:11:45 +00:00
- **Justification:** `vulnerable_code_not_in_execute_path`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Timestamp:** 2025-04-15 10:31:31
Run `make generate-doc` (#28595) PRs are failing due to mismatch in auto-generated docs: https://github.com/fleetdm/fleet/actions/runs/14685592347/job/41213770932?pr=28531 Co-authored-by: Rachael Shaw <r@rachael.wtf>
2025-04-28 15:11:45 +00:00
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
### [CVE-2013-4002](https://nvd.nist.gov/vuln/detail/CVE-2013-4002)
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
- **Author:** @lucasmrod
- **Status:** `not_affected`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Status notes:** fleetctl does not use Java.
- **Products:**: `fleetctl`,`pkg:maven/xerces/xercesImpl`
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
- **Justification:** `vulnerable_code_not_in_execute_path`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Timestamp:** 2025-04-10 07:36:31
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
### [CVE-2012-0881](https://nvd.nist.gov/vuln/detail/CVE-2012-0881)
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
- **Author:** @lucasmrod
- **Status:** `not_affected`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Status notes:** fleetctl does not use Java.
- **Products:**: `fleetctl`,`pkg:maven/xerces/xercesImpl`
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
- **Justification:** `vulnerable_code_not_in_execute_path`
Iterate `status.md` for reporting vulnerability updates (#29062) For #28805. See scenario we want to support in the linked issue. --------- Co-authored-by: Scott Gress <scottmgress@gmail.com>
2025-05-16 00:15:37 +00:00
- **Timestamp:** 2025-04-10 14:46:52
Add scanning to released images and process to track vulnerabilities (#28087) For #25902. --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 14:50:10 +00:00
Reference in a new issue Copy permalink