Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 13:37:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 91

Add VEX for CVE-2025-22874 and generate report (#30258)

Browse source 
We missed to add this when we upgraded Go to 1.24.4.
Report
https://github.com/fleetdm/fleet/actions/runs/15626203997/job/44020838145

How to test (with and without the new VEX file):
```
docker scout cves --only-fixed --vex-location=./security/vex/fleet --only-vex-affected --only-severity high,critical fleetdm/fleet:v4.69.0
```
This commit is contained in:
Lucas Manuel Rodriguez 2025-06-25 15:13:34 -03:00 committed by GitHub
parent e74e30105b
commit 83961c0d02
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 34 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
security/status.md
View file

@ -43,6 +43,14 @@ Following is the vulnerability report of Fleet and its dependencies.
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2025-04-14 16:30:01
### [CVE-2025-22874](https://nvd.nist.gov/vuln/detail/CVE-2025-22874)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** Fleet does not perform any verification of policies in client certificates (CertificatePolicies not set in VerifyOptions).
- **Products:**: `fleet`,`pkg:golang/stdlib@1.24.2`
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2025-06-23 16:48:42
### [CVE-2025-21614](https://nvd.nist.gov/vuln/detail/CVE-2025-21614)
- **Author:** @lucasmrod
- **Status:** `not_affected`

26
security/vex/fleet/CVE-2025-22874.vex.json Normal file
View file

@ -0,0 +1,26 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://openvex.dev/docs/public/vex-884858bd8439aa35a1ed9b844ed7d2ff8e1adb3f811c99662fde8eaac5b40475",
"author": "@lucasmrod",
"timestamp": "2025-06-23T16:48:42.096441-03:00",
"version": 1,
"statements": [
{
"vulnerability": {
"name": "CVE-2025-22874"
},
"timestamp": "2025-06-23T16:48:42.096442-03:00",
"products": [
{
"@id": "fleet"
},
{
"@id": "pkg:golang/stdlib@1.24.2"
}
],
"status": "not_affected",
"status_notes": "Fleet does not perform any verification of policies in client certificates (CertificatePolicies not set in VerifyOptions)",
"justification": "vulnerable_code_cannot_be_controlled_by_adversary"
}
]
}