Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 13:37:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 91

Fix CVE fleetdm/fleet alerts (#42314)

Browse source 
Fixes
https://github.com/fleetdm/fleet/actions/runs/23476076250/job/68309012488.

Runs:
- https://github.com/fleetdm/fleet/actions/runs/23498265614
This commit is contained in:
Lucas Manuel Rodriguez 2026-03-24 17:38:46 -03:00 committed by GitHub
parent 3aa63d804b
commit 8b3674bc55
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 34 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
security/status.md
View file

@ -5,6 +5,14 @@ Following is the vulnerability report of Fleet and its dependencies.
## `fleetdm/fleet` docker image
### [CVE-2026-33186](https://nvd.nist.gov/vuln/detail/CVE-2026-33186)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** There are no path-based authorization interceptors. The only interceptors are grpc_recovery (panic handlers). CVE-2026-33186 specifically requires path-based authz rules (like grpc/authz RBAC policies) that compare against info.FullMethod — Fleet doesn't use any.
- **Products:**: `fleet`,`pkg:golang/google.golang.org/grpc`
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2026-03-24 12:38:53
### [CVE-2026-22184](https://nvd.nist.gov/vuln/detail/CVE-2026-22184)
- **Author:** @lucasmrod
- **Status:** `not_affected`

26
security/vex/fleet/CVE-2026-33186.vex.json Normal file
View file

@ -0,0 +1,26 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://openvex.dev/docs/public/vex-26fc626bd7a7e4809e2e1c121ca89a92b091114d7ea6c561588a97d09004fd09",
"author": "@lucasmrod",
"timestamp": "2026-03-24T12:38:53.719336-03:00",
"version": 1,
"statements": [
{
"vulnerability": {
"name": "CVE-2026-33186"
},
"timestamp": "2026-03-24T12:38:53.719337-03:00",
"products": [
{
"@id": "fleet"
},
{
"@id": "pkg:golang/google.golang.org/grpc"
}
],
"status": "not_affected",
"status_notes": "There are no path-based authorization interceptors. The only interceptors are grpc_recovery (panic handlers). CVE-2026-33186 specifically requires path-based authz rules (like grpc/authz RBAC policies) that compare against info.FullMethod — Fleet doesn't use any.",
"justification": "vulnerable_code_cannot_be_controlled_by_adversary"
}
]
}