Add ignore to CVE found in fleetdm/fleetctl (#42711)

Fixes: https://github.com/fleetdm/fleet/actions/runs/23783786066/job/69302104997 Test runs: - https://github.com/fleetdm/fleet/actions/runs/23798426124 - https://github.com/fleetdm/fleet/actions/runs/23798449109
2026-04-21 13:37:30 +00:00 · 2026-03-31 10:27:07 -03:00 · 2026-03-31 10:27:07 -03:00 · 93a782ab61
commit 93a782ab61
parent 85c8d050d0
3 changed files with 68 additions and 0 deletions
--- a/security/status.md
+++ b/security/status.md
@ -172,6 +172,14 @@ Following is the vulnerability report of Fleet and its dependencies.
 - **Justification:** `vulnerable_code_not_in_execute_path`
 - **Timestamp:** 2026-03-23 16:44:57

+### [CVE-2026-33487](https://nvd.nist.gov/vuln/detail/CVE-2026-33487)
+- **Author:** @lucasmrod
+- **Status:** `not_affected`
+- **Status notes:** Possible vulnerability in SSO service providers, not in fleetctl command line tool.
+- **Products:**: `fleetctl`,`pkg:golang/github.com/russellhaering/goxmldsig`
+- **Justification:** `vulnerable_code_not_in_execute_path`
+- **Timestamp:** 2026-03-31 09:54:45
+
 ### [CVE-2026-33186](https://nvd.nist.gov/vuln/detail/CVE-2026-33186)
 - **Author:** @lucasmrod
 - **Status:** `not_affected`
@ -188,6 +196,14 @@ Following is the vulnerability report of Fleet and its dependencies.
 - **Justification:** `vulnerable_code_not_in_execute_path`
 - **Timestamp:** 2026-03-13 12:33:34

+### [CVE-2026-26061](https://nvd.nist.gov/vuln/detail/CVE-2026-26061)
+- **Author:** @lucasmrod
+- **Status:** `not_affected`
+- **Status notes:** Vulnerability in fleet server, not fleetctl.
+- **Products:**: `fleetctl`,`pkg:golang/github.com/fleetdm/fleet/v4`
+- **Justification:** `vulnerable_code_not_in_execute_path`
+- **Timestamp:** 2026-03-31 09:36:31
+
 ### [CVE-2026-25679](https://nvd.nist.gov/vuln/detail/CVE-2026-25679)
 - **Author:** @lucasmrod
 - **Status:** `not_affected`
--- a/security/vex/fleetctl/CVE-2026-26061.vex.json
+++ b/security/vex/fleetctl/CVE-2026-26061.vex.json
@ -0,0 +1,26 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-c3d1500d01bf594e793a428bdcd4dba61a540515b8cbf918a8b95f825e1a75ab",
+  "author": "@lucasmrod",
+  "timestamp": "2026-03-31T09:36:31.598724-03:00",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-2026-26061"
+      },
+      "timestamp": "2026-03-31T09:36:31.598725-03:00",
+      "products": [
+        {
+          "@id": "fleetctl"
+        },
+        {
+          "@id": "pkg:golang/github.com/fleetdm/fleet/v4"
+        }
+      ],
+      "status": "not_affected",
+      "status_notes": "Vulnerability in fleet server, not fleetctl",
+      "justification": "vulnerable_code_not_in_execute_path"
+    }
+  ]
+}
--- a/security/vex/fleetctl/CVE-2026-33487.vex.json
+++ b/security/vex/fleetctl/CVE-2026-33487.vex.json
@ -0,0 +1,26 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-629cb182205463bf916cf0c9cf3b195574eafefb26a4d41b61f8b0168209c77c",
+  "author": "@lucasmrod",
+  "timestamp": "2026-03-31T09:54:45.712017-03:00",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-2026-33487"
+      },
+      "timestamp": "2026-03-31T09:54:45.712017-03:00",
+      "products": [
+        {
+          "@id": "fleetctl"
+        },
+        {
+          "@id": "pkg:golang/github.com/russellhaering/goxmldsig"
+        }
+      ],
+      "status": "not_affected",
+      "status_notes": "Possible vulnerability in SSO service providers, not in fleetctl command line tool",
+      "justification": "vulnerable_code_not_in_execute_path"
+    }
+  ]
+}