Fix security warnings on fleetdm/fleetctl (#42276)

Fixes: https://github.com/fleetdm/fleet/actions/runs/23424438962 New runs: - Local: https://github.com/fleetdm/fleet/actions/runs/23463124995. - Remote: https://github.com/fleetdm/fleet/actions/runs/23463145956.
2026-04-21 13:37:30 +00:00 · 2026-03-24 12:10:29 -03:00 · 2026-03-24 12:10:29 -03:00 · ec9610bcea
commit ec9610bcea
parent be0f0b29cd
4 changed files with 102 additions and 0 deletions
--- a/security/status.md
+++ b/security/status.md
@ -156,6 +156,22 @@ Following is the vulnerability report of Fleet and its dependencies.
 - **Justification:** `vulnerable_code_not_in_execute_path`
 - **Timestamp:** 2026-03-13 12:30:33

+### [GHSA-479m-364c-43vc](https://nvd.nist.gov/vuln/detail/GHSA-479m-364c-43vc)
+- **Author:** @lucasmrod
+- **Status:** `not_affected`
+- **Status notes:** fleetctl does not validate any XML signatures.
+- **Products:**: `fleetctl`,`pkg:golang/github.com/russellhaering/goxmldsig`
+- **Justification:** `vulnerable_code_not_in_execute_path`
+- **Timestamp:** 2026-03-23 16:44:57
+
+### [CVE-2026-33186](https://nvd.nist.gov/vuln/detail/CVE-2026-33186)
+- **Author:** @lucasmrod
+- **Status:** `not_affected`
+- **Status notes:** fleetctl uses admin controlled URLs to manage Fleet. The primary attack vector is social engineering an admin into using a crafted URL.
+- **Products:**: `fleetctl`,`pkg:golang/google.golang.org/grpc`
+- **Justification:** `vulnerable_code_not_in_execute_path`
+- **Timestamp:** 2026-03-23 19:20:41
+
 ### [CVE-2026-27465](https://nvd.nist.gov/vuln/detail/CVE-2026-27465)
 - **Author:** @lucasmrod
 - **Status:** `not_affected`
@ -164,6 +180,14 @@ Following is the vulnerability report of Fleet and its dependencies.
 - **Justification:** `vulnerable_code_not_in_execute_path`
 - **Timestamp:** 2026-03-13 12:33:34

+### [CVE-2026-25679](https://nvd.nist.gov/vuln/detail/CVE-2026-25679)
+- **Author:** @lucasmrod
+- **Status:** `not_affected`
+- **Status notes:** fleetctl uses admin controlled URLs to manage Fleet. The primary attack vector is social engineering an admin into using a crafted URL.
+- **Products:**: `fleetctl`,`pkg:golang/stdlib`
+- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
+- **Timestamp:** 2026-03-23 19:12:15
+
 ### [CVE-2026-24515](https://nvd.nist.gov/vuln/detail/CVE-2026-24515)
 - **Author:** @lucasmrod
 - **Status:** `not_affected`
--- a/security/vex/fleetctl/CVE-2026-25679.vex.json
+++ b/security/vex/fleetctl/CVE-2026-25679.vex.json
@ -0,0 +1,26 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-d164b4b98491cc23a9eb0e24dcd2e664a37f4b81edac9c258e61643b03db8eaa",
+  "author": "@lucasmrod",
+  "timestamp": "2026-03-23T19:12:15.612602-03:00",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-2026-25679"
+      },
+      "timestamp": "2026-03-23T19:12:15.612603-03:00",
+      "products": [
+        {
+          "@id": "fleetctl"
+        },
+        {
+          "@id": "pkg:golang/stdlib"
+        }
+      ],
+      "status": "not_affected",
+      "status_notes": "fleetctl uses admin controlled URLs to manage Fleet. The primary attack vector is social engineering an admin into using a crafted URL",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary"
+    }
+  ]
+}
--- a/security/vex/fleetctl/CVE-2026-33186.vex.json
+++ b/security/vex/fleetctl/CVE-2026-33186.vex.json
@ -0,0 +1,26 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-2eb690748f08fc3eba86592fa6fd6d10320b88854f924de2e4db1132068f14f2",
+  "author": "@lucasmrod",
+  "timestamp": "2026-03-23T19:20:41.389184-03:00",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-2026-33186"
+      },
+      "timestamp": "2026-03-23T19:20:41.389186-03:00",
+      "products": [
+        {
+          "@id": "fleetctl"
+        },
+        {
+          "@id": "pkg:golang/google.golang.org/grpc"
+        }
+      ],
+      "status": "not_affected",
+      "status_notes": "fleetctl uses admin controlled URLs to manage Fleet. The primary attack vector is social engineering an admin into using a crafted URL",
+      "justification": "vulnerable_code_not_in_execute_path"
+    }
+  ]
+}
--- a/security/vex/fleetctl/GHSA-479m-364c-43vc.vex.json
+++ b/security/vex/fleetctl/GHSA-479m-364c-43vc.vex.json
@ -0,0 +1,26 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-39ac4ea905da60153211f8f9904c3e18cf56676c48242d8694953cd10f05ff15",
+  "author": "@lucasmrod",
+  "timestamp": "2026-03-23T16:44:57.349455-03:00",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "GHSA-479m-364c-43vc"
+      },
+      "timestamp": "2026-03-23T16:44:57.349455-03:00",
+      "products": [
+        {
+          "@id": "fleetctl"
+        },
+        {
+          "@id": "pkg:golang/github.com/russellhaering/goxmldsig"
+        }
+      ],
+      "status": "not_affected",
+      "status_notes": "fleetctl does not validate any XML signatures",
+      "justification": "vulnerable_code_not_in_execute_path"
+    }
+  ]
+}