Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 13:37:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 91
fleet/security/status.md

25 KiB
Raw Blame History

Vulnerability Report

Following is the vulnerability report of Fleet and its dependencies.

fleetdm/fleet docker image

CVE-2025-9230

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: Fleet uses Go cryptography packages.
  • Products:: fleet,pkg:apk/alpine/openssl@3.3.3-r0?os_name=alpine&os_version=3.21
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-10-01 10:09:03

CVE-2025-69419

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleet uses Go's crypto and TLS implementation.
  • Products:: fleet,pkg:apk/alpine/libcrypto3,pkg:apk/alpine/libssl3
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2026-01-03 15:15:53

CVE-2025-61729

Statement:

  • Author: @lucasmrod
  • Status: fixed
  • Products:: fleet@v4.78.*
  • Timestamp: 2025-12-10 19:26:25

Statement:

  • Author: @lucasmrod
  • Status: affected
  • Status notes: This is not a CRITICAL CVE, but we still recommend upgrading to 4.78.* when it's available.
  • Products:: fleet@v4.77.0,fleet@v4.76.0,fleet@v4.76.1,fleet@v4.75.0,fleet@v4.75.1,pkg:golang/stdlib@1.25.3
  • Action statement: No action statement provided
  • Timestamp: 2025-12-10 19:26:10

CVE-2025-46569

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleet does not use OPA in server mode, it uses it as a library.
  • Products:: fleet,pkg:golang/github.com/open-policy-agent/opa@v0.44.0,pkg:golang/github.com/open-policy-agent/opa@0.44.0
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-05-05 20:29:07

CVE-2025-30204

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: The token format being validated before the call to ParseUnverified.
  • Products:: fleet,pkg:golang/github.com/golang-jwt/jwt/v4
  • Justification: inline_mitigations_already_exist
  • Timestamp: 2025-04-10 15:23:54

CVE-2025-27509

Statement:

  • Author: @lucasmrod
  • Status: fixed
  • Products:: pkg:golang/github.com/fleetdm/fleet/v4,cpe:2.3:a:fleetdm:fleet:v4.64.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.63.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.62.4:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.58.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.53.2:*:*:*:*:*:*:*
  • Timestamp: 2025-05-12 16:30:30

Statement:

  • Author: @lucasmrod
  • Status: affected
  • Products:: cpe:2.3:a:fleetdm:fleet:v4.64.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.64.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.63.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.63.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.62.3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.62.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.62.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.62.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.61.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.60.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.60.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.59.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.59.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.58.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.57.3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.57.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.57.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.57.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.56.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.55.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.55.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.55.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.54.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.54.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.54.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.53.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.53.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.52.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.51.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.51.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.50.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.50.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.50.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.49.4:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.49.3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.49.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.49.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.49.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.48.3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.48.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.48.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.48.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.47.3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.47.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.47.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.47.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.46.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.46.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.46.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.45.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.45.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.44.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.44.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.43.3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.43.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.43.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.43.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.42.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.41.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.41.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.40.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.39.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.38.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.38.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.37.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.36.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.35.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.35.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.35.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.34.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.34.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.33.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.33.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.32.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.31.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.31.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.30.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.30.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.29.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.29.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.28.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.28.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.27.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.27.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.26.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.25.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.24.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.24.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.23.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.22.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.22.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.21.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.20.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.20.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.19.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.19.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.18.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.17.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.17.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.16.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.15.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.14.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.13.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.13.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.13.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.12.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.12.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.11.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.10.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.9.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.9.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.8.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.7.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.6.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.6.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.6.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.5.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.5.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.4.3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.4.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.4.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.4.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.3.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.3.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.3.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.2.4:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.2.3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.2.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.2.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.2.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.1.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.0.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.0.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.0.0-rc3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.0.0-rc2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.0.0-rc1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.13.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.12.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.11.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.10.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.10.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.9.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.8.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.7.4:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.7.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.7.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.6.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.5.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.5.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.4.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.3.0:*:*:*:*:*:*:*
  • Action statement: Disable SAML SSO authentication.
  • Timestamp: 2025-05-12 16:13:23

CVE-2025-26519

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleet does not perform any EUC-KR to UTF-8 translation by libc.
  • Products:: fleet,pkg:apk/alpine/musl@1.2.5-r8?os_name=alpine&os_version=3.21
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-04-14 16:30:01

CVE-2025-22874

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: Fleet does not perform any verification of policies in client certificates (CertificatePolicies not set in VerifyOptions).
  • Products:: fleet,pkg:golang/stdlib@1.24.2
  • Justification: vulnerable_code_cannot_be_controlled_by_adversary
  • Timestamp: 2025-06-23 16:48:42

CVE-2025-21614

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: The fleetctl executable is unused in the fleetdm/fleet docker image. The executable was removed in v4.64.0.
  • Products:: fleet,pkg:golang/github.com/go-git/go-git/v5
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-04-10 15:43:15

CVE-2025-21613

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: The fleetctl executable is unused in the fleetdm/fleet docker image. The executable was removed in v4.64.0.
  • Products:: fleet,pkg:golang/github.com/go-git/go-git/v5
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-04-10 15:42:55

CVE-2025-15467

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleet uses Go's crypto and TLS implementation.
  • Products:: fleet,pkg:apk/alpine/libcrypto3,pkg:apk/alpine/libssl3
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2026-01-03 15:15:53

CVE-2024-8260

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: Fleet doesn't run on Windows, so it's not affected by this vulnerability.
  • Products:: fleet,pkg:golang/github.com/open-policy-agent/opa
  • Justification: vulnerable_code_cannot_be_controlled_by_adversary
  • Timestamp: 2025-05-05 20:54:14

CVE-2024-12797

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleet uses Go TLS implementation.
  • Products:: fleet,pkg:apk/alpine/libcrypto3,pkg:apk/alpine/libssl3
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-04-10 15:15:53

CVE-2023-32698

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: The fleetctl executable is unused in the fleetdm/fleet docker image. The executable was removed in v4.64.0.
  • Products:: fleet,pkg:golang/github.com/goreleaser/nfpm/v2
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-04-10 15:28:30

fleetdm/fleetctl docker image

CVE-2026-24515

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleetctl does not process XML using libexpat1, and when genrating packages the XMLs are defined.
  • Products:: fleetctl,pkg:deb/debian/libexpat1
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2026-01-03 15:15:53

CVE-2026-23517

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: This vulnerability affected fleet, not fleetctl, adding it here to avoid false positives.
  • Products:: fleetctl,pkg:golang/github.com/fleetdm/fleet/v4
  • Justification: component_not_present
  • Timestamp: 2026-01-30 09:25:41

CVE-2025-69419

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleet uses Go's crypto and TLS implementation.
  • Products:: fleetctl,pkg:deb/debian/libssl3,pkg:deb/debian/openssl
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2026-01-03 15:15:53

CVE-2025-66516

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleetdm/fleetctl does not process end-user provided PDF files with Java when generating fleetd installers. The only PDF processing code is in Go for EULA documents.
  • Products:: fleetctl,pkg:maven/org.apache.tika/tika-core
  • Justification: vulnerable_code_cannot_be_controlled_by_adversary
  • Timestamp: 2025-12-10 18:12:45

CVE-2025-66293

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleetdm/fleetctl does not use libpng. Fleet components use the 'image/png' Go package for png processing.
  • Products:: fleetctl,pkg:deb/debian/libpng16-16
  • Justification: vulnerable_code_cannot_be_controlled_by_adversary
  • Timestamp: 2025-12-10 19:04:58

CVE-2025-65018

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleetdm/fleetctl does not use libpng. Fleet components use the 'image/png' Go package for png processing.
  • Products:: fleetctl,pkg:deb/debian/libpng16-16
  • Justification: vulnerable_code_cannot_be_controlled_by_adversary
  • Timestamp: 2025-12-10 19:04:42

CVE-2025-64720

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleetdm/fleetctl does not use libpng. Fleet components use the 'image/png' Go package for png processing.
  • Products:: fleetctl,pkg:deb/debian/libpng16-16
  • Justification: vulnerable_code_cannot_be_controlled_by_adversary
  • Timestamp: 2025-12-10 19:04:07

CVE-2025-61729

Statement:

  • Author: @lucasmrod
  • Status: fixed
  • Products:: fleetctl@v4.78.*
  • Timestamp: 2025-12-10 19:26:44

Statement:

  • Author: @lucasmrod
  • Status: affected
  • Status notes: This is not a CRITICAL CVE, but we still recommend upgrading to 4.78.* when it's available.
  • Products:: fleetctl@v4.77.0,fleetctl@v4.76.0,fleetctl@v4.76.1,fleetctl@v4.75.0,fleetctl@v4.75.1,pkg:golang/stdlib@1.25.3
  • Action statement: No action statement provided
  • Timestamp: 2025-12-10 19:26:35

CVE-2025-49796

  • Author: @sgress454
  • Status: not_affected
  • Status notes: The affected dependency (libxml2) is not utilized by fleetctl itself, but by Apples iTMSTransporter tool, which is included in the Docker image for code signing purposes. fleetctl does not process untrusted XML input. Additionally, this CVE describes a denial-of-service (DoS) vulnerability, and fleetctl is a CLI tool, not a long-running service, and therefore is not susceptible to DoS-style exploitation.
  • Products:: fleetctl,pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1,pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u2
  • Justification: vulnerable_code_cannot_be_controlled_by_adversary
  • Timestamp: 2025-06-13 15:57:38

CVE-2025-49795

  • Author: @sgress454
  • Status: not_affected
  • Status notes: The affected dependency (libxml2) is not utilized by fleetctl itself, but by Apples iTMSTransporter tool, which is included in the Docker image for code signing purposes. fleetctl does not process untrusted XML input. Additionally, this CVE describes a denial-of-service (DoS) vulnerability, and fleetctl is a CLI tool, not a long-running service, and therefore is not susceptible to DoS-style exploitation.
  • Products:: fleetctl,pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1
  • Justification: vulnerable_code_cannot_be_controlled_by_adversary
  • Timestamp: 2025-06-13 15:57:25

CVE-2025-49794

  • Author: @sgress454
  • Status: not_affected
  • Status notes: The affected dependency (libxml2) is not utilized by fleetctl itself, but by Apples iTMSTransporter tool, which is included in the Docker image for code signing purposes. fleetctl does not process untrusted XML input. Additionally, this CVE describes a denial-of-service (DoS) vulnerability, and fleetctl is a CLI tool, not a long-running service, and therefore is not susceptible to DoS-style exploitation.
  • Products:: fleetctl,pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1,pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u2
  • Justification: vulnerable_code_cannot_be_controlled_by_adversary
  • Timestamp: 2025-06-13 15:56:50

CVE-2025-48734

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: The fleetctl tool is used by IT admins to generate packages so the vulnerable code cannot be controlled by attackers.
  • Products:: fleetctl,pkg:maven/commons-beanutils/commons-beanutils
  • Justification: vulnerable_code_cannot_be_controlled_by_adversary
  • Timestamp: 2025-06-02 07:33:44

CVE-2025-46569

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleetctl does not use OPA.
  • Products:: fleetctl,pkg:golang/github.com/open-policy-agent/opa
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-05-06 07:47:31

CVE-2025-41249

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: Vulnerability affects web servers, not fleetctl.
  • Products:: fleetctl,pkg:maven/org.springframework/spring-core
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-09-22 10:27:40

CVE-2025-31115

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleetctl does not use liblzma5.
  • Products:: fleetctl,pkg:deb/debian/liblzma5
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-04-09 13:24:20

CVE-2025-27509

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: This vulnerability affected fleet, not fleetctl, adding it here to avoid false positives.
  • Products:: fleetctl,pkg:golang/github.com/fleetdm/fleet/v4
  • Justification: component_not_present
  • Timestamp: 2025-09-12 09:25:41

CVE-2025-15467

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleetctl uses Go's crypto and TLS implementation.
  • Products:: fleetctl,pkg:deb/debian/openssl,pkg:deb/debian/libssl3
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2026-01-03 15:15:53

CVE-2024-7254

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleetctl does not use Java.
  • Products:: fleetctl,pkg:maven/com.google.protobuf/protobuf-java
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-04-10 07:34:26

CVE-2023-6879

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleetctl does not use libaom3.
  • Products:: fleetctl,pkg:deb/debian/libaom3
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-04-15 10:28:21

CVE-2023-45853

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleetctl does not use zlib C library.
  • Products:: fleetctl,pkg:deb/debian/zlib1g
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-04-15 10:17:19

CVE-2023-32698

  • Author: @getvictor
  • Status: not_affected
  • Status notes: When packaging linux files, fleetctl does not use global permissions. It was verified that packed fleetd package files do not have group/global write permissions.
  • Products:: fleetctl,pkg:golang/github.com/goreleaser/nfpm/v2
  • Justification: vulnerable_code_cannot_be_controlled_by_adversary
  • Timestamp: 2025-04-09 10:26:02

CVE-2019-10202

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleetctl does not use Java.
  • Products:: fleetctl,pkg:maven/org.codehaus.jackson/jackson-mapper-asl
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-04-15 10:31:31

CVE-2013-4002

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleetctl does not use Java.
  • Products:: fleetctl,pkg:maven/xerces/xercesImpl
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-04-10 07:36:31

CVE-2012-0881

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleetctl does not use Java.
  • Products:: fleetctl,pkg:maven/xerces/xercesImpl
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-04-10 14:46:52

fleetdm/wix docker image

CVE-2025-66293

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleetctl does not do PNG processing when using fleetdm/wix.
  • Products:: wix,pkg:deb/debian/libpng16-16
  • Justification: vulnerable_code_cannot_be_controlled_by_adversary
  • Timestamp: 2025-12-19 18:03:45

CVE-2025-65018

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleetctl does not do PNG processing when using fleetdm/wix.
  • Products:: wix,pkg:deb/debian/libpng16-16
  • Justification: vulnerable_code_cannot_be_controlled_by_adversary
  • Timestamp: 2025-12-19 18:03:33

CVE-2025-64720

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleetctl does not do PNG processing when using fleetdm/wix.
  • Products:: wix,pkg:deb/debian/libpng16-16
  • Justification: vulnerable_code_cannot_be_controlled_by_adversary
  • Timestamp: 2025-12-19 18:02:56

CVE-2023-31484

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: The WiX toolset is unaffected by the perl vulnerability.
  • Products:: wix,pkg:deb/debian/perl-base
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-10-01 08:36:42

fleetdm/bomutils docker image

No vulnerabilities tracked at the moment.