mirror of
https://github.com/fleetdm/fleet
synced 2026-04-27 00:17:21 +00:00
This PR adds VEX statement files for three vulnerabilities:

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| libxml2 | CVE-2025-49794 | CRITICAL | affected | 2.9.14+dfsg-1.3~deb12u1 | | libxml: Heap use after free (UAF) leads to Denial of service (DoS)... https://avd.aquasec.com/nvd/cve-2025-49794 |
| libxml2 | CVE-2025-49795 | CRITICAL | affected | 2.9.14+dfsg-1.3~deb12u1 | | libxml: Null pointer dereference leads to Denial of service (DoS) https://avd.aquasec.com/nvd/cve-2025-49795 |
| libxml2 | CVE-2025-49796 | CRITICAL | affected | 2.9.14+dfsg-1.3~deb12u1 | | libxml: Type confusion leads to Denial of service (DoS) https://avd.aquasec.com/nvd/cve-2025-49796 |

The vulnerabilities in libxml2 do not affect fleetctl, since the attack vector is DoS and fleetctl is not a server tool. Additionally, the libxml2 package isn't used by fleetctl directly, but by the tools it uses for code signing, which don't parse untrusted XML.
26 lines
1.1 KiB
JSON
```json
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://openvex.dev/docs/public/vex-c1cf95164110186b3a59e9e45be982301ad580c2d950b33d2537cb4461ab9bf1",
  "author": "@sgress454",
  "timestamp": "2025-06-13T15:57:25.659708-05:00",
  "version": 1,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-2025-49795"
      },
      "timestamp": "2025-06-13T15:57:25.659709-05:00",
      "products": [
        {
          "@id": "fleetctl"
        },
        {
          "@id": "pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1"
        }
      ],
      "status": "not_affected",
      "status_notes": "The affected dependency (libxml2) is not utilized by fleetctl itself, but by Apple’s iTMSTransporter tool, which is included in the Docker image for code signing purposes. fleetctl does not process untrusted XML input. Additionally, this CVE describes a denial-of-service (DoS) vulnerability, and fleetctl is a CLI tool, not a long-running service, and therefore is not susceptible to DoS-style exploitation.",
      "justification": "vulnerable_code_cannot_be_controlled_by_adversary"
    }
  ]
}
```
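To show what a scanner integration does with a file like this, here is an added Python example (not code from the fleetdm/fleet repository): it validates each OpenVEX statement against the v0.2.0 status and justification vocabulary, then suppresses only those scanner findings whose product id and CVE match a valid `not_affected` statement exactly. `VEX_DOC` is the statement file shown above with its `status_notes` abbreviated; the three `SCAN_FINDINGS` entries are constructed, and the purl for the other libxml2 version is made up to show a non-match. A `not_affected` statement with no `justification` or `impact_statement` is treated as malformed and never used to hide a finding.

```python
# Added example (not fleetdm/fleet code): consume an OpenVEX document the way a
# scanner integration would. VEX_DOC mirrors the page's statement file (notes
# abbreviated); SCAN_FINDINGS are constructed sample findings.

# Justification values defined by OpenVEX v0.2.0 for the not_affected status.
VALID_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}
VALID_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}

VEX_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://openvex.dev/docs/public/vex-c1cf95164110186b3a59e9e45be982301ad580c2d950b33d2537cb4461ab9bf1",
    "author": "@sgress454",
    "timestamp": "2025-06-13T15:57:25.659708-05:00",
    "version": 1,
    "statements": [
        {
            "vulnerability": {"name": "CVE-2025-49795"},
            "timestamp": "2025-06-13T15:57:25.659709-05:00",
            "products": [
                {"@id": "fleetctl"},
                {"@id": "pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1"},
            ],
            "status": "not_affected",
            "status_notes": "libxml2 is used by the iTMSTransporter code-signing tool, "
                            "not by fleetctl; fleetctl does not process untrusted XML.",
            "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
        }
    ],
}

# Constructed findings: the exact package/CVE the VEX covers, a CVE this file
# does not cover, and a different (made-up) package version that must not match.
SCAN_FINDINGS = [
    {"product": "pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1", "cve": "CVE-2025-49795"},
    {"product": "pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1", "cve": "CVE-2025-49794"},
    {"product": "pkg:deb/debian/libxml2@2.9.13-1", "cve": "CVE-2025-49795"},
]


def validate_statement(stmt):
    """Return a list of problems; an empty list means the statement is usable."""
    problems = []
    if not stmt.get("vulnerability", {}).get("name"):
        problems.append("missing vulnerability.name")
    if not stmt.get("products"):
        problems.append("missing products")
    status = stmt.get("status")
    if status not in VALID_STATUSES:
        problems.append(f"invalid status {status!r}")
    if status == "not_affected":
        # OpenVEX requires a justification or an impact_statement here; without
        # one a consumer has no machine-readable reason to suppress the finding.
        just = stmt.get("justification")
        if not just and not stmt.get("impact_statement"):
            problems.append("not_affected requires justification or impact_statement")
        elif just and just not in VALID_JUSTIFICATIONS:
            problems.append(f"unknown justification {just!r}")
    return problems


def build_index(vex_doc):
    """Map (product @id, CVE) -> statement for every valid statement."""
    index = {}
    for stmt in vex_doc.get("statements", []):
        if validate_statement(stmt):
            continue  # never suppress on a malformed statement
        cve = stmt["vulnerability"]["name"]
        for product in stmt["products"]:
            index[(product["@id"], cve)] = stmt
    return index


def apply_vex(findings, vex_doc):
    """Split findings into (remaining, suppressed). A finding is suppressed only
    when a valid statement marks that exact product id and CVE not_affected."""
    index = build_index(vex_doc)
    remaining, suppressed = [], []
    for finding in findings:
        stmt = index.get((finding["product"], finding["cve"]))
        if stmt and stmt["status"] == "not_affected":
            reason = stmt.get("justification") or stmt.get("impact_statement")
            suppressed.append({**finding, "reason": reason})
        else:
            remaining.append(finding)
    return remaining, suppressed


if __name__ == "__main__":
    remaining, suppressed = apply_vex(SCAN_FINDINGS, VEX_DOC)
    for f in suppressed:
        print("suppressed", f["cve"], "on", f["product"], "->", f["reason"])
    print("still open:", [(f["cve"], f["product"]) for f in remaining])
```

Matching is deliberately exact on the product identifier: a statement for `libxml2@2.9.14+dfsg-1.3~deb12u1` says nothing about any other version, so a finding on a different build stays open until a statement covers it, and a finding for CVE-2025-49794 is untouched by this file even though the PR adds separate files for the other two CVEs.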