fleet/security/status.md
Lucas Manuel Rodriguez bfe3b186d3
Fix detected CVEs and docker scout exit code to fail the Github Action (#28836)
For #28837.

Fixing all of this because we got multiple reports from the
community and customers and these were also detected by Amazon
Inspector.

- Fixes CVE-2025-22871 by upgrading Go from 1.24.1 to 1.24.2.
- `docker scout` now fails the daily scheduled action if there are
CRITICAL,HIGH CVEs (we missed setting `exit-code: true`).
- Report CVE-2025-46569 as not affected by it because of our use of
OPA's go package.
- Report CVE-2024-8260 as not affected by it because Fleet doesn't run
on Windows.
- The `security/status.md` shows a lot of changes because we are now
sorting CVEs so that newest come first.

---

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Make sure fleetd is compatible with the latest released version of
Fleet (see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)).
- [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
- [ ] For unreleased bug fixes in a release candidate, confirmed that
the fix is not expected to adversely impact load test results or alerted
the release DRI if additional load testing is needed.
2025-05-06 13:35:27 -03:00
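An added example (not Fleet's own code) on the "newest first" ordering the commit introduces: in the report that follows, CVE-2024-8260 is listed ahead of CVE-2024-12797, which is the order a reverse string sort produces, whereas sorting year and sequence number as integers places CVE-2024-12797 first. Written in Go, the project's language; the function and variable names are my own and the identifier pattern is assumed to be CVE-<year>-<sequence>.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
)

// CVE identifiers look like CVE-<4-digit year>-<sequence of 4 or more digits>.
var cveIDRe = regexp.MustCompile(`^CVE-(\d{4})-(\d{4,})$`)
// SortNewestFirst orders IDs by year, then sequence number, both descending, comparing
// the numbers by value (as strings, "8260" sorts ahead of "12797"); malformed IDs are rejected.
func SortNewestFirst(ids []string) ([]string, error) {
	type keyed struct{ id string; year, seq int }
	ks := make([]keyed, 0, len(ids))
	for _, id := range ids {
		m := cveIDRe.FindStringSubmatch(id)
		if m == nil {
			return nil, fmt.Errorf("malformed CVE identifier %q", id)
		}
		year, _ := strconv.Atoi(m[1]) // digits already validated by the regexp
		seq, _ := strconv.Atoi(m[2])
		ks = append(ks, keyed{id, year, seq})
	}
	sort.SliceStable(ks, func(i, j int) bool {
		if ks[i].year != ks[j].year {
			return ks[i].year > ks[j].year
		}
		return ks[i].seq > ks[j].seq
	})
	out := make([]string, len(ks))
	for i, k := range ks {
		out[i] = k.id
	}
	return out, nil
}

// StringSortNewestFirst is the reverse lexicographic sort, kept for contrast.
func StringSortNewestFirst(ids []string) []string {
	out := append([]string(nil), ids...)
	sort.Sort(sort.Reverse(sort.StringSlice(out)))
	return out
}

func main() {
	// IDs from the fleetdm/fleet image section of the report; the string sort reproduces its order.
	ids := []string{"CVE-2025-46569", "CVE-2024-8260", "CVE-2024-12797", "CVE-2023-32698"}
	fmt.Println(StringSortNewestFirst(ids))
	fmt.Println(SortNewestFirst(ids))
}
```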


Vulnerability Report

Following is the vulnerability report of Fleet components.

fleetdm/fleet docker image

CVE-2025-46569

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleet does not use OPA in server mode; it uses it as a library
  • Products:
    • fleet
    • pkg:golang/github.com/open-policy-agent/opa@0.44.0
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-05-05T20:29:07.016171-03:00

CVE-2025-30204

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: The token format is validated before the call to ParseUnverified
  • Products:
    • fleet
    • pkg:golang/github.com/golang-jwt/jwt/v4
  • Justification: inline_mitigations_already_exist
  • Timestamp: 2025-04-10T15:23:54.60648-03:00

CVE-2025-26519

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleet does not perform any EUC-KR to UTF-8 translation via libc
  • Products:
    • fleet
    • pkg:apk/alpine/musl@1.2.5-r8?os_name=alpine&os_version=3.21
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-04-14T16:30:01.904498-03:00

CVE-2025-21614

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: The fleetctl executable is unused in the fleetdm/fleet docker image. The executable was removed in v4.64.0.
  • Products:
    • fleet
    • pkg:golang/github.com/go-git/go-git/v5
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-04-10T15:43:15.232143-03:00

CVE-2025-21613

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: The fleetctl executable is unused in the fleetdm/fleet docker image. The executable was removed in v4.64.0.
  • Products:
    • fleet
    • pkg:golang/github.com/go-git/go-git/v5
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-04-10T15:42:55.967763-03:00

CVE-2024-8260

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: Fleet doesn't run on Windows, so it's not affected by this vulnerability.
  • Products:
    • fleet
    • pkg:golang/github.com/open-policy-agent/opa
  • Justification: vulnerable_code_cannot_be_controlled_by_adversary
  • Timestamp: 2025-05-05T20:54:14.90724-03:00

CVE-2024-12797

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleet uses Go's TLS implementation
  • Products:
    • fleet
    • pkg:apk/alpine/libcrypto3
    • pkg:apk/alpine/libssl3
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-04-10T15:15:53.847365-03:00

CVE-2023-32698

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: The fleetctl executable is unused in the fleetdm/fleet docker image. The executable was removed in v4.64.0.
  • Products:
    • fleet
    • pkg:golang/github.com/goreleaser/nfpm/v2
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-04-10T15:28:30.406734-03:00

fleetdm/fleetctl docker image

CVE-2025-46569

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleetctl does not use OPA.
  • Products:
    • fleetctl
    • pkg:golang/github.com/open-policy-agent/opa
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-05-06T07:47:31.187848-03:00

CVE-2025-31115

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleetctl does not use liblzma5
  • Products:
    • fleetctl
    • pkg:deb/debian/liblzma5
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-04-09T13:24:20.950928-03:00

CVE-2024-7254

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleetctl does not use Java
  • Products:
    • fleetctl
    • pkg:maven/com.google.protobuf/protobuf-java
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-04-10T07:34:26.535559-03:00

CVE-2023-6879

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleetctl does not use libaom3
  • Products:
    • fleetctl
    • pkg:deb/debian/libaom3
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-04-15T10:28:21.796437-03:00

CVE-2023-45853

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleetctl does not use the zlib C library
  • Products:
    • fleetctl
    • pkg:deb/debian/zlib1g
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-04-15T10:17:19.625099-03:00

CVE-2023-32698

  • Author: @getvictor
  • Status: not_affected
  • Status notes: When packaging linux files, fleetctl does not use global permissions. It was verified that packed fleetd package files do not have group/global write permissions.
  • Products:
    • fleetctl
    • pkg:golang/github.com/goreleaser/nfpm/v2
  • Justification: vulnerable_code_cannot_be_controlled_by_adversary
  • Timestamp: 2025-04-09T10:26:02.350338-03:00

CVE-2019-10202

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleetctl does not use Java
  • Products:
    • fleetctl
    • pkg:maven/org.codehaus.jackson/jackson-mapper-asl
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-04-15T10:31:31.924953-03:00

CVE-2013-4002

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleetctl does not use Java
  • Products:
    • fleetctl
    • pkg:maven/xerces/xercesImpl
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-04-10T07:36:31.1157-03:00

CVE-2012-0881

  • Author: @lucasmrod
  • Status: not_affected
  • Status notes: fleetctl does not use Java
  • Products:
    • fleetctl
    • pkg:maven/xerces/xercesImpl
  • Justification: vulnerable_code_not_in_execute_path
  • Timestamp: 2025-04-10T14:46:52.709835-03:00