Home > Vulnerability Database > CVE-2024-35192

Mend.io Vulnerability Database

CVE-2024-35192

Good to know:

Date: May 20, 2024

Trivy is a security scanner. Prior to 0.51.2, if a malicious actor is able to trigger Trivy to scan container images from a crafted malicious registry, it could result in the leakage of credentials for legitimate registries such as AWS Elastic Container Registry (ECR), Google Cloud Artifact/Container Registry, or Azure Container Registry (ACR). These tokens can then be used to push/pull images from those registries to which the identity/user running Trivy has access. Systems are not affected if the default credential provider chain is unable to obtain valid credentials. This vulnerability only applies when scanning container images directly from a registry. This vulnerability is fixed in 0.51.2.

Language: Go

Severity Score

5.5

Related Resources (5)

Url: https://github.com/aquasecurity/trivy

Url: https://github.com/aquasecurity/trivy/security/advisories/GHSA-xcq4-m2r3-cmrj

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-35192

Url: https://github.com/aquasecurity/trivy/commit/e7f14f729de259551203f313e57d2d9d3aa2ff87

Url: https://www.mend.io/vulnerability-database/CVE-2024-35192

Severity Score

5.5

Weakness Type (CWE)

Insufficiently Protected Credentials

CWE-522

Top Fix

Upgrade Version

Upgrade to version github.com/aquasecurity/trivy - v0.51.2

Learn More

CVSS v3.1

Base Score:	5.5
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-35192

Good to know:

Date: May 20, 2024

Language: Go

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?