CVE-2024-35192 — Vulnetix

Try Vulnetix Request Demo

CVE-2024-35192 PUBLISHED CVSS 5.5 MEDIUM

Trivy is a security scanner. Prior to 0.51.2, if a malicious actor is able to trigger Trivy to scan container images from a crafted malicious registry, it could result in the leakage of credentials for legitimate registries such as AWS Elastic Container Registry (ECR), Google Cloud Artifact/Container Registry, or Azure Container Registry (ACR). These tokens can then be used to push/pull images from those registries to which the identity/user running Trivy has access. Systems are not affected if the default credential provider chain is unable to obtain valid credentials. This vulnerability only applies when scanning container images directly from a registry. This vulnerability is fixed in 0.51.2.

EPSS 0.07% · 20.5th percentile

Risk Scores

CVSS v3.1

5.5

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

EPSS Score

0.07%

20.5th percentile

Affected Products

Vendor	Product	Versions
github.com	aquasecurity/trivy	0
aquasecurity	trivy	< 0.51.2

Timeline

Jan 21, 1970 Security Advisory
May 20, 2024 CVE Published
May 21, 2024 EPSS Score
Jun 14, 2024 EPSS Score
Jul 7, 2024 EPSS Score
Jul 30, 2024 EPSS Score
Aug 23, 2024 EPSS Score
Sep 15, 2024 EPSS Score
Oct 4, 2024 Coalition ESS Score
Oct 8, 2024 EPSS Score
Oct 31, 2024 EPSS Score
Nov 23, 2024 EPSS Score

References

Open in Interactive Console →