CVEs reported against release v0.8.5 #342

@jranabahu

Description

Recent scanning of the v0.8.5 release image highlighted the following CVEs.

process-exporter ±|tag-v0.8.5|→ docker build -t process-exporter:v0.8.5 .
process-exporter ±|tag-v0.8.5|→ trivy image process-exporter:v0.8.5
2025-04-02T12:38:19+01:00       INFO    [vuln] Vulnerability scanning is enabled
2025-04-02T12:38:19+01:00       INFO    [secret] Secret scanning is enabled
2025-04-02T12:38:19+01:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-04-02T12:38:19+01:00       INFO    [secret] Please see also https://trivy.dev/v0.61/docs/scanner/secret#recommendation for faster secret detection
2025-04-02T12:38:19+01:00       INFO    Number of language-specific files       num=1
2025-04-02T12:38:19+01:00       INFO    [gobinary] Detecting vulnerabilities...
2025-04-02T12:38:19+01:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.61/docs/scanner/vulnerability#severity-selection for details.

Report Summary

┌──────────────────────┬──────────┬─────────────────┬─────────┐
│        Target        │   Type   │ Vulnerabilities │ Secrets │
├──────────────────────┼──────────┼─────────────────┼─────────┤
│ bin/process-exporter │ gobinary │        4        │    -    │
└──────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


bin/process-exporter (gobinary)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2025-22870 │ MEDIUM   │ fixed  │ v0.33.0           │ 0.36.0                       │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy:     │
│                  │                │          │        │                   │                              │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net    │
│                  │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22870                   │
├──────────────────┼────────────────┤          │        ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib           │ CVE-2024-45336 │          │        │ v1.23.1           │ 1.22.11, 1.23.5, 1.24.0-rc.2 │ golang: net/http: net/http: sensitive headers incorrectly    │
│                  │                │          │        │                   │                              │ sent after cross-domain redirect                             │
│                  │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45336                   │
│                  ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│                  │ CVE-2024-45341 │          │        │                   │                              │ golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can │
│                  │                │          │        │                   │                              │ bypass URI name...                                           │
│                  │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45341                   │
│                  ├────────────────┤          │        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                  │ CVE-2025-22866 │          │        │                   │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│                  │                │          │        │                   │                              │ on ppc64le in crypto/internal/nistec                         │
│                  │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22866                   │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘
