PT-2024-26372 · Docker+3

Lyoung-Confluent · Published 2024-05-20 · Updated 2024-08-30

CVE-2024-35192
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Trivy versions prior to 0.51.2

Description: A malicious actor can trigger Trivy to leak credentials for legitimate registries such as AWS Elastic Container Registry (ECR), Google Cloud Artifact/Container Registry, or Azure Container Registry (ACR) if a registry under the actor's control is scanned directly using Trivy. These tokens can then be used to push/pull images from those registries to which the identity/user running Trivy has access. The leakage only occurs when Trivy is able to obtain registry credentials from the default credential provider chain. This issue applies when scanning container images directly from a registry.

Recommendations: For Trivy versions prior to 0.51.2, upgrade to version 0.51.2 or later to resolve the issue. As a temporary workaround, consider using the --image-src flag to select which image sources you trust, and ensure you only scan images from trusted registries. Restrict access to the vulnerable functionality by using Docker, containerd, or another runtime to pull images locally and scan them with Trivy, instead of scanning directly from a registry.
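The following wrapper script is an added example of how a CI pipeline can enforce the two workarounds above; it is not code from the advisory or from the Trivy project. It parses the image reference to find the registry host, compares the installed Trivy version against the fixed version 0.51.2, and for an old Trivy only scans untrusted registries after a local pull with --image-src docker. The allowlist hostnames are constructed sample values, and the assumption that "trivy --version" prints a "Version: x.y.z" line is noted in the code.

```sh
#!/bin/sh
# Added example (not code from the advisory or the Trivy project): apply the
# advisory's workarounds before invoking Trivy.
#   1. A Trivy older than 0.51.2 must not scan an untrusted registry directly.
#   2. Such images are pulled with Docker first and only the local copy is scanned.
set -eu

FIXED_VERSION="0.51.2"
# Constructed sample allowlist: registries this pipeline may scan directly.
TRUSTED_REGISTRIES="123456789012.dkr.ecr.us-east-1.amazonaws.com example.azurecr.io"

# version_lt A B: succeed when dotted version A is older than B.
# Accepts a leading "v" and ignores a pre-release suffix such as "-rc1".
version_lt() {
  va="${1#v}"; vb="${2#v}"
  va="${va%%-*}"; vb="${vb%%-*}"
  old_ifs="$IFS"; IFS=.
  set -- $va; a1="${1:-0}"; a2="${2:-0}"; a3="${3:-0}"
  set -- $vb; b1="${1:-0}"; b2="${2:-0}"; b3="${3:-0}"
  IFS="$old_ifs"
  if [ "$a1" -ne "$b1" ]; then [ "$a1" -lt "$b1" ] && return 0; return 1; fi
  if [ "$a2" -ne "$b2" ]; then [ "$a2" -lt "$b2" ] && return 0; return 1; fi
  if [ "$a3" -lt "$b3" ]; then return 0; fi
  return 1
}

# registry_of IMAGE: print the registry host implied by an image reference,
# following Docker's reference rules: no "/" at all, or a first path component
# without "." or ":" that is not "localhost", means Docker Hub (docker.io).
registry_of() {
  case "$1" in
    */*) first="${1%%/*}" ;;
    *)   echo "docker.io"; return 0 ;;
  esac
  case "$first" in
    *.*|*:*|localhost) echo "$first" ;;
    *)                 echo "docker.io" ;;
  esac
}

# is_trusted HOST: succeed when HOST is on the allowlist.
is_trusted() {
  for t in $TRUSTED_REGISTRIES; do
    [ "$t" = "$1" ] && return 0
  done
  return 1
}

# scan_mode TRIVY_VERSION IMAGE: "direct" when scanning straight from the
# registry is acceptable, "local" when the image must be pulled by Docker and
# only the local copy scanned.
scan_mode() {
  reg="$(registry_of "$2")"
  if version_lt "$1" "$FIXED_VERSION" && ! is_trusted "$reg"; then
    echo "local"
  else
    echo "direct"
  fi
}

# Entry point: safe_trivy_scan.sh IMAGE
if [ $# -ge 1 ]; then
  image="$1"
  # Assumption: "trivy --version" prints a line of the form "Version: 0.51.1".
  # If Trivy is missing or the line is absent, fall back to 0.0.0 so the
  # wrapper fails safe (treats the tool as vulnerable).
  installed="$(trivy --version 2>/dev/null | awk '/^Version:/ { print $2; exit }')"
  case "$(scan_mode "${installed:-0.0.0}" "$image")" in
    local)
      echo "Trivy ${installed:-unknown} is older than $FIXED_VERSION and $(registry_of "$image") is not trusted: pulling locally first" >&2
      docker pull "$image"
      trivy image --image-src docker "$image"
      ;;
    direct)
      trivy image "$image"
      ;;
  esac
fi
```

An unknown or unparsable Trivy version is deliberately treated as vulnerable, so a broken installation degrades to the safer local-pull path rather than to a direct registry scan.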

Weakness Enumeration: Insufficiently Protected Credentials

Related Identifiers

CVE-2024-35192
GHSA-XCQ4-M2R3-CMRJ
GO-2024-2870
OPENSUSE-SU-2024:0268-1
OPENSUSE-SU-2024:0269-1
OPENSUSE-SU-2024:14030-1

Affected Products

AWS Elastic Container Registry
Azure Container Registry
Docker
Google Cloud Artifact/Container Registry