CVE-2024-24790

[MoeBensu]

Preflight Checklist

• I agree to follow the Code of Conduct that this project adheres to.
• I have searched the issue tracker for an issue that matches the one I want to file, without success.
• I am not looking for support or already pursued the available support channels without success.

Version

v2.40.0

Storage Type

Kubernetes

Installation Type

Official container image

Expected Behavior

Vulnerability-free docker image

Actual Behavior

CVE-2024-24790 has been published against the go stdlib net/netip and is found by trivy in docker image v2.40:

Steps To Reproduce

trivy image --ignore-unfixed --exit-code 1 --severity CRITICAL ghcr.io/dexidp/dex:v2.40.0

Additional Information

No response

Configuration

No response

Logs

No response

[nabokihms]

Thanks, we will fix this in the upcoming release

[MoeBensu]

@nabokihms Thanks! Is it already known when the upcoming release will come out?

[nabokihms]

It is scheduled for next week

[MoeBensu]

@nabokihms Thank you for the fixes that were merged today into master (#3637).

According to trivy, the CVE-2024-24790 existed previously in v2.40.0-latest at

• usr/local/bin/dex (gobinary)
• usr/local/bin/docker-entrypoint (gobinary)
• usr/local/bin/gomplate (gobinary)

After #3637, it got fixed, but remains existing at usr/local/bin/gomplate (gobinary)

Edit: I tried it locally to build the image with Bump gomplate 4.0.0 and it passes trivy. However, for some setup issues, I can not run tests locally. I can prepare a pull request for you and you can then test it more, if this gomplate bump 4.0.0 would be compatible or not.