CVE-2024-41110 critical on kaniko v1.23.2

[LionnelC]

Actual behavior

kaniko v1.23.2 suffer CVE-2024-41110

kaniko/docker-credential-gcr (gobinary)

Total: 1 (CRITICAL: 1)
┌──────────────────────────┬────────────────┬──────────┬────────┬──────────────────────┬─────────────────────────────────┬────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├──────────────────────────┼────────────────┼──────────┼────────┼──────────────────────┼─────────────────────────────────┼────────────────────────────────────────────┤
│ github.com/docker/docker │ CVE-2024-41110 │ CRITICAL │ fixed │ v27.0.3+incompatible │ 23.0.15, 26.1.5, 27.1.1, 25.0.6 │ moby: Authz zero length regression │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-41110 │
└──────────────────────────┴────────────────┴──────────┴────────┴──────────────────────┴─────────────────────────────────┴────────────────────────────────────────────┘

kaniko/executor (gobinary)

Total: 1 (CRITICAL: 1)
┌──────────────────────────┬────────────────┬──────────┬────────┬──────────────────────┬─────────────────────────────────┬────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├──────────────────────────┼────────────────┼──────────┼────────┼──────────────────────┼─────────────────────────────────┼────────────────────────────────────────────┤
│ github.com/docker/docker │ CVE-2024-41110 │ CRITICAL │ fixed │ v27.0.3+incompatible │ 23.0.15, 26.1.5, 27.1.1, 25.0.6 │ moby: Authz zero length regression │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-41110 │
└──────────────────────────┴────────────────┴──────────┴────────┴──────────────────────┴─────────────────────────────────┴────────────────────────────────────────────┘

kaniko/warmer (gobinary)
Total: 1 (CRITICAL: 1)
┌──────────────────────────┬────────────────┬──────────┬────────┬──────────────────────┬─────────────────────────────────┬────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├──────────────────────────┼────────────────┼──────────┼────────┼──────────────────────┼─────────────────────────────────┼────────────────────────────────────────────┤
│ github.com/docker/docker │ CVE-2024-41110 │ CRITICAL │ fixed │ v27.0.3+incompatible │ 23.0.15, 26.1.5, 27.1.1, 25.0.6 │ moby: Authz zero length regression │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-41110 │
└──────────────────────────┴────────────────┴──────────┴────────┴──────────────────────┴─────────────────────────────────┴────────────────────────────────────────────┘

Expected behavior

Not applicable

To Reproduce

Trivy scan (detect using 0.54.1)

Additional Information

Not required

Triage Notes for the Maintainers

Description	Yes/No
Please check if this a new feature you are proposing
Please check if the build works in docker but not in kaniko
Please check if this error is seen when you use --cache flag
Please check if your dockerfile is a multistage dockerfile

[Kritnich]

This just popped up during a security scan for me as well, but if I understand correctly, kaniko should not be affected by this vulnerability.

[itaysk]

kaniko should not be affected by this vulnerability

Hello from team Trivy :) Just chiming in to say that Trivy now allows software maintainers (you) to publish vulnerability analysis about your software (packages, libraries, container images) so that vulnerability scanners will automatically suppress those irrelevant vulnerabilities for end users. You can read more here:
https://aquasecurity.github.io/trivy/latest/docs/supply-chain/vex/repo/#publishing-vex-documents
https://github.com/aquasecurity/vexhub
Feel free to reach me or the Trivy team if you have any issues/feedback.