{"id":"GO-2024-2870","summary":"Credential leakage in github.com/aquasecurity/trivy","details":"A malicious registry can cause Trivy to leak credentials for legitimate registries such as AWS Elastic Container Registry (ECR), Google Cloud Artifact/Container Registry, or Azure Container Registry (ACR) if the registry is scanned from directly using Trivy. These tokens can then be used to push/pull images from those registries to which the identity/user running Trivy has access. This vulnerability only applies when scanning container images directly from a registry. If you use Docker, containerd or other runtime to pull images locally and scan them with Trivy, you are not affected. To enforce this behavior, you can use the --image-src flag to select which sources you trust.","aliases":["CVE-2024-35192","GHSA-xcq4-m2r3-cmrj"],"modified":"2026-02-04T04:15:07.344080Z","published":"2024-05-22T16:46:37Z","related":["CGA-8cxc-c6v2-w87x"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2024-2870","review_status":"REVIEWED"},"references":[{"type":"ADVISORY","url":"https://github.com/aquasecurity/trivy/security/advisories/GHSA-xcq4-m2r3-cmrj"},{"type":"FIX","url":"https://github.com/aquasecurity/trivy/commit/e7f14f729de259551203f313e57d2d9d3aa2ff87"}],"affected":[{"package":{"name":"github.com/aquasecurity/trivy","ecosystem":"Go","purl":"pkg:golang/github.com/aquasecurity/trivy"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.51.2"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/aquasecurity/trivy/pkg/fanal/image/registry/azure"},{"symbols":["ECR.CheckOptions"],"path":"github.com/aquasecurity/trivy/pkg/fanal/image/registry/ecr"},{"symbols":["Registry.CheckOptions"],"path":"github.com/aquasecurity/trivy/pkg/fanal/image/registry/google"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2870.json"}}],"schema_version":"1.7.3","credits":[{"name":"@lyoung-confluent"}]}