# Grype vulnerability suppression configuration # Automatically loaded by Grype for vulnerability scanning # Review and update when upstream fixes are available # Documentation: https://github.com/anchore/grype#specifying-matches-to-ignore ignore: # CVE-2026-2673: OpenSSL TLS 1.3 server key exchange group downgrade # Severity: HIGH (CVSS 7.5) # Packages: libcrypto3 3.5.5-r0 and libssl3 3.5.5-r0 (Alpine apk) # Status: No upstream fix available — Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-03-18 # # Vulnerability Details: # - When DEFAULT is in the TLS 1.3 group configuration, the OpenSSL server may select # a weaker key exchange group than preferred, enabling a limited key exchange downgrade. # - Only affects systems acting as a raw TLS 1.3 server using OpenSSL's server-side group negotiation. # # Root Cause (No Fix Available): # - Alpine upstream has not published a patched libcrypto3/libssl3 for Alpine 3.23. # - Checked: Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-03-18. # - Fix path: once Alpine publishes a patched libcrypto3/libssl3, rebuild the Docker image # and remove this suppression. # # Risk Assessment: ACCEPTED (No upstream fix; limited exposure in Charon context) # - Charon terminates TLS at the Caddy layer — the Go backend does not act as a raw TLS 1.3 server. # - The vulnerability requires the affected application to directly configure TLS 1.3 server # group negotiation via OpenSSL, which Charon does not do. # - Container-level isolation reduces the attack surface further. # # Mitigation (active while suppression is in effect): # - Monitor Alpine security advisories: https://security.alpinelinux.org/vuln/CVE-2026-2673 # - Weekly CI security rebuild (security-weekly-rebuild.yml) flags any new CVEs in the full image. # # Review: # - Reviewed 2026-03-18 (initial suppression): no upstream fix available. Set 30-day review. # - Extended 2026-04-04: Alpine 3.23 still ships 3.5.5-r0. No upstream fix available. # - Next review: 2026-05-18. Remove suppression immediately once upstream fixes. # # Removal Criteria: # - Alpine publishes a patched version of libcrypto3 and libssl3 # - Rebuild Docker image and verify CVE-2026-2673 no longer appears in grype-results.json # - Remove both these entries and the corresponding .trivyignore entry simultaneously # # References: # - CVE-2026-2673: https://nvd.nist.gov/vuln/detail/CVE-2026-2673 # - Alpine security tracker: https://security.alpinelinux.org/vuln/CVE-2026-2673 - vulnerability: CVE-2026-2673 package: name: libcrypto3 version: "3.5.5-r0" type: apk reason: | HIGH — OpenSSL TLS 1.3 server key exchange group downgrade in libcrypto3 3.5.5-r0 (Alpine base image). No upstream fix: Alpine 3.23 still ships libcrypto3 3.5.5-r0 as of 2026-03-18. Charon terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS 1.3 server. Risk accepted pending Alpine upstream patch. expiry: "2026-05-18" # Extended 2026-04-04: Alpine 3.23 still ships 3.5.5-r0. Next review 2026-05-18. # Action items when this suppression expires: # 1. Check Alpine security tracker: https://security.alpinelinux.org/vuln/CVE-2026-2673 # 2. If a patched Alpine package is now available: # a. Rebuild Docker image without suppression # b. Run local security-scan-docker-image and confirm CVE is resolved # c. Remove this suppression entry, the libssl3 entry below, and the .trivyignore entry # 3. If no fix yet: Extend expiry by 14–30 days and update the review comment above # 4. If extended 3+ times: Open an issue to track the upstream status formally # CVE-2026-2673 (libssl3) — see full justification in the libcrypto3 entry above - vulnerability: CVE-2026-2673 package: name: libssl3 version: "3.5.5-r0" type: apk reason: | HIGH — OpenSSL TLS 1.3 server key exchange group downgrade in libssl3 3.5.5-r0 (Alpine base image). No upstream fix: Alpine 3.23 still ships libssl3 3.5.5-r0 as of 2026-03-18. Charon terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS 1.3 server. Risk accepted pending Alpine upstream patch. expiry: "2026-05-18" # Extended 2026-04-04: see libcrypto3 entry above for action items. # CVE-2026-31790: OpenSSL vulnerability in Alpine base image packages # Severity: HIGH # Packages: libcrypto3 3.5.5-r0 and libssl3 3.5.5-r0 (Alpine apk) # Status: No upstream fix available — Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-04-09 # # Root Cause (No Fix Available): # - Alpine upstream has not published a patched libcrypto3/libssl3 for Alpine 3.23. # - Checked: Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-04-09. # - Fix path: once Alpine publishes a patched libcrypto3/libssl3, rebuild the Docker image # and remove this suppression. # # Risk Assessment: ACCEPTED (No upstream fix; documented in SECURITY.md) # - Charon terminates TLS at the Caddy layer — the Go backend does not act as a raw TLS server. # - Container-level isolation reduces the attack surface further. # # Mitigation (active while suppression is in effect): # - Monitor Alpine security advisories: https://security.alpinelinux.org/vuln/CVE-2026-31790 # - Weekly CI security rebuild (security-weekly-rebuild.yml) flags any new CVEs in the full image. # # Review: # - Reviewed 2026-04-09 (initial suppression): no upstream fix available. Set 30-day review. # - Next review: 2026-05-09. Remove suppression immediately once upstream fixes. # # Removal Criteria: # - Alpine publishes a patched version of libcrypto3 and libssl3 # - Rebuild Docker image and verify CVE-2026-31790 no longer appears in grype-results.json # - Remove both these entries and the corresponding .trivyignore entry simultaneously # # References: # - CVE-2026-31790: https://nvd.nist.gov/vuln/detail/CVE-2026-31790 # - Alpine security tracker: https://security.alpinelinux.org/vuln/CVE-2026-31790 - vulnerability: CVE-2026-31790 package: name: libcrypto3 version: "3.5.5-r0" type: apk reason: | HIGH — OpenSSL vulnerability in libcrypto3 3.5.5-r0 (Alpine base image). No upstream fix: Alpine 3.23 still ships libcrypto3 3.5.5-r0 as of 2026-04-09. Charon terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS server. Risk accepted pending Alpine upstream patch. Documented in SECURITY.md. expiry: "2026-05-09" # Reviewed 2026-04-09: no upstream fix available. Next review 2026-05-09. # Action items when this suppression expires: # 1. Check Alpine security tracker: https://security.alpinelinux.org/vuln/CVE-2026-31790 # 2. If a patched Alpine package is now available: # a. Rebuild Docker image without suppression # b. Run local security-scan-docker-image and confirm CVE is resolved # c. Remove this suppression entry, the libssl3 entry below, and the .trivyignore entry # 3. If no fix yet: Extend expiry by 14–30 days and update the review comment above # 4. If extended 3+ times: Open an issue to track the upstream status formally # CVE-2026-31790 (libssl3) — see full justification in the libcrypto3 entry above - vulnerability: CVE-2026-31790 package: name: libssl3 version: "3.5.5-r0" type: apk reason: | HIGH — OpenSSL vulnerability in libssl3 3.5.5-r0 (Alpine base image). No upstream fix: Alpine 3.23 still ships libssl3 3.5.5-r0 as of 2026-04-09. Charon terminates TLS at the Caddy layer; the Go backend does not act as a raw TLS server. Risk accepted pending Alpine upstream patch. Documented in SECURITY.md. expiry: "2026-05-09" # Reviewed 2026-04-09: see libcrypto3 entry above for action items. # GHSA-69x3-g4r3-p962 / CVE-2026-25793: Nebula ECDSA Signature Malleability # Severity: HIGH (CVSS 8.1) # Package: github.com/slackhq/nebula v1.9.7 (embedded in /usr/bin/caddy via smallstep/certificates) # Status: Fix exists in nebula v1.10.3 — smallstep/certificates cannot compile against v1.10+ APIs # # Vulnerability Details: # - ECDSA signature malleability in nebula allows potential authentication bypass via # crafted certificate signatures (CWE-347). # - CVSSv3: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N (CVSS 8.1) # # Root Cause (Third-Party Binary + Upstream API Incompatibility): # - Charon does not use nebula directly. The library is compiled into the Caddy binary # via the caddy-security plugin → smallstep/certificates dependency chain. # - Nebula v1.10.3 patches the vulnerability but removes legacy APIs that # smallstep/certificates (through v0.30.2) depends on, causing compile failures. # - Fix path: once smallstep/certificates releases a version compatible with nebula >= v1.10.3, # update the Dockerfile and remove this suppression. # # Risk Assessment: ACCEPTED (No direct use + upstream API incompatibility blocks fix) # - Charon does not use Nebula VPN PKI by default. The vulnerable code path is only # reachable if Nebula-based certificate provisioning is explicitly configured. # - The attack requires network access and a crafted certificate, which is not part of # standard Charon deployment. # # Mitigation (active while suppression is in effect): # - Monitor smallstep/certificates releases: https://github.com/smallstep/certificates/releases # - Monitor nebula releases: https://github.com/slackhq/nebula/releases # - Weekly CI security rebuild flags the moment a compatible upstream ships. # # Review: # - Reviewed 2026-02-19 (initial suppression in .trivyignore): certificates v0.27.5 pins nebula v1.9.x. # - Re-evaluated 2026-04-10: nebula v1.10.3 has the fix but certificates (through v0.30.2) # uses legacy APIs removed in v1.10+. Still blocked. Set 30-day review. # - Next review: 2026-05-10. Remove suppression once certificates ships with nebula >= v1.10.3. # # Removal Criteria: # - smallstep/certificates releases a version compatible with nebula >= v1.10.3 # - Update Dockerfile nebula pin, rebuild, run security-scan-docker-image, confirm resolved # - Remove this entry and the corresponding .trivyignore entry simultaneously # # References: # - GHSA-69x3-g4r3-p962: https://github.com/advisories/GHSA-69x3-g4r3-p962 # - CVE-2026-25793: https://nvd.nist.gov/vuln/detail/CVE-2026-25793 # - Nebula releases: https://github.com/slackhq/nebula/releases # - smallstep/certificates releases: https://github.com/smallstep/certificates/releases - vulnerability: CVE-2026-25793 package: name: github.com/slackhq/nebula version: "v1.9.7" type: go-module reason: | HIGH — ECDSA signature malleability in nebula v1.9.7 embedded in /usr/bin/caddy. Fix exists in nebula v1.10.3 but smallstep/certificates (through v0.30.2) uses legacy APIs removed in v1.10+, causing compile failures. Charon does not use Nebula VPN PKI by default. Risk accepted; no remediation until smallstep/certificates ships with nebula >= v1.10.3. Re-evaluated 2026-04-10: still blocked by upstream API incompatibility. expiry: "2026-05-10" # Re-evaluated 2026-04-10: certificates through v0.30.2 incompatible with nebula v1.10+. # GHSA-6g7g-w4f8-9c9x: buger/jsonparser Delete panic on malformed JSON (DoS) # Severity: HIGH (CVSS 7.5) # Package: github.com/buger/jsonparser v1.1.1 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli) # Status: UPSTREAM FIX EXISTS (v1.1.2 released 2026-03-20) — awaiting CrowdSec to update dependency # NOTE: As of 2026-04-20, grype v0.111.0 with fresh DB no longer flags this finding in the image. # This suppression is retained as a safety net in case future DB updates re-surface it. # # Vulnerability Details: # - The Delete function fails to validate offsets on malformed JSON input, producing a # negative slice index and a runtime panic — denial of service (CWE-125). # - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H # # Root Cause (Third-Party Binary — Fix Exists Upstream, Not Yet in CrowdSec): # - Charon does not use buger/jsonparser directly. It is compiled into CrowdSec binaries. # - buger/jsonparser released v1.1.2 on 2026-03-20 fixing issue #275. # - CrowdSec has not yet released a version built with buger/jsonparser v1.1.2. # - Fix path: once CrowdSec updates their dependency and rebuilds, rebuild the Docker image # and remove this suppression. # # Risk Assessment: ACCEPTED (Limited exploitability; fix exists upstream but not yet in CrowdSec) # - The DoS vector requires passing malformed JSON to the vulnerable Delete function within # CrowdSec's internal processing pipeline; this is not a direct attack surface in Charon. # - CrowdSec's exposed surface is its HTTP API (not raw JSON stream parsing via this path). # # Mitigation (active while suppression is in effect): # - Monitor CrowdSec releases for a build using buger/jsonparser >= v1.1.2. # - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases # - Weekly CI security rebuild flags the moment a fixed image ships. # # Review: # - Reviewed 2026-03-19 (initial suppression): no upstream fix. Set 30-day review. # - Extended 2026-04-04: no upstream fix. buger/jsonparser issue #275 still open. # - Updated 2026-04-20: buger/jsonparser v1.1.2 released 2026-03-20. CrowdSec not yet updated. # Grype v0.111.0 with fresh DB (2026-04-20) no longer flags this finding. Suppression retained # as a safety net. Next review: 2026-05-19 — remove if CrowdSec ships with v1.1.2+. # # Removal Criteria: # - CrowdSec releases a version built with buger/jsonparser >= v1.1.2 # - Rebuild Docker image, run security-scan-docker-image, confirm finding is resolved # - Remove this entry and the corresponding .trivyignore entry simultaneously # # References: # - GHSA-6g7g-w4f8-9c9x: https://github.com/advisories/GHSA-6g7g-w4f8-9c9x # - Upstream fix: https://github.com/buger/jsonparser/releases/tag/v1.1.2 # - golang/vulndb: https://github.com/golang/vulndb/issues/4514 # - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases - vulnerability: GHSA-6g7g-w4f8-9c9x package: name: github.com/buger/jsonparser version: "v1.1.1" type: go-module reason: | HIGH — DoS panic via malformed JSON in buger/jsonparser v1.1.1 embedded in CrowdSec binaries. Upstream fix: buger/jsonparser v1.1.2 released 2026-03-20; CrowdSec has not yet updated their dependency. Grype no longer flags this as of 2026-04-20 (fresh DB). Suppression retained as safety net pending CrowdSec update. Charon does not use this package directly. Updated 2026-04-20: fix v1.1.2 exists upstream; awaiting CrowdSec dependency update. expiry: "2026-05-19" # Review 2026-05-19: remove if CrowdSec ships with buger/jsonparser >= v1.1.2. # Action items when this suppression expires: # 1. Check if CrowdSec has released a version with buger/jsonparser >= v1.1.2: # https://github.com/crowdsecurity/crowdsec/releases # 2. If CrowdSec has updated: rebuild Docker image, run security-scan-docker-image, # and remove this suppression entry and the corresponding .trivyignore entry # 3. If grype still does not flag it with fresh DB: consider removing the suppression as # it may no longer be necessary # 4. If no CrowdSec update yet: Extend expiry by 30 days # GHSA-jqcq-xjh3-6g23: pgproto3/v2 DataRow.Decode panic on negative field length (DoS) # Severity: HIGH (CVSS 7.5) # Package: github.com/jackc/pgproto3/v2 v2.3.3 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli) # Status: NO fix in pgproto3/v2 (archived/EOL) — fix path requires CrowdSec to migrate to pgx/v5 # # Vulnerability Details: # - DataRow.Decode does not validate field lengths; a malicious or compromised PostgreSQL server # can send a negative field length causing a slice-bounds panic — denial of service (CWE-129). # - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H # # Root Cause (EOL Module + Third-Party Binary): # - Charon does not use pgproto3/v2 directly nor communicate with PostgreSQL. The package # is compiled into CrowdSec binaries for their internal database communication. # - The pgproto3/v2 module is archived and EOL; no fix will be released. The fix path # is migration to pgx/v5, which embeds an updated pgproto3/v3. # - Fix path: once CrowdSec migrates to pgx/v5 and releases an updated binary, rebuild # the Docker image and remove this suppression. # # Risk Assessment: ACCEPTED (Non-exploitable in Charon context + no upstream fix path) # - The vulnerability requires a malicious PostgreSQL server response. Charon uses SQLite # internally and does not run PostgreSQL. CrowdSec's database path is not exposed to # external traffic in a standard Charon deployment. # - The attack requires a compromised database server, which would imply full host compromise. # # Mitigation (active while suppression is in effect): # - Monitor CrowdSec releases for pgx/v5 migration: # https://github.com/crowdsecurity/crowdsec/releases # - Weekly CI security rebuild flags the moment a fixed image ships. # # Review: # - Reviewed 2026-03-19 (initial suppression): pgproto3/v2 is EOL; no fix exists or will exist. # Waiting on CrowdSec to migrate to pgx/v5. Set 30-day review. # - Extended 2026-04-04: CrowdSec has not migrated to pgx/v5 yet. # - Next review: 2026-05-19. Remove suppression once CrowdSec ships with pgx/v5. # # Removal Criteria: # - CrowdSec releases a version with pgx/v5 (pgproto3/v3) replacing pgproto3/v2 # - Rebuild Docker image, run security-scan-docker-image, confirm finding is resolved # - Remove this entry and the corresponding .trivyignore entry simultaneously # # References: # - GHSA-jqcq-xjh3-6g23: https://github.com/advisories/GHSA-jqcq-xjh3-6g23 # - pgproto3/v2 archive notice: https://github.com/jackc/pgproto3 # - pgx/v5 (replacement): https://github.com/jackc/pgx # - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases - vulnerability: GHSA-jqcq-xjh3-6g23 package: name: github.com/jackc/pgproto3/v2 version: "v2.3.3" type: go-module reason: | HIGH — DoS panic via negative field length in pgproto3/v2 v2.3.3 embedded in CrowdSec binaries. pgproto3/v2 is archived/EOL with no fix planned; fix path requires CrowdSec to migrate to pgx/v5. Charon uses SQLite, not PostgreSQL; this code path is not reachable in a standard deployment. Risk accepted; no remediation until CrowdSec ships with pgx/v5. Reviewed 2026-03-19: pgproto3/v2 EOL confirmed; CrowdSec has not migrated to pgx/v5 yet. expiry: "2026-05-19" # Extended 2026-04-04: no fix path until CrowdSec migrates to pgx/v5. # Action items when this suppression expires: # 1. Check CrowdSec releases for pgx/v5 migration: # https://github.com/crowdsecurity/crowdsec/releases # 2. Verify with: `go version -m /path/to/crowdsec | grep pgproto3` # Expected: pgproto3/v3 (or no pgproto3 reference if fully replaced) # 3. If CrowdSec has migrated: # a. Rebuild Docker image and run local security-scan-docker-image # b. Remove this suppression entry and the corresponding .trivyignore entry # 4. If not yet migrated: Extend expiry by 30 days and update the review comment above # 5. If extended 3+ times: Open an upstream issue on crowdsecurity/crowdsec requesting pgx/v5 migration # GHSA-x6gf-mpr2-68h6 / CVE-2026-4427: pgproto3/v2 DataRow.Decode panic on negative field length (DoS) # Severity: HIGH (CVSS 7.5) # Package: github.com/jackc/pgproto3/v2 v2.3.3 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli) # Status: NO fix in pgproto3/v2 (archived/EOL) — fix path requires CrowdSec to migrate to pgx/v5 # Note: This is the NVD/Red Hat advisory alias for the same underlying vulnerability as GHSA-jqcq-xjh3-6g23 # # Vulnerability Details: # - DataRow.Decode does not validate field lengths; a malicious or compromised PostgreSQL server # can send a negative field length causing a slice-bounds panic — denial of service (CWE-129). # - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CVSS 7.5) # # Root Cause (EOL Module + Third-Party Binary): # - Same underlying vulnerability as GHSA-jqcq-xjh3-6g23; tracked separately by NVD/Red Hat as CVE-2026-4427. # - Charon does not use pgproto3/v2 directly nor communicate with PostgreSQL. The package # is compiled into CrowdSec binaries for their internal database communication. # - The pgproto3/v2 module is archived and EOL; no fix will be released. The fix path # is migration to pgx/v5, which embeds an updated pgproto3/v3. # - Fix path: once CrowdSec migrates to pgx/v5 and releases an updated binary, rebuild # the Docker image and remove this suppression. # # Risk Assessment: ACCEPTED (Non-exploitable in Charon context + no upstream fix path) # - The vulnerability requires a malicious PostgreSQL server response. Charon uses SQLite # internally and does not run PostgreSQL. CrowdSec's database path is not exposed to # external traffic in a standard Charon deployment. # - The attack requires a compromised database server, which would imply full host compromise. # # Mitigation (active while suppression is in effect): # - Monitor CrowdSec releases for pgx/v5 migration: # https://github.com/crowdsecurity/crowdsec/releases # - Weekly CI security rebuild flags the moment a fixed image ships. # # Review: # - Reviewed 2026-03-21 (initial suppression): pgproto3/v2 is EOL; no fix exists or will exist. # Waiting on CrowdSec to migrate to pgx/v5. Set 30-day review. Sibling GHSA-jqcq-xjh3-6g23 # was already suppressed; this alias surfaced as a separate Grype match via NVD/Red Hat tracking. # - Extended 2026-04-04: CrowdSec has not migrated to pgx/v5 yet. # - Next review: 2026-05-21. Remove suppression once CrowdSec ships with pgx/v5. # # Removal Criteria: # - Same as GHSA-jqcq-xjh3-6g23: CrowdSec releases a version with pgx/v5 replacing pgproto3/v2 # - Rebuild Docker image, run security-scan-docker-image, confirm both advisories are resolved # - Remove this entry, GHSA-jqcq-xjh3-6g23 entry, and both .trivyignore entries simultaneously # # References: # - GHSA-x6gf-mpr2-68h6: https://github.com/advisories/GHSA-x6gf-mpr2-68h6 # - CVE-2026-4427: https://nvd.nist.gov/vuln/detail/CVE-2026-4427 # - Red Hat: https://access.redhat.com/security/cve/CVE-2026-4427 # - pgproto3/v2 archive notice: https://github.com/jackc/pgproto3 # - pgx/v5 (replacement): https://github.com/jackc/pgx # - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases - vulnerability: GHSA-x6gf-mpr2-68h6 package: name: github.com/jackc/pgproto3/v2 version: "v2.3.3" type: go-module reason: | HIGH — DoS panic via negative field length in pgproto3/v2 v2.3.3 embedded in CrowdSec binaries. NVD/Red Hat alias (CVE-2026-4427) for the same underlying bug as GHSA-jqcq-xjh3-6g23. pgproto3/v2 is archived/EOL with no fix planned; fix path requires CrowdSec to migrate to pgx/v5. Charon uses SQLite, not PostgreSQL; this code path is not reachable in a standard deployment. Risk accepted; no remediation until CrowdSec ships with pgx/v5. Reviewed 2026-03-21: pgproto3/v2 EOL confirmed; CrowdSec has not migrated to pgx/v5 yet. expiry: "2026-05-21" # Extended 2026-04-04: no fix path until CrowdSec migrates to pgx/v5. # Action items when this suppression expires: # 1. Check CrowdSec releases for pgx/v5 migration: # https://github.com/crowdsecurity/crowdsec/releases # 2. Verify with: `go version -m /path/to/crowdsec | grep pgproto3` # Expected: pgproto3/v3 (or no pgproto3 reference if fully replaced) # 3. If CrowdSec has migrated: # a. Rebuild Docker image and run local security-scan-docker-image # b. Remove this entry, GHSA-jqcq-xjh3-6g23 entry, and both .trivyignore entries # 4. If not yet migrated: Extend expiry by 30 days and update the review comment above # 5. If extended 3+ times: Open an upstream issue on crowdsecurity/crowdsec requesting pgx/v5 migration # CVE-2026-32286: pgproto3/v2 buffer overflow in DataRow handling (DoS) # Severity: HIGH (CVSS 7.5) # Package: github.com/jackc/pgproto3/v2 v2.3.3 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli) # Status: NO fix in pgproto3/v2 (archived/EOL) — fix path requires CrowdSec to migrate to pgx/v5 # # Vulnerability Details: # - Buffer overflow in pgproto3/v2 DataRow handling allows a malicious or compromised PostgreSQL # server to trigger a denial of service via crafted protocol messages (CWE-120). # - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CVSS 7.5) # # Root Cause (EOL Module + Third-Party Binary): # - Same affected module as GHSA-jqcq-xjh3-6g23 and GHSA-x6gf-mpr2-68h6 — pgproto3/v2 v2.3.3 # is the final release (repository archived Jul 12, 2025). No fix will be released. # - Charon does not use pgproto3/v2 directly nor communicate with PostgreSQL. The package # is compiled into CrowdSec binaries for their internal database communication. # - Fix exists only in pgproto3/v3 (used by pgx/v5). CrowdSec v1.7.7 (latest) still depends # on pgx/v4 → pgproto3/v2. Dockerfile already applies best-effort mitigation (pgx/v4@v4.18.3). # - Fix path: once CrowdSec migrates to pgx/v5, rebuild the Docker image and remove this suppression. # # Risk Assessment: ACCEPTED (Non-exploitable in Charon context + no upstream fix path) # - The vulnerability requires a malicious PostgreSQL server response. Charon uses SQLite # internally and does not run PostgreSQL. CrowdSec's database path is not exposed to # external traffic in a standard Charon deployment. # - CrowdSec's PostgreSQL code path is not directly exposed to untrusted network input in # Charon's deployment. # # Mitigation (active while suppression is in effect): # - Monitor CrowdSec releases for pgx/v5 migration: # https://github.com/crowdsecurity/crowdsec/releases # - Weekly CI security rebuild flags the moment a fixed image ships. # # Review: # - Reviewed 2026-04-10 (initial suppression): pgproto3/v2 is EOL; no fix exists or will exist. # Waiting on CrowdSec to migrate to pgx/v5. Set 90-day review. # - Next review: 2026-07-09. Remove suppression once CrowdSec ships with pgx/v5. # # Removal Criteria: # - Same as GHSA-jqcq-xjh3-6g23: CrowdSec releases a version with pgx/v5 replacing pgproto3/v2 # - Rebuild Docker image, run security-scan-docker-image, confirm all pgproto3/v2 advisories are resolved # - Remove this entry, GHSA-jqcq-xjh3-6g23 entry, GHSA-x6gf-mpr2-68h6 entry, and all .trivyignore entries simultaneously # # References: # - CVE-2026-32286: https://nvd.nist.gov/vuln/detail/CVE-2026-32286 # - pgproto3/v2 archive notice: https://github.com/jackc/pgproto3 # - pgx/v5 (replacement): https://github.com/jackc/pgx # - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases - vulnerability: CVE-2026-32286 package: name: github.com/jackc/pgproto3/v2 version: "v2.3.3" type: go-module reason: | HIGH — Buffer overflow in pgproto3/v2 v2.3.3 DataRow handling, embedded in CrowdSec binaries. pgproto3/v2 v2.3.3 is the final release (archived Jul 2025); no fix will be released. Fix exists only in pgproto3/v3 (pgx/v5). CrowdSec v1.7.7 still depends on pgx/v4 → pgproto3/v2. Charon uses SQLite, not PostgreSQL; this code path is not reachable in a standard deployment. Risk accepted; no remediation until CrowdSec ships with pgx/v5. Reviewed 2026-04-10: pgproto3/v2 EOL confirmed; CrowdSec has not migrated to pgx/v5 yet. expiry: "2026-07-09" # Reviewed 2026-04-10: no fix path until CrowdSec migrates to pgx/v5. 90-day expiry. # Action items when this suppression expires: # 1. Check CrowdSec releases for pgx/v5 migration: # https://github.com/crowdsecurity/crowdsec/releases # 2. Verify with: `go version -m /path/to/crowdsec | grep pgproto3` # Expected: pgproto3/v3 (or no pgproto3 reference if fully replaced) # 3. If CrowdSec has migrated: # a. Rebuild Docker image and run local security-scan-docker-image # b. Remove this entry, GHSA-jqcq-xjh3-6g23 entry, GHSA-x6gf-mpr2-68h6 entry, and all .trivyignore entries # 4. If not yet migrated: Extend expiry by 30 days and update the review comment above # 5. If extended 3+ times: Open an upstream issue on crowdsecurity/crowdsec requesting pgx/v5 migration # GHSA-x744-4wpc-v9h2 / CVE-2026-34040: Docker AuthZ plugin bypass via oversized request body # Severity: HIGH (CVSS 8.8) # CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H # CWE: CWE-863 (Incorrect Authorization) # Package: github.com/docker/docker v28.5.2+incompatible (go-module) # Status: Fixed in moby/moby v29.3.1 — NO fix available for docker/docker import path # # Vulnerability Details: # - Incomplete fix for Docker AuthZ plugin bypass (CVE-2024-41110). An attacker can send an # oversized request body to the Docker daemon, causing it to forward the request to the AuthZ # plugin without the body, allowing unauthorized approvals. # # Root Cause (No Fix Available for Import Path): # - The fix exists in moby/moby v29.3.1, but not for the docker/docker import path that Charon uses. # - Migration to moby/moby/v2 is not practical: currently beta with breaking changes. # - Fix path: once docker/docker publishes a patched version or moby/moby/v2 stabilizes, # update the dependency and remove this suppression. # # Risk Assessment: ACCEPTED (Not exploitable in Charon context) # - Charon uses the Docker client SDK only (list containers). The vulnerability is server-side # in the Docker daemon's AuthZ plugin handler. # - Charon does not run a Docker daemon or use AuthZ plugins. # - The attack vector requires local access to the Docker daemon socket with AuthZ plugins enabled. # # Mitigation (active while suppression is in effect): # - Monitor docker/docker releases: https://github.com/moby/moby/releases # - Monitor moby/moby/v2 stabilization: https://github.com/moby/moby # - Weekly CI security rebuild flags the moment a fixed version ships. # # Review: # - Reviewed 2026-03-30 (initial suppression): no fix for docker/docker import path. Set 30-day review. # - Next review: 2026-04-30. Remove suppression once a fix is available for the docker/docker import path. # # Removal Criteria: # - docker/docker publishes a patched version OR moby/moby/v2 stabilizes and migration is feasible # - Update dependency, rebuild, run security-scan-docker-image, confirm finding is resolved # - Remove this entry, the GHSA-pxq6-2prw-chj9 entry, and the corresponding .trivyignore entries simultaneously # # References: # - GHSA-x744-4wpc-v9h2: https://github.com/advisories/GHSA-x744-4wpc-v9h2 # - CVE-2026-34040: https://nvd.nist.gov/vuln/detail/CVE-2026-34040 # - CVE-2024-41110 (original): https://nvd.nist.gov/vuln/detail/CVE-2024-41110 # - moby/moby releases: https://github.com/moby/moby/releases - vulnerability: GHSA-x744-4wpc-v9h2 package: name: github.com/docker/docker version: "v28.5.2+incompatible" type: go-module reason: | HIGH — Docker AuthZ plugin bypass via oversized request body in docker/docker v28.5.2+incompatible. Incomplete fix for CVE-2024-41110. Fixed in moby/moby v29.3.1 but no fix for docker/docker import path. Charon uses Docker client SDK only (list containers); the vulnerability is server-side in the Docker daemon's AuthZ plugin handler. Charon does not run a Docker daemon or use AuthZ plugins. Risk accepted; no remediation path until docker/docker publishes a fix or moby/moby/v2 stabilizes. Reviewed 2026-03-30: no patched release available for docker/docker import path. expiry: "2026-04-30" # 30-day review: no fix for docker/docker import path. Extend in 30-day increments with documented justification. # Action items when this suppression expires: # 1. Check docker/docker and moby/moby releases: https://github.com/moby/moby/releases # 2. Check if moby/moby/v2 has stabilized: https://github.com/moby/moby # 3. If a fix has shipped for docker/docker import path OR moby/moby/v2 is stable: # a. Update the dependency and rebuild Docker image # b. Run local security-scan-docker-image and confirm finding is resolved # c. Remove this entry, GHSA-pxq6-2prw-chj9 entry, and all corresponding .trivyignore entries # 4. If no fix yet: Extend expiry by 30 days and update the review comment above # 5. If extended 3+ times: Open an issue to track moby/moby/v2 migration feasibility # GHSA-pxq6-2prw-chj9 / CVE-2026-33997: Moby off-by-one error in plugin privilege validation # Severity: MEDIUM (CVSS 6.8) # Package: github.com/docker/docker v28.5.2+incompatible (go-module) # Status: Fixed in moby/moby v29.3.1 — NO fix available for docker/docker import path # # Vulnerability Details: # - Off-by-one error in Moby's plugin privilege validation allows potential privilege escalation # via crafted plugin configurations. # # Root Cause (No Fix Available for Import Path): # - Same import path issue as GHSA-x744-4wpc-v9h2. The fix exists in moby/moby v29.3.1 but not # for the docker/docker import path that Charon uses. # - Fix path: same as GHSA-x744-4wpc-v9h2 — wait for docker/docker patch or moby/moby/v2 stabilization. # # Risk Assessment: ACCEPTED (Not exploitable in Charon context) # - Charon uses the Docker client SDK only (list containers). The vulnerability is in Docker's # plugin privilege validation, which is server-side functionality. # - Charon does not run a Docker daemon, install Docker plugins, or interact with plugin privileges. # # Mitigation (active while suppression is in effect): # - Monitor docker/docker releases: https://github.com/moby/moby/releases # - Weekly CI security rebuild flags the moment a fixed version ships. # # Review: # - Reviewed 2026-03-30 (initial suppression): no fix for docker/docker import path. Set 30-day review. # - Next review: 2026-04-30. Remove suppression once a fix is available for the docker/docker import path. # # Removal Criteria: # - Same as GHSA-x744-4wpc-v9h2: docker/docker publishes a patched version OR moby/moby/v2 stabilizes # - Update dependency, rebuild, run security-scan-docker-image, confirm finding is resolved # - Remove this entry, GHSA-x744-4wpc-v9h2 entry, and all corresponding .trivyignore entries simultaneously # # References: # - GHSA-pxq6-2prw-chj9: https://github.com/advisories/GHSA-pxq6-2prw-chj9 # - CVE-2026-33997: https://nvd.nist.gov/vuln/detail/CVE-2026-33997 # - moby/moby releases: https://github.com/moby/moby/releases - vulnerability: GHSA-pxq6-2prw-chj9 package: name: github.com/docker/docker version: "v28.5.2+incompatible" type: go-module reason: | MEDIUM — Off-by-one error in Moby plugin privilege validation in docker/docker v28.5.2+incompatible. Fixed in moby/moby v29.3.1 but no fix for docker/docker import path. Charon uses Docker client SDK only (list containers); the vulnerability is in Docker's server-side plugin privilege validation. Charon does not run a Docker daemon or install Docker plugins. Risk accepted; no remediation path until docker/docker publishes a fix or moby/moby/v2 stabilizes. Reviewed 2026-03-30: no patched release available for docker/docker import path. expiry: "2026-04-30" # 30-day review: no fix for docker/docker import path. Extend in 30-day increments with documented justification. # Action items when this suppression expires: # 1. Check docker/docker and moby/moby releases: https://github.com/moby/moby/releases # 2. Check if moby/moby/v2 has stabilized: https://github.com/moby/moby # 3. If a fix has shipped for docker/docker import path OR moby/moby/v2 is stable: # a. Update the dependency and rebuild Docker image # b. Run local security-scan-docker-image and confirm finding is resolved # c. Remove this entry, GHSA-x744-4wpc-v9h2 entry, and all corresponding .trivyignore entries # 4. If no fix yet: Extend expiry by 30 days and update the review comment above # 5. If extended 3+ times: Open an issue to track moby/moby/v2 migration feasibility # GHSA-78h2-9frx-2jm8: go-jose JWE decryption panic (DoS) # Severity: HIGH # Packages: github.com/go-jose/go-jose/v3 v3.0.4 and github.com/go-jose/go-jose/v4 v4.1.3 # (embedded in /usr/bin/caddy) # Status: Fix available in go-jose/v3 v3.0.5 and go-jose/v4 v4.1.4 — requires upstream Caddy rebuild # # Vulnerability Details: # - JWE decryption can trigger a panic due to improper input validation, causing # a denial-of-service condition (runtime crash). # # Root Cause (Third-Party Binary): # - Charon does not use go-jose directly. The library is compiled into the Caddy binary # shipped in the Docker image. # - Fixes are available upstream (v3.0.5 and v4.1.4) but require a Caddy rebuild to pick up. # - Fix path: once the upstream Caddy release includes the patched go-jose versions, # rebuild the Docker image and remove these suppressions. # # Risk Assessment: ACCEPTED (No direct use + fix requires upstream rebuild) # - Charon does not import or call go-jose functions; the library is only present as a # transitive dependency inside the Caddy binary. # - The attack vector requires crafted JWE input reaching Caddy's internal JWT handling, # which is limited to authenticated admin-API paths not exposed in Charon deployments. # # Mitigation (active while suppression is in effect): # - Monitor Caddy releases: https://github.com/caddyserver/caddy/releases # - Weekly CI security rebuild flags the moment a fixed image ships. # # Review: # - Reviewed 2026-04-05 (initial suppression): fix available upstream but not yet in Caddy release. # Set 30-day review. # - Next review: 2026-05-05. Remove suppression once Caddy ships with patched go-jose. # # Removal Criteria: # - Caddy releases a version built with go-jose/v3 >= v3.0.5 and go-jose/v4 >= v4.1.4 # - Rebuild Docker image, run security-scan-docker-image, confirm finding is resolved # - Remove both entries (v3 and v4) and any corresponding .trivyignore entries simultaneously # # References: # - GHSA-78h2-9frx-2jm8: https://github.com/advisories/GHSA-78h2-9frx-2jm8 # - go-jose releases: https://github.com/go-jose/go-jose/releases # - Caddy releases: https://github.com/caddyserver/caddy/releases - vulnerability: GHSA-78h2-9frx-2jm8 package: name: github.com/go-jose/go-jose/v3 version: "v3.0.4" type: go-module reason: | HIGH — JWE decryption panic in go-jose v3.0.4 embedded in /usr/bin/caddy. Fix available in v3.0.5 but requires upstream Caddy rebuild. Charon does not use go-jose directly. Deferring to next Caddy release. expiry: "2026-05-05" # 30-day review: remove once Caddy ships with go-jose/v3 >= v3.0.5. # Action items when this suppression expires: # 1. Check Caddy releases: https://github.com/caddyserver/caddy/releases # 2. Verify with: `go version -m /usr/bin/caddy | grep go-jose` # Expected: go-jose/v3 >= v3.0.5 # 3. If Caddy has updated: # a. Rebuild Docker image and run local security-scan-docker-image # b. Remove this entry, the v4 entry below, and any corresponding .trivyignore entries # 4. If not yet updated: Extend expiry by 30 days and update the review comment above # 5. If extended 3+ times: Open an upstream issue on caddyserver/caddy requesting go-jose update # GHSA-78h2-9frx-2jm8 (go-jose/v4) — see full justification in the go-jose/v3 entry above - vulnerability: GHSA-78h2-9frx-2jm8 package: name: github.com/go-jose/go-jose/v4 version: "v4.1.3" type: go-module reason: | HIGH — JWE decryption panic in go-jose v4.1.3 embedded in /usr/bin/caddy. Fix available in v4.1.4 but requires upstream Caddy rebuild. Charon does not use go-jose directly. Deferring to next Caddy release. expiry: "2026-05-05" # 30-day review: see go-jose/v3 entry above for action items. # Match exclusions (patterns to ignore during scanning) # Use sparingly - prefer specific CVE suppressions above match: # Exclude test fixtures and example code from vulnerability scanning exclude: - path: "**/test/**" - path: "**/tests/**" - path: "**/testdata/**" - path: "**/examples/**" - path: "**/*_test.go" # Output configuration (optional) # These settings can be overridden via CLI flags output: # Report only HIGH and CRITICAL by default # Medium/Low findings are still logged but don't fail the scan fail-on-severity: high # Check for configuration updates # Grype automatically updates its vulnerability database # Run `grype db update` manually to force an update check-for-app-update: true