CVE-2025-65965
BaseFortify
Publication date: 2025-11-25
Last updated on: 2025-11-25
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anchore | grype | 0.68.0 |
| anchore | grype | 0.104.1 |
| anchore | grype | 0.104.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-212 | The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Grype, a container image and filesystem vulnerability scanner, causes registry credentials to be disclosed if they are defined and the output is written using the --file or --output json=<file> option. The credentials are included unsanitized in the output file, potentially exposing sensitive information. This affects versions 0.68.0 through 0.104.0 and has been fixed in version 0.104.1.
How can this vulnerability impact me?
If you use affected versions of Grype and output scan results to a file using the --file or --output json option, your registry credentials could be exposed in that output file. This could lead to unauthorized access to your container registries, potentially compromising your container images and related infrastructure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking the version of Grype installed on your system. Versions from 0.68.0 through 0.104.0 are affected. Use the command `grype version` to determine the installed version. Additionally, inspect any output files generated using the --file or --output json=<file> options for the presence of unsanitized registry credentials.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade Grype to version 0.104.1 or later where the issue is patched. If upgrading is not possible right away, avoid using the --file or --output json=<file> options when running Grype. Instead, redirect the standard output (stdout) to a file to prevent registry credentials from being included unsanitized in output files.
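The version check and report inspection described above, as an added example that is not part of the BaseFortify record or of Grype itself. It assumes that `grype version` prints a `Version: x.y.z` line and that leaked credentials appear in the JSON report under `descriptor.configuration` as `password` / `token` keys; the sample reports are constructed, not real Grype output.

```shell
#!/bin/sh
# Added example for CVE-2025-65965: (1) decide whether a Grype version lies in the
# affected range 0.68.0 .. 0.104.0 (fixed in 0.104.1) and (2) scan a report written
# with --file / --output json=<file> for credential-shaped keys before archiving it.

# ver_num 0.104.1 -> 104001 : pack a dotted version into one integer for comparison.
ver_num() {
  v=${1#v}; v=${v%%-*}                 # drop a leading "v" and any pre-release suffix
  set -- $(printf '%s' "$v" | tr '.' ' ')
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# is_affected VERSION : true when 0.68.0 <= VERSION <= 0.104.0.
is_affected() {
  n=$(ver_num "$1")
  [ "$n" -ge "$(ver_num 0.68.0)" ] && [ "$n" -le "$(ver_num 0.104.0)" ]
}

# installed_grype_version : ASSUMES `grype version` prints a "Version: x.y.z" line.
installed_grype_version() {
  grype version 2>/dev/null | awk '/^Version:/ {print $2; exit}'
}

# report_has_credentials FILE : true if the JSON report carries a non-empty
# "password" or "token" value. ASSUMED key names under descriptor.configuration.
report_has_credentials() {
  grep -Eq '"(password|token)"[[:space:]]*:[[:space:]]*"[^"]+"' "$1"
}

# write_samples : CONSTRUCTED reports (not real Grype output) for exercising the check.
write_samples() {
  dir=$(mktemp -d)
  cat > "$dir/leaky.json" <<'EOF'
{"descriptor":{"name":"grype","version":"0.100.0","configuration":{"registry":{"auth":
 [{"authority":"registry.example.internal","username":"ci-bot","password":"CONSTRUCTED-SECRET"}]}}}}
EOF
  cat > "$dir/clean.json" <<'EOF'
{"descriptor":{"name":"grype","version":"0.104.1","configuration":{"registry":{"auth":
 [{"authority":"registry.example.internal","username":"ci-bot"}]}}}}
EOF
  echo "$dir"
}

if command -v grype >/dev/null 2>&1; then
  gv=$(installed_grype_version)
  if is_affected "$gv"; then echo "grype $gv is affected; upgrade to 0.104.1 or later"; else echo "grype $gv not affected"; fi
fi
samples=$(write_samples)
for f in "$samples"/*.json; do
  if report_has_credentials "$f"; then echo "$f: credentials present, do not share"; else echo "$f: clean"; fi
done
```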