Critical vulnerability in trivy-operator:0.22.0 image (CVE-2024-41110) #2218

Open · baksetercx opened this issue Aug 8, 2024 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@baksetercx

What steps did you take and what happened:

1. docker pull ghcr.io/aquasecurity/trivy-operator:0.22.0

2. trivy image ghcr.io/aquasecurity/trivy-operator:0.22.0 --severity CRITICAL

Produces:

2024-08-08T16:34:31.593+0200	INFO	Vulnerability scanning is enabled
2024-08-08T16:34:31.593+0200	INFO	Secret scanning is enabled
2024-08-08T16:34:31.593+0200	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-08T16:34:31.593+0200	INFO	Please see also https://aquasecurity.github.io/trivy/v0.44/docs/scanner/secret/#recommendation for faster secret detection
2024-08-08T16:34:31.683+0200	INFO	Detected OS: alpine
2024-08-08T16:34:31.683+0200	INFO	This OS version is not on the EOL list: alpine 3.19
2024-08-08T16:34:31.683+0200	INFO	Detecting Alpine vulnerabilities...
2024-08-08T16:34:31.684+0200	INFO	Number of language-specific files: 1
2024-08-08T16:34:31.684+0200	INFO	Detecting gobinary vulnerabilities...

ghcr.io/aquasecurity/trivy-operator:0.22.0 (alpine 3.19.1)
==========================================================
Total: 0 (CRITICAL: 0)


usr/local/bin/trivy-operator (gobinary)
=======================================
Total: 1 (CRITICAL: 1)

┌──────────────────────────┬────────────────┬──────────┬────────┬──────────────────────┬─────────────────────────────────┬────────────────────────────────────────────┐
│         Library          │ Vulnerability  │ Severity │ Status │  Installed Version   │          Fixed Version          │                   Title                    │
├──────────────────────────┼────────────────┼──────────┼────────┼──────────────────────┼─────────────────────────────────┼────────────────────────────────────────────┤
│ github.com/docker/docker │ CVE-2024-41110 │ CRITICAL │ fixed  │ v26.1.3+incompatible │ 23.0.14, 26.1.4, 27.1.0, 25.0.6 │ moby: Authz zero length regression         │
│                          │                │          │        │                      │                                 │ https://avd.aquasec.com/nvd/cve-2024-41110 │
└──────────────────────────┴────────────────┴──────────┴────────┴──────────────────────┴─────────────────────────────────┴────────────────────────────────────────────┘

What did you expect to happen:

No critical vulnerabilities.

Anything else you would like to add:

The same vulnerability is also reported by Trivy Operator running in Kubernetes, not just locally using the Trivy CLI.

Environment:

  • Trivy-Operator version (use trivy-operator version): v0.22.0
  • Kubernetes version (use kubectl version): v1.28.9
  • OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc): Debian testing
@baksetercx baksetercx added the kind/bug Categorizes issue or PR as related to a bug. label Aug 8, 2024
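The report above is the human-readable table; the same scan with `trivy image --format json` produces a machine-readable report that can be used as a CI gate. The program below is an added example, not code from the issue or from the trivy-operator project: it reads a Trivy JSON report (using Trivy's own top-level field names, ArtifactName, Results, Target, Vulnerabilities, VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity), fails on anything at or above a chosen severity that already has a fix, and, because Trivy lists fixed versions for every maintained branch ("23.0.14, 26.1.4, 27.1.0, 25.0.6"), picks the smallest fixed version that is actually an upgrade from the installed one (26.1.4 for v26.1.3+incompatible). The embedded report is constructed from the table in the issue; the second vulnerability entry (HYPOTHETICAL-0001 in example.invalid/dep) is invented to show that an unfixed finding is reported elsewhere but does not block.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Trimmed-down view of Trivy's JSON report (trivy image --format json).
// Only the fields the gate needs are declared; encoding/json ignores the rest.
type Report struct {
	ArtifactName string   `json:"ArtifactName"`
	Results      []Result `json:"Results"`
}

type Result struct {
	Target          string          `json:"Target"`
	Type            string          `json:"Type"`
	Vulnerabilities []Vulnerability `json:"Vulnerabilities"`
}

type Vulnerability struct {
	VulnerabilityID  string `json:"VulnerabilityID"`
	PkgName          string `json:"PkgName"`
	InstalledVersion string `json:"InstalledVersion"`
	FixedVersion     string `json:"FixedVersion"` // comma-separated, one per branch
	Severity         string `json:"Severity"`
	Status           string `json:"Status"`
}

// Finding is one vulnerability that fails the gate, with the smallest fixed
// version that is an upgrade from what is installed.
type Finding struct{ Target, ID, Pkg, Installed, Upgrade string }

var severityRank = map[string]int{"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// parseVersion turns "v26.1.3+incompatible" into [26 1 3]: the leading "v" and
// Go module suffixes (+incompatible, -pre) are dropped, non-numeric parts become 0.
func parseVersion(v string) []int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "+-"); i >= 0 {
		v = v[:i]
	}
	var out []int
	for _, p := range strings.Split(v, ".") {
		n, _ := strconv.Atoi(p)
		out = append(out, n)
	}
	return out
}

// compareVersions returns -1, 0 or 1; missing trailing components count as 0.
func compareVersions(a, b []int) int {
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// MinimalUpgrade picks, from Trivy's comma-separated FixedVersion list, the lowest
// fixed version greater than installed. "" means no listed fix is an upgrade.
func MinimalUpgrade(installed, fixed string) string {
	inst, best := parseVersion(installed), ""
	var bestV []int
	for _, f := range strings.Split(fixed, ",") {
		f = strings.TrimSpace(f)
		if f == "" {
			continue
		}
		fv := parseVersion(f)
		if compareVersions(fv, inst) <= 0 {
			continue // older than, or equal to, what is installed
		}
		if best == "" || compareVersions(fv, bestV) < 0 {
			best, bestV = f, fv
		}
	}
	return best
}

// Gate parses a Trivy JSON report and returns every vulnerability at or above
// minSeverity for which an upgrade exists. An empty result means the gate passes.
func Gate(report []byte, minSeverity string) ([]Finding, error) {
	var r Report
	if err := json.Unmarshal(report, &r); err != nil {
		return nil, fmt.Errorf("parse trivy report: %w", err)
	}
	floor, ok := severityRank[minSeverity]
	if !ok {
		return nil, fmt.Errorf("unknown severity %q", minSeverity)
	}
	var out []Finding
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			if severityRank[v.Severity] < floor {
				continue
			}
			up := MinimalUpgrade(v.InstalledVersion, v.FixedVersion)
			if up == "" {
				continue // no fix available yet: track it, but do not block the build
			}
			out = append(out, Finding{res.Target, v.VulnerabilityID, v.PkgName, v.InstalledVersion, up})
		}
	}
	return out, nil
}

// sampleReport is constructed from the table in the issue; it is not real Trivy
// output, and the HYPOTHETICAL-0001 entry is invented to exercise the no-fix path.
const sampleReport = `{"ArtifactName":"ghcr.io/aquasecurity/trivy-operator:0.22.0","Results":[
{"Target":"ghcr.io/aquasecurity/trivy-operator:0.22.0 (alpine 3.19.1)","Type":"alpine","Vulnerabilities":null},
{"Target":"usr/local/bin/trivy-operator","Type":"gobinary","Vulnerabilities":[
{"VulnerabilityID":"CVE-2024-41110","PkgName":"github.com/docker/docker","InstalledVersion":"v26.1.3+incompatible",
 "FixedVersion":"23.0.14, 26.1.4, 27.1.0, 25.0.6","Severity":"CRITICAL","Status":"fixed"},
{"VulnerabilityID":"HYPOTHETICAL-0001","PkgName":"example.invalid/dep","InstalledVersion":"v1.2.3",
 "FixedVersion":"","Severity":"HIGH","Status":"affected"}]}]}`

func main() {
	findings, err := Gate([]byte(sampleReport), "CRITICAL")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s in %s %s, upgrade to %s\n", f.Target, f.ID, f.Pkg, f.Installed, f.Upgrade)
	}
	if len(findings) > 0 {
		os.Exit(1) // non-zero exit fails the pipeline step
	}
}
```

In a pipeline the report would come from `trivy image --format json --output report.json ghcr.io/aquasecurity/trivy-operator:0.22.0` instead of the embedded constant; the gate's exit status then does the work of the `--severity CRITICAL` filter while also telling the maintainer which fixed version is the smallest bump.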
@Hacks4Snacks (Contributor)

PR to uplift the docker library (and grpc) - I'm surprised Dependabot didn't raise a PR.


github-actions bot commented Oct 8, 2024

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Oct 8, 2024
@baksetercx (Author)

Any update on this?

@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Oct 17, 2024