Copilot v1.34.0 (latest) is vulnerable to critical severity CVE-2024-24790 #6017
Comments
|
The CoPilot Readme says to go here to report security issues (you can look at the readme for more details): Just the messenger here. Not associated with AWS or anything like this. |
|
@bkaws @iamhopaul123 Sorry to tag individuals - hoping to get some visibility from the recent committers. I raised this to the vulnerability reporting email address, but haven't heard back. Could we get a canonical response from AWS on whether we can expect this (upgrading the go version, it seems?) to be within the scope of ongoing copilot-cli maintenance, or are we on our own here? |
|
Hi @jlucas91 thank you for opening this issue and e-mailing the aws-security mailbox. We received your e-mail report and are looking into this. |
Description:
Amazon Inspector (and other automated vulnerability scanning tools) flag AWS Copilot v1.34.0 (latest available release at this time) as being vulnerable to
CRITICALseverity 9.8 CVE-2024-24790.Details:
AWS Copilot generated
buildspec.ymlfiles by default downloads thecopilot-linuxbinary to the current working directory./, which is also the root of the source code / repo for any docker image builds. This means when source code is copied into docker images e.g.COPY . ., unless manually ignored e.g. via.dockerignoreetc, the copilot binary is also copied into all built images that are pushed to ECR.This results in all images built / managed by AWS Copilot are detected by automated scanning tools such as AWS Inspector as being vulnerable to this critical CVE. This prevents an company using AWS Copilot from maintaining SOC 2 compliance, among other things.
Remediation suggestion:
buildspec.ymlfile that does not inadvertently inject binaries into customers docker images, e.g. by simply downloading the binary to a different path on the filesystem instead of into the same directory as the application source code.The text was updated successfully, but these errors were encountered: