CVE-2024-3154 found with latest version

[nvuillam]

What happened:

CVE found by trivy

┌────────────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────┐
│            Library             │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                         │
├────────────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────┤
│ github.com/opencontainers/runc │ CVE-2024-3154 │ HIGH     │ fixed  │ v1.1.12           │ 1.2.0-rc.1    │ cri-o: Arbitrary command injection via pod annotation │
│                                │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-3154             │
└────────────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────┘

What you expected to happen:

No CVE found :)

How to reproduce it (as minimally and precisely as possible):

See MegaLinter build job: https://github.com/oxsecurity/megalinter/actions/runs/8862893746/job/24336363970?pr=3518

Dockerfile uses the following: RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

Anything else we need to know?:

Environment:

• Output of grype version: latest
• OS (e.g: cat /etc/os-release or similar): alpine linux

[kzantow]

Note: Grype also finds this CVE :) We'll definitely get this updated once the new version is released.

[nvuillam]

@kzantow many thanks for your reactivity :)