
Upgrade stdlib:go in images to remediate vulnerability to CVE-2025-22871

Open urfin78 opened this issue 8 months ago • 2 comments

Currently the Cloudguard Image scanner detects its own images with stdlib:go 1.23.5 as vulnerable to CVE-2025-22871:

quay.io/checkpoint/consec-imagescan-daemon:2.40
quay.io/checkpoint/consec-imagescan-engine:2.40
quay.io/checkpoint/consec-imagescan-shim:2.40

Please update the images with a fixed version.

Regards, Thomas

urfin78, Jun 02 '25 13:06
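The finding above is driven by the Go toolchain version that `go build` stamps into every binary, which is what an image scanner reads to produce a `stdlib:go` result. The following is an added example, not code from the issue or from Check Point: it reads that stamped version with the standard library's `debug/buildinfo` package and compares it with the first patched version on each release line, so you can reproduce the check locally on a binary extracted from an image and tell a real hit from a version the scanner mis-keyed. The list of fixed versions is an input to the check; the values go1.23.8 and go1.24.2 used in the usage note below are my reading of the Go advisory for CVE-2025-22871 and should be confirmed against the Go vulnerability database before being relied on. The file name `gochk.go` is assumed.

```go
// gochk.go: report whether a Go binary was built with a toolchain older than
// the fix for a CVE. Added example; not part of the CloudGuard agents.
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

// goVersion is a parsed toolchain version such as "go1.23.5" or "go1.24rc1".
type goVersion struct {
	major, minor, patch int
	prerelease          bool // rc/beta builds sort before the release with the same numbers
}

// parseGoVersion accepts the strings buildinfo reports, with or without the
// "go" prefix and with any trailing experiment tags ("go1.23.5 X:..."). "devel"
// builds carry no comparable version and are rejected rather than guessed.
func parseGoVersion(s string) (goVersion, error) {
	s = strings.TrimSpace(strings.TrimPrefix(s, "go"))
	if s == "" || strings.HasPrefix(s, "devel") {
		return goVersion{}, fmt.Errorf("not a release version: %q", s)
	}
	s = strings.Fields(s)[0]
	var v goVersion
	fields := []*int{&v.major, &v.minor, &v.patch}
	for i, p := range strings.SplitN(s, ".", 3) {
		n, j := 0, 0
		for j < len(p) && p[j] >= '0' && p[j] <= '9' {
			n = n*10 + int(p[j]-'0')
			j++
		}
		if j == 0 {
			return goVersion{}, fmt.Errorf("bad version component %q in %q", p, s)
		}
		*fields[i] = n
		if j < len(p) { // trailing "rc1"/"beta2": a prerelease, nothing numeric follows
			v.prerelease = true
			break
		}
	}
	return v, nil
}

// less reports whether a sorts before b.
func less(a, b goVersion) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	if a.patch != b.patch {
		return a.patch < b.patch
	}
	return a.prerelease && !b.prerelease
}

// Affected reports whether toolchain is older than the fix for its release line.
// fixedIn holds the first patched version on each line that received a fix
// (e.g. "go1.23.8", "go1.24.2"). A toolchain on that line is compared with that
// entry. A toolchain on a line with no entry is handled conservatively: it is
// affected if it is older than the newest listed fix (an older line that never
// got a patch) and clean only if it is newer than every listed fix.
func Affected(toolchain string, fixedIn []string) (bool, error) {
	tv, err := parseGoVersion(toolchain)
	if err != nil {
		return false, err
	}
	if len(fixedIn) == 0 {
		return false, fmt.Errorf("no fixed versions given")
	}
	var newest goVersion
	for _, f := range fixedIn {
		fv, err := parseGoVersion(f)
		if err != nil {
			return false, err
		}
		if fv.major == tv.major && fv.minor == tv.minor {
			return less(tv, fv), nil
		}
		if less(newest, fv) {
			newest = fv
		}
	}
	return less(tv, newest), nil
}

// BinaryToolchain reads the Go toolchain version stamped into a built binary;
// this is the same build-info section a scanner keys its stdlib:go finding on.
func BinaryToolchain(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

func main() {
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: gochk <binary> <first-fixed-version>...")
		os.Exit(2)
	}
	tc, err := BinaryToolchain(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "read buildinfo:", err)
		os.Exit(2)
	}
	affected, err := Affected(tc, os.Args[2:])
	if err != nil {
		fmt.Fprintln(os.Stderr, "compare:", err)
		os.Exit(2)
	}
	fmt.Printf("%s built with %s: affected=%v\n", os.Args[1], tc, affected)
	if affected {
		os.Exit(1)
	}
}
```

To run it against one of the images above, create a container from the image without starting it (`docker create`), copy the agent binary out with `docker cp`, then run `go run gochk.go ./<binary> go1.23.8 go1.24.2`; exit status 1 means the stamped toolchain is older than the fix for its line. Note that this only tells you the stdlib version is in the affected range, which is what the scanner reports; whether the vulnerable code path is reachable in a given binary is a separate question, which is the basis on which a vendor marks a finding as not relevant.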

Hi @urfin78, thanks for reporting this. I see both CVE-2025-22871 and CVE-2025-22866 were checked in the past and found not relevant (and thus not exploitable) for these agents. Apparently this version 2.40 was missed for the exclusions; we will handle it.

Thanks, Igor

chkp-rigor, Jun 03 '25 13:06

Hi @urfin78, I can update that these 2 CVEs were handled for Image Assurance agents 2.40. I assume you saw these Findings for K8s images in your clusters. Since we re-scan images once a week, it may take up to a week until you see this updated. You can also trigger a re-scan manually for each image via the CloudGuard portal.

Regards, Igor

chkp-rigor, Jun 12 '25 09:06