Grype Credential Disclosure Vulnerability in JSON Output
Vulnerability
A credential disclosure vulnerability exists in Grype, a vulnerability scanner for container images and filesystems, affecting versions from 0.68.0 up to, but not including, 0.104.0. When registry credentials are configured and the output is directed to a file in JSON format, the credentials are written into the output without proper sanitization. This vulnerability does not affect users who have no registry authentication configured.
Impact
In the affected Grype versions, registry authentication details can be improperly included in the output file of a Grype scan, exposing sensitive credentials. This issue can also arise from a malformed Grype Template that includes unsanitized registry authentication fields.
Reproduction
To reproduce this vulnerability, first ensure that registry authentication credentials are configured, either in the Grype configuration file or through environment variables. Then run Grype with the '--output json=<file>' option, directing the output to a JSON file. The registry credentials will be leaked in the unsanitized output file. Alternatively, the vulnerability can be reproduced with a Grype Template that includes the 'Descriptor.Registry.Auth' fields, which likewise leaks the unsanitized registry credentials.
Remediation
Users can update to Grype version 0.104.1, where this vulnerability has been patched. For those unable to update, the credentials are redacted if the report is written by redirecting standard output to a file rather than through the '--file' or '--output' options.