github.com/anchore/syft vulnerabilities
2 known vulnerabilities affecting github.com/anchore/syft.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: MEDIUM 2
Vulnerabilities
CVE-2023-24827 | P3 | MEDIUM | ≥ 0.69.0, < 0.70.0 | 2023-02-08
CVE-2023-24827 [MEDIUM] CWE-200 Credential disclosure in syft when SYFT_ATTEST_PASSWORD environment variable set
A password disclosure flaw was found in Syft versions v0.69.0 and v0.69.1. This flaw leaks the password stored in the SYFT_ATTEST_PASSWORD environment variable.
### Impact
The `SYFT_ATTEST_PASSWORD` environment variable is for the `syft attest` command to generate attested SBOMs for the given container
Sources: GHSA, OSV
CVE-2026-33481 | P4 | MEDIUM | ≥ 0, < 1.42.3 | 2026-03-20
CVE-2026-33481 [MEDIUM] CWE-460 Syft improper temporary file cleanup
### Impact
Syft versions before v1.42.3 would not properly clean up temporary storage if the temporary storage was exhausted during a scan. When scanning archives, Syft unpacks those archives into temporary storage and then inspects the unpacked contents. Under normal operation, Syft removes the temporary data it writes after completing a scan.
This vulnerability would affect users of Syft
Sources: GHSA, OSV