Following is the vulnerability report of Fleet and its dependencies.
- Author: @lucasmrod
- Status:
not_affected - Status notes: github.com/docker/docker is only imported in test/upgrade/fleet_test.go and is never compiled into the fleet binary.
- Products:
fleet,pkg:golang/github.com/docker/docker - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-26 15:38:17
- Author: @lucasmrod
- Status:
not_affected - Status notes: github.com/docker/docker is only imported in test/upgrade/fleet_test.go and is never compiled into the fleet binary.
- Products:
fleet,pkg:golang/github.com/docker/docker - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-26 15:38:17
- Author: @lucasmrod
- Status:
not_affected - Status notes: github.com/docker/docker is only imported in test/upgrade/fleet_test.go and is never compiled into the fleet binary.
- Products:
fleet,pkg:golang/github.com/docker/docker - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-26 15:38:17
- Author: @lucasmrod
- Status:
not_affected - Status notes: Fleet runs on 64-bit. The 64-bit trigger is ~23 trillion elements — that requires petabytes of contiguous memory in a single sort call. It is not reachable from any Fleet code path under any real workload. Also, the only way Fleet would touch musl's qsort is through a cgo dependency (SQLite via fts5, the only meaningful cgo path). Even SQLite's internal qsort calls are nowhere near the trigger threshold.
- Products:
fleet,pkg:apk/alpine/musl,pkg:apk/alpine/musl-utils - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-04-27 14:51:37
- Author: @lucasmrod
- Status:
not_affected - Status notes: Exploiting this vulnerability already requires access to the host running the Fleet server (so its practical exploitability appears overstated by the CVSS score / High rating). Also the vulnerability affects BSD and Solaris platforms (which are not supported).
- Products:
fleet,pkg:golang/go.opentelemetry.io/otel/sdk - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2026-04-27 15:03:59
- Author: @lucasmrod
- Status:
not_affected - Status notes: github.com/docker/docker is only imported in test/upgrade/fleet_test.go and is never compiled into the fleet binary.
- Products:
fleet,pkg:golang/github.com/docker/docker - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-26 15:38:16
- Author: @lucasmrod
- Status:
not_affected - Status notes: The loop variable capture is a real code defect, but its practical exploitability as a signature bypass (without possession of the IdP private key in the first place) appears overstated by the CVSS 7.5 / High rating.
- Products:
fleet,pkg:golang/github.com/russellhaering/goxmldsig - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2026-04-27 15:00:17
- Author: @lucasmrod
- Status:
not_affected - Status notes: There are no path-based authorization interceptors. The only interceptors are grpc_recovery (panic handlers). CVE-2026-33186 specifically requires path-based authz rules (like grpc/authz RBAC policies) that compare against info.FullMethod — Fleet doesn't use any.
- Products:
fleet,pkg:golang/google.golang.org/grpc - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2026-03-24 12:38:53
- Author: @lucasmrod
- Status:
not_affected - Status notes: Fleet connects using TLS to a strict set of URLs (e.g. for vulnerability scanning, Apple VPP features, Google/Android APIs, etc.). Exploiting this vulnerability requires a Fleet administrator to control URLs Fleet connects to (e.g. webhook URLs). This, combined with the fact that the vulnerabilities are DoS (do not affect data confidentiality) we consider this report to be MEDIUM instead of HIGH impact. Nonetheless, we advise upgrading to v4.84.2+ when it's available.
- Products:
fleet,pkg:golang/stdlib - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2026-04-27 15:37:36
- Author: @lucasmrod
- Status:
not_affected - Status notes: Fleet connects using TLS to a strict set of URLs (e.g. for vulnerability scanning, Apple VPP features, Google/Android APIs, etc.). Exploiting this vulnerability requires a Fleet administrator to control URLs Fleet connects to (e.g. webhook URLs). This, combined with the fact that the vulnerabilities are DoS (do not affect data confidentiality) we consider this report to be MEDIUM instead of HIGH impact. Nonetheless, we advise upgrading to v4.84.2+ when it's available.
- Products:
fleet,pkg:golang/stdlib - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2026-04-27 15:37:25
- Author: @lucasmrod
- Status:
not_affected - Status notes: Fleet connects using TLS to a strict set of URLs (e.g. for vulnerability scanning, Apple VPP features, Google/Android APIs, etc.). Exploiting this vulnerability requires a Fleet administrator to control URLs Fleet connects to (e.g. webhook URLs). This, combined with the fact that the vulnerabilities are DoS (do not affect data confidentiality) we consider this report to be MEDIUM instead of HIGH impact. Nonetheless, we advise upgrading to v4.85.0 when it's available.
- Products:
fleet,pkg:golang/stdlib - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2026-04-27 15:37:12
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetdm/fleet uses Go TLS to connect to servers.
- Products:
fleet,pkg:apk/alpine/libcrypto3,pkg:apk/alpine/libssl3 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-04-27 14:42:11
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetdm/fleet uses Go TLS to connect to servers.
- Products:
fleet,pkg:apk/alpine/libcrypto3,pkg:apk/alpine/libssl3 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-04-27 14:41:44
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetdm/fleet uses Go TLS to connect to servers.
- Products:
fleet,pkg:apk/alpine/libcrypto3,pkg:apk/alpine/libssl3 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-04-27 14:41:34
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetdm/fleet uses Go TLS to connect to servers.
- Products:
fleet,pkg:apk/alpine/libcrypto3,pkg:apk/alpine/libssl3 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-04-27 14:41:22
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetdm/fleet uses Go TLS to connect to servers.
- Products:
fleet,pkg:apk/alpine/libcrypto3,pkg:apk/alpine/libssl3 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-04-27 14:41:09
- Author: @lucasmrod
- Status:
not_affected - Status notes: All url.Parse inputs reachable in Fleet are admin-trusted configuration, not attacker-controlled. Nonetheless, we advise upgrading to v4.84.0 when possible.
- Products:
fleet,pkg:golang/stdlib - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2026-04-27 17:05:55
- Author: @lucasmrod
- Status:
not_affected - Status notes: The vulnerability is in zlib's contrib/untgz standalone demo utility, not in the core zlib library.
- Products:
fleet,pkg:apk/alpine/zlib@1.3.1-r2 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-03-13 12:01:11
- Author: @lucasmrod
- Status:
not_affected - Status notes: Fleet uses Go cryptography packages.
- Products:
fleet,pkg:apk/alpine/openssl@3.3.3-r0?os_name=alpine&os_version=3.21 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-10-01 10:09:03
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleet uses Go's crypto and TLS implementation.
- Products:
fleet,pkg:apk/alpine/libcrypto3,pkg:apk/alpine/libssl3 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-01-03 15:15:53
- Author: @lucasmrod
- Status:
not_affected - Status notes: Fleet does not mutate CA pool store between TLS sessions.
- Products:
fleet,pkg:golang/stdlib - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-03-13 13:23:41
- Author: @lucasmrod
- Status:
fixed - Products:
fleet@v4.78.* - Timestamp: 2025-12-10 19:26:25
- Author: @lucasmrod
- Status:
affected - Status notes: This is not a CRITICAL CVE, but we still recommend upgrading to 4.78.* when it's available.
- Products:
fleet@v4.77.0,fleet@v4.76.0,fleet@v4.76.1,fleet@v4.75.0,fleet@v4.75.1,pkg:golang/stdlib@1.25.3 - Action statement:
No action statement provided - Timestamp: 2025-12-10 19:26:10
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleet does not use OPA in server mode, it uses it as a library.
- Products:
fleet,pkg:golang/github.com/open-policy-agent/opa@v0.44.0,pkg:golang/github.com/open-policy-agent/opa@0.44.0 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-05-05 20:29:07
- Author: @lucasmrod
- Status:
not_affected - Status notes: The token format being validated before the call to ParseUnverified.
- Products:
fleet,pkg:golang/github.com/golang-jwt/jwt/v4 - Justification:
inline_mitigations_already_exist - Timestamp: 2025-04-10 15:23:54
- Author: @lucasmrod
- Status:
fixed - Products:
pkg:golang/github.com/fleetdm/fleet/v4,cpe:2.3:a:fleetdm:fleet:v4.64.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.63.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.62.4:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.58.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.53.2:*:*:*:*:*:*:* - Timestamp: 2025-05-12 16:30:30
- Author: @lucasmrod
- Status:
affected - Products:
cpe:2.3:a:fleetdm:fleet:v4.64.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.64.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.63.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.63.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.62.3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.62.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.62.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.62.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.61.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.60.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.60.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.59.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.59.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.58.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.57.3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.57.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.57.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.57.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.56.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.55.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.55.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.55.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.54.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.54.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.54.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.53.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.53.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.52.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.51.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.51.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.50.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.50.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.50.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.49.4:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.49.3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.49.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.49.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.49.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.48.3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.48.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.48.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.48.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.47.3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.47.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.47.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.47.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.46.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.46.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.46.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.45.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.45.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.44.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.44.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.43.3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.43.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.43.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.43.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.42.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.41.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.41.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.40.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.39.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.38.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.38.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.37.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.36.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.35.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.35.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.35.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.34.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.34.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.33.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.33.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.32.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.31.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.31.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.30.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.30.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.29.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.29.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.28.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.28.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.27.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.27.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.26.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.25.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.24.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.24.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.23.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.22.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.22.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.21.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.20.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.20.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.19.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.19.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.18.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.17.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.17.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.16.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.15.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.14.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.13.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.13.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.13.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.12.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.12.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.11.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.10.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.9.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.9.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.8.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.7.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.6.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.6.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.6.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.5.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.5.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.4.3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.4.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.4.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.4.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.3.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.3.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.3.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.2.4:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.2.3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.2.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.2.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.2.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.1.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.0.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.0.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.0.0-rc3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.0.0-rc2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.0.0-rc1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.13.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.12.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.11.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.10.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.10.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.9.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.8.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.7.4:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.7.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.7.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.6.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.5.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.5.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.4.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.3.0:*:*:*:*:*:*:* - Action statement:
Disable SAML SSO authentication. - Timestamp: 2025-05-12 16:13:23
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleet does not perform any EUC-KR to UTF-8 translation by libc.
- Products:
fleet,pkg:apk/alpine/musl@1.2.5-r8?os_name=alpine&os_version=3.21 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-04-14 16:30:01
- Author: @lucasmrod
- Status:
not_affected - Status notes: Fleet does not perform any verification of policies in client certificates (CertificatePolicies not set in VerifyOptions).
- Products:
fleet,pkg:golang/stdlib@1.24.2 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-06-23 16:48:42
- Author: @lucasmrod
- Status:
not_affected - Status notes: The fleetctl executable is unused in the fleetdm/fleet docker image. The executable was removed in v4.64.0.
- Products:
fleet,pkg:golang/github.com/go-git/go-git/v5 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-04-10 15:43:15
- Author: @lucasmrod
- Status:
not_affected - Status notes: The fleetctl executable is unused in the fleetdm/fleet docker image. The executable was removed in v4.64.0.
- Products:
fleet,pkg:golang/github.com/go-git/go-git/v5 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-04-10 15:42:55
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleet uses Go's crypto and TLS implementation.
- Products:
fleet,pkg:apk/alpine/libcrypto3,pkg:apk/alpine/libssl3 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-01-03 15:15:53
- Author: @lucasmrod
- Status:
not_affected - Status notes: Fleet doesn't run on Windows, so it's not affected by this vulnerability.
- Products:
fleet,pkg:golang/github.com/open-policy-agent/opa - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-05-05 20:54:14
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleet uses Go TLS implementation.
- Products:
fleet,pkg:apk/alpine/libcrypto3,pkg:apk/alpine/libssl3 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-04-10 15:15:53
- Author: @lucasmrod
- Status:
not_affected - Status notes: The fleetctl executable is unused in the fleetdm/fleet docker image. The executable was removed in v4.64.0.
- Products:
fleet,pkg:golang/github.com/goreleaser/nfpm/v2 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-04-10 15:28:30
- Author: @lucasmrod
- Status:
not_affected - Status notes: Vulnerability only affects Java/JVM web applications that use Jackson's asynchronous (non-blocking) JSON parser.
- Products:
fleetctl,pkg:maven/com.fasterxml.jackson.core/jackson-core@2.18.0 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-03-13 12:30:33
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not validate any XML signatures.
- Products:
fleetctl,pkg:golang/github.com/russellhaering/goxmldsig - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-03-23 16:44:57
- Author: @lucasmrod
- Status:
not_affected - Status notes: perl is not used during fleetd package generation.
- Products:
fleetctl,pkg:deb/debian/perl-base - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-06-01 10:34:06
- Author: @lucasmrod
- Status:
not_affected - Status notes: libssh2 is not used in fleetdm/fleetctl; go binary runs as entrypoint and does not use libssh2.
- Products:
fleetctl,pkg:deb/debian/libssh2-1t64 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-19 10:35:00
- Author: @lucasmrod
- Status:
not_affected - Status notes: CVE-2026-42504 (GO-2026-5038) is a quadratic-complexity DoS in the Go stdlib mime package's WordDecoder.DecodeHeader (RFC 2047 encoded-word decoding), which is reached when parsing email headers (e.g. via net/mail). fleetctl does not parse email or otherwise decode RFC 2047 headers. govulncheck on ./cmd/fleetctl/... confirms the mime package is only linked transitively (via net/http) and the vulnerable symbol mime.WordDecoder.DecodeHeader is never called (finding stops at the package-import level, no call trace). Trivy flags it solely because the binary embeds the go1.26.3 toolchain. The fix lands in fleetctl 4.87.0, which will be built with Go 1.26.4; upgrading is recommended as routine hygiene.
- Products:
fleetctl,pkg:golang/stdlib - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-06-09 12:57:06
- Author: @lucasmrod
- Status:
not_affected - Status notes: perl is not used during fleetd package generation.
- Products:
fleetctl,pkg:deb/debian/perl-base - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-06-01 10:34:06
- Author: @lucasmrod
- Status:
not_affected - Status notes: gnutls is not used in fleetdm/fleetctl (go binary uses Go's TLS).
- Products:
fleetctl,pkg:deb/debian/libgnutls30t64 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-19 10:35:00
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetdm/fleetctl functionality does not make use of ffmpeg.
- Products:
fleetctl,pkg:deb/debian/libavcodec61,pkg:deb/debian/libavformat61,pkg:deb/debian/libavutil59,pkg:deb/debian/libswresample5 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2026-04-27 17:38:09
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetdm/fleetctl does not use Mbed TLS. The libmbedcrypto16 package is an unused transitive dependency in the container image.
- Products:
fleetctl,pkg:deb/debian/libmbedcrypto16 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-04-08 12:06:49
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetdm/fleetctl does not use Mbed TLS. The libmbedcrypto16 package is an unused transitive dependency in the container image.
- Products:
fleetctl,pkg:deb/debian/libmbedcrypto16 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-04-08 12:06:46
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetdm/fleetctl functionality does not make use of gnutls.
- Products:
fleetctl,pkg:deb/debian/libgnutls30t64 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2026-05-07 12:01:42
- Author: @lucasmrod
- Status:
affected - Products:
fleetctl@v4.84.0,pkg:golang/stdlib@1.26.1 - Action statement:
Low probability of exploit: requires the fleetctl admin to (1) trust a private/enterprise CA that uses excluded DNS name constraints, (2) an attacker able to obtain a cert under that CA with a wildcard SAN whose case differs from the excluded constraint, and (3) a MITM or DNS-hijack position between the admin's workstation and the Fleet server. If all conditions are met, the attacker can impersonate the Fleet server over TLS and capture the admin's API token. The Fleet server itself is unaffected. Upgrade to a fleetctl build using Go >= 1.26.2 when available. - Timestamp: 2026-04-20 14:07:42
- Author: @lucasmrod
- Status:
not_affected - Status notes: Possible vulnerability in SSO service providers, not in fleetctl command line tool.
- Products:
fleetctl,pkg:golang/github.com/russellhaering/goxmldsig - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-03-31 09:54:45
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl uses admin controlled URLs to manage Fleet. The primary attack vector is social engineering an admin into using a crafted URL.
- Products:
fleetctl,pkg:golang/google.golang.org/grpc - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-03-23 19:20:41
- Author: @lucasmrod
- Status:
affected - Products:
fleetctl@v4.83.2,fleetctl@v4.83.1,fleetctl@v4.83.0,fleetctl@v4.82.2,fleetctl@v4.82.1,fleetctl@v4.82.0,fleetctl@v4.81.3,fleetctl@v4.81.2,fleetctl@v4.81.1,fleetctl@v4.81.0,fleetctl@v4.80.3,fleetctl@v4.80.2,fleetctl@v4.80.1,fleetctl@v4.80.0,fleetctl@v4.79.1,fleetctl@v4.79.0,fleetctl@v4.78.3,fleetctl@v4.78.2,fleetctl@v4.78.1,fleetctl@v4.78.0,fleetctl@v4.77.1,fleetctl@v4.77.0,fleetctl@v4.76.2,fleetctl@v4.76.1,fleetctl@v4.76.0,fleetctl@v4.75.2,fleetctl@v4.75.1,fleetctl@v4.75.0,fleetctl@v4.74.0,fleetctl@v4.73.5,fleetctl@v4.73.4,fleetctl@v4.73.3,fleetctl@v4.73.2,fleetctl@v4.73.1,fleetctl@v4.73.0,fleetctl@v4.72.1,fleetctl@v4.72.0,fleetctl@v4.71.1,fleetctl@v4.71.0,fleetctl@v4.70.1,fleetctl@v4.70.0,fleetctl@v4.69.0,fleetctl@v4.68.1,fleetctl@v4.68.0,fleetctl@v4.67.3,fleetctl@v4.67.2,fleetctl@v4.67.1,fleetctl@v4.67.0,fleetctl@v4.66.0,fleetctl@v4.65.0,fleetctl@v4.64.2,fleetctl@v4.64.1,fleetctl@v4.64.0,fleetctl@v4.63.2,fleetctl@v4.63.1,fleetctl@v4.63.0,fleetctl@v4.62.4,fleetctl@v4.62.3,fleetctl@v4.62.2,fleetctl@v4.62.1,fleetctl@v4.62.0,fleetctl@v4.61.0,fleetctl@v4.60.1,fleetctl@v4.60.0,fleetctl@v4.59.1,fleetctl@v4.59.0,fleetctl@v4.58.1,fleetctl@v4.58.0,fleetctl@v4.57.3,fleetctl@v4.57.2,fleetctl@v4.57.1,fleetctl@v4.57.0,fleetctl@v4.56.0,fleetctl@v4.55.2,fleetctl@v4.55.1,fleetctl@v4.55.0,fleetctl@v4.54.2,fleetctl@v4.54.1,fleetctl@v4.54.0,fleetctl@v4.53.2,fleetctl@v4.53.1,fleetctl@v4.53.0,fleetctl@v4.52.0,fleetctl@v4.51.1,fleetctl@v4.51.0,fleetctl@v4.50.2,fleetctl@v4.50.1,fleetctl@v4.50.0,fleetctl@v4.49.4,fleetctl@v4.49.3,fleetctl@v4.49.2,fleetctl@v4.49.1,fleetctl@v4.49.0,fleetctl@v4.48.3,fleetctl@v4.48.2,fleetctl@v4.48.1,fleetctl@v4.48.0,fleetctl@v4.47.3,fleetctl@v4.47.2,fleetctl@v4.47.1,fleetctl@v4.47.0,fleetctl@v4.46.2,fleetctl@v4.46.1,fleetctl@v4.46.0,fleetctl@v4.45.1,fleetctl@v4.45.0,fleetctl@v4.44.1,fleetctl@v4.44.0,fleetctl@v4.43.3,fleetctl@v4.43.2,fleetctl@v4.43.1,fleetctl@v4.43.0,fleetctl@v4.42.0,fleetctl@v4.41.1,fleetctl@v4.41.0,fleetctl@v4.40.0,fleetctl@v4.39.0,fleetctl@v4.38.1,fleetctl@v4.38.0,fleetctl@v4.37.0,fleetctl@v4.36.0,fleetctl@v4.35.2,fleetctl@v4.35.1,fleetctl@v4.35.0,fleetctl@v4.34.1,fleetctl@v4.34.0,fleetctl@v4.33.1,fleetctl@v4.33.0,fleetctl@v4.32.0,fleetctl@v4.31.1,fleetctl@v4.31.0,fleetctl@v4.30.1,fleetctl@v4.30.0,fleetctl@v4.29.1,fleetctl@v4.29.0,fleetctl@v4.28.1,fleetctl@v4.28.0,fleetctl@v4.27.1,fleetctl@v4.27.0,fleetctl@v4.26.0,fleetctl@v4.25.0,fleetctl@v4.24.1,fleetctl@v4.24.0,fleetctl@v4.23.0,fleetctl@v4.22.1,fleetctl@v4.22.0,fleetctl@v4.21.0,fleetctl@v4.20.1,fleetctl@v4.20.0,fleetctl@v4.19.1,fleetctl@v4.19.0,fleetctl@v4.18.0,fleetctl@v4.17.1,fleetctl@v4.17.0,fleetctl@v4.16.0,fleetctl@v4.15.0,fleetctl@v4.14.0,fleetctl@v4.13.2,fleetctl@v4.13.1,fleetctl@v4.13.0,fleetctl@v4.12.1,fleetctl@v4.12.0,fleetctl@v4.11.0,fleetctl@v4.10.0,fleetctl@v4.9.1,fleetctl@v4.9.0,fleetctl@v4.8.0,fleetctl@v4.7.0,fleetctl@v4.6.2,fleetctl@v4.6.1,fleetctl@v4.6.0,fleetctl@v4.5.1,fleetctl@v4.5.0,fleetctl@v4.4.3,fleetctl@v4.4.2,fleetctl@v4.4.1,fleetctl@v4.4.0,fleetctl@v4.3.2,fleetctl@v4.3.1,fleetctl@v4.3.0,fleetctl@v4.2.4,fleetctl@v4.2.3,fleetctl@v4.2.2,fleetctl@v4.2.1,fleetctl@v4.2.0,fleetctl@v4.1.0,fleetctl@v4.0.1,fleetctl@v4.0.0,fleetctl@v3.13.0,fleetctl@v3.12.0,fleetctl@v3.11.0,fleetctl@v3.10.1,fleetctl@v3.10.0,fleetctl@v3.9.0,fleetctl@v3.8.0,fleetctl@v3.7.4,fleetctl@v3.7.1,fleetctl@v3.7.0,fleetctl@v3.6.0,fleetctl@v3.5.1,fleetctl@v3.5.0,fleetctl@v3.4.0,fleetctl@v3.3.0,pkg:golang/stdlib@1.25.7 - Action statement:
Low impact: denial-of-service (high CPU) on the host running fleetctl if it connects to a hostile TLS peer (malicious/compromised Fleet server, or MITM presenting a valid-looking cert) that sends many intermediate certificates. No code execution or data disclosure, and the Fleet server itself is unaffected. Upgrade to a fleetctl build using Go >= 1.26.2 when available. - Timestamp: 2026-04-20 14:00:03
- Author: @lucasmrod
- Status:
not_affected - Status notes: Vulnerability in orbit not fleetctl.
- Products:
fleetctl,pkg:golang/github.com/fleetdm/fleet/v4 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-04-20 13:46:50
- Author: @lucasmrod
- Status:
not_affected - Status notes: This is a vulnerability in Fleet, not fleetctl.
- Products:
fleetctl,pkg:golang/github.com/fleetdm/fleet/v4 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-03-13 12:33:34
- Author: @lucasmrod
- Status:
not_affected - Status notes: This is a vulnerability in Fleet, not fleetctl.
- Products:
fleetctl,pkg:golang/github.com/fleetdm/fleet/v4 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-19 10:30:00
- Author: @lucasmrod
- Status:
not_affected - Status notes: Vulnerability in fleet server, not fleetctl.
- Products:
fleetctl,pkg:golang/github.com/fleetdm/fleet/v4 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-03-31 09:36:31
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl uses admin controlled URLs to manage Fleet. The primary attack vector is social engineering an admin into using a crafted URL.
- Products:
fleetctl,pkg:golang/stdlib - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2026-03-23 19:12:15
- Author: @lucasmrod
- Status:
not_affected - Status notes: This is a vulnerability in Fleet, not fleetctl.
- Products:
fleetctl,pkg:golang/github.com/fleetdm/fleet/v4 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-19 10:30:00
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not process XML using libexpat1, and when genrating packages the XMLs are defined.
- Products:
fleetctl,pkg:deb/debian/libexpat1 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-01-03 15:15:53
- Author: @lucasmrod
- Status:
not_affected - Status notes: This is a vulnerability in Fleet, not fleetctl.
- Products:
fleetctl,pkg:golang/github.com/fleetdm/fleet/v4 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-19 10:30:00
- Author: @lucasmrod
- Status:
not_affected - Status notes: This vulnerability affected fleet, not fleetctl, adding it here to avoid false positives.
- Products:
fleetctl,pkg:golang/github.com/fleetdm/fleet/v4 - Justification:
component_not_present - Timestamp: 2026-01-30 09:25:41
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetdm/fleetctl does not use libssh. The libssh-4 package is an unused transitive dependency in the container image.
- Products:
fleetctl,pkg:deb/debian/libssh-4 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-04-08 12:06:51
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleet uses Go's crypto and TLS implementation.
- Products:
fleetctl,pkg:deb/debian/libssl3,pkg:deb/debian/openssl - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-01-03 15:15:53
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetdm/fleetctl does not process end-user provided PDF files with Java when generating fleetd installers. The only PDF processing code is in Go for EULA documents.
- Products:
fleetctl,pkg:maven/org.apache.tika/tika-core - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-12-10 18:12:45
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetdm/fleetctl does not use libpng. Fleet components use the 'image/png' Go package for png processing.
- Products:
fleetctl,pkg:deb/debian/libpng16-16 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-12-10 19:04:58
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetdm/fleetctl does not use libpng. Fleet components use the 'image/png' Go package for png processing.
- Products:
fleetctl,pkg:deb/debian/libpng16-16 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-12-10 19:04:42
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetdm/fleetctl does not use libpng. Fleet components use the 'image/png' Go package for png processing.
- Products:
fleetctl,pkg:deb/debian/libpng16-16 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-12-10 19:04:07
- Author: @lucasmrod
- Status:
fixed - Products:
fleetctl@v4.78.* - Timestamp: 2025-12-10 19:26:44
- Author: @lucasmrod
- Status:
affected - Status notes: This is not a CRITICAL CVE, but we still recommend upgrading to 4.78.* when it's available.
- Products:
fleetctl@v4.77.0,fleetctl@v4.76.0,fleetctl@v4.76.1,fleetctl@v4.75.0,fleetctl@v4.75.1,pkg:golang/stdlib@1.25.3 - Action statement:
No action statement provided - Timestamp: 2025-12-10 19:26:35
- Author: @sgress454
- Status:
not_affected - Status notes: The affected dependency (libxml2) is not utilized by fleetctl itself, but by Apple’s iTMSTransporter tool, which is included in the Docker image for code signing purposes. fleetctl does not process untrusted XML input. Additionally, this CVE describes a denial-of-service (DoS) vulnerability, and fleetctl is a CLI tool, not a long-running service, and therefore is not susceptible to DoS-style exploitation.
- Products:
fleetctl,pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1,pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u2 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-06-13 15:57:38
- Author: @sgress454
- Status:
not_affected - Status notes: The affected dependency (libxml2) is not utilized by fleetctl itself, but by Apple’s iTMSTransporter tool, which is included in the Docker image for code signing purposes. fleetctl does not process untrusted XML input. Additionally, this CVE describes a denial-of-service (DoS) vulnerability, and fleetctl is a CLI tool, not a long-running service, and therefore is not susceptible to DoS-style exploitation.
- Products:
fleetctl,pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-06-13 15:57:25
- Author: @sgress454
- Status:
not_affected - Status notes: The affected dependency (libxml2) is not utilized by fleetctl itself, but by Apple’s iTMSTransporter tool, which is included in the Docker image for code signing purposes. fleetctl does not process untrusted XML input. Additionally, this CVE describes a denial-of-service (DoS) vulnerability, and fleetctl is a CLI tool, not a long-running service, and therefore is not susceptible to DoS-style exploitation.
- Products:
fleetctl,pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1,pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u2 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-06-13 15:56:50
- Author: @lucasmrod
- Status:
not_affected - Status notes: The fleetctl tool is used by IT admins to generate packages so the vulnerable code cannot be controlled by attackers.
- Products:
fleetctl,pkg:maven/commons-beanutils/commons-beanutils - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-06-02 07:33:44
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use OPA.
- Products:
fleetctl,pkg:golang/github.com/open-policy-agent/opa - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-05-06 07:47:31
- Author: @lucasmrod
- Status:
not_affected - Status notes: Vulnerability affects web servers, not fleetctl.
- Products:
fleetctl,pkg:maven/org.springframework/spring-core - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-09-22 10:27:40
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use liblzma5.
- Products:
fleetctl,pkg:deb/debian/liblzma5 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-04-09 13:24:20
- Author: @lucasmrod
- Status:
not_affected - Status notes: This vulnerability affected fleet, not fleetctl, adding it here to avoid false positives.
- Products:
fleetctl,pkg:golang/github.com/fleetdm/fleet/v4 - Justification:
component_not_present - Timestamp: 2025-09-12 09:25:41
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl uses Go's crypto and TLS implementation.
- Products:
fleetctl,pkg:deb/debian/openssl,pkg:deb/debian/libssl3 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-01-03 15:15:53
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use Java.
- Products:
fleetctl,pkg:maven/com.google.protobuf/protobuf-java - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-04-10 07:34:26
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use libaom3.
- Products:
fleetctl,pkg:deb/debian/libaom3 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-04-15 10:28:21
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use zlib C library.
- Products:
fleetctl,pkg:deb/debian/zlib1g - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-04-15 10:17:19
- Author: @getvictor
- Status:
not_affected - Status notes: When packaging linux files, fleetctl does not use global permissions. It was verified that packed fleetd package files do not have group/global write permissions.
- Products:
fleetctl,pkg:golang/github.com/goreleaser/nfpm/v2 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-04-09 10:26:02
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use Java.
- Products:
fleetctl,pkg:maven/org.codehaus.jackson/jackson-mapper-asl - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-04-15 10:31:31
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use Java.
- Products:
fleetctl,pkg:maven/xerces/xercesImpl - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-04-10 07:36:31
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use Java.
- Products:
fleetctl,pkg:maven/xerces/xercesImpl - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-04-10 14:46:52
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not do JPEG processing when using fleetdm/wix.
- Products:
wix,pkg:deb/debian/libgdk-pixbuf-2.0-0,pkg:deb/debian/libgdk-pixbuf2.0-common - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-04-20 11:41:33
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not call cap_set_file() when using fleetdm/wix.
- Products:
wix,pkg:deb/debian/libcap2,pkg:deb/debian/libcap2-bin - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-19 10:16:53
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not do TIFF processing when using fleetdm/wix.
- Products:
wix,pkg:deb/debian/libtiff6 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-04-20 11:42:37
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use OpenSSL (e.g. PKCS7_verify) when using fleetdm/wix to generate MSI packages.
- Products:
wix,pkg:deb/debian/libssl3t64,pkg:deb/debian/openssl,pkg:deb/debian/openssl-provider-legacy - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-06-15 08:42:45
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use gnutls when using fleetdm/wix (go binary uses Go's TLS).
- Products:
wix,pkg:deb/debian/libgnutls30t64 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-20 10:30:00
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use gnutls when using fleetdm/wix (go binary uses Go's TLS).
- Products:
wix,pkg:deb/debian/libgnutls30t64 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-20 10:30:00
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use gnutls when using fleetdm/wix (go binary uses Go's TLS).
- Products:
wix,pkg:deb/debian/libgnutls30t64 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-20 10:30:00
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not perform color management via Little CMS when using fleetdm/wix.
- Products:
wix,pkg:deb/debian/liblcms2-2 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-19 10:16:53
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not process media files when using fleetdm/wix.
- Products:
wix,pkg:deb/debian/libavcodec61,pkg:deb/debian/libavformat61,pkg:deb/debian/libavutil59,pkg:deb/debian/libswresample5 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-19 10:16:53
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not process EXIF metadata when using fleetdm/wix.
- Products:
wix,pkg:deb/debian/libexif12 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-19 10:16:53
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not process EXIF metadata when using fleetdm/wix.
- Products:
wix,pkg:deb/debian/libexif12 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-19 10:16:53
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use Kerberos when using fleetdm/wix to generate msi installers.
- Products:
wix,pkg:deb/debian/libgssapi-krb5-2,pkg:deb/debian/libk5crypto3,pkg:deb/debian/libkrb5-3,pkg:deb/debian/libkrb5support0 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-26 10:42:11
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use gnutls when using fleetdm/wix (go binary uses Go's TLS).
- Products:
wix,pkg:deb/debian/libgnutls30t64 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-20 10:30:00
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use gnutls when using fleetdm/wix (go binary uses Go's TLS).
- Products:
wix,pkg:deb/debian/libgnutls30t64 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-20 10:30:00
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use gnutls when using fleetdm/wix (go binary uses Go's TLS).
- Products:
wix,pkg:deb/debian/libgnutls30t64 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-20 10:30:00
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not do PNG processing when using fleetdm/wix.
- Products:
wix,pkg:deb/debian/libpng16-16t64 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-04-08 11:43:22
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not do PNG processing when using fleetdm/wix.
- Products:
wix,pkg:deb/debian/libpng16-16t64 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-04-08 11:01:10
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not process EXIF metadata when using fleetdm/wix.
- Products:
wix,pkg:deb/debian/libexif12 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-19 10:16:53
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use fleetdm/wix to connect to TLS servers using OpenSSL.
- Products:
wix,pkg:deb/debian/libssl3t64,pkg:deb/debian/openssl,pkg:deb/debian/openssl-provider-legacy - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-04-27 14:22:53
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not process media files when using fleetdm/wix.
- Products:
wix,pkg:deb/debian/libgstreamer-plugins-base1.0-0 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2026-03-24 12:23:52
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use systemd IPC APIs when using fleetdm/wix.
- Products:
wix,pkg:deb/debian/libsystemd0,pkg:deb/debian/libudev1 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-19 10:16:53
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetdm/wix does not connect to TLS servers using OpenSSL.
- Products:
wix,pkg:deb/debian/libssl3t64,pkg:deb/debian/openssl,pkg:deb/debian/openssl-provider-legacy - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-04-20 11:44:34
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use fleetdm/wix to connect to TLS servers using OpenSSL.
- Products:
wix,pkg:deb/debian/libssl3t64,pkg:deb/debian/openssl,pkg:deb/debian/openssl-provider-legacy - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-04-27 14:24:11
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use fleetdm/wix to connect to TLS servers using OpenSSL.
- Products:
wix,pkg:deb/debian/libssl3t64,pkg:deb/debian/openssl,pkg:deb/debian/openssl-provider-legacy - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-04-27 14:23:56
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use fleetdm/wix to connect to TLS servers using OpenSSL.
- Products:
wix,pkg:deb/debian/libssl3t64,pkg:deb/debian/openssl,pkg:deb/debian/openssl-provider-legacy - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-04-27 14:23:45
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not serve or handle HTTP/2 traffic via libnghttp2 when using fleetdm/wix.
- Products:
wix,pkg:deb/debian/libnghttp2-14 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-19 10:16:53
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not process JPEG XL images when using fleetdm/wix.
- Products:
wix,pkg:deb/debian/libjxl0.11 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-19 10:16:53
- Author: @lucasmrod
- Status:
not_affected - Status notes: No attacker-controlled allocation arguments. The fleetdm/wix container runs WiX toolset commands (heat.exe, candle.exe, light.exe) via Wine to compile .wxs files into an MSI. The only input is a volume-mounted temp directory containing Fleet-generated files (main.wxs, heat.wxs, the orbit root directory). None of this feeds attacker-controlled size/alignment values to memalign.
- Products:
wix,pkg:deb/debian/libc6,pkg:deb/debian/libc-bin - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2026-03-24 12:18:16
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not do PNG processing when using fleetdm/wix.
- Products:
wix,pkg:deb/debian/libpng16-16 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-12-19 18:03:45
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not do PNG processing when using fleetdm/wix.
- Products:
wix,pkg:deb/debian/libpng16-16 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-12-19 18:03:33
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not do PNG processing when using fleetdm/wix.
- Products:
wix,pkg:deb/debian/libpng16-16 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-12-19 18:02:56
- Author: @lucasmrod
- Status:
not_affected - Status notes: The WiX toolset is unaffected by the perl vulnerability.
- Products:
wix,pkg:deb/debian/perl-base - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-10-01 08:36:42
- Author: @lucasmrod
- Status:
not_affected - Status notes: mkbom and xar from fleetdm/bomutils do not call cap_set_file().
- Products:
bomutils,pkg:deb/debian/libcap2,pkg:deb/debian/libcap2-bin - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-19 10:25:00
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use OpenSSL (e.g. PKCS7_verify) when using fleetdm/bomutils to generate PKG packages.
- Products:
bomutils,pkg:deb/debian/libssl3t64,pkg:deb/debian/openssl,pkg:deb/debian/openssl-provider-legacy - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-06-15 08:42:45
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use fleetdm/bomutils to connect to TLS servers using OpenSSL.
- Products:
bomutils,pkg:deb/debian/libssl3t64,pkg:deb/debian/openssl,pkg:deb/debian/openssl-provider-legacy - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-04-27 14:28:25
- Author: @lucasmrod
- Status:
not_affected - Status notes: mkbom and xar from fleetdm/bomutils do not use systemd IPC APIs.
- Products:
bomutils,pkg:deb/debian/libsystemd0,pkg:deb/debian/libudev1 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-05-19 10:25:00
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetdm/bomutils does not connect to TLS servers using OpenSSL.
- Products:
bomutils,pkg:deb/debian/libssl3t64,pkg:deb/debian/openssl,pkg:deb/debian/openssl-provider-legacy - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-04-20 11:48:55
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use fleetdm/bomutils to connect to TLS servers using OpenSSL.
- Products:
bomutils,pkg:deb/debian/libssl3t64,pkg:deb/debian/openssl,pkg:deb/debian/openssl-provider-legacy - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-04-27 14:29:08
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use fleetdm/bomutils to connect to TLS servers using OpenSSL.
- Products:
bomutils,pkg:deb/debian/libssl3t64,pkg:deb/debian/openssl,pkg:deb/debian/openssl-provider-legacy - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-04-27 14:28:53
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use fleetdm/bomutils to connect to TLS servers using OpenSSL.
- Products:
bomutils,pkg:deb/debian/libssl3t64,pkg:deb/debian/openssl,pkg:deb/debian/openssl-provider-legacy - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-04-27 14:28:43
- Author: @lucasmrod
- Status:
not_affected - Status notes: Use of mkbom and xar from fleetdm/bomutils have admin controlled inputs.
- Products:
bomutils,pkg:deb/debian/libc6,pkg:deb/debian/libc-bin - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2026-03-24 08:41:27