Critical CVEs found when scanning latest image
Opened this issue · 8 comments
When scanning the latest version of the code-server image, our scanner found two critical CVEs:
- Image: ghcr.io/coder/code-server:4.105.1 (digest: sha256:2d48970bd2084aa34a522d772b6a437981ea80407465b3bf7958553985c570e1)
- Scanner: Trivy v0.58.2
- Critical CVEs:
  - CVE-2023-45853 in version 1:1.2.13.dfsg-1 of package zlib1g
  - CVE-2024-24790 in version v1.20.7 of package stdlib (fixed in versions 1.21.11, 1.22.4)

CVE-2024-24790 seems to be contained in every image flavour, not just debian.
Due to our security policy, these CVEs block us from deploying code-server in our environment.
Is there any chance of updating these dependencies? (Or are they false positives?)
Hm these are system packages installed in the image? I will redeploy the Docker builds which should update everything.
Not sure why our nightly Trivy scan did not pick up anything.
Oh wait CVE-2024-24790 did come up but it said it was for fixuid, and fixuid makes no network requests. I do not believe there is a new version of fixuid in any case.
CVE-2023-45853 does not seem to have come up before in our scans, but I checked debian:12 and the latest still seems to be zlib1g 1.2.13 so nothing we can update there either. Have not checked the other images yet.
Thanks for the quick response! I did some more scanning and came to the following conclusion:
- CVE-2024-24790 is a false positive because while the affected gobinary, usr/local/bin/fixuid, uses a vulnerable version of Go, it does not use any of the vulnerable methods.
- CVE-2023-45853 is an actual vulnerability, but it only applies to the debian flavour of code-server and can be bypassed by using another flavour like ubuntu.

Can you confirm?
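The reachability argument above (a Go binary is only exposed to CVE-2024-24790 if it feeds IPv4-mapped IPv6 input to the affected net/netip Is* methods) is easier to evaluate with the bug class in hand. The following is an added Go example, not code from this thread or from fixuid: it shows the defensive pattern of calling Unmap() before the Is* checks, which yields the same classification on affected and fixed toolchains; the function names and sample addresses are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// addrClass is the result of an allow-list style address check.
type addrClass string

const (
	classLoopback addrClass = "loopback"
	classPrivate  addrClass = "private"
	classPublic   addrClass = "public"
)

// classify reports whether addr is loopback, private/link-local or public.
// It calls Unmap() first so that an IPv4-mapped IPv6 address such as
// ::ffff:127.0.0.1 is judged by its embedded IPv4 address. On toolchains
// affected by CVE-2024-24790 (Go before 1.21.11 / 1.22.4) the Is* methods
// returned false for such addresses, so a check without Unmap() would have
// treated ::ffff:127.0.0.1 as a public address.
func classify(addr netip.Addr) addrClass {
	a := addr.Unmap() // no-op for anything that is not IPv4-mapped
	switch {
	case a.IsLoopback():
		return classLoopback
	case a.IsPrivate() || a.IsLinkLocalUnicast():
		return classPrivate
	default:
		return classPublic
	}
}

// classifyString parses s and classifies it; malformed input is an error.
func classifyString(s string) (addrClass, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return "", err
	}
	return classify(addr), nil
}

func main() {
	// Constructed sample inputs, including IPv4-mapped IPv6 forms.
	for _, s := range []string{"127.0.0.1", "::ffff:127.0.0.1", "10.1.2.3", "::ffff:10.1.2.3", "::1", "93.184.216.34", "fe80::1"} {
		c, err := classifyString(s)
		fmt.Println(s, c, err)
	}
}
```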
CVE-2024-24790 is a false-positive because while the affected gobinary, usr/local/bin/fixuid, uses a vulnerable version of go, it does not use any of the vulnerable methods.
Yup, exactly.
CVE-2023-45853 is an actual vulnerability, but it only applies to the debian flavour of code-server and can be bypassed by using another flavour like ubuntu.
No, looks like most flavors are affected. I went through them all and these have versions <= 1.3:
- debian:12 (zlib1g 1.2.13)
- ubuntu:focal (zlib1g 1.2.11)
- ubuntu:noble (zlib1g 1.3)
- fedora:39 (zlib 1.2.13)
The opensuse image does not appear to have zlib installed at all, so I suppose it is unaffected? I am not familiar with opensuse though, maybe I am using the package tool incorrectly.
No, looks like most flavors are affected.
My scans do not confirm this. Using a newer version of Trivy (0.67.2), I can only find false positives (#6332) ...
code-server:4.105.1-focal
Command:
$ podman run -it aquasec/trivy:0.67.2 image ghcr.io/coder/code-server:4.105.1-focal -s CRITICAL --scanners=vuln --table-mode=detailed -q
Output:
Node.js (node-pkg)
Total: 4 (CRITICAL: 4)

Library                    | Vulnerability  | Severity | Status | Installed Version | Fixed Version | Title
code-server (package.json) | CVE-2023-26114 | CRITICAL | fixed  | 1.105.1           | 4.10.1        | code-server vulnerable to Missing Origin Validation in WebSockets (https://avd.aquasec.com/nvd/cve-2023-26114)
handlebars (package.json)  | CVE-2019-19919 | CRITICAL | fixed  | 1.0.0             | 4.3.0, 3.0.8  | nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads (https://avd.aquasec.com/nvd/cve-2019-19919)
handlebars (package.json)  | CVE-2021-23369 | CRITICAL | fixed  | 1.0.0             | 4.7.7         | nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option... (https://avd.aquasec.com/nvd/cve-2021-23369)
handlebars (package.json)  | CVE-2021-23383 | CRITICAL | fixed  | 1.0.0             | 4.7.7         | nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option... (https://avd.aquasec.com/nvd/cve-2021-23383)

usr/local/bin/fixuid (gobinary)
Total: 1 (CRITICAL: 1)

Library | Vulnerability  | Severity | Status | Installed Version | Fixed Version   | Title
stdlib  | CVE-2024-24790 | CRITICAL | fixed  | v1.20.7           | 1.21.11, 1.22.4 | golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses (https://avd.aquasec.com/nvd/cve-2024-24790)
code-server:4.105.1-noble
Command:
$ podman run -it aquasec/trivy:0.67.2 image ghcr.io/coder/code-server:4.105.1-noble -s CRITICAL --scanners=vuln --table-mode=detailed -q
Output:
Node.js (node-pkg)
Total: 4 (CRITICAL: 4)

Library                    | Vulnerability  | Severity | Status | Installed Version | Fixed Version | Title
code-server (package.json) | CVE-2023-26114 | CRITICAL | fixed  | 1.105.1           | 4.10.1        | code-server vulnerable to Missing Origin Validation in WebSockets (https://avd.aquasec.com/nvd/cve-2023-26114)
handlebars (package.json)  | CVE-2019-19919 | CRITICAL | fixed  | 1.0.0             | 4.3.0, 3.0.8  | nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads (https://avd.aquasec.com/nvd/cve-2019-19919)
handlebars (package.json)  | CVE-2021-23369 | CRITICAL | fixed  | 1.0.0             | 4.7.7         | nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option... (https://avd.aquasec.com/nvd/cve-2021-23369)
handlebars (package.json)  | CVE-2021-23383 | CRITICAL | fixed  | 1.0.0             | 4.7.7         | nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option... (https://avd.aquasec.com/nvd/cve-2021-23383)

usr/local/bin/fixuid (gobinary)
Total: 1 (CRITICAL: 1)

Library | Vulnerability  | Severity | Status | Installed Version | Fixed Version   | Title
stdlib  | CVE-2024-24790 | CRITICAL | fixed  | v1.20.7           | 1.21.11, 1.22.4 | golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses (https://avd.aquasec.com/nvd/cve-2024-24790)
code-server:4.105.1-fedora
Command:
$ podman run -it aquasec/trivy:0.67.2 image ghcr.io/coder/code-server:4.105.1-fedora -s CRITICAL --scanners=vuln --table-mode=detailed -q
Output:
Node.js (node-pkg)
Total: 4 (CRITICAL: 4)

Library                    | Vulnerability  | Severity | Status | Installed Version | Fixed Version | Title
code-server (package.json) | CVE-2023-26114 | CRITICAL | fixed  | 1.105.1           | 4.10.1        | code-server vulnerable to Missing Origin Validation in WebSockets (https://avd.aquasec.com/nvd/cve-2023-26114)
handlebars (package.json)  | CVE-2019-19919 | CRITICAL | fixed  | 1.0.0             | 4.3.0, 3.0.8  | nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads (https://avd.aquasec.com/nvd/cve-2019-19919)
handlebars (package.json)  | CVE-2021-23369 | CRITICAL | fixed  | 1.0.0             | 4.7.7         | nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option... (https://avd.aquasec.com/nvd/cve-2021-23369)
handlebars (package.json)  | CVE-2021-23383 | CRITICAL | fixed  | 1.0.0             | 4.7.7         | nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option... (https://avd.aquasec.com/nvd/cve-2021-23383)

usr/local/bin/fixuid (gobinary)
Total: 1 (CRITICAL: 1)

Library | Vulnerability  | Severity | Status | Installed Version | Fixed Version   | Title
stdlib  | CVE-2024-24790 | CRITICAL | fixed  | v1.20.7           | 1.21.11, 1.22.4 | golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses (https://avd.aquasec.com/nvd/cve-2024-24790)
Am I missing something?
Hmm I am not sure, all I did was run the container and check the package manager for what was installed. One example:
$ docker run --rm -it --entrypoint bash codercom/code-server:4.105.1-focal
$ apt show zlib1g
Package: zlib1g
Version: 1:1.2.11.dfsg-2ubuntu1.5
Status: install ok installed
Priority: required
Section: libs
Source: zlib
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Mark Brown <broonie@debian.org>
Installed-Size: 168 kB
Provides: libz1
Depends: libc6 (>= 2.14)
Conflicts: zlib1 (<= 1:1.0.4-7)
Breaks: libxml2 (<< 2.7.6.dfsg-2), texlive-binaries (<< 2009-12)
Homepage: http://zlib.net/
Download-Size: unknown
APT-Manual-Installed: yes
APT-Sources: /var/lib/dpkg/status
Description: compression library - runtime
zlib is a library implementing the deflate compression method found
in gzip and PKZIP. This package includes the shared library.
Actually, looking at the CVE more closely, it says MiniZip in zlib and MiniZip is not a supported part of the zlib product so maybe this is something only Debian is including or something. If Trivy says everything is fine, that is probably true.
Looking through madler/zlib#843 (comment) it seems like zlib being vulnerable in Debian is actually a false positive too.
The source code of that particular version of zlib has a vulnerability, but the vulnerable part isn't in the Debian package. The Debian binary for zlib doesn't contain the vulnerable code.