nginx/docker-nginx-unprivileged

Vulnerability in the used Node version

Closed this issue · 1 comment

Hello,

In my team we are using an nginxinc docker image: "stable" tag

We ran a security scan and it found the following "HIGH"-risk-classified vulnerability coming from curl:

Information Disclosure (CVE-2023-46218)

The scan suggests that they are fixed in a patched version: 8.5.0. However, the installed version is 7.88.1.

I was wondering if it's possible that you update node to the suggested version to solve the vulnerability?
Thank you so much.

Hey @HassenMaamri, this is not considered a critical CVE per https://github.com/nginxinc/docker-nginx-unprivileged#on-reporting-issues and https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/SECURITY.md, so the images will be rebuilt next Monday and assuming there's a fix by then, the image will be patched.

I will also add that if you actually read the CVE details (https://nvd.nist.gov/vuln/detail/CVE-2023-46218) you will see that the CVE is undergoing reanalysis so it might not even be considered a CVE anymore once the reanalysis is concluded.