Debian Bullseye with Node 14 contains many vulnerability issues
Closed this issue · 1 comment
Cadence web:v3.31.0
OS distro: Debian GNU/Linux 11 (bullseye)
Security scanning tool: Twistlock
Our vulnerability scanner has found several issues in the latest cadence-web Docker image.
A lot of the issues are caused by the old Node version (Node 14). The active LTS version is 16 (Gallium), and the current version is 18.
An attempt to upgrade Node to Gallium was made in web:v3.30.1 but was reverted in web:v3.31.0 (#be925a0).
In order to solve these issues, please help upgrade Node to 16 or 18.
The full scan result is in the attached file:
twistlock_vul.log
(snipped log showing Critical/High/Medium issues)
Scan results for: image ubercadence/web:v3.31.0 sha256:4e9f66bba3967f0b5846ef40cf88361d869a5a8443c21901050a85bba490fe90
Vulnerabilities
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | DESCRIPTION |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-37434 | critical | 9.80 | zlib | 1:1.2.11.dfsg-2+deb11u1 | fixed in 1:1.2.11.dfsg-2+deb11u2 | 24 days | < 1 hour | zlib through 1.2.12 has a heap-based buffer |
| | | | | | 24 days ago | | | over-read or buffer overflow in inflate in |
| | | | | | | | | inflate.c via a large gzip header extra field. |
| | | | | | | | | NOTE: only appli... |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-37701 | high | 8.60 | tar | 2.2.2 | fixed in 6.1.7, 5.0.8, 4.4.16 | > 12 months | < 1 hour | The npm package "tar" (aka node-tar) before |
| | | | | | > 12 months ago | | | versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary |
| | | | | | | | | file creation/overwrite and arbitrary code |
| | | | | | | | | execution ... |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-32804 | high | 8.10 | tar | 2.2.2 | fixed in 6.1.1, 5.0.6, 4.4.14,... | > 1 years | < 1 hour | The npm package "tar" (aka node-tar) before |
| | | | | | > 1 years ago | | | versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a |
| | | | | | | | | arbitrary File Creation/Overwrite vulnerability |
| | | | | | | | | due to in... |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-32803 | high | 8.10 | tar | 2.2.2 | fixed in 6.1.2, 5.0.7, 4.4.15,... | > 1 years | < 1 hour | The npm package "tar" (aka node-tar) before |
| | | | | | > 1 years ago | | | versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an |
| | | | | | | | | arbitrary File Creation/Overwrite vulnerability |
| | | | | | | | | via insu... |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| PRISMA-2022-0049 | high | 8.00 | unset-value | 1.0.0 | fixed in 2.0.1 | > 6 months | < 1 hour | unset-value package versions before 2.0.1 are |
| | | | | | > 6 months ago | | | vulnerable to Prototype Pollution. unset() |
| | | | | | | | | function in index.js files allows for access to |
| | | | | | | | | object protot... |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| PRISMA-2022-0039 | high | 7.50 | minimatch | 3.0.4 | fixed in 3.0.5 | > 6 months | < 1 hour | minimatch package versions before 3.0.5 are |
| | | | | | > 6 months ago | | | vulnerable to Regular Expression Denial of Service |
| | | | | | | | | (ReDoS). It's possible to cause a denial of |
| | | | | | | | | service wh... |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-31129 | high | 7.50 | moment | 2.29.3 | fixed in 2.29.4 | 53 days | < 1 hour | moment is a JavaScript date library for parsing, |
| | | | | | 53 days ago | | | validating, manipulating, and formatting dates. |
| | | | | | | | | Affected versions of moment were found to use an |
| | | | | | | | | inef... |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-2509 | high | 7.50 | gnutls28 | 3.7.1-5+deb11u1 | fixed in 3.7.1-5+deb11u2 | 27 days | < 1 hour | A vulnerability found in gnutls. This security |
| | | | | | 27 days ago | | | flaw happens because of a double free error |
| | | | | | | | | occurs during verification of pkcs7 signatures in |
| | | | | | | | | gnutls_pk... |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-46828 | high | 7.50 | libtirpc | 1.3.1-1 | fixed in 1.3.1-1+deb11u1 | 40 days | < 1 hour | In libtirpc before 1.3.3rc1, remote attackers |
| | | | | | 40 days ago | | | could exhaust the file descriptors of a process |
| | | | | | | | | that uses libtirpc because idle TCP connections |
| | | | | | | | | are mish... |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-3807 | high | 7.50 | ansi-regex | 4.1.0 | fixed in 4.1.1 | > 11 months | < 1 hour | ansi-regex is vulnerable to Inefficient Regular |
| | | | | | > 11 months ago | | | Expression Complexity |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-3807 | high | 7.50 | ansi-regex | 3.0.0 | fixed in 4.1.1 | > 11 months | < 1 hour | ansi-regex is vulnerable to Inefficient Regular |
| | | | | | > 11 months ago | | | Expression Complexity |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-29059 | high | 7.50 | is-svg | 2.1.0 | fixed in 4.3.0 | > 1 years | < 1 hour | A vulnerability was discovered in IS-SVG |
| | | | | | > 1 years ago | | | version 2.1.0 to 4.2.2 and below where a Regular |
| | | | | | | | | Expression Denial of Service (ReDOS) occurs if the |
| | | | | | | | | applicati... |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-28092 | high | 7.50 | is-svg | 2.1.0 | | > 1 years | < 1 hour | The is-svg package 2.1.0 through 4.2.1 for Node.js |
| | | | | | | | | uses a regular expression that is vulnerable to |
| | | | | | | | | Regular Expression Denial of Service (ReDoS). If |
| | | | | | | | | an... |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2020-28469 | high | 7.50 | glob-parent | 3.1.0 | fixed in 5.1.2 | > 1 years | < 1 hour | This affects the package glob-parent before 5.1.2. |
| | | | | | > 1 years ago | | | The enclosure regex used to check for strings |
| | | | | | | | | ending in enclosure containing path separator. |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| GHSA-8j8c-7jfh-h6hx | high | 7.00 | js-yaml | 3.7.0 | fixed in 3.13.1 | > 3 years | < 1 hour | Versions of `js-yaml` prior to 3.13.1 are |
| | | | | | > 3 years ago | | | vulnerable to Code Injection. The `load()` |
| | | | | | | | | function may execute arbitrary code injected |
| | | | | | | | | through a malicious ... |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-37713 | high | 7.00 | tar | 2.2.2 | fixed in 6.1.9, 5.0.10, 4.4.18 | > 12 months | < 1 hour | The npm package "tar" (aka node-tar) before |
| | | | | | > 12 months ago | | | versions 4.4.18, 5.0.10, and 6.1.9 has an |
| | | | | | | | | arbitrary file creation/overwrite and arbitrary |
| | | | | | | | | code execution... |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-37712 | high | 7.00 | tar | 2.2.2 | fixed in 6.1.9, 5.0.10, 4.4.18 | > 12 months | < 1 hour | The npm package "tar" (aka node-tar) before |
| | | | | | > 12 months ago | | | versions 4.4.18, 5.0.10, and 6.1.9 has an |
| | | | | | | | | arbitrary file creation/overwrite and arbitrary |
| | | | | | | | | code execution... |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| PRISMA-2021-0147 | medium | 5.90 | clean-css | 4.2.4 | fixed in 5.2.2 | > 9 months | < 1 hour | clean-css package versions before 5.2.2 are |
| | | | | | > 9 months ago | | | vulnerable to Regular Expression Denial of Service |
| | | | | | | | | (ReDoS). Unsafe data URI regex can be exploited to |
| | | | | | | | | DOS ... |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-36313 | medium | 5.50 | file-type | 3.9.0 | fixed in 17.1.3, 16.5.4 | 38 days | < 1 hour | An issue was discovered in the file-type package |
| | | | | | 38 days ago | | | before 16.5.4 and 17.x before 17.1.3 for Node.js. |
| | | | | | | | | A malformed MKV file could cause the file type |
| | | | | | | | | dete... |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-36313 | medium | 5.50 | file-type | 6.2.0 | fixed in 17.1.3, 16.5.4 | 38 days | < 1 hour | An issue was discovered in the file-type package |
| | | | | | 38 days ago | | | before 16.5.4 and 17.x before 17.1.3 for Node.js. |
| | | | | | | | | A malformed MKV file could cause the file type |
| | | | | | | | | dete... |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-36313 | medium | 5.50 | file-type | 5.2.0 | fixed in 17.1.3, 16.5.4 | 38 days | < 1 hour | An issue was discovered in the file-type package |
| | | | | | 38 days ago | | | before 16.5.4 and 17.x before 17.1.3 for Node.js. |
| | | | | | | | | A malformed MKV file could cause the file type |
| | | | | | | | | dete... |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| PRISMA-2021-0169 | medium | 5.30 | uglify-js | 2.8.29 | fixed in 3.14.3 | > 8 months | < 1 hour | uglify-js package versions before 3.14.3 are |
| | | | | | > 8 months ago | | | vulnerable to Regular Expression Denial of Service |
| | | | | | | | | (ReDoS) via minify() function that uses vulnerable |
| | | | | | | | | reg... |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| PRISMA-2021-0169 | medium | 5.30 | uglify-js | 3.4.10 | fixed in 3.14.3 | > 8 months | < 1 hour | uglify-js package versions before 3.14.3 are |
| | | | | | > 8 months ago | | | vulnerable to Regular Expression Denial of Service |
| | | | | | | | | (ReDoS) via minify() function that uses vulnerable |
| | | | | | | | | reg... |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-33987 | medium | 5.30 | got | 7.1.0 | fixed in 12.1.0 | 71 days | < 1 hour | The got package before 12.1.0 (also fixed in |
| | | | | | 71 days ago | | | 11.8.5) for Node.js allows a redirect to a UNIX |
| | | | | | | | | socket. |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-33987 | medium | 5.30 | got | 6.7.1 | fixed in 12.1.0 | 71 days | < 1 hour | The got package before 12.1.0 (also fixed in |
| | | | | | 71 days ago | | | 11.8.5) for Node.js allows a redirect to a UNIX |
| | | | | | | | | socket. |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-29060 | medium | 5.30 | color-string | 0.3.0 | fixed in 1.5.5 | > 1 years | < 1 hour | A Regular Expression Denial of Service (ReDOS) |
| | | | | | > 1 years ago | | | vulnerability was discovered in Color-String |
| | | | | | | | | version 1.5.5 and below which occurs when the |
| | | | | | | | | application ... |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-23382 | medium | 5.30 | postcss | 6.0.23 | fixed in 8.2.13 | > 1 years | < 1 hour | The package postcss before 8.2.13 are vulnerable |
| | | | | | > 1 years ago | | | to Regular Expression Denial of Service (ReDoS) |
| | | | | | | | | via getAnnotationURL() and loadAnnotation() in |
| | | | | | | | | lib/pr... |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-23382 | medium | 5.30 | postcss | 5.2.18 | fixed in 8.2.13 | > 1 years | < 1 hour | The package postcss before 8.2.13 are vulnerable |
| | | | | | > 1 years ago | | | to Regular Expression Denial of Service (ReDoS) |
| | | | | | | | | via getAnnotationURL() and loadAnnotation() in |
| | | | | | | | | lib/pr... |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2020-7608 | medium | 5.30 | yargs-parser | 7.0.0 | fixed in 13.1.2 | > 2 years | < 1 hour | yargs-parser could be tricked into adding or |
| | | | | | > 2 years ago | | | modifying properties of Object.prototype using a |
| | | | | | | | | "__proto__" payload. |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| GHSA-4xcv-9jjx-gfj3 | moderate | 4.00 | mem | 1.1.0 | fixed in 4.0.0 | > 3 years | < 1 hour | Versions of `mem` prior to 4.0.0 are vulnerable |
| | | | | | > 3 years ago | | | to Denial of Service (DoS). The package fails |
| | | | | | | | | to remove old values from the cache even after a |
| | | | | | | | | value ... |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| GHSA-2pr6-76vf-7546 | moderate | 4.00 | js-yaml | 3.7.0 | fixed in 3.13.0 | > 3 years | < 1 hour | Versions of `js-yaml` prior to 3.13.0 are |
| | | | | | > 3 years ago | | | vulnerable to Denial of Service. By parsing a |
| | | | | | | | | carefully-crafted YAML file, the node process |
| | | | | | | | | stalls and may e... |
+---------------------+-------------+-------+--------------+-------------------------+-----------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2020-15366 | moderate | 4.00 | ajv | 5.5.2 | fixed in 6.12.3 | > 2 years | < 1 hour | An issue was discovered in ajv.validate() in Ajv |
| | | | | | > 6 months ago | | | (aka Another JSON Schema Validator) 6.12.2. A |
| | | | | | | | | carefully crafted JSON schema could be provided |
| | | | | | | | | that al... |
...
Vulnerabilities found for image ubercadence/web:v3.31.0: total - 71, critical - 1, high - 16, medium - 15, low - 39
Note:
https://security-tracker.debian.org/tracker/CVE-2019-8457, PRISMA-2022-0049, and https://security-tracker.debian.org/tracker/CVE-2021-33560 are known issues and are fixed in a later version of Debian.
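As an added triage example (not part of the original issue or of the cadence-web project), the following Python script parses a Twistlock table in the format shown above and splits the findings into Debian base-image packages versus npm packages bundled with the Node runtime, so the two remediation paths (bump the base image vs. bump Node/npm dependencies) can be counted separately. The sample rows are copied from the scan above; the regex used to recognise Debian version strings is a heuristic assumption, not something the scanner exports.

```python
"""Triage a Twistlock/Prisma Cloud table-format scan: separate findings that a
base-image (Debian) bump fixes from those that need a Node/npm dependency bump,
then summarise by severity and whether the scanner lists a fixed version."""
import re
from collections import Counter

# Constructed input: the first row of several findings copied from the scan
# above plus one continuation row (blank CVE column), so this runs offline.
SAMPLE_SCAN = """\
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | DESCRIPTION |
+----+----+
| CVE-2022-37434 | critical | 9.80 | zlib | 1:1.2.11.dfsg-2+deb11u1 | fixed in 1:1.2.11.dfsg-2+deb11u2 | 24 days | < 1 hour | zlib through 1.2.12 has a heap-based buffer |
| | | | | | 24 days ago | | | over-read or buffer overflow in inflate in |
+----+----+
| CVE-2021-37701 | high | 8.60 | tar | 2.2.2 | fixed in 6.1.7, 5.0.8, 4.4.16 | > 12 months | < 1 hour | The npm package "tar" (aka node-tar) before |
| CVE-2021-3807 | high | 7.50 | ansi-regex | 4.1.0 | fixed in 4.1.1 | > 11 months | < 1 hour | ansi-regex is vulnerable to Inefficient Regular |
| CVE-2021-3807 | high | 7.50 | ansi-regex | 3.0.0 | fixed in 4.1.1 | > 11 months | < 1 hour | ansi-regex is vulnerable to Inefficient Regular |
| CVE-2022-2509 | high | 7.50 | gnutls28 | 3.7.1-5+deb11u1 | fixed in 3.7.1-5+deb11u2 | 27 days | < 1 hour | A vulnerability found in gnutls. This security |
| CVE-2021-28092 | high | 7.50 | is-svg | 2.1.0 | | > 1 years | < 1 hour | The is-svg package 2.1.0 through 4.2.1 for Node.js |
"""

# Heuristic assumption: Debian package versions carry a "-N" revision and
# usually a "+deb11uN" suffix; npm versions are plain semver without either.
DEB_VERSION = re.compile(r"^(\d+:)?\S+-\d+(\+deb\d+u\d+)?$")


def parse_scan(text):
    """Parse the table into a list of dicts, folding continuation rows
    (blank CVE column) into the previous finding's description."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # "+----+" separator lines
        cells = [c.strip() for c in line.split("|")[1:-1]]
        if len(cells) != 9 or cells[0] == "CVE":
            continue  # header row or an unexpected layout
        vid, sev, cvss, pkg, ver, status, _pub, _disc, desc = cells
        if vid:
            findings.append({
                "id": vid, "severity": sev.lower(), "cvss": float(cvss),
                "package": pkg, "version": ver,
                "fix_available": status.startswith("fixed in"),
                "fix": status, "description": desc,
            })
        elif findings:
            findings[-1]["description"] += " " + desc
    return findings


def bucket(version):
    """'os' for a Debian base-image package version, else 'npm'."""
    return "os" if DEB_VERSION.match(version) else "npm"


def triage(text):
    """Group findings by remediation path. The same CVE reported against
    several copies of one package (ansi-regex above) is merged into one
    entry with all affected versions listed."""
    by_key = {}
    for f in parse_scan(text):
        key = (f["id"], f["package"])
        if key in by_key:
            by_key[key]["versions"].append(f["version"])
            continue
        f["versions"] = [f.pop("version")]
        by_key[key] = f
    groups = {"os": [], "npm": []}
    for f in by_key.values():
        groups[bucket(f["versions"][0])].append(f)
    return groups


def summarize(groups):
    """Counter keyed by (bucket, severity, fix_available)."""
    return Counter((b, f["severity"], f["fix_available"])
                   for b, fs in groups.items() for f in fs)


if __name__ == "__main__":
    groups = triage(SAMPLE_SCAN)
    for b, fs in groups.items():
        print(f"== {b}: {len(fs)} distinct finding(s)")
        for f in fs:
            print(f"  {f['id']:<16} {f['severity']:<8} {f['package']} "
                  f"{','.join(f['versions'])} -> {f['fix'] or 'NO FIX LISTED'}")
    print(summarize(groups))
```

Run it against the full twistlock_vul.log by passing the file contents to triage(). Entries with an empty STATUS column (CVE-2021-28092 above) come out as fix_available=False; those need a manual check against the upstream advisory, because the scanner lists no fixed version and a runtime or base-image bump alone gives no evidence they are resolved.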
Closing since we currently depend on Node 16 (node:16.20.2-bookworm) and have extensive updates coming up in v4.