Status: closed (liningpan closed this issue 2 years ago)
Yes, please do share it with us.
-John
On Thu, May 12, 2022 at 3:23 PM Lining Pan @.***> wrote:
Describe the bug: Our container security scanning tool (trivy) is reporting critical and high severity vulnerabilities in the lamp-server and lamp-dashboard base image. For lamp-server, we can also see vulnerable node packages being used.
Let me know if you would like to see the output of our container scanning tool.
— View it on GitHub: https://github.com/BIDMCDigitalPsychiatry/LAMP-platform/issues/635
lamp-dashboard:
ghcr.io/bidmcdigitalpsychiatry/lamp-dashboard@sha256:42e3e15c969ee77e111e3dc3fd79aa335e79b3b149bceea3a3b4ef5d913c9351 (alpine 3.15.4)
=====================================================================================================================================
Total: 11 (UNKNOWN: 0, LOW: 2, MEDIUM: 7, HIGH: 1, CRITICAL: 1)
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| curl | CVE-2022-22576 | MEDIUM | 7.80.0-r0 | 7.80.0-r1 | curl: OAUTH2 bearer bypass |
| | | | | | in connection re-use |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22576 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2022-27774 | | | | curl: credential leak on redirect |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27774 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2022-27776 | | | | curl: auth/cookie leak on redirect |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27776 |
+ +------------------+----------+ + +---------------------------------------+
| | CVE-2022-27775 | LOW | | | curl: bad local IPv6 connection reuse |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27775 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| freetype | CVE-2022-27404 | CRITICAL | 2.11.1-r0 | 2.11.1-r1 | FreeType: Buffer Overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27404 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcurl | CVE-2022-22576 | MEDIUM | 7.80.0-r0 | 7.80.0-r1 | curl: OAUTH2 bearer bypass |
| | | | | | in connection re-use |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22576 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2022-27774 | | | | curl: credential leak on redirect |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27774 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2022-27776 | | | | curl: auth/cookie leak on redirect |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27776 |
+ +------------------+----------+ + +---------------------------------------+
| | CVE-2022-27775 | LOW | | | curl: bad local IPv6 connection reuse |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27775 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| libxml2 | CVE-2022-29824 | MEDIUM | 2.9.13-r0 | 2.9.14-r0 | libxml2: integer overflows |
| | | | | | in xmlBuf and xmlBuffer |
| | | | | | lead to out-of-bounds write |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-29824 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| xz-libs | CVE-2022-1271 | HIGH | 5.2.5-r0 | 5.2.5-r1 | gzip: arbitrary-file-write |
| | | | | | vulnerability |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-1271 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
lamp-server:
ghcr.io/bidmcdigitalpsychiatry/lamp-server@sha256:4a22e8f2b38f3cc878e2150c12d8f59a07c74f40002e4552328772662c6aa0b3 (alpine 3.14.3)
==================================================================================================================================
Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 4, CRITICAL: 2)
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| busybox | CVE-2022-28391 | CRITICAL | 1.33.1-r6 | 1.33.1-r7 | busybox: remote attackers may execute |
| | | | | | arbitrary code if netstat is used |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-28391 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2022-0778 | HIGH | 1.1.1l-r0 | 1.1.1n-r0 | openssl: Infinite loop in |
| | | | | | BN_mod_sqrt() reachable |
| | | | | | when parsing certificates |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-0778 |
+--------------+ + +-------------------+---------------+ +
| libretls | | | 3.3.3p1-r2 | 3.3.3p1-r3 | |
| | | | | | |
| | | | | | |
| | | | | | |
+--------------+ + +-------------------+---------------+ +
| libssl1.1 | | | 1.1.1l-r0 | 1.1.1n-r0 | |
| | | | | | |
| | | | | | |
| | | | | | |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| ssl_client | CVE-2022-28391 | CRITICAL | 1.33.1-r6 | 1.33.1-r7 | busybox: remote attackers may execute |
| | | | | | arbitrary code if netstat is used |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-28391 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| zlib | CVE-2018-25032 | HIGH | 1.2.11-r3 | 1.2.12-r0 | zlib: A flaw found in |
| | | | | | zlib when compressing (not |
| | | | | | decompressing) certain inputs... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-25032 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
2022-05-12T14:02:06.086-0400 INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.
Node.js (node-pkg)
==================
Total: 7 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 5, CRITICAL: 1)
+---------------------------+------------------+----------+-------------------+----------------------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------------------------+------------------+----------+-------------------+----------------------------+---------------------------------------+
| ansi-regex (package.json) | CVE-2021-3807 | HIGH | 3.0.0 | 3.0.1, 4.1.1, 5.0.1, 6.0.1 | nodejs-ansi-regex: Regular |
| | | | | | expression denial of service |
| | | | | | (ReDoS) matching ANSI escape codes |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3807 |
+ + + +-------------------+ + +
| | | | 5.0.0 | | |
| | | | | | |
| | | | | | |
| | | | | | |
+---------------------------+------------------+----------+-------------------+----------------------------+---------------------------------------+
| minimist (package.json) | CVE-2021-44906 | CRITICAL | 1.2.5 | 1.2.6 | minimist: prototype pollution |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44906 |
+---------------------------+------------------+----------+-------------------+----------------------------+---------------------------------------+
| moment (package.json) | CVE-2022-24785 | HIGH | 2.29.1 | 2.29.2 | Moment.js: Path traversal |
| | | | | | in moment.locale |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-24785 |
+---------------------------+------------------+----------+-------------------+----------------------------+---------------------------------------+
| nanoid (package.json) | CVE-2021-23566 | MEDIUM | 3.1.30 | 3.1.31 | nanoid: Information disclosure |
| | | | | | via valueOf() function |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23566 |
+---------------------------+------------------+----------+-------------------+----------------------------+---------------------------------------+
| node-fetch (package.json) | CVE-2022-0235 | HIGH | 2.6.6 | 2.6.7, 3.1.1 | node-fetch: exposure of sensitive |
| | | | | | information to an unauthorized actor |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-0235 |
+---------------------------+------------------+ +-------------------+----------------------------+---------------------------------------+
| simple-get (package.json) | CVE-2022-0355 | | 3.1.0 | 2.8.2, 3.1.1, 4.0.1 | simple-get: exposure of sensitive |
| | | | | | information to an unauthorized actor |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-0355 |
+---------------------------+------------------+----------+-------------------+----------------------------+---------------------------------------+
We are going to review this today and shall post update comments on this soon.
@avaidyam There are some new vulnerabilities. We are trying to update some packages, and after that we need to have a full round of testing. We will update you ASAP.
We have updated in Staging