Closed ertjlane closed 1 year ago
Noted!
@ertjlane Hi, I understand this issue refers to the server container and not the dashboard container. Is that correct?
@avaidyam can verify but I believe so, yes.
Hey @avaidyam, can I assume this is about the server container?
@falmeida-orangeloops I believe so!
@ertjlane this has been fixed by BIDMCDigitalPsychiatry/LAMP-server#215 and BIDMCDigitalPsychiatry/LAMP-server#216
Excellent!
Describe the bug
Collaborator description: There is a critical vulnerability in the MindLAMP container that needs to be addressed ASAP. The vulnerability is with a node.js dependency. To fix this, you will have to switch to node.js version 18, rebuild container, and test the application.
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 1)
┌──────────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library      │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │ Title                                                       │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libcrypto1.1 │ CVE-2022-2097  │ MEDIUM   │ 1.1.1n-r0         │ 1.1.1q-r0     │ openssl: AES OCB fails to encrypt some bytes                │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-2097                   │
├──────────────┤                │          │                   │               │                                                             │
│ libssl1.1    │                │          │                   │               │                                                             │
│              │                │          │                   │               │                                                             │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ zlib         │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r0         │ 1.2.12-r2     │ zlib: heap-based buffer over-read and overflow in inflate() │
│              │                │          │                   │               │ in inflate.c via a...                                       │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-37434                  │
└──────────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
2022-10-12T18:46:22.319Z INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.
Node.js (node-pkg)
==================
Total: 5 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 2, CRITICAL: 0)
┌────────────────────────────────┬─────────────────────┬──────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│ Library                        │ Vulnerability       │ Severity │ Installed Version │ Fixed Version  │ Title                                                     │
├────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ got (package.json)             │ CVE-2022-33987      │ MEDIUM   │ 9.6.0             │ 11.8.5, 12.1.0 │ nodejs-got: missing verification of requested URLs allows │
│                                │                     │          │                   │                │ redirects to UNIX sockets                                 │
│                                │                     │          │                   │                │ https://avd.aquasec.com/nvd/cve-2022-33987                │
├────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ moment (package.json)          │ CVE-2022-31129      │ HIGH     │ 2.29.3            │ 2.29.4         │ moment: inefficient parsing algorithm resulting in DoS    │
│                                │                     │          │                   │                │ https://avd.aquasec.com/nvd/cve-2022-31129                │
├────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ moment-timezone (package.json) │ GHSA-v78c-4p63-2j6c │ MEDIUM   │ 0.5.34            │ 0.5.35         │ Cleartext Transmission of Sensitive Information in        │
│                                │                     │          │                   │                │ moment-timezone                                           │
│                                │                     │          │                   │                │ https://github.com/advisories/GHSA-v78c-4p63-2j6c         │
│                                ├─────────────────────┼──────────┤                   │                ├───────────────────────────────────────────────────────────┤
│                                │ GHSA-56x4-j7p9-fcf9 │ LOW      │                   │                │ Command Injection in moment-timezone                      │
│                                │                     │          │                   │                │ https://github.com/advisories/GHSA-56x4-j7p9-fcf9         │
├────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ npm (package.json)             │ CVE-2022-29244      │ HIGH     │ 8.5.5             │ 8.11.0         │ nodejs: npm pack ignores root-level .gitignore and        │
│                                │                     │          │                   │                │ .npmignore file exclusion directives when...              │
│                                │                     │          │                   │                │ https://avd.aquasec.com/nvd/cve-2022-29244                │
└────────────────────────────────┴─────────────────────┴──────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘