BIDMCDigitalPsychiatry / LAMP-platform

The LAMP Platform (issues and documentation).
https://docs.lamp.digital/

mindLAMP Container Vulnerability #713

Closed ertjlane closed 1 year ago

ertjlane commented 1 year ago

Describe the bug

Collaborator description: There is a critical vulnerability in the MindLAMP container that needs to be addressed ASAP. The vulnerability is with a node.js dependency. To fix this, you will have to switch to node.js version 18, rebuild container, and test the application.

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 1)

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| libcrypto1.1 | CVE-2022-2097 | MEDIUM | 1.1.1n-r0 | 1.1.1q-r0 | openssl: AES OCB fails to encrypt some bytes (https://avd.aquasec.com/nvd/cve-2022-2097) |
| libssl1.1 | CVE-2022-2097 | MEDIUM | 1.1.1n-r0 | 1.1.1q-r0 | openssl: AES OCB fails to encrypt some bytes (https://avd.aquasec.com/nvd/cve-2022-2097) |
| zlib | CVE-2022-37434 | CRITICAL | 1.2.12-r0 | 1.2.12-r2 | zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a... (https://avd.aquasec.com/nvd/cve-2022-37434) |

2022-10-12T18:46:22.319Z INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Node.js (node-pkg)
==================

Total: 5 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 2, CRITICAL: 0)

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| got (package.json) | CVE-2022-33987 | MEDIUM | 9.6.0 | 11.8.5, 12.1.0 | nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets (https://avd.aquasec.com/nvd/cve-2022-33987) |
| moment (package.json) | CVE-2022-31129 | HIGH | 2.29.3 | 2.29.4 | moment: inefficient parsing algorithm resulting in DoS (https://avd.aquasec.com/nvd/cve-2022-31129) |
| moment-timezone (package.json) | GHSA-v78c-4p63-2j6c | MEDIUM | 0.5.34 | 0.5.35 | Cleartext Transmission of Sensitive Information in moment-timezone (https://github.com/advisories/GHSA-v78c-4p63-2j6c) |
| moment-timezone (package.json) | GHSA-56x4-j7p9-fcf9 | LOW | 0.5.34 | 0.5.35 | Command Injection in moment-timezone (https://github.com/advisories/GHSA-56x4-j7p9-fcf9) |
| npm (package.json) | CVE-2022-29244 | HIGH | 8.5.5 | 8.11.0 | nodejs: npm pack ignores root-level .gitignore and .npmignore file exclusion directives when... (https://avd.aquasec.com/nvd/cve-2022-29244) |

falmeida-orangeloops commented 1 year ago

Noted!

falmeida-orangeloops commented 1 year ago

@ertjlane Hi, I understand this issue refers to the server container and not the dashboard container. Is that correct?

ertjlane commented 1 year ago

@avaidyam can verify but I believe so, yes.

falmeida-orangeloops commented 1 year ago

Hey @avaidyam, can I assume this is about the server container?

avaidyam commented 1 year ago

@falmeida-orangeloops I believe so!

falmeida-orangeloops commented 1 year ago

@ertjlane this has been fixed by BIDMCDigitalPsychiatry/LAMP-server#215 and BIDMCDigitalPsychiatry/LAMP-server#216

ertjlane commented 1 year ago

Excellent!