Unleash / unleash-proxy

Unleash Proxy is used to safely integrate frontend applications with Unleash in a secure and scalable way.
https://docs.getunleash.io/sdks/unleash-proxy
Apache License 2.0

Various vulnerabilities #196

Open AdrienFromToulouse opened 1 week ago

AdrienFromToulouse commented 1 week ago

Describe the bug

Hi there,

Multiple CVEs with fixes are available:

CVE-2024-43800 CVE-2024-43796 CVE-2024-43799 CVE-2024-45296

Would you mind upgrading the docker image? 🙏

Cheers,

Steps to reproduce the bug

No response

Expected behavior

No response

Logs, error output, etc.

No response

Screenshots

No response

Additional context

No response

Unleash version

v1.4.6

Subscription type

Pro

Hosting type

Self-hosted

SDK information (language and version)

No response

AdrienFromToulouse commented 1 week ago

Just noticed that https://github.com/Unleash/unleash-proxy/pull/195 is in fact also addressing part of the CVE above.

chriswk commented 2 days ago

Hi @AdrienFromToulouse - we've merged the PR bumping express to 4.21 and openapi to upstream from wesleytodd; from the CVE, it now looks like we're using a new enough version. I'll cut a patch release of the proxy.

chriswk commented 2 days ago

1.4.7 is now out, updated to upstream openapi and express 4.21, which from my quick check using yarn why on the dependencies marked in the CVEs mentioned here are all patched. Can you confirm, and preferably close this issue?

AdrienFromToulouse commented 1 day ago

> 1.4.7 is now out, updated to upstream openapi and express 4.21, which from my quick check using yarn why on the dependencies marked in the CVEs mentioned here are all patched. Can you confirm, and preferably close this issue?

@chriswk thank you so much for your help! Will deploy ASAP.

AdrienFromToulouse commented 1 day ago

I think those are the only CVEs left:

chriswk commented 6 hours ago

That's odd, https://github.com/advisories/GHSA-qw6h-vgh9-j6wx says < 4.20, and we just upgraded express to 4.21. For the path-to-regexp vuln I've made https://github.com/Unleash/unleash-proxy/pull/198 to deal with it.

AdrienFromToulouse commented 6 hours ago

CVE-2024-43796

Agreed it is strange, however it still appears on their repo too, so I guess there might be something missing on their end: https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx

this issue is patched in express 4.20.0

We run the latest docker image though... Will triple check on my end.

AdrienFromToulouse commented 6 hours ago

That's very strange, the image indeed looks all good according to docker scout (docker scout cves unleashorg/unleash-proxy:v1.4.7), however Google Cloud vulnerability detectors still detect express as not being patched... Forget about it, I guess Express is just fine; GCP may "wrongly" detect the express version based on the /security/advisories/ of their repo that is not closed.

```
## Overview

                    │                                    Analyzed Image                                      
────────────────────┼────────────────────────────────────────────────────────────────────────────────────────
  Target            │  unleashorg/unleash-proxy:v1.4.7                                                       
    digest          │  6854aad248e0                                                                          
    platform        │ linux/arm64                                                                            
    provenance      │ https://github.com/Unleash/unleash-proxy.git#bee96e0cca64406c469d691225db8db11f260bf9  
                    │  https://github.com/Unleash/unleash-proxy/blob/bee96e0cca64406c469d691225db8db11f260bf9                                              
    vulnerabilities │    0C     1H     0M     0L                                                             
    size            │ 67 MB                                                                                  
    packages        │ 228                                                                                    
                    │                                                                                        
  Base image        │  node:20-alpine                                                                        
                    │  2d07db07a2df                                                                          

## Packages and Vulnerabilities

   0C     1H     0M     0L  path-to-regexp 0.1.7
pkg:npm/path-to-regexp@0.1.7

https://github.com/Unleash/unleash-proxy/blob/bee96e0cca64406c469d691225db8db11f260bf9/Dockerfile#L33-L33
RUN chown -R node:node /unleash-proxy

    ✗ HIGH CVE-2024-45296 [Inefficient Regular Expression Complexity]
      https://scout.docker.com/v/CVE-2024-45296?s=github&n=path-to-regexp&t=npm&vr=%3C0.1.10
      Affected range : <0.1.10                                       
      Fixed version  : 0.1.10                                        
      CVSS Score     : 7.5                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  

1 vulnerability found in 1 package
  LOW       0  
  MEDIUM    0  
  HIGH      1  
  CRITICAL  0
```
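The thread's back-and-forth (yarn why, docker scout, a cloud scanner disagreeing) comes down to one question: is every installed copy of a flagged package at or above the fixed version? The script below is an added example, not part of the unleash-proxy project, that answers that for the two fixed versions the thread states (express 4.20.0 per GHSA-qw6h-vgh9-j6wx, path-to-regexp 0.1.10 per CVE-2024-45296) by walking an npm lockfile's "packages" map, nested copies included; the lockfile content is constructed.

```python
"""Check an npm lockfile (v2/v3 "packages" map) for the advisory ranges discussed in the thread."""
import json

# Fixed versions as stated in the thread; no other advisory data is assumed.
ADVISORIES = {
    "express": ("CVE-2024-43796", "4.20.0"),
    "path-to-regexp": ("CVE-2024-45296", "0.1.10"),
}

def parse_version(version):
    """Turn '4.21.0' into (4, 21, 0); a pre-release suffix is dropped before comparing."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))

def package_name(lock_path):
    """'node_modules/express/node_modules/path-to-regexp' -> 'path-to-regexp'."""
    return lock_path.rsplit("node_modules/", 1)[-1]

def find_vulnerable(lockfile):
    """Return (lock path, name, installed version, CVE) for every copy below its fixed version.

    Nested copies matter: a patched top-level express can still ship an old
    path-to-regexp underneath it, which is what an image scanner reports.
    """
    hits = []
    for lock_path, meta in lockfile.get("packages", {}).items():
        name = package_name(lock_path)
        if name in ADVISORIES and "version" in meta:
            cve, fixed = ADVISORIES[name]
            if parse_version(meta["version"]) < parse_version(fixed):
                hits.append((lock_path, name, meta["version"], cve))
    return hits

# Constructed lockfile fragment: express is already on 4.21 (patched), but the
# path-to-regexp copy is still 0.1.7, mirroring the scout finding above.
SAMPLE_LOCK = json.loads("""{
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/express": {"version": "4.21.0"},
    "node_modules/path-to-regexp": {"version": "0.1.7"}
  }
}""")

if __name__ == "__main__":
    for lock_path, name, version, cve in find_vulnerable(SAMPLE_LOCK):
        print(f"{cve}: {name}@{version} at {lock_path} is below fixed version {ADVISORIES[name][1]}")
```

Run it against a real package-lock.json with `find_vulnerable(json.load(open("package-lock.json")))`; an empty result means every installed copy meets the fixed versions named in the thread.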