nginx 0.6.x < 1.20.1 1-Byte Memory Overwrite RCE vulnerability

allegroai / clearml-server

ClearML - Auto-Magical CI/CD to streamline your AI workload. Experiment Management, Data Management, Pipeline, Orchestration, Scheduling & Serving in one MLOps/LLMOps solution

https://clear.ml/docs

Other

386 stars 134 forks source link

nginx 0.6.x < 1.20.1 1-Byte Memory Overwrite RCE vulnerability #230

Open lions1988 opened 10 months ago

lions1988 commented 10 months ago

Hey team

Our Nesssus scanners detected the following vulnerability on ClearML containers (apiserver, fileserver and webserver) ClearML versions: WebApp: 1.14.0-431 • Server: 1.14.0-431 • API: 2.28 Nessus plugin: https://www.tenable.com/plugins/nessus/150154 Existing nginx version:

docker exec -ti clearml-apiserver nginx -v
nginx version: nginx/1.18.0

Please advice Thank you

jkhenning commented 10 months ago

Hi @lions1988,

Thanks for bringing it to our attention. We'll upgrade to nginx 1.23 in the upcoming release.

pollfly commented 8 months ago

Hey @lions1988! Just letting you know that this issue has been resolved in the recently released v1.15.0. Let us know if there are any issues :)