bitnami / containers

Bitnami container images
https://bitnami.com

[bitnami/discourse] CVEs in bitnami/discourse:2.8.8 #10072

Closed lju-lazarevic closed 2 years ago

lju-lazarevic commented 2 years ago

Name and Version

bitnami/discourse:2.8.8

What steps will reproduce the bug?

There are a number of CVEs in this version of the image. I have spoken to Discourse and they say they resolved these quite a while back. Please use Trivy container image scanner to replicate. If there's an email, I can provide more details. Thanks in advance.

What is the expected behavior?

No response

What do you see instead?

CVEs

Additional information

No response

carrodher commented 2 years ago

Hi, unfortunately, those security vulnerabilities are not fixed by the OS or the application itself, so although we build the images on a regular basis to provide the latest version of the system packages, this kind of CVE will be reported while there is no new version patching the issue in the OS or the application.

Using the latest version (2.8.9), there isn't any fixable CVE related to system packages:

$ trivy image --ignore-unfixed --vuln-type os bitnami/discourse:2.8.9
2022-10-13T21:49:17.305Z    INFO    Vulnerability scanning is enabled
2022-10-13T21:49:17.305Z    INFO    Secret scanning is enabled
2022-10-13T21:49:17.305Z    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-10-13T21:49:17.305Z    INFO    Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection
2022-10-13T21:49:50.373Z    INFO    Detected OS: debian
2022-10-13T21:49:50.373Z    INFO    Detecting Debian vulnerabilities...

bitnami/discourse:2.8.9 (debian 11.5)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Regarding system packages, please note the Bitnami Application Catalog (OpenSource) is based on Debian 11 but Bitnami, as part of VMware, provides a custom container and Helm Charts catalog based on the desired base image (generic distro such as Debian 10 & 11, CentOS 7, PhotonOS 3 & 4, Ubuntu 18.04, 20.04 & 22.04, or custom golden image) through the VMware Tanzu Application Catalog.

Running the same scanner for all the vulnerability kinds, we see there are some CVEs reported in directories included by the application itself or by third-party software (such as gosu). In that case, from Bitnami we are bundling the latest versions provided by the upstream projects; I recommend that you file an issue there with that information:

$ trivy image --ignore-unfixed bitnami/discourse:2.8.9
2022-10-13T21:52:44.236Z    INFO    Vulnerability scanning is enabled
2022-10-13T21:52:44.237Z    INFO    Secret scanning is enabled
2022-10-13T21:52:44.237Z    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-10-13T21:52:44.237Z    INFO    Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection
2022-10-13T21:52:44.449Z    INFO    Detected OS: debian
2022-10-13T21:52:44.449Z    INFO    Detecting Debian vulnerabilities...
2022-10-13T21:52:44.499Z    INFO    Number of language-specific files: 7
2022-10-13T21:52:44.499Z    INFO    Detecting cargo vulnerabilities...
2022-10-13T21:52:44.500Z    INFO    Detecting gobinary vulnerabilities...
2022-10-13T21:52:44.500Z    INFO    Detecting node-pkg vulnerabilities...
2022-10-13T21:52:44.508Z    INFO    Detecting python-pkg vulnerabilities...
2022-10-13T21:52:44.509Z    INFO    Detecting gemspec vulnerabilities...

bitnami/discourse:2.8.9 (debian 11.5)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

2022-10-13T21:52:44.534Z    INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Node.js (node-pkg)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)

┌───────────────────────────┬────────────────┬──────────┬───────────────────┬────────────────────────────┬───────────────────────────────────────────────────────────┐
│          Library          │ Vulnerability  │ Severity │ Installed Version │       Fixed Version        │                           Title                           │
├───────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼───────────────────────────────────────────────────────────┤
│ ansi-regex (package.json) │ CVE-2021-3807  │ HIGH     │ 3.0.0             │ 3.0.1, 4.1.1, 5.0.1, 6.0.1 │ nodejs-ansi-regex: Regular expression denial of service   │
│                           │                │          │                   │                            │ (ReDoS) matching ANSI escape codes                        │
│                           │                │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-3807                 │
│                           │                │          ├───────────────────┤                            │                                                           │
│                           │                │          │ 4.1.0             │                            │                                                           │
│                           │                │          │                   │                            │                                                           │
│                           │                │          │                   │                            │                                                           │
├───────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼───────────────────────────────────────────────────────────┤
│ got (package.json)        │ CVE-2022-33987 │ MEDIUM   │ 6.7.1             │ 11.8.5, 12.1.0             │ nodejs-got: missing verification of requested URLs allows │
│                           │                │          │                   │                            │ redirects to UNIX sockets                                 │
│                           │                │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-33987                │
└───────────────────────────┴────────────────┴──────────┴───────────────────┴────────────────────────────┴───────────────────────────────────────────────────────────┘
2022-10-13T21:52:44.536Z    INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Ruby (gemspec)

Total: 14 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 8, CRITICAL: 4)

┌─────────────────────────────────────────────────┬─────────────────────┬──────────┬───────────────────┬────────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│                     Library                     │    Vulnerability    │ Severity │ Installed Version │                     Fixed Version                      │                            Title                             │
├─────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ bundler (bundler-1.17.3.gemspec)                │ CVE-2019-3881       │ HIGH     │ 1.17.3            │ >= 2.1.0                                               │ rubygem-bundler: Insecure permissions on directory in /tmp/  │
│                                                 │                     │          │                   │                                                        │ allows for execution of malicious...                         │
│                                                 │                     │          │                   │                                                        │ https://avd.aquasec.com/nvd/cve-2019-3881                    │
│                                                 ├─────────────────────┤          │                   ├────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                 │ CVE-2020-36327      │          │                   │ >= 2.2.18, 2.2.10                                      │ rubygem-bundler: Dependencies of gems with explicit source   │
│                                                 │                     │          │                   │                                                        │ may be installed from a...                                   │
│                                                 │                     │          │                   │                                                        │ https://avd.aquasec.com/nvd/cve-2020-36327                   │
│                                                 ├─────────────────────┼──────────┤                   ├────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                 │ CVE-2021-43809      │ MEDIUM   │                   │ >= 2.2.33                                              │ rubygem-bundler: unexpected code execution in Gemfiles       │
│                                                 │                     │          │                   │                                                        │ https://avd.aquasec.com/nvd/cve-2021-43809                   │
├─────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ diffy (diffy-3.4.0.gemspec)                     │ CVE-2022-33127      │ CRITICAL │ 3.4.0             │ >= 3.4.1                                               │ rubygem-diffy: remote code execution from user controlled    │
│                                                 │                     │          │                   │                                                        │ diff file paths                                              │
│                                                 │                     │          │                   │                                                        │ https://avd.aquasec.com/nvd/cve-2022-33127                   │
├─────────────────────────────────────────────────┼─────────────────────┤          ├───────────────────┼────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ jmespath (jmespath-1.5.0.gemspec)               │ CVE-2022-32511      │          │ 1.5.0             │ >= 1.6.1                                               │ jmespath.rb (aka JMESPath for Ruby) before 1.6.1 uses        │
│                                                 │                     │          │                   │                                                        │ JSON.load in a s...                                          │
│                                                 │                     │          │                   │                                                        │ https://avd.aquasec.com/nvd/cve-2022-32511                   │
├─────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ nokogiri (nokogiri-1.13.4-x86_64-linux.gemspec) │ CVE-2022-29181      │ HIGH     │ 1.13.4            │ >= 1.13.6                                              │ rubygem-nokogiri: Improper Handling of Unexpected Data Type  │
│                                                 │                     │          │                   │                                                        │ in Nokogiri                                                  │
│                                                 │                     │          │                   │                                                        │ https://avd.aquasec.com/nvd/cve-2022-29181                   │
│                                                 ├─────────────────────┤          │                   ├────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                 │ GHSA-cgx6-hpwq-fhv5 │          │                   │ >= 1.13.5                                              │ Integer Overflow or Wraparound in libxml2 affects Nokogiri   │
│                                                 │                     │          │                   │                                                        │ https://github.com/advisories/GHSA-cgx6-hpwq-fhv5            │
├─────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ omniauth (omniauth-1.9.1.gemspec)               │ CVE-2020-36599      │ CRITICAL │ 1.9.1             │ ~> 1.9.2, >= 2.0.0                                     │ lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2    │
│                                                 │                     │          │                   │                                                        │ (and before ...                                              │
│                                                 │                     │          │                   │                                                        │ https://avd.aquasec.com/nvd/cve-2020-36599                   │
│                                                 ├─────────────────────┼──────────┤                   ├────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                 │ CVE-2015-9284       │ HIGH     │                   │ >= 2.0.0                                               │ rubygem-omniauth: request phase of the OmniAuth Ruby gem is  │
│                                                 │                     │          │                   │                                                        │ vulnerable to Cross-Site...                                  │
│                                                 │                     │          │                   │                                                        │ https://avd.aquasec.com/nvd/cve-2015-9284                    │
├─────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ puma (puma-5.5.2.gemspec)                       │ CVE-2022-24790      │ CRITICAL │ 5.5.2             │ ~> 4.3.12, >= 5.6.4                                    │ puma-5.6.4: http request smuggling vulnerabilities           │
│                                                 │                     │          │                   │                                                        │ https://avd.aquasec.com/nvd/cve-2022-24790                   │
│                                                 ├─────────────────────┼──────────┤                   ├────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                 │ CVE-2022-23634      │ HIGH     │                   │ ~> 4.3.11, >= 5.6.2                                    │ rubygem-puma: rubygem-rails: information leak between        │
│                                                 │                     │          │                   │                                                        │ requests                                                     │
│                                                 │                     │          │                   │                                                        │ https://avd.aquasec.com/nvd/cve-2022-23634                   │
├─────────────────────────────────────────────────┼─────────────────────┤          ├───────────────────┼────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ rack (rack-2.2.3.gemspec)                       │ CVE-2022-30123      │          │ 2.2.3             │ ~> 2.0.9, >= 2.0.9.1, ~> 2.1.4, >= 2.1.4.1, >= 2.2.3.1 │ rubygem-rack: crafted requests can cause shell escape        │
│                                                 │                     │          │                   │                                                        │ sequences                                                    │
│                                                 │                     │          │                   │                                                        │ https://avd.aquasec.com/nvd/cve-2022-30123                   │
│                                                 ├─────────────────────┼──────────┤                   │                                                        ├──────────────────────────────────────────────────────────────┤
│                                                 │ CVE-2022-30122      │ MEDIUM   │                   │                                                        │ rubygem-rack: crafted multipart POST request may cause a DoS │
│                                                 │                     │          │                   │                                                        │ https://avd.aquasec.com/nvd/cve-2022-30122                   │
├─────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ sidekiq (sidekiq-6.3.1.gemspec)                 │ CVE-2022-23837      │ HIGH     │ 6.3.1             │ >= 6.4.0, ~> 5.2.10                                    │ sidekiq: WebUI Denial of Service caused by number of days on │
│                                                 │                     │          │                   │                                                        │ graph...                                                     │
│                                                 │                     │          │                   │                                                        │ https://avd.aquasec.com/nvd/cve-2022-23837                   │
└─────────────────────────────────────────────────┴─────────────────────┴──────────┴───────────────────┴────────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────────┘

opt/bitnami/common/bin/gosu (gobinary)

Total: 5 (UNKNOWN: 1, LOW: 0, MEDIUM: 3, HIGH: 1, CRITICAL: 0)

┌────────────────────────────────┬─────────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │    Vulnerability    │ Severity │         Installed Version          │           Fixed Version           │                            Title                             │
├────────────────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/opencontainers/runc │ CVE-2022-29162      │ HIGH     │ v1.0.1                             │ v1.1.2                            │ runc: incorrect handling of inheritable capabilities         │
│                                │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-29162                   │
│                                ├─────────────────────┼──────────┤                                    ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                │ CVE-2021-43784      │ MEDIUM   │                                    │ 1.1.0                             │ runc: integer overflow in netlink bytemsg length field       │
│                                │                     │          │                                    │                                   │ allows attacker to override...                               │
│                                │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-43784                   │
│                                ├─────────────────────┤          │                                    ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                │ CVE-2022-24769      │          │                                    │ v1.1.2                            │ moby: Default inheritable capabilities for linux container   │
│                                │                     │          │                                    │                                   │ should be empty                                              │
│                                │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-24769                   │
│                                ├─────────────────────┼──────────┤                                    ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                │ GHSA-v95c-p5hm-xq8f │ UNKNOWN  │                                    │ 1.1.0                             │ An attacker with partial control over the bind mount sources │
│                                │                     │          │                                    │                                   │ of a...                                                      │
│                                │                     │          │                                    │                                   │ https://github.com/advisories/GHSA-v95c-p5hm-xq8f            │
├────────────────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/sys               │ CVE-2022-29526      │ MEDIUM   │ v0.0.0-20210817142637-7d9622a276b7 │ 0.0.0-20220412211240-33da011f77ad │ golang: syscall: faccessat checks wrong group                │
│                                │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-29526                   │
└────────────────────────────────┴─────────────────────┴──────────┴────────────────────────────────────┴───────────────────────────────────┴──────────────────────────────────────────────────────────────┘

opt/bitnami/common/bin/wait-for-port (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬───────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │         Installed Version          │           Fixed Version           │                     Title                     │
├──────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼───────────────────────────────────────────────┤
│ golang.org/x/sys │ CVE-2022-29526 │ MEDIUM   │ v0.0.0-20210510120138-977fb7262007 │ 0.0.0-20220412211240-33da011f77ad │ golang: syscall: faccessat checks wrong group │
│                  │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-29526    │
└──────────────────┴────────────────┴──────────┴────────────────────────────────────┴───────────────────────────────────┴───────────────────────────────────────────────┘

/opt/bitnami/discourse/spec/requests/webhooks_controller_spec.rb (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

MEDIUM: Mailgun (mailgun-token)
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Mailgun private API token
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 /opt/bitnami/discourse/spec/requests/webhooks_controller_spec.rb:19 (added in layer 'c1caa424e8dc')
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  17
  18       before do
  19 [       SiteSetting.mailgun_api_key = "************************************"
  20       end
──────────────────────────────────────────────────

For instance, this is the report obtained from the image that seems to be the base from which the image maintained by the upstream project is built:

$ trivy image --ignore-unfixed discourse/base:release
2022-10-13T22:03:35.280Z    INFO    Vulnerability scanning is enabled
2022-10-13T22:03:35.280Z    INFO    Secret scanning is enabled
2022-10-13T22:03:35.280Z    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-10-13T22:03:35.280Z    INFO    Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection
2022-10-13T22:05:52.979Z    INFO    Detected OS: debian
2022-10-13T22:05:52.979Z    INFO    Detecting Debian vulnerabilities...
2022-10-13T22:05:53.038Z    INFO    Number of language-specific files: 9
2022-10-13T22:05:53.038Z    INFO    Detecting cargo vulnerabilities...
2022-10-13T22:05:53.042Z    INFO    Detecting gemspec vulnerabilities...
2022-10-13T22:05:53.055Z    INFO    Detecting node-pkg vulnerabilities...

discourse/base:release (debian 11.5)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

2022-10-13T22:05:53.466Z    INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Node.js (node-pkg)

Total: 25 (UNKNOWN: 0, LOW: 3, MEDIUM: 5, HIGH: 13, CRITICAL: 4)

┌───────────────────────────────────┬─────────────────────┬──────────┬───────────────────┬────────────────────────────┬──────────────────────────────────────────────────────────────┐
│              Library              │    Vulnerability    │ Severity │ Installed Version │       Fixed Version        │                            Title                             │
├───────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ ansi-html (package.json)          │ CVE-2021-23424      │ HIGH     │ 0.0.7             │ 0.0.8                      │ nodejs-ansi-html: ReDoS via crafted string                   │
│                                   │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-23424                   │
├───────────────────────────────────┼─────────────────────┤          ├───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ ansi-regex (package.json)         │ CVE-2021-3807       │          │ 3.0.0             │ 3.0.1, 4.1.1, 5.0.1, 6.0.1 │ nodejs-ansi-regex: Regular expression denial of service      │
│                                   │                     │          │                   │                            │ (ReDoS) matching ANSI escape codes                           │
│                                   │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-3807                    │
│                                   │                     │          ├───────────────────┤                            │                                                              │
│                                   │                     │          │ 4.1.0             │                            │                                                              │
│                                   │                     │          │                   │                            │                                                              │
│                                   │                     │          │                   │                            │                                                              │
│                                   │                     │          ├───────────────────┤                            │                                                              │
│                                   │                     │          │ 5.0.0             │                            │                                                              │
│                                   │                     │          │                   │                            │                                                              │
│                                   │                     │          │                   │                            │                                                              │
├───────────────────────────────────┼─────────────────────┤          ├───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ async (package.json)              │ CVE-2021-43138      │          │ 2.6.3             │ 2.6.4, 3.2.2               │ async: Prototype Pollution in async                          │
│                                   │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-43138                   │
├───────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ clean-css (package.json)          │ GHSA-wxhq-pm8v-cw75 │ LOW      │ 3.4.28            │ 4.1.11                     │ Regular Expression Denial of Service in clean-css            │
│                                   │                     │          │                   │                            │ https://github.com/advisories/GHSA-wxhq-pm8v-cw75            │
├───────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ engine.io (package.json)          │ CVE-2020-36048      │ HIGH     │ 3.5.0             │ 3.6.0                      │ yarnpkg-socket.io/engine.io: allows attackers to cause a     │
│                                   │                     │          │                   │                            │ denial of service (resource consumption) via...              │
│                                   │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2020-36048                   │
├───────────────────────────────────┼─────────────────────┤          ├───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ glob-parent (package.json)        │ CVE-2020-28469      │          │ 3.1.0             │ 5.1.2                      │ nodejs-glob-parent: Regular expression denial of service     │
│                                   │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2020-28469                   │
├───────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ markdown-it (package.json)        │ CVE-2022-21670      │ MEDIUM   │ 12.0.4            │ 12.3.2                     │ markdown-it is a Markdown parser. Prior to version 1.3.2,    │
│                                   │                     │          │                   │                            │ special patt ......                                          │
│                                   │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-21670                   │
│                                   │                     │          ├───────────────────┤                            │                                                              │
│                                   │                     │          │ 8.4.2             │                            │                                                              │
│                                   │                     │          │                   │                            │                                                              │
│                                   │                     │          │                   │                            │                                                              │
├───────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ minimatch (package.json)          │ CVE-2016-10540      │ HIGH     │ 0.2.14            │ 3.0.2                      │ Minimatch is a minimal matching utility that works by        │
│                                   │                     │          │                   │                            │ converting glob ...                                          │
│                                   │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2016-10540                   │
│                                   ├─────────────────────┤          │                   ├────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                   │ NSWG-ECO-118        │          │                   │ >=3.0.2                    │ Regular Expression Denial of Service                         │
├───────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ minimist (package.json)           │ CVE-2021-44906      │ CRITICAL │ 0.2.1             │ 1.2.6                      │ minimist: prototype pollution                                │
│                                   │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-44906                   │
│                                   │                     │          ├───────────────────┤                            │                                                              │
│                                   │                     │          │ 1.2.5             │                            │                                                              │
│                                   │                     │          │                   │                            │                                                              │
├───────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ moment-timezone (package.json)    │ GHSA-v78c-4p63-2j6c │ MEDIUM   │ 0.5.31            │ 0.5.35                     │ Cleartext Transmission of Sensitive Information in           │
│                                   │                     │          │                   │                            │ moment-timezone                                              │
│                                   │                     │          │                   │                            │ https://github.com/advisories/GHSA-v78c-4p63-2j6c            │
│                                   ├─────────────────────┼──────────┤                   │                            ├──────────────────────────────────────────────────────────────┤
│                                   │ GHSA-56x4-j7p9-fcf9 │ LOW      │                   │                            │ Command Injection in moment-timezone                         │
│                                   │                     │          │                   │                            │ https://github.com/advisories/GHSA-56x4-j7p9-fcf9            │
├───────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ node-fetch (package.json)         │ CVE-2022-0235       │ HIGH     │ 2.6.6             │ 2.6.7, 3.1.1               │ node-fetch: exposure of sensitive information to an          │
│                                   │                     │          │                   │                            │ unauthorized actor                                           │
│                                   │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-0235                    │
├───────────────────────────────────┼─────────────────────┤          ├───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ terser (package.json)             │ CVE-2022-25858      │          │ 5.10.0            │ 5.14.2, 4.8.1              │ terser: insecure use of regular expressions leads to ReDoS   │
│                                   │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-25858                   │
├───────────────────────────────────┼─────────────────────┤          ├───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ tmpl (package.json)               │ CVE-2021-3777       │          │ 1.0.4             │ 1.0.5                      │ tmpl vulnerable to Inefficient Regular Expression Complexity │
│                                   │                     │          │                   │                            │ which may lead to resource...                                │
│                                   │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-3777                    │
├───────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ underscore (package.json)         │ CVE-2021-23358      │ CRITICAL │ 1.3.3             │ 1.12.1                     │ nodejs-underscore: Arbitrary code execution via the template │
│                                   │                     │          │                   │                            │ function                                                     │
│                                   │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-23358                   │
├───────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ ws (package.json)                 │ CVE-2021-32640      │ MEDIUM   │ 7.4.4             │ 5.2.3, 6.2.2, 7.4.6        │ nodejs-ws: Specially crafted value of the                    │
│                                   │                     │          │                   │                            │ `Sec-Websocket-Protocol` header can be used to...            │
│                                   │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-32640                   │
├───────────────────────────────────┼─────────────────────┤          ├───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ xmldom (package.json)             │ CVE-2021-32796      │          │ 0.1.31            │ 0.7.0                      │ nodejs-xmldom: misinterpretation of malicious XML input      │
│                                   │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-32796                   │
│                                   ├─────────────────────┼──────────┤                   ├────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                   │ CVE-2021-21366      │ LOW      │                   │ 0.5.0                      │ xmldom is a pure JavaScript W3C standard-based (XML DOM      │
│                                   │                     │          │                   │                            │ Level 2 Core)...                                             │
│                                   │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-21366                   │
├───────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ xmlhttprequest-ssl (package.json) │ CVE-2021-31597      │ CRITICAL │ 1.5.5             │ 1.6.1                      │ xmlhttprequest-ssl: SSL certificate validation disabled by   │
│                                   │                     │          │                   │                            │ default                                                      │
│                                   │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-31597                   │
│                                   ├─────────────────────┼──────────┤                   ├────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                   │ CVE-2020-28502      │ HIGH     │                   │ 1.6.2                      │ nodejs-xmlhttprequest: Code injection through user input to  │
│                                   │                     │          │                   │                            │ xhr.send                                                     │
│                                   │                     │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2020-28502                   │
└───────────────────────────────────┴─────────────────────┴──────────┴───────────────────┴────────────────────────────┴──────────────────────────────────────────────────────────────┘
2022-10-13T22:05:53.479Z    INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Ruby (gemspec)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌───────────────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│              Library              │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                            Title                            │
├───────────────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ omniauth (omniauth-1.9.2.gemspec) │ CVE-2015-9284 │ HIGH     │ 1.9.2             │ >= 2.0.0      │ rubygem-omniauth: request phase of the OmniAuth Ruby gem is │
│                                   │               │          │                   │               │ vulnerable to Cross-Site...                                 │
│                                   │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2015-9284                   │
└───────────────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

var/www/discourse/node_modules/squoosh/codecs/oxipng/Cargo.lock (cargo)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 1)

┌─────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│     Library     │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                             │
├─────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ crossbeam-deque │ CVE-2021-32810 │ CRITICAL │ 0.8.0             │ 0.7.4, 0.8.1  │ rust-crossbeam-deque: race condition may lead to double free │
│                 │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-32810                   │
├─────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ crossbeam-utils │ CVE-2022-23639 │ HIGH     │ 0.8.1             │ 0.8.7         │ crossbeam-utils provides atomics, synchronization            │
│                 │                │          │                   │               │ primitives, scoped t ...                                     │
│                 │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-23639                   │
└─────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

/etc/ssl/private/ssl-cert-snakeoil.key (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: AsymmetricPrivateKey (private-key)
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Asymmetric Private Key
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 /etc/ssl/private/ssl-cert-snakeoil.key:1 (added in layer '81603f5c1b10')
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 [ -----BEGIN PRIVATE KEY-----*******************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END PRIVATE KEY-----
   2
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

/var/www/discourse/spec/requests/webhooks_controller_spec.rb (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

MEDIUM: Mailgun (mailgun-token)
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Mailgun private API token
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 /var/www/discourse/spec/requests/webhooks_controller_spec.rb:16 (added in layer '81603f5c1b10')
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  14
  15       before do
  16 [       SiteSetting.mailgun_api_key = "************************************"
  17         ActionController::Base.allow_forgery_protection = true # Ensure the endpoint works, even with CSRF protection generally enabled
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
lju-lazarevic commented 2 years ago

Thank you for this, Carlos

github-actions[bot] commented 2 years ago

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions[bot] commented 2 years ago

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.

lju-lazarevic commented 2 years ago

Hello once more. We've been doing a bit of digging, and it all seems to stem from which version of Ruby is being imported. The riddle here is that if Ruby 2.7.6 is imported, then most of the critical CVEs go away. But it looks like it's not version 2.7.6 that's being used.

This is rather confusing, given that looking at both the Discourse Dockerfile and the Bitnami one seems to suggest that 2.7.6 is being used - but that's not being reflected in the above output.

carrodher commented 1 year ago

Hi, we are glad to announce that we got rid of gosu in all Bitnami container images, so the false positives previously reported by some CVE scanners will not appear anymore:

$ trivy image --ignore-unfixed bitnami/postgresql:15.2.0-debian-11-r22

bitnami/postgresql:15.2.0-debian-11-r22 (debian 11.6)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

opt/bitnami/common/bin/gosu (gobinary)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)

┌────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/opencontainers/runc │ CVE-2022-29162 │ HIGH     │ v1.1.0            │ v1.1.2        │ runc: incorrect handling of inheritable capabilities       │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-29162                 │
│                                ├────────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                                │ CVE-2023-27561 │          │                   │ v1.1.5        │ runc: volume mount race condition (regression of           │
│                                │                │          │                   │               │ CVE-2019-19921)                                            │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-27561                 │
│                                ├────────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                                │ CVE-2022-24769 │ MEDIUM   │                   │ v1.1.2        │ moby: Default inheritable capabilities for linux container │
│                                │                │          │                   │               │ should be empty                                            │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24769                 │
└────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

VS

$ trivy image --ignore-unfixed bitnami/postgresql:15.2.0-debian-11-r23

bitnami/postgresql:15.2.0-debian-11-r23 (debian 11.6)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

From now on, gosu functionality is replaced by chroot. In this PR you can find an example of this implementation.
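The disagreement in this thread comes down to which of Trivy's findings are actionable for whom: unfixable Debian package CVEs, fixable application dependencies under the Discourse tree, a Go module vulnerability embedded in the vendored gosu binary, and "secrets" that are really test fixtures or a distro-generated placeholder key. The script below is an added example (not Bitnami's or Trivy's code) that sorts a `trivy image --format json` report into those buckets and reproduces the effect of `--ignore-unfixed`, `--vuln-type os` and `--security-checks vuln` so the two scans quoted above can be compared on equal terms. It assumes Trivy's JSON layout (`Results[].Class`, `Results[].Type`, `Results[].Target`, `Vulnerabilities[]`, `Secrets[]`); the report it parses is constructed by hand from identifiers quoted in this issue, the `PkgPath` values are illustrative, `CVE-0000-00001` is a placeholder for an OS package with no fix available, and the test-path regex is a heuristic, not a Trivy feature.

```python
"""Triage a Trivy JSON report into the buckets argued over in this thread.

Added example; not Bitnami's or Trivy's code. Assumes the layout of
`trivy image --format json` and uses a hand-built report, not a real scan.
"""
import json
import re
from collections import Counter

# Heuristic: paths that hold test code or fixtures rather than runtime code.
TEST_PATH = re.compile(r"(^|/)(spec|test|tests|__tests__|fixtures)/")

# Constructed report (NOT real scanner output). Identifiers are taken from the
# findings quoted in this issue; PkgPath values are illustrative and
# CVE-0000-00001 is a placeholder for an unfixed OS package.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "bitnami/discourse:2.8.8 (debian 11.5)", "Class": "os-pkgs",
         "Type": "debian", "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-00001", "PkgName": "example-lib",
              "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "LOW"}]},
        {"Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2021-44906", "PkgName": "minimist",
              "PkgPath": "var/www/discourse/node_modules/minimist/package.json",
              "InstalledVersion": "0.2.1", "FixedVersion": "1.2.6", "Severity": "CRITICAL"}]},
        {"Target": "Ruby", "Class": "lang-pkgs", "Type": "gemspec",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2015-9284", "PkgName": "omniauth",
              "PkgPath": "omniauth-1.9.2.gemspec",
              "InstalledVersion": "1.9.2", "FixedVersion": ">= 2.0.0", "Severity": "HIGH"}]},
        {"Target": "opt/bitnami/common/bin/gosu", "Class": "lang-pkgs",
         "Type": "gobinary", "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2022-29162", "PkgName": "github.com/opencontainers/runc",
              "InstalledVersion": "v1.1.0", "FixedVersion": "v1.1.2", "Severity": "HIGH"}]},
        {"Target": "/etc/ssl/private/ssl-cert-snakeoil.key", "Class": "secret",
         "Secrets": [{"RuleID": "private-key", "Severity": "HIGH",
                      "Title": "Asymmetric Private Key", "StartLine": 1}]},
        {"Target": "/var/www/discourse/spec/requests/webhooks_controller_spec.rb",
         "Class": "secret",
         "Secrets": [{"RuleID": "mailgun-token", "Severity": "MEDIUM",
                      "Title": "Mailgun private API token", "StartLine": 16}]},
    ]
})


def bucket_for(result, vuln=None):
    """Classify one finding so it can be routed to whoever can actually fix it."""
    cls = result.get("Class")
    target = result.get("Target", "")
    if cls == "os-pkgs":
        return "os-package"            # only the base-image distro can ship a fix
    if cls == "secret":
        # A key baked into a layer is identical for everyone who pulls the image;
        # a token inside spec/ is a test fixture, not a live credential.
        return "secret-in-test-fixture" if TEST_PATH.search(target) else "secret"
    if cls == "lang-pkgs":
        if result.get("Type") == "gobinary":
            return "vendored-go-binary"  # e.g. gosu embedding a vulnerable runc module
        path = (vuln or {}).get("PkgPath", target)
        return "app-test-fixture" if TEST_PATH.search(path) else "app-dependency"
    return "other"


def triage(report_json, ignore_unfixed=False, vuln_types=("os", "library"),
           scanners=("vuln", "secret")):
    """Return (findings, summary), mirroring --ignore-unfixed, --vuln-type
    and --security-checks on the raw JSON instead of re-running the scan."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        cls = result.get("Class")
        if cls == "os-pkgs" and "os" not in vuln_types:
            continue
        if cls == "lang-pkgs" and "library" not in vuln_types:
            continue
        if "vuln" in scanners:
            for v in result.get("Vulnerabilities") or []:
                fixable = bool(v.get("FixedVersion"))
                if ignore_unfixed and not fixable:
                    continue
                findings.append({"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                                 "severity": v["Severity"], "fixable": fixable,
                                 "bucket": bucket_for(result, v)})
        if "secret" in scanners:
            for s in result.get("Secrets") or []:
                findings.append({"id": s["RuleID"], "pkg": result["Target"],
                                 "severity": s["Severity"], "fixable": True,
                                 "bucket": bucket_for(result)})
    return findings, Counter(f["bucket"] for f in findings)


if __name__ == "__main__":
    runs = [("full scan", {}),
            ("--ignore-unfixed --vuln-type os --security-checks vuln",
             {"ignore_unfixed": True, "vuln_types": ("os",), "scanners": ("vuln",)})]
    for label, kwargs in runs:
        findings, summary = triage(SAMPLE_REPORT, **kwargs)
        print(f"{label}: {dict(summary)}")
        for f in findings:
            print(f"  {f['severity']:<8} {f['id']:<16} {f['pkg']:<40} {f['bucket']}")
```

Run against the constructed report, the full scan yields six findings across five buckets, while the narrowed scan that the maintainer ran yields none, which is exactly the gap between the two views in this thread. The point of the buckets is that each has a different owner: OS packages wait on the distro, `app-dependency` findings go to the upstream project, a `vendored-go-binary` finding is resolved by dropping the binary (as Bitnami did with gosu), and fixture secrets are noise to suppress rather than credentials to rotate.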