docker-library / golang

Docker Official Image packaging for golang
https://golang.org
BSD 3-Clause "New" or "Revised" License

cwe vulnerabilities golang:1.21.5-alpine3.18 -19 #501

Closed Mari0Strife closed 9 months ago

Mari0Strife commented 9 months ago

CWE-1333 - The d3-color module provides representations for various color spaces in the browser. d3-color versions prior to 3.1.0 are vulnerable to a Regular expression Denial of Service.

CWE-284 - Webpack 5.0.0-alpha.0 through 5.75.0 does not avoid cross-realm object access. "ImportParserPlugin.js" mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

CWE-1333 - The package terser before 4.8.1, and 5.0.x before 5.14.2 is vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

yosifkit commented 9 months ago

😕 I don't see any of these packages in the image. There definitely aren't any JavaScript packages installed.

https://github.com/docker-library/golang/blob/fc56cbca1a992efe6fd4d8e8aa7ba6640f4235a9/1.21/alpine3.18/Dockerfile#L9
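One way to check a scanner's findings against what an image actually contains, as an added example that is not part of this thread or of the docker-library/golang repository: the script below compares each reported package with an inventory of installed apk packages and any npm package.json manifests, and flags findings whose package is simply not in the image. The scanner findings, the `apk info -v` listing and the manifest list are constructed inline so it runs offline; in practice the listing would come from running `apk info -v` inside the image and the manifests from a search of the image filesystem for package.json files (both assumptions, not anything the maintainers prescribe).

```python
"""Triage container-scanner findings against the packages actually in an image.

Added example for this thread; it is not code from docker-library/golang.
The scanner findings, the `apk info -v` listing and the npm manifest list are
all constructed here so the script runs offline. In practice the listing would
come from `apk info -v` run inside the image and the manifests from a
`find / -name package.json` over the image filesystem (both assumptions).
"""
import json
import re

# apk prints one "<name>-<version>-r<release>" line per installed package.
# Names may contain hyphens, so match lazily up to a version that starts with a digit.
APK_LINE = re.compile(r"^(?P<name>.+?)-(?P<version>\d[^-]*)-(?P<release>r\d+)$")


def apk_packages(apk_info_output):
    """Return {name: version} from the text output of `apk info -v`."""
    packages = {}
    for line in apk_info_output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = APK_LINE.match(line)
        if m is None:
            raise ValueError(f"unexpected apk line: {line!r}")
        packages[m.group("name")] = f"{m.group('version')}-{m.group('release')}"
    return packages


def npm_packages(manifests):
    """Return {name: version} from the contents of any package.json files found."""
    packages = {}
    for text in manifests:
        data = json.loads(text)
        if "name" in data:
            packages[data["name"]] = data.get("version", "")
    return packages


def triage(findings, apk_info_output, manifests=()):
    """Label each finding by whether its package exists in the image inventory."""
    inventory = {"apk": apk_packages(apk_info_output), "npm": npm_packages(manifests)}
    results = []
    for f in findings:
        installed = inventory.get(f["ecosystem"], {})
        status = "present" if f["package"] in installed else "not present in image"
        results.append({**f, "status": status})
    return results


# Constructed inventory of a minimal Alpine-based image; versions are illustrative.
APK_INFO = """\
musl-1.2.4-r2
busybox-1.36.1-r5
alpine-baselayout-3.4.3-r1
ca-certificates-20230506-r0
"""

# Constructed findings: the three npm packages named in the issue, plus one
# placeholder finding against an apk package to exercise the "present" branch.
FINDINGS = [
    {"cwe": "CWE-1333", "package": "d3-color", "ecosystem": "npm"},
    {"cwe": "CWE-284", "package": "webpack", "ecosystem": "npm"},
    {"cwe": "CWE-1333", "package": "terser", "ecosystem": "npm"},
    {"cwe": "CWE-PLACEHOLDER", "package": "ca-certificates", "ecosystem": "apk"},
]


def absent_findings(findings=FINDINGS, apk_info_output=APK_INFO, manifests=()):
    """Sorted names of reported packages that the image does not actually contain."""
    return sorted(r["package"] for r in triage(findings, apk_info_output, manifests)
                  if r["status"] != "present")


if __name__ == "__main__":
    for r in triage(FINDINGS, APK_INFO):
        print(f"{r['cwe']:16} {r['ecosystem']:4} {r['package']:16} {r['status']}")
```

A finding marked "not present in image" is the cue to look at the scanner itself (which database it used, and whether it matched on something other than the image's contents) rather than at the image; a finding marked "present" is worth checking against the real package version before deciding whether it applies.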

Mari0Strife commented 9 months ago

OK thanks, but I run the alpine docker image and have the same vulnerabilities, so I don't know if the fix is in this image or is external?

tianon commented 9 months ago

Please do a bit more research into why your tool is reporting these on our image.

https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves is probably relevant/useful