jitsi / docker-jitsi-meet

Jitsi Meet on Docker
https://hub.docker.com/u/jitsi/
Apache License 2.0

High Severity Vulnerabilities found by Snyk in jitsi/web:latest image #732

Open prayagsingh opened 4 years ago

prayagsingh commented 4 years ago

About Snyk: Snyk checks for Common Vulnerabilities and Exposures (CVE) in a Docker image.

Recently Docker added Snyk support to Docker for Windows (Docker Desktop) in the latest release. I tested the jitsi/web:latest image using Snyk and it reported a few vulnerabilities. It divided the vulnerabilities into two parts and provided some suggestions.

  1. Issues to fix by upgrading
  2. Patchable issues

Below is a snippet of the Snyk result with some suggested fixes.

Organization:      undefined
Package manager:   deb
Project name:      docker-image|jitsi/web
Docker image:      jitsi/web:latest

Tested 224 dependencies for known vulnerabilities, found 325 vulnerabilities.

For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp

-------------------------------------------------------

Testing jitsi/web:latest...

Tested 1038 dependencies for known vulnerabilities, found 14 vulnerabilities.

Issues to fix by upgrading:

  Upgrade i18next@17.0.6 to i18next@19.6.0 to fix
  ✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/SNYK-JS-I18NEXT-585930] in i18next@17.0.6
  ✗ Buffer Overflow [Medium Severity][https://snyk.io/vuln/SNYK-JS-I18NEXT-575536] in i18next@17.0.6

  Upgrade lodash@4.17.13 to lodash@4.17.20 to fix
  ✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/SNYK-JS-LODASH-567746] in lodash@4.17.15
    introduced by react-native@github:jitsi/react-native#efd2aff5661d75a230e36406b698cfe0ee545be2 > @react-native-community/cli@3.2.0 > metro@0.56.4 > @babel/generator@7.1.2 > lodash@4.17.15 and 35 other path(s)
  ✗ Prototype Pollution (new) [High Severity][https://snyk.io/vuln/SNYK-JS-LODASH-590103] in lodash@4.17.15
    introduced by react-native@github:jitsi/react-native#efd2aff5661d75a230e36406b698cfe0ee545be2 > @react-native-community/cli@3.2.0 > metro@0.56.4 > @babel/generator@7.1.2 > lodash@4.17.15 and 35 other path(s)
  ✗ Prototype Pollution (new) [High Severity][https://snyk.io/vuln/SNYK-JS-LODASH-608086] in lodash@4.17.15
    introduced by react-native@github:jitsi/react-native#efd2aff5661d75a230e36406b698cfe0ee545be2 > @react-native-community/cli@3.2.0 > metro@0.56.4 > @babel/generator@7.1.2 > lodash@4.17.15 and 35 other path(s)

Patchable issues:

  Patch available for debug@2.2.0
  ✗ Regular Expression Denial of Service (ReDoS) [Low Severity][https://snyk.io/vuln/npm:debug:20170905] in debug@2.2.0
    introduced by amplitude-js@4.5.2 > @segment/top-domain@3.0.0 > component-cookie@1.1.4 > debug@2.2.0

  Patch available for lodash@4.17.15
  ✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/SNYK-JS-LODASH-567746] in lodash@4.17.15
    introduced by react-native@github:jitsi/react-native#efd2aff5661d75a230e36406b698cfe0ee545be2 > @react-native-community/cli@3.2.0 > metro@0.56.4 > @babel/generator@7.1.2 > lodash@4.17.15 and 35 other path(s)

  Patch available for ms@0.7.1
  ✗ Regular Expression Denial of Service (ReDoS) [Low Severity][https://snyk.io/vuln/npm:ms:20170412] in ms@0.7.1
    introduced by amplitude-js@4.5.2 > @segment/top-domain@3.0.0 > component-cookie@1.1.4 > debug@2.2.0 > ms@0.7.1

Issues with no direct upgrade or patch:
  ✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/SNYK-JS-HERMESENGINE-608850] in hermes-engine@0.2.1
    introduced by react-native@github:jitsi/react-native#efd2aff5661d75a230e36406b698cfe0ee545be2 > hermes-engine@0.2.1

  Introduced through: nginx/nginx-extras@1.10.3-1+deb9u5
  From: nginx/nginx-extras@1.10.3-1+deb9u5 > nginx/libnginx-mod-http-image-filter@1.10.3-1+deb9u5 > libgd2/libgd3@2.2.4-2+deb9u5 > tiff/libtiff5@4.0.8-2+deb9u5

✗ Low severity vulnerability found in tiff/libtiff5
  Description: Out-of-Bounds
  Info: https://snyk.io/vuln/SNYK-DEBIAN9-TIFF-405476
  Introduced through: nginx/nginx-extras@1.10.3-1+deb9u5
  From: nginx/nginx-extras@1.10.3-1+deb9u5 > nginx/libnginx-mod-http-image-filter@1.10.3-1+deb9u5 > libgd2/libgd3@2.2.4-2+deb9u5 > tiff/libtiff5@4.0.8-2+deb9u5

✗ Low severity vulnerability found in tiff/libtiff5
  Description: Out-of-Bounds
  Info: https://snyk.io/vuln/SNYK-DEBIAN9-TIFF-405857
  Introduced through: nginx/nginx-extras@1.10.3-1+deb9u5
  From: nginx/nginx-extras@1.10.3-1+deb9u5 > nginx/libnginx-mod-http-image-filter@1.10.3-1+deb9u5 > libgd2/libgd3@2.2.4-2+deb9u5 > tiff/libtiff5@4.0.8-2+deb9u5

✗ Low severity vulnerability found in tiff/libtiff5
  Description: Resource Management Errors
  Info: https://snyk.io/vuln/SNYK-DEBIAN9-TIFF-406147
  Introduced through: nginx/nginx-extras@1.10.3-1+deb9u5
  From: nginx/nginx-extras@1.10.3-1+deb9u5 > nginx/libnginx-mod-http-image-filter@1.10.3-1+deb9u5 > libgd2/libgd3@2.2.4-2+deb9u5 > tiff/libtiff5@4.0.8-2+deb9u5

✗ Low severity vulnerability found in tiff/libtiff5
  Description: Memory Leak
  Info: https://snyk.io/vuln/SNYK-DEBIAN9-TIFF-406359
  Introduced through: nginx/nginx-extras@1.10.3-1+deb9u5
  From: nginx/nginx-extras@1.10.3-1+deb9u5 > nginx/libnginx-mod-http-image-filter@1.10.3-1+deb9u5 > libgd2/libgd3@2.2.4-2+deb9u5 > tiff/libtiff5@4.0.8-2+deb9u5

✗ Low severity vulnerability found in tar
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-DEBIAN9-TAR-312293
  Introduced through: meta-common-packages@meta
  From: meta-common-packages@meta > tar@1.29b-1.1

✗ Low severity vulnerability found in tar
  Description: CVE-2005-2541
  Info: https://snyk.io/vuln/SNYK-DEBIAN9-TAR-312330
  Introduced through: meta-common-packages@meta
  From: meta-common-packages@meta > tar@1.29b-1.1

✗ Low severity vulnerability found in tar
  Description: NULL Pointer Dereference
  Info: https://snyk.io/vuln/SNYK-DEBIAN9-TAR-341215
  Introduced through: meta-common-packages@meta
  From: meta-common-packages@meta > tar@1.29b-1.1

No upgrade or patch available
  ✗ Information Exposure [Low Severity][https://snyk.io/vuln/SNYK-JS-KINDOF-537849] in kind-of@6.0.2
    introduced by react-native@github:jitsi/react-native#efd2aff5661d75a230e36406b698cfe0ee545be2 > @react-native-community/cli@3.2.0 > metro@0.56.4 > jest-haste-map@24.9.0 > anymatch@2.0.0 > micromatch@3.1.10 > braces@2.3.2 > snapdragon@0.8.2 > base@0.11.2 > define-property@1.0.0 > is-descriptor@1.0.2 > kind-of@6.0.2 and 2 other path(s)
  This issue was fixed in versions: 6.0.3
  ✗ Remote Code Execution (RCE) [High Severity][https://snyk.io/vuln/SNYK-JS-LOGKITTY-568763] in logkitty@0.6.1
    introduced by react-native@github:jitsi/react-native#efd2aff5661d75a230e36406b698cfe0ee545be2 > @react-native-community/cli-platform-android@3.1.4 > logkitty@0.6.1
  This issue was fixed in versions: 0.7.1 
  ✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/SNYK-JS-MINIMIST-559764] in minimist@1.2.0
    introduced by react-native@github:jitsi/react-native#efd2aff5661d75a230e36406b698cfe0ee545be2 > @react-native-community/cli@3.2.0 > metro@0.56.4 > jest-haste-map@24.9.0 > fsevents@1.2.9 > node-pre-gyp@0.12.0 > mkdirp@0.5.1 > minimist@0.0.8 and 1 other path(s)
  This issue was fixed in versions: 0.2.1, 1.2.3
  ✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381] in yargs-parser@11.1.1
    introduced by react-native@github:jitsi/react-native#efd2aff5661d75a230e36406b698cfe0ee545be2 > @react-native-community/cli@3.2.0 > metro@0.56.4 > metro-inspector-proxy@0.56.4 > yargs@9.0.1 > yargs-parser@7.0.0 and 1 other path(s)
  This issue was fixed in versions: 5.0.0-security.0, 13.1.2, 15.0.1, 18.1.1
  ✗ Denial of Service (DoS) [Medium Severity][https://snyk.io/vuln/npm:mem:20180117] in mem@1.1.0
    introduced by react-native@github:jitsi/react-native#efd2aff5661d75a230e36406b698cfe0ee545be2 > @react-native-community/cli@3.2.0 > metro@0.56.4 > metro-inspector-proxy@0.56.4 > yargs@9.0.1 > os-locale@2.1.0 > mem@1.1.0
  This issue was fixed in versions: 4.0.0
  ✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://snyk.io/vuln/npm:ua-parser-js:20180227] in ua-parser-js@0.7.17
    introduced by @atlaskit/theme@7.0.2 > prop-types@15.6.0 > fbjs@0.8.16 > ua-parser-js@0.7.17 and 22 other path(s)
  This issue was fixed in versions: 0.7.18

Organization:      undefined
Package manager:   npm
Target file:       /usr/share/jitsi-meet/package.json
Project name:      jitsi-meet
Docker image:      jitsi/web:latest

For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp

Tested 2 projects, 2 contained vulnerable paths.

How to reproduce

  1. Update Docker Desktop to the latest edge version, i.e. 2.3.6.0 (47622), on the edge channel on Mac or Windows
  2. Now run the command docker scan jitsi/web:latest.

prayagsingh commented 4 years ago

Complete logs

jitsi_vuln.txt

prayagsingh commented 4 years ago

prosody jitsi_vul_prosody.txt

jicofo jitsi_vul_jicofo.txt

prayagsingh commented 4 years ago

@saghul @sapkra This is a high priority issue. Please take a look. To avoid updating the Docker setup, you can use aquasecurity/trivy to check for CVEs.