loft-sh / jspolicy

jsPolicy - Easier & Faster Kubernetes Policies using JavaScript or TypeScript
https://www.jspolicy.com
Apache License 2.0

Several CVE vulnerabilities in JsPolicy 0.2.2 #130

Open jaredhancock31 opened 3 months ago

jaredhancock31 commented 3 months ago

As part of our image scanning we found that the latest JsPolicy (0.2.2) has several unaddressed CVEs.

CVE ID: CVE-2023-26604, CVE-2023-50387 Vulnerabilities in libudev1

CVE-2023-42282 (MITRE NIST) Server-Side Request Forgery (SSRF) Vulnerability in ip 2.0.0. The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

CVE-2022-37434 (MITRE NIST) Out-of-bounds Write Vulnerability in zlib 1.2.11

CVE-2023-45853 (MITRE NIST) Integer Overflow or Wraparound Vulnerability in zlib 1.2.11

CVE-2021-4279 (MITRE NIST) Vulnerability in jsonpatch 2.2.0

CVE-2023-28154 (MITRE NIST) Vulnerability in webpack 5.75.0
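The CVE-2023-42282 entry above turns on how a non-canonical literal such as `0x7f.1` is classified. As an added illustration, not code from jsPolicy or from the ip package, the following canonicalises inet_aton-style IPv4 spellings before applying a public/private check, so that the classification and the address the OS actually connects to cannot diverge; the function names and the blocked-range list are my own choices.

```javascript
// Added example, not jsPolicy's or the ip package's code: canonicalise
// inet_aton-style IPv4 spellings before classifying them.
// Parse one dotted component: "0x7f" (hex), "0177" (octal), "127" (decimal).
function parsePart(part) {
  let m;
  if ((m = /^0[xX]([0-9a-fA-F]+)$/.exec(part))) return parseInt(m[1], 16);
  if ((m = /^0([0-7]+)$/.exec(part))) return parseInt(m[1], 8);
  if (/^(0|[1-9][0-9]*)$/.test(part)) return parseInt(part, 10);
  return NaN;
}

// Canonical dotted quad, or null if not an IPv4 literal. Like inet_aton,
// 1 to 4 parts are accepted and the last part fills the remaining bytes,
// so "0x7f.1" and "2130706433" both become "127.0.0.1".
function canonicalizeIPv4(str) {
  const parts = str.split('.');
  if (parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some(Number.isNaN)) return null;
  const last = nums.pop();
  if (nums.some((n) => n > 255)) return null;
  const tailBytes = 4 - nums.length;
  if (last >= 2 ** (8 * tailBytes)) return null;
  let value = 0;
  for (const n of nums) value = value * 256 + n;
  value = value * 2 ** (8 * tailBytes) + last;
  return [24, 16, 8, 0].map((s) => Math.floor(value / 2 ** s) % 256).join('.');
}

function toInt(quad) {
  return quad.split('.').reduce((acc, n) => acc * 256 + Number(n), 0);
}

// Ranges an SSRF filter must keep unreachable (loopback, RFC 1918, etc.).
const BLOCKED = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

// True only for a well-formed literal that falls outside every blocked range.
function isPublicIPv4(str) {
  const canon = canonicalizeIPv4(str);
  if (canon === null) return false;
  const v = toInt(canon);
  return !BLOCKED.some(([base, bits]) => {
    const block = 2 ** (32 - bits);
    return Math.floor(v / block) === Math.floor(toInt(base) / block);
  });
}
```

Anything that does not parse is treated as not public, which is the safe default for an allow-list check.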

abalamilla commented 3 weeks ago

Any updates on this? It looks like the number of vulnerabilities is continuing to increase.

pavel-khritonenko commented 1 week ago

Could anyone describe the status of the project? The published chart doesn't work in Kubernetes 1.25+, vulnerabilities are not fixed, etc.