nginx-proxy / acme-companion

Automated ACME SSL certificate generation for nginx-proxy
MIT License

[CVE] (possible?) RCE because of acme.sh - update from 2.9.0 to latest version #1035

Closed Luka5W closed 8 months ago

Luka5W commented 1 year ago

Bug description

This image/project is based on acmesh-official/acme.sh which had a CVE with possible RCE 2 days ago, already exploited by the (former) Chinese CA 'HiCA' (The issue is very entertaining to read btw :smirk:).

To be sure I've executed:

$ docker exec $container-name cat /app/acme.sh | grep "VER="
VER=2.9.0

I have not tested if an RCE is possible though.

Solution:

  1. Check if acme.sh can be updated to the latest version (hotfix, v3.0.6)
    • Shouldn't cause problems. Only v3.0.0 looks like a bigger change, but verify by yourself.
  2. Replace version in the Dockerfile#L6 to download the newer script

That should be all, but I don't know since I'm not involved in this project.

acme-companion image version

Info: running acme-companion version v2.2.8

nginx-proxy's Docker configuration, rendered nginx configuration, Containers logs, Docker host

N/A
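As an added example (not code from the acme-companion project or from the reporter), the version check from the report turned into a small POSIX sh script: it pulls the `VER=` line out of an acme.sh script, compares it field by field against the hotfix version the issue names (3.0.6), and reports whether the shipped copy is below that threshold. The container path `/app/acme.sh` is taken from the command in the report; the container name argument, the threshold constant and the sample script text are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of acme-companion. Checks whether an acme.sh script
# is at or above the hotfix version named in the issue. Assumptions: the script
# lives at /app/acme.sh inside the container, and 3.0.6 is the minimum safe version.

MIN_FIXED_VER="3.0.6"   # hotfix version named in the issue (assumed threshold)

# Constructed sample: first lines of an old acme.sh as the reporter found it.
SAMPLE_OLD_SCRIPT='#!/usr/bin/env sh
VER=2.9.0
PROJECT_NAME="acme.sh"'

# Read an acme.sh script on stdin and print the value of its first VER= line
# (quotes stripped). Prints nothing when no such line exists.
extract_ver() {
  sed -n 's/^VER=//p' | head -n 1 | tr -d "\"'"
}

# Return 0 when dotted version $1 >= $2, comparing each field numerically
# so that 3.1 > 3.0.6 and 3.0.6.1 > 3.0.6 (plain string comparison gets these wrong).
version_ge() {
  have="$1." want="$2."
  while [ -n "$have" ] || [ -n "$want" ]; do
    a=${have%%.*}; have=${have#*.}
    b=${want%%.*}; want=${want#*.}
    a=${a:-0}; b=${b:-0}
    [ "$a" -gt "$b" ] && return 0
    [ "$a" -lt "$b" ] && return 1
  done
  return 0
}

# Read an acme.sh script on stdin: exit 0 if at/above MIN_FIXED_VER,
# 1 if below it, 2 if no version line could be found.
check_acme_script() {
  ver=$(extract_ver)
  if [ -z "$ver" ]; then
    echo "could not find a VER= line in the script" >&2
    return 2
  fi
  if version_ge "$ver" "$MIN_FIXED_VER"; then
    echo "acme.sh $ver: at or above $MIN_FIXED_VER"
    return 0
  fi
  echo "acme.sh $ver: below $MIN_FIXED_VER, bump the version pinned in the Dockerfile" >&2
  return 1
}

# Usage: ./check_acme.sh <container-name>  inspects /app/acme.sh in that container.
if [ "$#" -gt 0 ]; then
  docker exec "$1" cat /app/acme.sh | check_acme_script
  exit $?
fi

# No argument: run against the constructed sample, which reports 2.9.0 as below 3.0.6.
printf '%s\n' "$SAMPLE_OLD_SCRIPT" | check_acme_script || :
```

Running it with a container name reproduces the reporter's `docker exec … cat /app/acme.sh | grep "VER="` check but with a real comparison instead of eyeballing the number; the exit code (0/1/2) makes it usable in a CI step or a monitoring probe.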