nginxinc / docker-nginx-unprivileged

Unprivileged NGINX Dockerfiles
https://hub.docker.com/r/nginxinc/nginx-unprivileged
Apache License 2.0

Vulnerability in the used Node version #233

Closed HassenMaamri closed 3 months ago

HassenMaamri commented 3 months ago

Hello,

In my team we are using the nginxinc Docker image with the "stable" tag.

We ran a security scan and it found the following vulnerability, classified as "HIGH" risk, coming from curl:

Information Disclosure (CVE-2023-46218)

The scan suggests that it is fixed in a patched version, 8.5.0. However, the installed version is 7.88.1.

I was wondering if it's possible for you to update node to the suggested version to solve the vulnerability? Thank you so much.

alessfg commented 3 months ago

Hey @HassenMaamri, this is not considered a critical CVE per https://github.com/nginxinc/docker-nginx-unprivileged#on-reporting-issues and https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/SECURITY.md, so the images will be rebuilt next Monday and assuming there's a fix by then, the image will be patched.

I will also add that if you actually read the CVE details (https://nvd.nist.gov/vuln/detail/CVE-2023-46218) you will see that the CVE is undergoing reanalysis so it might not even be considered a CVE anymore once the reanalysis is concluded.