nginxinc / docker-nginx-unprivileged

Unprivileged NGINX Dockerfiles
https://hub.docker.com/r/nginxinc/nginx-unprivileged
Apache License 2.0

Security Issues with Nginx (1.21.1-alpine) #73

Closed shahiinn closed 2 years ago

shahiinn commented 3 years ago

On scanning the latest version of Nginx (1.21.1-alpine) against JFrog Xray, we could see there are multiple security issues.

```json
{
   "total_count": 12,
   "data": [
      {
         "id": "",
         "severity": "Critical",
         "severity_source": "CVSS V3 from RBS",
         "summary": "Libxslt transform.c xsltApplyTemplates() Function Node Deletion Use-after-free Arbitrary Code Execution",
         "issue_type": "security",
         "provider": "JFrog",
         "component": "3.14:libxslt",
         "source_id": "alpine://3.14:libxslt",
         "source_comp_id": "alpine://3.14:libxslt:1.1.34-r1",
         "component_versions": {
            "id": "3.14:libxslt",
            "vulnerable_versions": [
               "≤ 1.1.34-r1"
            ],
            "more_details": {
               "cves": [
                  {
                     "cvss_v2": "9.3/CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C",
                     "cvss_v3": "9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                  },
                  {
                     "cve": "CVE-2021-30560"
                  }
               ],
               "provider": "JFrog"
            }
         },
         "edited": "2021-07-28T09:27:10Z",
         "is_source_root": false
      },
      {
         "id": "",
         "severity": "Critical",
         "severity_source": "CVSS V3 from RBS",
         "summary": "FreeType psaux/psintrp.c cf2_interpT2CharString() Function Integer Underflow Unspecified Issue",
         "issue_type": "security",
         "provider": "JFrog",
         "component": "3.14:freetype",
         "source_id": "alpine://3.14:freetype",
         "source_comp_id": "alpine://3.14:freetype:2.10.4-r1",
         "component_versions": {
            "id": "3.14:freetype",
            "vulnerable_versions": [
               "≤ 2.10.4-r1"
            ],
            "more_details": {
               "cves": [
                  {
                     "cvss_v2": "9.3/CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C",
                     "cvss_v3": "9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                  }
               ],
               "provider": "JFrog"
            }
         },
         "edited": "2021-07-23T09:27:13Z",
         "is_source_root": false
      },
      {
         "id": "",
         "severity": "High",
         "severity_source": "CVSS V3 from RBS",
         "summary": "cURL / libcurl Metalink Feature Download Handling Remote Credential Disclosure Weakness",
         "issue_type": "security",
         "provider": "JFrog",
         "component": "3.14:libcurl",
         "source_id": "alpine://3.14:libcurl",
         "source_comp_id": "alpine://3.14:libcurl:7.77.0-r1",
         "component_versions": {
            "id": "3.14:libcurl",
            "vulnerable_versions": [
               "7.46.0-r2 ≤ Version < 7.78.0-r0"
            ],
            "fixed_versions": [
               "7.78.0-r0"
            ],
            "more_details": {
               "cves": [
                  {
                     "cvss_v2": "4.3/CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N",
                     "cvss_v3": "8.6/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
                  },
                  {
                     "cve": "CVE-2021-22923"
                  }
               ],
               "provider": "JFrog"
            }
         },
         "edited": "2021-07-28T09:27:10Z",
         "is_source_root": false
      },
      {
         "id": "",
         "severity": "High",
         "severity_source": "CVSS V3 from RBS",
         "summary": "cURL / libcurl Metalink Feature Download Handling Remote Credential Disclosure Weakness",
         "issue_type": "security",
         "provider": "JFrog",
         "component": "3.14:curl",
         "source_id": "alpine://3.14:curl",
         "source_comp_id": "alpine://3.14:curl:7.77.0-r1",
         "component_versions": {
            "id": "3.14:curl",
            "vulnerable_versions": [
               "7.27.0-r0 ≤ Version < 7.78.0-r0"
            ],
            "fixed_versions": [
               "7.78.0-r0"
            ],
            "more_details": {
               "cves": [
                  {
                     "cvss_v2": "4.3/CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N",
                     "cvss_v3": "8.6/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
                  },
                  {
                     "cve": "CVE-2021-22923"
                  }
               ],
               "provider": "JFrog"
            }
         },
         "edited": "2021-07-28T09:27:10Z",
         "is_source_root": false
      },
      {
         "id": "",
         "severity": "High",
         "severity_source": "CVSS V3 from RBS",
         "summary": "Google WebP (libwebp) mux/anim_encode.c WebPAnimEncoderAdd() Function GIF Image Handling Out-of-bounds Read Issue",
         "issue_type": "security",
         "provider": "JFrog",
         "component": "3.14:libwebp",
         "source_id": "alpine://3.14:libwebp",
         "source_comp_id": "alpine://3.14:libwebp:1.2.0-r2",
         "component_versions": {
            "id": "3.14:libwebp",
            "vulnerable_versions": [
               "≤ 1.2.0-r2"
            ],
            "more_details": {
               "cves": [
                  {
                     "cvss_v2": "7.8/CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:C",
                     "cvss_v3": "8.2/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"
                  }
               ],
               "provider": "JFrog"
            }
         },
         "edited": "2021-07-02T09:26:14Z",
         "is_source_root": false
      },
      {
         "id": "",
         "severity": "High",
         "severity_source": "CVSS V3 from RBS",
         "summary": "Google WebP (libwebp) utils/rescaler_utils.c WebPRescalerInit() Function Integer Overflow Buffer Overflow DoS",
         "issue_type": "security",
         "provider": "JFrog",
         "component": "3.14:libwebp",
         "source_id": "alpine://3.14:libwebp",
         "source_comp_id": "alpine://3.14:libwebp:1.2.0-r2",
         "component_versions": {
            "id": "3.14:libwebp",
            "vulnerable_versions": [
               "≤ 1.2.0-r2"
            ],
            "more_details": {
               "cves": [
                  {
                     "cvss_v2": "7.1/CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:C",
                     "cvss_v3": "7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                  }
               ],
               "provider": "JFrog"
            }
         },
         "edited": "2021-07-02T09:26:14Z",
         "is_source_root": false
      },
      {
         "id": "",
         "severity": "High",
         "severity_source": "CVSS V3 from RBS",
         "summary": "FreeType psaux/psintrp.c cf2_interpT2CharString() Function Integer Underflow Out-of-bounds Access DoS",
         "issue_type": "security",
         "provider": "JFrog",
         "component": "3.14:freetype",
         "source_id": "alpine://3.14:freetype",
         "source_comp_id": "alpine://3.14:freetype:2.10.4-r1",
         "component_versions": {
            "id": "3.14:freetype",
            "vulnerable_versions": [
               "≤ 2.10.4-r1"
            ],
            "more_details": {
               "cves": [
                  {
                     "cvss_v2": "7.1/CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:C",
                     "cvss_v3": "7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                  }
               ],
               "provider": "JFrog"
            }
         },
         "edited": "2021-07-19T09:27:14Z",
         "is_source_root": false
      },
      {
         "id": "",
         "severity": "High",
         "severity_source": "CVSS V3 from RBS",
         "summary": "FreeType psnames/psmodule.c ps_unicodes_init() Function Empty Glyph Name Handling Out-of-bounds Read Issue",
         "issue_type": "security",
         "provider": "JFrog",
         "component": "3.14:freetype",
         "source_id": "alpine://3.14:freetype",
         "source_comp_id": "alpine://3.14:freetype:2.10.4-r1",
         "component_versions": {
            "id": "3.14:freetype",
            "vulnerable_versions": [
               "≤ 2.10.4-r1"
            ],
            "more_details": {
               "cves": [
                  {
                     "cvss_v2": "7.8/AV:N/AC:M/Au:N/C:P/I:N/A:C",
                     "cvss_v3": "8.2/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"
                  }
               ],
               "provider": "JFrog"
            }
         },
         "edited": "2021-07-19T09:27:14Z",
         "is_source_root": false
      },
      {
         "id": "",
         "severity": "Medium",
         "severity_source": "CVSS V3 from RBS",
         "summary": "cURL / libcurl lib/vtls/vtls.c Curl_ssl_config_matches() Function Improper Path Name Check Connection Reuse Weakness",
         "issue_type": "security",
         "provider": "JFrog",
         "component": "3.14:libcurl",
         "source_id": "alpine://3.14:libcurl",
         "source_comp_id": "alpine://3.14:libcurl:7.77.0-r1",
         "component_versions": {
            "id": "3.14:libcurl",
            "vulnerable_versions": [
               "7.46.0-r2 ≤ Version < 7.78.0-r0"
            ],
            "fixed_versions": [
               "7.78.0-r0"
            ],
            "more_details": {
               "cves": [
                  {
                     "cvss_v2": "2.6/CVSS:2.0/AV:N/AC:H/Au:N/C:N/I:P/A:N",
                     "cvss_v3": "6.5/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"
                  },
                  {
                     "cve": "CVE-2021-22924"
                  }
               ],
               "provider": "JFrog"
            }
         },
         "edited": "2021-07-28T09:27:10Z",
         "is_source_root": false
      },
      {
         "id": "",
         "severity": "Medium",
         "severity_source": "CVSS V3 from RBS",
         "summary": "cURL / libcurl lib/vtls/vtls.c Curl_ssl_config_matches() Function Improper Path Name Check Connection Reuse Weakness",
         "issue_type": "security",
         "provider": "JFrog",
         "component": "3.14:curl",
         "source_id": "alpine://3.14:curl",
         "source_comp_id": "alpine://3.14:curl:7.77.0-r1",
         "component_versions": {
            "id": "3.14:curl",
            "vulnerable_versions": [
               "7.19.2-r0 ≤ Version < 7.78.0-r0"
            ],
            "fixed_versions": [
               "7.78.0-r0"
            ],
            "more_details": {
               "cves": [
                  {
                     "cvss_v2": "2.6/CVSS:2.0/AV:N/AC:H/Au:N/C:N/I:P/A:N",
                     "cvss_v3": "6.5/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"
                  },
                  {
                     "cve": "CVE-2021-22924"
                  }
               ],
               "provider": "JFrog"
            }
         },
         "edited": "2021-07-28T09:27:10Z",
         "is_source_root": false
      },
      {
         "id": "",
         "severity": "Medium",
         "severity_source": "CVSS V3 from RBS",
         "summary": "cURL / libcurl Metalink Feature Content Download Improper Hash Mismatch Handling Weakness",
         "issue_type": "security",
         "provider": "JFrog",
         "component": "3.14:curl",
         "source_id": "alpine://3.14:curl",
         "source_comp_id": "alpine://3.14:curl:7.77.0-r1",
         "component_versions": {
            "id": "3.14:curl",
            "vulnerable_versions": [
               "7.27.0-r0 ≤ Version < 7.78.0-r0"
            ],
            "fixed_versions": [
               "7.78.0-r0"
            ],
            "more_details": {
               "cves": [
                  {
                     "cvss_v2": "2.6/CVSS:2.0/AV:N/AC:H/Au:N/C:N/I:P/A:N",
                     "cvss_v3": "5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"
                  },
                  {
                     "cve": "CVE-2021-22922"
                  }
               ],
               "provider": "JFrog"
            }
         },
         "edited": "2021-07-28T09:27:10Z",
         "is_source_root": false
      },
      {
         "id": "",
         "severity": "Medium",
         "severity_source": "CVSS V3 from RBS",
         "summary": "cURL / libcurl Metalink Feature Content Download Improper Hash Mismatch Handling Weakness",
         "issue_type": "security",
         "provider": "JFrog",
         "component": "3.14:libcurl",
         "source_id": "alpine://3.14:libcurl",
         "source_comp_id": "alpine://3.14:libcurl:7.77.0-r1",
         "component_versions": {
            "id": "3.14:libcurl",
            "vulnerable_versions": [
               "7.46.0-r2 ≤ Version < 7.78.0-r0"
            ],
            "fixed_versions": [
               "7.78.0-r0"
            ],
            "more_details": {
               "cves": [
                  {
                     "cvss_v2": "2.6/CVSS:2.0/AV:N/AC:H/Au:N/C:N/I:P/A:N",
                     "cvss_v3": "5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"
                  },
                  {
                     "cve": "CVE-2021-22922"
                  }
               ],
               "provider": "JFrog"
            }
         },
         "edited": "2021-07-28T09:27:10Z",
         "is_source_root": false
      },
      {
         "id": "",
         "severity": "Low",
         "severity_source": "CVSS V3 from RBS",
         "summary": "cURL / libcurl lib/telnet.c suboption() Function telnet Handshake Uninitialized Memory Disclosure",
         "issue_type": "security",
         "provider": "JFrog",
         "component": "3.14:curl",
         "source_id": "alpine://3.14:curl",
         "source_comp_id": "alpine://3.14:curl:7.77.0-r1",
         "component_versions": {
            "id": "3.14:curl",
            "vulnerable_versions": [
               "7.19.2-r0 ≤ Version < 7.78.0-r0"
            ],
            "fixed_versions": [
               "7.78.0-r0"
            ],
            "more_details": {
               "cves": [
                  {
                     "cvss_v2": "2.6/CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:N/A:N",
                     "cvss_v3": "3.7/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
                  },
                  {
                     "cve": "CVE-2021-22898",
                     "cwe": [
                        "CWE-909"
                     ],
                     "cvss_v2": "2.6/CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:N/A:N",
                     "cvss_v3": "3.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"
                  }
               ],
               "provider": "JFrog"
            }
         },
         "edited": "2021-07-27T09:27:12Z",
         "is_source_root": false
      },
      {
         "id": "",
         "severity": "Low",
         "severity_source": "CVSS V3 from RBS",
         "summary": "cURL / libcurl lib/telnet.c suboption() Function telnet Handshake Uninitialized Memory Disclosure",
         "issue_type": "security",
         "provider": "JFrog",
         "component": "3.14:libcurl",
         "source_id": "alpine://3.14:libcurl",
         "source_comp_id": "alpine://3.14:libcurl:7.77.0-r1",
         "component_versions": {
            "id": "3.14:libcurl",
            "vulnerable_versions": [
               "7.46.0-r2 ≤ Version < 7.78.0-r0"
            ],
            "fixed_versions": [
               "7.78.0-r0"
            ],
            "more_details": {
               "cves": [
                  {
                     "cvss_v2": "2.6/CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:N/A:N",
                     "cvss_v3": "3.7/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
                  },
                  {
                     "cve": "CVE-2021-22898",
                     "cwe": [
                        "CWE-909"
                     ],
                     "cvss_v2": "2.6/CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:N/A:N",
                     "cvss_v3": "3.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"
                  }
               ],
               "provider": "JFrog"
            }
         },
         "edited": "2021-07-27T09:27:12Z",
         "is_source_root": false
      },
      {
         "id": "",
         "severity": "Low",
         "severity_source": "CVSS V3 from RBS",
         "summary": "cURL / libcurl lib/vtls/sectransp.c sectransp_connect_step1() Function Client Certificate Confusion Local Issue",
         "issue_type": "security",
         "provider": "JFrog",
         "component": "3.14:curl",
         "source_id": "alpine://3.14:curl",
         "source_comp_id": "alpine://3.14:curl:7.77.0-r1",
         "component_versions": {
            "id": "3.14:curl",
            "vulnerable_versions": [
               "7.33.0-r0 ≤ Version < 7.78.0-r0"
            ],
            "fixed_versions": [
               "7.78.0-r0"
            ],
            "more_details": {
               "cves": [
                  {
                     "cvss_v2": "2.6/CVSS:2.0/AV:N/AC:H/Au:N/C:N/I:P/A:N",
                     "cvss_v3": "3.7/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
                  },
                  {
                     "cve": "CVE-2021-22926"
                  }
               ],
               "provider": "JFrog"
            }
         },
         "edited": "2021-07-27T09:27:12Z",
         "is_source_root": false
      },
      {
         "id": "",
         "severity": "Low",
         "severity_source": "CVSS V3 from RBS",
         "summary": "cURL / libcurl lib/vtls/sectransp.c sectransp_connect_step1() Function Client Certificate Confusion Local Issue",
         "issue_type": "security",
         "provider": "JFrog",
         "component": "3.14:libcurl",
         "source_id": "alpine://3.14:libcurl",
         "source_comp_id": "alpine://3.14:libcurl:7.77.0-r1",
         "component_versions": {
            "id": "3.14:libcurl",
            "vulnerable_versions": [
               "7.46.0-r2 ≤ Version ≤ 7.77.0-r1"
            ],
            "more_details": {
               "cves": [
                  {
                     "cvss_v2": "2.6/CVSS:2.0/AV:N/AC:H/Au:N/C:N/I:P/A:N",
                     "cvss_v3": "3.7/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
                  },
                  {
                     "cve": "CVE-2021-22926"
                  }
               ],
               "provider": "JFrog"
            }
         },
         "edited": "2021-07-27T09:27:12Z",
         "is_source_root": false
      },
      {
         "id": "",
         "severity": "Unknown",
         "severity_source": "CVSS V3 from RBS",
         "summary": "Perl-Compatible Regular Expressions (PCRE) Regular Expression Handling Memory Consumption DoS Weakness",
         "issue_type": "security",
         "provider": "JFrog",
         "component": "3.14:pcre",
         "source_id": "alpine://3.14:pcre",
         "source_comp_id": "alpine://3.14:pcre:8.44-r0",
         "component_versions": {
            "id": "3.14:pcre",
            "vulnerable_versions": [
               "8.43-r0 ≤ Version ≤ 8.44-r0"
            ],
            "more_details": {
               "cves": [
                  {
                     "cvss_v2": "0.0/AV:N/AC:M/Au:N/C:N/I:N/A:N",
                     "cvss_v3": "0.0/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
                  }
               ],
               "provider": "JFrog"
            }
         },
         "edited": "2021-07-19T09:27:01Z",
         "is_source_root": false
      }
   ]
}
```

Can you please have a look into the issues and provide an update. 
alessfg commented 3 years ago

Couple things: 1) In the future, could you edit the code blocks so that they can be human readable? 2) None of the packages listed here are actually used by the image. curl is installed for ease of use for people using the image, but you can always extend the image and update curl if you want to make sure that you are using the latest up to date version of the package.
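The scan output above and the "extend the image and update curl" suggestion, as an added example that is not code from the nginx-unprivileged project or from JFrog Xray: a Python triage script that flattens the Xray JSON into one row per package and CVE, prints the human-readable table the maintainer asked for, and derives pinned `apk` constraints for the packages that already carry a `fixed_versions` entry. The embedded report is a constructed four-entry subset of the posted output (same field names and values, `summary` fields dropped); the `pkg>=version` apk dependency syntax, the simple dotted-numeric version comparison, and the image's default UID 101 mentioned below are assumptions about Alpine apk and the image, not facts stated in the thread.

```python
"""Triage a JFrog Xray JSON report like the one posted in the issue.

Added example, not code from the nginx-unprivileged project or from Xray:
one record per (package, CVE), a readable table, and pinned apk constraints
for the packages the scanner already reports a fixed version for.
"""
import json

# Constructed sample: four entries trimmed from the posted report (same field
# names and values, 'summary' omitted because nothing below needs it).
SAMPLE_REPORT = json.dumps({"total_count": 4, "data": [
    {"severity": "Critical", "source_comp_id": "alpine://3.14:libxslt:1.1.34-r1",
     "component_versions": {"vulnerable_versions": ["≤ 1.1.34-r1"],
         "more_details": {"cves": [
             {"cvss_v3": "9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
             {"cve": "CVE-2021-30560"}]}}},
    {"severity": "High", "source_comp_id": "alpine://3.14:libcurl:7.77.0-r1",
     "component_versions": {"vulnerable_versions": ["7.46.0-r2 ≤ Version < 7.78.0-r0"],
         "fixed_versions": ["7.78.0-r0"],
         "more_details": {"cves": [
             {"cvss_v3": "8.6/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},
             {"cve": "CVE-2021-22923"}]}}},
    {"severity": "High", "source_comp_id": "alpine://3.14:curl:7.77.0-r1",
     "component_versions": {"vulnerable_versions": ["7.27.0-r0 ≤ Version < 7.78.0-r0"],
         "fixed_versions": ["7.78.0-r0"],
         "more_details": {"cves": [
             {"cvss_v3": "8.6/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},
             {"cve": "CVE-2021-22923"}]}}},
    {"severity": "Unknown", "source_comp_id": "alpine://3.14:pcre:8.44-r0",
     "component_versions": {"vulnerable_versions": ["8.43-r0 ≤ Version ≤ 8.44-r0"],
         "more_details": {"cves": [
             {"cvss_v3": "0.0/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"}]}}},
]})


def parse_component(source_comp_id):
    """'alpine://3.14:libcurl:7.77.0-r1' -> ('libcurl', '7.77.0-r1')."""
    _, _, rest = source_comp_id.partition("://")
    _release, pkg, version = rest.split(":", 2)
    return pkg, version


def apk_version_key(version):
    """Sort key for the dotted numeric Alpine versions seen in the report,
    e.g. '7.78.0-r0' -> ((7, 78, 0), 0). Not a general apk version comparator."""
    base, _, rel = version.partition("-r")
    return tuple(int(p) for p in base.split(".")), int(rel or 0)


def triage(report_json):
    """Flatten the report to one record per (package, CVE id)."""
    findings = []
    for item in json.loads(report_json)["data"]:
        pkg, installed = parse_component(item["source_comp_id"])
        cv = item["component_versions"]
        # Xray puts the CVSS vectors and the CVE id in separate objects of
        # the 'cves' list, so collect each kind across the whole list.
        cves = cv.get("more_details", {}).get("cves", [])
        ids = sorted({c["cve"] for c in cves if "cve" in c}) or ["(no CVE id)"]
        scores = [float(c["cvss_v3"].split("/", 1)[0]) for c in cves if "cvss_v3" in c]
        fixed = (cv.get("fixed_versions") or [None])[0]
        for cve in ids:
            findings.append({"package": pkg, "installed": installed, "cve": cve,
                             "severity": item["severity"], "fixed": fixed,
                             "cvss_v3": max(scores) if scores else None})
    return findings


def summarize(findings):
    """Human-readable table, highest CVSS v3 score first."""
    rows = sorted(findings, key=lambda f: (-(f["cvss_v3"] or 0.0), f["package"]))
    lines = [f"{'PACKAGE':<9} {'INSTALLED':<11} {'FIXED':<11} {'SEVERITY':<9} CVSS  CVE"]
    for f in rows:
        score = "-" if f["cvss_v3"] is None else f"{f['cvss_v3']:.1f}"
        lines.append(f"{f['package']:<9} {f['installed']:<11} {f['fixed'] or '-':<11} "
                     f"{f['severity']:<9} {score:<5} {f['cve']}")
    return "\n".join(lines)


def unfixed_packages(findings):
    """Packages reported without a fixed version: nothing to pin yet, so they
    need a reachability/risk decision rather than an upgrade line."""
    return sorted({f["package"] for f in findings if not f["fixed"]})


def apk_add_line(findings):
    """RUN command for a derived Dockerfile: one 'pkg>=fixed' constraint per
    package (highest fixed version wins); unfixed packages are left out so the
    build cannot fail on an unsatisfiable constraint. Assumes apk accepts the
    'pkg>=version' dependency syntax."""
    pins = {}
    for f in findings:
        if f["fixed"] and (f["package"] not in pins or
                           apk_version_key(f["fixed"]) > apk_version_key(pins[f["package"]])):
            pins[f["package"]] = f["fixed"]
    return "apk add --no-cache " + " ".join(f"'{p}>={v}'" for p, v in sorted(pins.items()))


if __name__ == "__main__":
    found = triage(SAMPLE_REPORT)
    print(summarize(found))
    print("no fix yet:", ", ".join(unfixed_packages(found)))
    print(apk_add_line(found))
```

In a derived Dockerfile the generated line goes in a `RUN` step between `USER root` and `USER 101` after `FROM nginxinc/nginx-unprivileged:1.21.1-alpine`, so the upgrade runs with the privileges apk needs while the container still starts as the unprivileged user (101 being the image's default UID, an assumption here). The rows the table lists without a fixed version (libxslt and pcre in the sample) cannot be pinned and need a judgment about whether nginx in this image actually reaches that library, which is the distinction the reply above draws.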

alessfg commented 2 years ago

New images are live! Sadly, it looks like curl did not get updated based on the issue you opened in the upstream docker-nginx repository. I'll rebuild the images when/if it gets updated in the near future.