rstudio / shiny-server

Host Shiny applications over the web.
https://rstudio.com/shiny/server

Identified Security Vulnerabilities #448

Closed jdonnell01 closed 4 years ago

jdonnell01 commented 4 years ago

Hello, when I ingested the latest Shiny Server image from DockerHub (https://hub.docker.com/r/rocker/shiny) there were identified security vulnerabilities - please see below. Can these possibly be remediated?

Previous Remediation Issue: https://github.com/rstudio/shiny-server/issues/412

Thank you

[
  {
    "file": "/opt/shiny-server/node_modules/minimist/index.js",
    "name": "CVE-2020-7598",
    "type": "CVE",
    "description": "minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a \"constructor\" or \"__proto__\" payload.",
    "score": "7.5",
    "severity": "high",
    "publishdate": "2020-03-11",
    "acknowledged": false,
    "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7598",
    "score_version": "CVSS v2",
    "solution": "minimist - 0.2.1,1.2.2",
    "vendor_name": "",
    "vendor_severity": "high",
    "vendor_statement": "",
    "fix_version": "minimist - 0.2.1,1.2.2"
  },
  {
    "file": "/usr/lib/python3.7/urllib/request.py",
    "name": "CVE-2020-8492",
    "type": "CVE",
    "description": "Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.",
    "score": "7.1",
    "severity": "high",
    "publishdate": "2020-01-30",
    "acknowledged": false,
    "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8492",
    "score_version": "CVSS v2",
    "solution": "",
    "vendor_name": "",
    "vendor_severity": "medium",
    "vendor_statement": "",
    "fix_version": ""
  }
]
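The first finding above, CVE-2020-7598, is a prototype-pollution bug in how minimist assigns dotted argument keys. The block below is an added example, not code from this issue, from minimist or from Shiny Server: a deliberately minimal argv parser that reproduces the vulnerable dotted-key walk next to a hardened variant. The hardening shown (a deny-list of `__proto__`, `constructor` and `prototype` plus an own-property check before descending) is this example's own, not minimist's exact patch; `parseArgs`, `setKeyVulnerable`, `setKeyHardened`, `probe` and `report` are names chosen here.

```javascript
'use strict';
// Added example, not minimist's code: a minimal "--a.b=1" parser that shows
// how an unfiltered dotted-key walk reaches Object.prototype (CVE-2020-7598's
// bug class) and one way to close it. The hardened walker is this example's
// own fix, not the patch shipped in minimist 1.2.2.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: follows any key, including inherited ones, so
// "__proto__" resolves to Object.prototype and "constructor" to Object.
function setKeyVulnerable(obj, keys, value) {
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
}

// Hardened: reject keys that reach the prototype chain, and only descend into
// plain objects the target itself owns (so e.g. "toString.x" cannot write onto
// the shared builtin function either).
function setKeyHardened(obj, keys, value) {
  if (keys.some((k) => UNSAFE_KEYS.has(k))) return false;
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(o, key);
    if (!own || typeof o[key] !== 'object' || o[key] === null) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
  return true;
}

// Parse "--path.to.key=value" arguments using the given assignment strategy.
function parseArgs(argv, setKey) {
  const out = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (!m) continue;
    setKey(out, m[1].split('.'), m[2]);
  }
  return out;
}

// Feed one payload through the parser and check whether a fresh, unrelated
// object picked up the injected property; always clean up afterwards.
function probe(setKey, payload) {
  const parsed = parseArgs([payload, '--name=shiny'], setKey);
  const polluted = ({}).polluted;      // only defined if Object.prototype was written
  delete Object.prototype.polluted;
  return { name: parsed.name, polluted };
}

// Two payload shapes named in the CVE text (constructed inputs).
const PAYLOADS = ['--__proto__.polluted=yes', '--constructor.prototype.polluted=yes'];

function report(setKey) {
  return PAYLOADS.map((p) => ({ payload: p, ...probe(setKey, p) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', report(setKeyVulnerable));
  console.log('hardened:', report(setKeyHardened));
}
```

The point of the own-property check is that the deny-list alone is not enough: any inherited key that resolves to a shared object (a builtin method, for instance) is another road to the prototype chain, so the walker should never descend into something the parsed object does not itself own.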

jdonnell01 commented 4 years ago

Hello, I see that the image version was recently updated to include the latest version of Shiny Server: https://hub.docker.com/r/rocker/shiny/tags (4.0.0). I scanned the image and it seems there are still a few High security vulnerabilities. Can these possibly be addressed?

Thank you very much.

{
  "artifact": {
    "type": "IMAGE",
    "id": "rocker/shiny:4.0.0",
    "licenses": [],
    "rejectReasons": [
      {
        "type": "VULNERABILITY",
        "vulnerability": {
          "name": "CVE-2018-13410",
          "cvssScoreV2": 7.5,
          "cvssScoreV3": 0,
          "severity": "high",
          "description": "** DISPUTED ** Info-ZIP Zip 3.0, when the -T and -TT command-line options are used, allows attackers to cause a denial of service (invalid free and application crash) or possibly have unspecified other impact because of an off-by-one error. NOTE: it is unclear whether there are realistic scenarios in which an untrusted party controls the -TT value, given that the entire purpose of -TT is execution of arbitrary commands.. Impacted Image File(s): zip"
        }
      },
      {
        "type": "VULNERABILITY",
        "vulnerability": {
          "name": "CVE-2017-13716",
          "cvssScoreV2": 7.1,
          "cvssScoreV3": 0,
          "severity": "high",
          "description": "The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).. Impacted Image File(s): binutils"
        }
      },
      {
        "type": "VULNERABILITY",
        "vulnerability": {
          "name": "CVE-2019-18276",
          "cvssScoreV2": 7.2,
          "cvssScoreV3": 0,
          "severity": "high",
          "description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.. Impacted Image File(s): bash"
        }
      }
    ],
    "dependencies": []
  }
}

jcheng5 commented 4 years ago

None of the vulnerabilities in your more recent comment look related to Shiny or Shiny Server, but instead to other software in the image (Info-ZIP, GNU Binutils, GNU Bash). We actually don't have anything to do with rocker other than creating software that they consume. I think this might be the right repo to report this: https://github.com/rocker-org/shiny

If these do turn out to be Shiny Server vulnerabilities then by all means please let us know. Thanks!
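The maintainer's point is that a scan of the whole image mixes findings in software Shiny Server bundles (its `node_modules` under `/opt/shiny-server`) with findings in packages the base image ships (zip, binutils, bash, Python). The block below is an added example, not code from this issue, from rocker or from Shiny Server: it takes records in the two shapes the reporter posted and routes each to the component that owns the affected file. The sample records are constructed here with descriptions trimmed, the `/opt/shiny-server/` prefix and the two tracker URLs are assumptions taken from the thread, and `fromFlat`, `fromRejectReason`, `fixTarget`, `triage` and `summary` are names chosen for this example.

```javascript
'use strict';
// Added example, not from the issue, rocker or Shiny Server: route image-scan
// findings by owning component. Records are constructed to mirror the two
// report shapes in the thread; descriptions are trimmed.

const SHINY_SERVER_PREFIX = '/opt/shiny-server/';   // assumed install path

// Assumed routing, following the maintainer's reply.
const TRACKERS = {
  'shiny-server': 'https://github.com/rstudio/shiny-server/issues',
  'base-image': 'https://github.com/rocker-org/shiny/issues',
};

// Shape 1: flat records carrying a "file" path and a "fix_version" field.
const FLAT_FINDINGS = [
  { file: '/opt/shiny-server/node_modules/minimist/index.js', name: 'CVE-2020-7598',
    severity: 'high', fix_version: 'minimist - 0.2.1,1.2.2' },
  { file: '/usr/lib/python3.7/urllib/request.py', name: 'CVE-2020-8492',
    severity: 'high', fix_version: '' },
];

// Shape 2: "rejectReasons" whose description ends in "Impacted Image File(s): <pkg>".
const REJECT_REASONS = [
  { type: 'VULNERABILITY', vulnerability: { name: 'CVE-2018-13410', severity: 'high',
    description: 'Info-ZIP Zip 3.0 ... Impacted Image File(s): zip' } },
  { type: 'VULNERABILITY', vulnerability: { name: 'CVE-2019-18276', severity: 'high',
    description: 'GNU Bash through 5.0 patch 11 ... Impacted Image File(s): bash' } },
];

// A file under the Shiny Server tree is its bundled dependency; name the Node
// package from the node_modules segment when there is one.
function fromFlat(rec) {
  const inShiny = rec.file.startsWith(SHINY_SERVER_PREFIX);
  const mod = /node_modules\/((?:@[^/]+\/)?[^/]+)/.exec(rec.file);
  return {
    id: rec.name,
    severity: rec.severity,
    component: inShiny ? 'shiny-server' : 'base-image',
    package: mod ? mod[1] : rec.file,
    fix: rec.fix_version || null,
  };
}

// OS packages named in the description belong to the image, not Shiny Server.
function fromRejectReason(rec) {
  const v = rec.vulnerability;
  const m = /Impacted Image File\(s\):\s*([^\s,]+)/.exec(v.description);
  return { id: v.name, severity: v.severity, component: 'base-image',
           package: m ? m[1] : 'unknown', fix: null };
}

// From a "pkg - a.b.c,d.e.f" fix field, pick the release on the same major
// line as the installed version; null when none is listed for that line.
function fixTarget(installed, fixField) {
  const m = /^\S+\s+-\s+(.+)$/.exec(fixField || '');
  if (!m) return null;
  const major = installed.split('.')[0];
  const candidates = m[1].split(',').map((s) => s.trim());
  return candidates.find((v) => v.split('.')[0] === major) || null;
}

// Group normalized findings by owning component.
function triage(flat = FLAT_FINDINGS, reject = REJECT_REASONS) {
  const all = [...flat.map(fromFlat), ...reject.map(fromRejectReason)];
  const byComponent = {};
  for (const f of all) {
    if (!byComponent[f.component]) byComponent[f.component] = [];
    byComponent[f.component].push(f);
  }
  return byComponent;
}

// One line per component: where to report and which CVE ids go there.
function summary(byComponent = triage()) {
  return Object.entries(byComponent).map(([component, findings]) => ({
    component, tracker: TRACKERS[component], ids: findings.map((f) => f.id),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(summary(), null, 2));
}
```

Splitting the report this way before filing it also makes the follow-up concrete: for a bundled Node dependency the fix is a version bump on the same major line (1.2.2 for a 1.x minimist), while an OS-package CVE is addressed by rebuilding the image on a patched base.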

jdonnell01 commented 4 years ago

Understood - I appreciate the quick reply. Thank you