rstudio / shiny-server

Host Shiny applications over the web.
https://rstudio.com/shiny/server

RStudio Shiny Server 1.5.14.948 vulnerabilities #463

Closed dvasilen closed 3 years ago

dvasilen commented 4 years ago

@jcheng5

The scans for the RStudio Shiny Server 1.5.14.948 show 2 high-severity vulnerabilities for the open source components: CVE-2020-8116 and CVE-2019-20149.

Are there plans to address these in the new version of the server and what is the ETA?


jcheng5 commented 3 years ago

Thanks for the report, and sorry for the delay. In the future, for more reliable service you can email security@rstudio.com with vulnerability reports.

We recently released Shiny Server v1.15, which includes Node.js v12.19.0, but it looks like that version doesn't have the fix for the first CVE (I don't understand the second one, the description doesn't match the file in question, and the kind-of package is not part of anything we ship).

Fortunately, these vulnerabilities should not affect Shiny Server; they are subdependencies of npm, which is used only to build our product, not to run it. You can confirm this by deleting the directory /opt/shiny-server/ext/node/lib/node_modules/npm and seeing that the product still works (I've only tested this briefly so I can't recommend doing this in production without doing your own testing).

I've just updated to Node.js v12.20.0 (which has a fixed dot-prop version) on master; look for Shiny Server 1.5.16.955 to appear soon on https://dailies.rstudio.com.