Closed dvasilen closed 1 year ago
We observe similar issues using trivy (similar check to https://github.com/rstudio/shiny-server/issues/519). Here I include only HIGH or CRITICAL issues; these are all coming from nodejs:
Node.js (node-pkg)
==================
Total: 17 (MEDIUM: 8, HIGH: 5, CRITICAL: 4)
┌─────────────────────────────────┬────────────────┬──────────┬───────────────────┬────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├─────────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ ansi-regex (package.json) │ CVE-2021-3807 │ HIGH │ 3.0.0 │ 3.0.1, 4.1.1, 5.0.1, 6.0.1 │ nodejs-ansi-regex: Regular expression denial of service │
│ │ │ │ │ │ (ReDoS) matching ANSI escape codes │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-3807 │
│ │ │ ├───────────────────┤ │ │
│ │ │ │ 4.1.0 │ │ │
│ │ │ │ │ │ │
│ │ │ │ │ │ │
├─────────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ eventsource (package.json) │ CVE-2022-1650 │ CRITICAL │ 1.1.0 │ 2.0.2, 1.1.1 │ eventsource: Exposure of Sensitive Information │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-1650 │
├─────────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ follow-redirects (package.json) │ CVE-2022-0155 │ HIGH │ 1.11.0 │ 1.14.7 │ follow-redirects: Exposure of Private Personal Information │
│ │ │ │ │ │ to an Unauthorized Actor │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-0155 │
├─────────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ json-schema (package.json) │ CVE-2021-3918 │ CRITICAL │ 0.2.3 │ 0.4.0 │ nodejs-json-schema: Prototype pollution vulnerability │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-3918 │
├─────────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ minimist (package.json) │ CVE-2021-44906 │ CRITICAL │ 1.2.5 │ 1.2.6 │ minimist: prototype pollution │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-44906 │
├─────────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ moment (package.json) │ CVE-2022-24785 │ HIGH │ 2.29.1 │ 2.29.2 │ Moment.js: Path traversal in moment.locale │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-24785 │
│ ├────────────────┤ │ ├────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-31129 │ │ │ 2.29.4 │ moment: inefficient parsing algorithim resulting in DoS │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-31129 │
├─────────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ url-parse (package.json) │ CVE-2022-0686 │ CRITICAL │ 1.5.3 │ 1.5.8 │ npm-url-parse: Authorization bypass through user-controlled │
│ │ │ │ │ │ key │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-0686 │
└─────────────────────────────────┴────────────────┴──────────┴───────────────────┴────────────────────────────┴──────────────────────────────────────────────────────────────┘
Maybe a nodejs version bump to 16.16.0 LTS already fixes those?
I'm so sorry I didn't see this earlier--we just released a new version today but I can't immediately tell you if these are fixed in that build either. I'll deal with these as soon as possible.
Thank you @jcheng5!
The new version has fewer vulnerabilities detected:
Node.js (node-pkg)
==================
Total: 9 (MEDIUM: 2, HIGH: 4, CRITICAL: 2)
2022-08-07T23:16:09.144+0200 INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.
┌────────────────────────────┬────────────────┬──────────┬───────────────────┬────────────────────────────┬─────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────┤
│ ansi-regex (package.json) │ CVE-2021-3807 │ HIGH │ 3.0.0 │ 3.0.1, 4.1.1, 5.0.1, 6.0.1 │ nodejs-ansi-regex: Regular expression denial of service │
│ │ │ │ │ │ (ReDoS) matching ANSI escape codes │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-3807 │
│ │ │ ├───────────────────┤ │ │
│ │ │ │ 5.0.0 │ │ │
│ │ │ │ │ │ │
│ │ │ │ │ │ │
├────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────┤
│ eventsource (package.json) │ CVE-2022-1650 │ CRITICAL │ 1.1.0 │ 2.0.2, 1.1.1 │ eventsource: Exposure of Sensitive Information │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-1650 │
├────────────────────────────┼────────────────┤ ├───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────┤
│ minimist (package.json) │ CVE-2021-44906 │ │ 1.2.5 │ 1.2.6 │ minimist: prototype pollution │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-44906 │
├────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────┤
│ moment (package.json) │ CVE-2022-24785 │ HIGH │ 2.29.1 │ 2.29.2 │ Moment.js: Path traversal in moment.locale │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-24785 │
│ ├────────────────┤ │ ├────────────────────────────┼─────────────────────────────────────────────────────────┤
│ │ CVE-2022-31129 │ │ │ 2.29.4 │ moment: inefficient parsing algorithim resulting in DoS │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-31129 │
├────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────┤
│ npm (package.json) │ CVE-2022-29244 │ HIGH │ 8.3.1 │ 8.11.0 │ nodejs: npm pack ignores root-level .gitignore and │
│ │ │ │ │ │ .npmignore file exclusion directives when... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-29244 │
├────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────┤
moment can be fixed directly here: https://github.com/rstudio/shiny-server/blob/master/package.json#L28
Not sure about the others... eventsource is coming from sockjs-client? Which again is from github:jcheng5/sockjs-client#v1.5.2.2-jcheng5?
@jcheng5 Any news on this? I could apply the solution from https://github.com/rstudio/shiny-server/issues/519#issuecomment-1242488576 (=drop npm as it's only a build-dep & Fix vulnerabilities if high or critical.), but that's quite a bit and should be fixed upstream, or?
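The reports above only show the Installed Version and Fixed Version columns; turning that into a CI gate that fails on HIGH/CRITICAL and proposes the smallest in-major bump per package (the policy referenced in the linked comment) is shown below. This is an added example, not shiny-server code or part of the original thread; the JSON field names are Trivy's, the sample rows are copied from the table above, and the MEDIUM entry is a labelled placeholder.

```python
import json
import sys
# Severities that should fail the build, matching "only HIGH or CRITICAL" in this thread.
GATE_SEVERITIES = {"HIGH", "CRITICAL"}
# Constructed sample shaped like `trivy --format json` output (field names are Trivy's).
# Rows are copied from the report above; the MEDIUM entry is a labelled placeholder.
SAMPLE_REPORT = json.dumps({"Results": [{"Target": "Node.js", "Type": "node-pkg", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2021-3807", "PkgName": "ansi-regex", "Severity": "HIGH", "InstalledVersion": "4.1.0", "FixedVersion": "3.0.1, 4.1.1, 5.0.1, 6.0.1"},
    {"VulnerabilityID": "CVE-2022-24785", "PkgName": "moment", "Severity": "HIGH", "InstalledVersion": "2.29.1", "FixedVersion": "2.29.2"},
    {"VulnerabilityID": "CVE-2022-31129", "PkgName": "moment", "Severity": "HIGH", "InstalledVersion": "2.29.1", "FixedVersion": "2.29.4"},
    {"VulnerabilityID": "CVE-2022-1650", "PkgName": "eventsource", "Severity": "CRITICAL", "InstalledVersion": "1.1.0", "FixedVersion": "2.0.2, 1.1.1"},
    {"VulnerabilityID": "PLACEHOLDER-MEDIUM-ID", "PkgName": "example-lib", "Severity": "MEDIUM", "InstalledVersion": "1.0.0", "FixedVersion": ""},
]}]})

def parse_version(v):
    """'v1.2.3-beta' -> (1, 2, 3); only the numeric core takes part in comparisons."""
    core = v.strip().lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))

def smallest_fix(installed, fixed_field):
    """Lowest fixed version above `installed`, preferring one on the same major line
    (a plain package.json bump); None when Trivy lists no fixed version at all."""
    inst = parse_version(installed)
    above = sorted(c for c in (parse_version(f) for f in fixed_field.split(",") if f.strip()) if c > inst)
    if not above:
        return None
    same_major = [c for c in above if c[0] == inst[0]]
    return ".".join(map(str, (same_major or above)[0]))

def gate(report_json, severities=GATE_SEVERITIES):
    """Return (blocking findings, upgrade plan): plan maps a package to the one version
    that clears every blocking CVE against it, or None if some CVE has no fix yet."""
    blocking, plan = [], {}
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln["Severity"] not in severities:
                continue
            pkg = vuln["PkgName"]
            blocking.append((pkg, vuln["VulnerabilityID"], vuln["Severity"]))
            if pkg in plan and plan[pkg] is None:
                continue  # already known to need an upstream fix
            target = smallest_fix(vuln["InstalledVersion"], vuln.get("FixedVersion", ""))
            if target is None or pkg not in plan or parse_version(target) > parse_version(plan[pkg]):
                plan[pkg] = target
    return blocking, plan

if __name__ == "__main__":  # usage: trivy fs --format json -o report.json . && python gate.py report.json
    findings, plan = gate(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT)
    print("\n".join(f"{p}: {'upgrade to ' + v if v else 'no fixed version published'}" for p, v in sorted(plan.items())))
    sys.exit(1 if findings else 0)
```

Packages whose plan entry is None (no fixed version published) are the ones that, as the thread notes for the forked sockjs-client, need an upstream change rather than a package.json bump.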
Shiny Server 1.5.20 is out now. Sorry for the long delay, lots of incidental problems getting this release out. https://posit.co/download/shiny-server/
As of today (July 22, 2022) there are a number of high and medium security vulnerabilities in the latest Shiny Server 1.5.18.987 released on April 20, 2022. Some of them can be traced to the custom build of forked sockjs-client (github:jcheng5/sockjs-client#v1.5.2.2-jcheng5) which is packaged with the Shiny Server. The fork was built off 1.5.2 and the latest version is sockjs-client 1.6.1 with a number of vulnerabilities addressed. Is the new version of the Shiny Server to address these and other vulnerabilities being planned? Any ETA is appreciated.
//cc @jcheng5