rstudio / shiny-server

Host Shiny applications over the web.
https://rstudio.com/shiny/server

Security vulnerabilities in the latest Shiny Server 1.5.18.987 #526

Closed dvasilen closed 1 year ago

dvasilen commented 2 years ago

As of today (July 22, 2022) there are a number of high and medium security vulnerabilities in the latest Shiny Server 1.5.18.987, released on April 20, 2022. Some of them can be traced to the custom build of the forked sockjs-client (github:jcheng5/sockjs-client#v1.5.2.2-jcheng5) which is packaged with the Shiny Server. The fork was built from 1.5.2, and the latest version is sockjs-client 1.6.1, with a number of vulnerabilities addressed.

Is the new version of the Shiny Server to address these and other vulnerabilities being planned? Any ETA is appreciated.

//cc @jcheng5

eduardszoecs commented 2 years ago

We observe similar issues using trivy (similar check to https://github.com/rstudio/shiny-server/issues/519):

Here I include only HIGH or CRITICAL issues; these are all coming from nodejs.

Node.js (node-pkg)
==================
Total: 17 (MEDIUM: 8, HIGH: 5, CRITICAL: 4)
┌─────────────────────────────────┬────────────────┬──────────┬───────────────────┬────────────────────────────┬──────────────────────────────────────────────────────────────┐
│             Library             │ Vulnerability  │ Severity │ Installed Version │       Fixed Version        │                            Title                             │
├─────────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ ansi-regex (package.json)       │ CVE-2021-3807  │ HIGH     │ 3.0.0             │ 3.0.1, 4.1.1, 5.0.1, 6.0.1 │ nodejs-ansi-regex: Regular expression denial of service      │
│                                 │                │          │                   │                            │ (ReDoS) matching ANSI escape codes                           │
│                                 │                │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-3807                    │
│                                 │                │          ├───────────────────┤                            │                                                              │
│                                 │                │          │ 4.1.0             │                            │                                                              │
│                                 │                │          │                   │                            │                                                              │
│                                 │                │          │                   │                            │                                                              │
├─────────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ eventsource (package.json)      │ CVE-2022-1650  │ CRITICAL │ 1.1.0             │ 2.0.2, 1.1.1               │ eventsource: Exposure of Sensitive Information               │
│                                 │                │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-1650                    │
├─────────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ follow-redirects (package.json) │ CVE-2022-0155  │ HIGH     │ 1.11.0            │ 1.14.7                     │ follow-redirects: Exposure of Private Personal Information   │
│                                 │                │          │                   │                            │ to an Unauthorized Actor                                     │
│                                 │                │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-0155                    │
├─────────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ json-schema (package.json)      │ CVE-2021-3918  │ CRITICAL │ 0.2.3             │ 0.4.0                      │ nodejs-json-schema: Prototype pollution vulnerability        │
│                                 │                │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-3918                    │
├─────────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ minimist (package.json)         │ CVE-2021-44906 │ CRITICAL │ 1.2.5             │ 1.2.6                      │ minimist: prototype pollution                                │
│                                 │                │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-44906                   │
├─────────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ moment (package.json)           │ CVE-2022-24785 │ HIGH     │ 2.29.1            │ 2.29.2                     │ Moment.js: Path traversal in moment.locale                   │
│                                 │                │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-24785                   │
│                                 ├────────────────┤          │                   ├────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                 │ CVE-2022-31129 │          │                   │ 2.29.4                     │ moment: inefficient parsing algorithim resulting in DoS      │
│                                 │                │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-31129                   │
├─────────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ url-parse (package.json)        │ CVE-2022-0686  │ CRITICAL │ 1.5.3             │ 1.5.8                      │ npm-url-parse: Authorization bypass through user-controlled  │
│                                 │                │          │                   │                            │ key                                                          │
│                                 │                │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-0686                    │
└─────────────────────────────────┴────────────────┴──────────┴───────────────────┴────────────────────────────┴──────────────────────────────────────────────────────────────┘

Maybe a nodejs version bump to 16.16.0 LTS already fixes those?
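A small triage script in the spirit of what the thread does by hand, as an added example that is not shiny-server or trivy code: it reads trivy's JSON report (the `--format json` output the table log line refers to), keeps only HIGH/CRITICAL findings, and picks for each installed copy the smallest fixed version within the same major line, which is the version to pin. It assumes trivy's JSON layout (Results[].Vulnerabilities[] with PkgName, InstalledVersion, FixedVersion, Severity); the sample report is constructed from the rows in the table above, plus one placeholder MEDIUM row.

```python
import json
import re
from typing import Optional

SEVERE = {"HIGH", "CRITICAL"}

def parse_version(v: str) -> tuple:
    """'2.29.4' -> (2, 29, 4); short versions pad with 0, pre-release tags dropped."""
    core = re.split(r"[-+]", v.strip())[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])

def minimal_fix(installed: str, fixed: str) -> Optional[str]:
    """Smallest fixed version >= installed, preferring the same major line
    (a patch bump rather than a breaking upgrade). None if nothing qualifies."""
    inst = parse_version(installed)
    cands = sorted((parse_version(f), f.strip()) for f in fixed.split(",") if f.strip())
    same_major = [c for c in cands if c[0] >= inst and c[0][0] == inst[0]]
    pick = same_major or [c for c in cands if c[0] >= inst]
    return pick[0][1] if pick else None

def required_bumps(report_json: str) -> dict:
    """(package, installed) -> version clearing every HIGH/CRITICAL finding for
    that copy; nested copies (ansi-regex 3.x and 4.x here) are tracked separately."""
    bumps: dict = {}
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities", []):
            if v.get("Severity") not in SEVERE:
                continue
            fix = minimal_fix(v["InstalledVersion"], v.get("FixedVersion", ""))
            if fix is None:
                continue  # no fix published yet: needs manual triage, not a pin
            key = (v["PkgName"], v["InstalledVersion"])
            if key not in bumps or parse_version(fix) > parse_version(bumps[key]):
                bumps[key] = fix
    return bumps

def row(cve, pkg, sev, installed, fixed):  # trivy's per-finding record, minimal fields
    return {"VulnerabilityID": cve, "PkgName": pkg, "Severity": sev,
            "InstalledVersion": installed, "FixedVersion": fixed}

# Constructed sample built from the trivy rows in this thread; the MEDIUM row is a
# placeholder present only to show that it is filtered out.
SAMPLE_REPORT = json.dumps({"Results": [{"Target": "package.json", "Vulnerabilities": [
    row("CVE-2021-3807", "ansi-regex", "HIGH", "3.0.0", "3.0.1, 4.1.1, 5.0.1, 6.0.1"),
    row("CVE-2021-3807", "ansi-regex", "HIGH", "4.1.0", "3.0.1, 4.1.1, 5.0.1, 6.0.1"),
    row("CVE-2022-1650", "eventsource", "CRITICAL", "1.1.0", "2.0.2, 1.1.1"),
    row("CVE-2022-24785", "moment", "HIGH", "2.29.1", "2.29.2"),
    row("CVE-2022-31129", "moment", "HIGH", "2.29.1", "2.29.4"),
    row("PLACEHOLDER-MEDIUM", "example-pkg", "MEDIUM", "1.0.0", "1.0.1")]}]})
```

`required_bumps(SAMPLE_REPORT)` yields one pin per installed copy; moment collapses to 2.29.4 because that is the highest of its two minimal fixes, while eventsource stays on 1.1.1 rather than jumping a major.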

jcheng5 commented 2 years ago

I'm so sorry I didn't see this earlier. We just released a new version today, but I can't immediately tell you if these are fixed in that build either. I'll deal with these as soon as possible.

eduardszoecs commented 1 year ago

Thank you @jcheng5!

The new version has fewer vulnerabilities detected:

Node.js (node-pkg)
==================
Total: 9 (MEDIUM: 2, HIGH: 4, CRITICAL: 2)
2022-08-07T23:16:09.144+0200    INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.
┌────────────────────────────┬────────────────┬──────────┬───────────────────┬────────────────────────────┬─────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Installed Version │       Fixed Version        │                          Title                          │
├────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────┤
│ ansi-regex (package.json)  │ CVE-2021-3807  │ HIGH     │ 3.0.0             │ 3.0.1, 4.1.1, 5.0.1, 6.0.1 │ nodejs-ansi-regex: Regular expression denial of service │
│                            │                │          │                   │                            │ (ReDoS) matching ANSI escape codes                      │
│                            │                │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-3807               │
│                            │                │          ├───────────────────┤                            │                                                         │
│                            │                │          │ 5.0.0             │                            │                                                         │
│                            │                │          │                   │                            │                                                         │
│                            │                │          │                   │                            │                                                         │
├────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────┤
│ eventsource (package.json) │ CVE-2022-1650  │ CRITICAL │ 1.1.0             │ 2.0.2, 1.1.1               │ eventsource: Exposure of Sensitive Information          │
│                            │                │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-1650               │
├────────────────────────────┼────────────────┤          ├───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────┤
│ minimist (package.json)    │ CVE-2021-44906 │          │ 1.2.5             │ 1.2.6                      │ minimist: prototype pollution                           │
│                            │                │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-44906              │
├────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────┤
│ moment (package.json)      │ CVE-2022-24785 │ HIGH     │ 2.29.1            │ 2.29.2                     │ Moment.js: Path traversal in moment.locale              │
│                            │                │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-24785              │
│                            ├────────────────┤          │                   ├────────────────────────────┼─────────────────────────────────────────────────────────┤
│                            │ CVE-2022-31129 │          │                   │ 2.29.4                     │ moment: inefficient parsing algorithim resulting in DoS │
│                            │                │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-31129              │
├────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────┤
│ npm (package.json)         │ CVE-2022-29244 │ HIGH     │ 8.3.1             │ 8.11.0                     │ nodejs: npm pack ignores root-level .gitignore and      │
│                            │                │          │                   │                            │ .npmignore file exclusion directives when...            │
│                            │                │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-29244              │
└────────────────────────────┴────────────────┴──────────┴───────────────────┴────────────────────────────┴─────────────────────────────────────────────────────────┘

moment can be fixed directly here: https://github.com/rstudio/shiny-server/blob/master/package.json#L28

Not sure about the others... eventsource is coming from sockjs-client? Which again is from github:jcheng5/sockjs-client#v1.5.2.2-jcheng5?

eduardszoecs commented 1 year ago

@jcheng5 Any news on this? I could apply the solution from https://github.com/rstudio/shiny-server/issues/519#issuecomment-1242488576 (i.e. drop npm, as it's only a build dependency, and fix vulnerabilities if high or critical), but that's quite a bit of work and should be fixed upstream, shouldn't it?

jcheng5 commented 1 year ago

Shiny Server 1.5.20 is out now. Sorry for the long delay; there were lots of incidental problems getting this release out. https://posit.co/download/shiny-server/