Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multiple high-severity vulnerabilities in Docker image #2361

Open
WillStephen opened this issue Feb 9, 2024 · 2 comments
Open

Multiple high-severity vulnerabilities in Docker image #2361

WillStephen opened this issue Feb 9, 2024 · 2 comments
Assignees
@EmmaZhu
Labels
dependencies Pull requests that update a dependency file

Comments

@WillStephen
Copy link
Contributor

WillStephen commented Feb 9, 2024
edited
Loading

The latest Docker image fails Trivy scans with five high-severity CVEs. There are two in the base image and three in Azurite itself.

$ docker run aquasec/trivy image mcr.microsoft.com/azure-storage/azurite:latest --severity HIGH,CRITICAL

mcr.microsoft.com/azure-storage/azurite:latest (alpine 3.17.3)
==============================================================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                          │
├────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-5363 │ HIGH     │ fixed  │ 3.0.8-r3          │ 3.0.12-r0     │ openssl: Incorrect cipher key and IV length processing │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363              │
├────────────┤               │          │        │                   │               │                                                        │
│ libssl3    │               │          │        │                   │               │                                                        │
│            │               │          │        │                   │               │                                                        │
└────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

Node.js (node-pkg)
==================
Total: 4 (HIGH: 4, CRITICAL: 0)

┌─────────────────────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬────────────────────────────┬────────────────────────────────────────────────────────────┐
│               Library               │ Vulnerability  │ Severity │  Status  │ Installed Version │       Fixed Version        │                           Title                            │
├─────────────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼────────────────────────────┼────────────────────────────────────────────────────────────┤
│ ansi-regex (package.json)           │ CVE-2021-3807  │ HIGH     │ fixed    │ 3.0.0             │ 6.0.1, 5.0.1, 4.1.1, 3.0.1 │ nodejs-ansi-regex: Regular expression denial of service    │
│                                     │                │          │          │                   │                            │ (ReDoS) matching ANSI escape codes                         │
│                                     │                │          │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-3807                  │
│                                     │                │          │          ├───────────────────┤                            │                                                            │
│                                     │                │          │          │ 4.1.0             │                            │                                                            │
│                                     │                │          │          │                   │                            │                                                            │
│                                     │                │          │          │                   │                            │                                                            │
├─────────────────────────────────────┼────────────────┤          │          ├───────────────────┼────────────────────────────┼────────────────────────────────────────────────────────────┤
│ http-cache-semantics (package.json) │ CVE-2022-25881 │          │          │ 3.8.1             │ 4.1.1                      │ http-cache-semantics: Regular Expression Denial of Service │
│                                     │                │          │          │                   │                            │ (ReDoS) vulnerability                                      │
│                                     │                │          │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-25881                 │
├─────────────────────────────────────┼────────────────┤          ├──────────┼───────────────────┼────────────────────────────┼────────────────────────────────────────────────────────────┤
│ ip (package.json)                   │ CVE-2023-42282 │          │ affected │ 1.1.5             │                            │ An issue in NPM IP Package v.1.1.8 and before allows an    │
│                                     │                │          │          │                   │                            │ attacker...                                                │
│                                     │                │          │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2023-42282                 │
└─────────────────────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴────────────────────────────┴────────────────────────────────────────────────────────────┘

We'd love to use Azurite but this is a bit of a problem for us - is there anyone working on updating the dependencies to fix these?
@levpachmanov
Copy link

Hi @WillStephen,

Unfortunately, the library is no longer maintained, so there is no public solution.

We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created an ip 1.1.5-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.

If relevant, check out our GitHub repo if you wish to learn more, or start using our app.

Please feel free to reach us at info@seal.security if you have any requests/questions.

@blueww blueww added the dependencies Pull requests that update a dependency file label Feb 19, 2024
@blueww
Copy link
Member

blueww commented Feb 19, 2024

@EmmaZhu

Would you please help to look at the dependency issue?

@justinwyer justinwyer mentioned this issue Mar 22, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@EmmaZhu EmmaZhu

Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
4 participants
@EmmaZhu @blueww @WillStephen @levpachmanov