
nodejs 12 & 14 contain nodejs packages with CVEs #28

Open
cdloh opened this issue Dec 9, 2021 · 3 comments

Comments

cdloh commented Dec 9, 2021

I was building a base image off the AWS Lambda images and scanning with trivy, and noted that both have Node.js packages installed with known CVEs against them.

$ trivy image public.ecr.aws/lambda/nodejs:12
2021-12-09T15:07:37.864Z	INFO	Detected OS: amazon
2021-12-09T15:07:37.864Z	INFO	Detecting Amazon Linux vulnerabilities...
2021-12-09T15:07:37.868Z	INFO	Number of language-specific files: 2
2021-12-09T15:07:37.868Z	INFO	Detecting gobinary vulnerabilities...
2021-12-09T15:07:37.868Z	INFO	Detecting node-pkg vulnerabilities...

public.ecr.aws/lambda/nodejs:12 (amazon 2 (Karoo))
==================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


Node.js (node-pkg)
==================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 1)

+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
|   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
| ansi-regex  | CVE-2021-3807    | HIGH     | 3.0.0             | 5.0.1, 6.0.1  | nodejs-ansi-regex: Regular           |
|             |                  |          |                   |               | expression denial of service         |
|             |                  |          |                   |               | (ReDoS) matching ANSI escape codes   |
|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3807 |
+             +                  +          +-------------------+               +                                      +
|             |                  |          | 4.1.0             |               |                                      |
|             |                  |          |                   |               |                                      |
|             |                  |          |                   |               |                                      |
|             |                  |          |                   |               |                                      |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
| json-schema | CVE-2021-3918    | CRITICAL | 0.2.3             | 0.4.0         | nodejs-json-schema: Prototype        |
|             |                  |          |                   |               | pollution vulnerability              |
|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3918 |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+

usr/local/bin/aws-lambda-rie (gobinary)
=======================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

$ trivy image public.ecr.aws/lambda/nodejs:14
2021-12-09T15:07:43.241Z	INFO	Detected OS: amazon
2021-12-09T15:07:43.241Z	INFO	Detecting Amazon Linux vulnerabilities...
2021-12-09T15:07:43.246Z	INFO	Number of language-specific files: 2
2021-12-09T15:07:43.246Z	INFO	Detecting gobinary vulnerabilities...
2021-12-09T15:07:43.246Z	INFO	Detecting node-pkg vulnerabilities...

public.ecr.aws/lambda/nodejs:14 (amazon 2 (Karoo))
==================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


Node.js (node-pkg)
==================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 1)

+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
|   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
| ansi-regex  | CVE-2021-3807    | HIGH     | 3.0.0             | 5.0.1, 6.0.1  | nodejs-ansi-regex: Regular           |
|             |                  |          |                   |               | expression denial of service         |
|             |                  |          |                   |               | (ReDoS) matching ANSI escape codes   |
|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3807 |
+             +                  +          +-------------------+               +                                      +
|             |                  |          | 4.1.0             |               |                                      |
|             |                  |          |                   |               |                                      |
|             |                  |          |                   |               |                                      |
|             |                  |          |                   |               |                                      |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
| json-schema | CVE-2021-3918    | CRITICAL | 0.2.3             | 0.4.0         | nodejs-json-schema: Prototype        |
|             |                  |          |                   |               | pollution vulnerability              |
|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3918 |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+

usr/local/bin/aws-lambda-rie (gobinary)
=======================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


cdloh commented Dec 9, 2021

Updating NPM to the latest version fixes it.

npm install npm@latest -g

@theo-staizen

> Updating NPM to the latest version fixes it.
>
> npm install npm@latest -g

can we get a refund for every compute minute wasted installing latest npm?

@catmeme

catmeme commented Mar 11, 2022

Adding `RUN npm install npm@latest -g` didn't make a difference for me.
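As an added check, not part of this thread or of the Lambda images themselves: a small POSIX sh audit that walks a filesystem tree (run it against `/` inside the container, or an extracted image) and lists every copy of the two packages trivy flagged, including copies nested under another package's own node_modules, so you can see whether an npm upgrade actually removed them. Package names, CVE ids and fixed versions are taken from the trivy output above; the sample tree and its paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the issue thread): walk a filesystem tree (a running
# container's / or an extracted image) and report every copy of the two packages
# trivy flagged above that is still below a fixed version. Package names, CVE ids
# and fixed versions come from the trivy output; the sample tree is constructed.

# version_lt A B: exit 0 when numeric major.minor.patch A is lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN { split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) { if (x[i]+0 < y[i]+0) exit 0; if (x[i]+0 > y[i]+0) exit 1 }
        exit 1 }'
}

# is_vulnerable VERSION FIXED[,FIXED...]: vulnerable when below the fix for its own
# major line, or below the lowest fix overall; ansi-regex has fixes on two lines
# (5.0.1 and 6.0.1), so 4.1.0 and 6.0.0 are vulnerable while 5.0.1 is not.
is_vulnerable() {
    ver=$1; lowest=
    for f in $(printf '%s' "$2" | tr ',' ' '); do
        if [ -z "$lowest" ]; then lowest=$f; fi
        if [ "${ver%%.*}" = "${f%%.*}" ]; then version_lt "$ver" "$f"; return; fi
    done
    version_lt "$ver" "$lowest"
}

# audit_tree ROOT: print "package version cve path" for each vulnerable copy, including
# copies nested under another package's own node_modules (exactly what trivy reports).
audit_tree() {
    root=$1
    for spec in "ansi-regex 5.0.1,6.0.1 CVE-2021-3807" "json-schema 0.4.0 CVE-2021-3918"; do
        set -- $spec   # $1=package $2=fixed versions $3=CVE
        find "$root" -type f -path "*/node_modules/$1/package.json" 2>/dev/null |
        while read -r pj; do
            ver=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pj" | head -n 1)
            if is_vulnerable "$ver" "$2"; then echo "$1 $ver $3 $pj"; fi
        done
    done
}
vulnerable_count() { audit_tree "$1" | grep -c .; }   # number of vulnerable copies under ROOT
# Constructed sample tree: an old bundled npm with a nested ansi-regex, plus one
# fixed copy under the function code. Prints the temporary root directory.
write_pkg() { mkdir -p "$1"; printf '{"name":"%s","version":"%s"}\n' "${1##*/}" "$2" > "$1/package.json"; }
make_sample_tree() {
    root=$(mktemp -d); npm=$root/var/lang/lib/node_modules/npm/node_modules
    write_pkg "$npm/ansi-regex" 3.0.0
    write_pkg "$npm/strip-ansi/node_modules/ansi-regex" 4.1.0
    write_pkg "$npm/json-schema" 0.2.3
    write_pkg "$root/var/task/node_modules/ansi-regex" 5.0.1
    echo "$root"
}
```

Inside the image, `audit_tree /` before and after the `npm install npm@latest -g` step shows which paths changed; on the constructed tree it reports the three old copies and not the fixed 5.0.1 one.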
