code-server 3.9.1 uses nodejs packages with vulnerabilities #2860

Closed
@PatrickDerichs

Description

We use code-server in docker images with reverse proxy and when you scan the image afterwards with trivy, we get a couple of hits in vulnerabilities:

+---------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+---------+------------------+----------+-------------------+---------------+---------------------------------------+
| tar     | CVE-2018-20834   | HIGH     | 2.2.1             | 4.4.2, 2.2.2  | nodejs-tar: Arbitrary file            |
|         |                  |          |                   |               | overwrites when extracting            |
|         |                  |          |                   |               | tarballs containing a hard-link       |
|         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-20834 |
+---------+------------------+----------+-------------------+---------------+---------------------------------------+

usr/lib/code-server/yarn.lock
=============================
Total: 2 (HIGH: 2, CRITICAL: 0)

+------------+------------------+----------+-------------------+---------------+--------------------------------------+
|  LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+------------+------------------+----------+-------------------+---------------+--------------------------------------+
| ini        | CVE-2020-7788    | HIGH     | 1.3.5             | 1.3.6         | nodejs-ini: prototype pollution      |
|            |                  |          |                   |               | via malicious INI file               |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-7788 |
+------------+------------------+          +-------------------+---------------+--------------------------------------+
| node-forge | CVE-2020-7720    |          | 0.7.6             | 0.10.0        | nodejs-node-forge:                   |
|            |                  |          |                   |               | prototype pollution via              |
|            |                  |          |                   |               | the util.setPath function            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-7720 |
+------------+------------------+----------+-------------------+---------------+--------------------------------------+

These seem to be part of the yarn.lock/package.json files from the code-server base. I have tried to patch said packages by using resolutions in the package.json files, but updating these packages seems to break code-server, as it won't load VS Code properly anymore.

  • Web Browser: Chrome
  • Local OS: Ubuntu
  • Remote OS: Ubuntu
  • Remote Architecture: Docker image
  • code-server --version: 3.9.1 e0203f2
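The report above lists three lockfile packages with their fixed versions. After adding a `resolutions` entry to package.json and re-running `yarn install`, the thing to verify is whether the regenerated yarn.lock actually resolves to a fixed version, because trivy reads the lockfile, not package.json. The script below is an added example (not code from the issue or from the code-server project): it parses a yarn.lock v1 file, collects every resolved version per package, and compares each against the fixed versions trivy reported. The lockfile content is constructed to match the versions in the report (the `resolved`/`integrity` fields are placeholders), and the rule for choosing which fixed version applies when several are listed is an assumption noted in the code.

```python
"""Check a yarn.lock (v1 format) against the package/fixed-version pairs
reported by a scanner such as trivy. Added example; not project code."""
import re

# Constructed sample in yarn.lock v1 format. Versions match the trivy
# output in the issue; resolved/integrity fields are placeholders.
SAMPLE_YARN_LOCK = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


ini@^1.3.4, ini@~1.3.0:
  version "1.3.5"
  resolved "https://registry.yarnpkg.com/ini/-/ini-1.3.5.tgz"
  integrity sha512-placeholder

"@types/node@^12.0.0":
  version "12.20.4"
  resolved "https://registry.yarnpkg.com/@types/node/-/node-12.20.4.tgz"
  integrity sha512-placeholder

node-forge@^0.7.1:
  version "0.7.6"
  resolved "https://registry.yarnpkg.com/node-forge/-/node-forge-0.7.6.tgz"
  integrity sha512-placeholder

tar@^2.0.0:
  version "2.2.1"
  resolved "https://registry.yarnpkg.com/tar/-/tar-2.2.1.tgz"
  integrity sha512-placeholder

tar@^4.4.0:
  version "4.4.13"
  resolved "https://registry.yarnpkg.com/tar/-/tar-4.4.13.tgz"
  integrity sha512-placeholder
"""

# Package -> (advisory, fixed versions), exactly as trivy listed them in the issue.
ADVISORIES = {
    "tar": ("CVE-2018-20834", ["4.4.2", "2.2.2"]),
    "ini": ("CVE-2020-7788", ["1.3.6"]),
    "node-forge": ("CVE-2020-7720", ["0.10.0"]),
}


def parse_version(text):
    """Turn '1.3.5' into a comparable tuple (1, 3, 5); a pre-release suffix is dropped."""
    core = text.split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def parse_yarn_lock(content):
    """Return {package_name: set(resolved versions)} from yarn.lock v1 text.

    An entry header is an unindented line ending in ':' holding one or more
    'name@range' selectors (quoted when the name is scoped); the indented
    'version "x"' line that follows gives the resolved version for all of them.
    """
    resolved = {}
    current = set()
    for line in content.splitlines():
        if not line or line.startswith("#"):
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = set()
            for selector in line[:-1].split(", "):
                selector = selector.strip('"')
                name = selector[: selector.rindex("@")]  # rindex copes with @scope/name
                current.add(name)
            continue
        m = re.match(r'^\s+version\s+"([^"]+)"', line)
        if m:
            for name in current:
                resolved.setdefault(name, set()).add(m.group(1))
    return resolved


def is_fixed(installed, fixed_versions):
    """True if `installed` is at or above the fix for its release line.

    Assumption: when the advisory lists a fix sharing the installed major
    version, that fix applies (e.g. tar 2.x -> 2.2.2); otherwise the highest
    listed fix is used, which errs on the side of reporting.
    """
    inst = parse_version(installed)
    fixes = [parse_version(f) for f in fixed_versions]
    same_major = [f for f in fixes if f[0] == inst[0]]
    threshold = min(same_major) if same_major else max(fixes)
    return inst >= threshold


def find_vulnerable(lock_content, advisories=ADVISORIES):
    """Return sorted (package, version, advisory, fixed-in) tuples for every
    resolved version that is still below its fix."""
    hits = []
    for name, versions in parse_yarn_lock(lock_content).items():
        if name not in advisories:
            continue
        cve, fixed = advisories[name]
        for v in sorted(versions):
            if not is_fixed(v, fixed):
                hits.append((name, v, cve, ", ".join(fixed)))
    return sorted(hits)


if __name__ == "__main__":
    for name, version, cve, fixed in find_vulnerable(SAMPLE_YARN_LOCK):
        print(f"{name}@{version}: {cve} (fixed in {fixed})")
```

Run it against the real lockfile by replacing `SAMPLE_YARN_LOCK` with the contents of `usr/lib/code-server/yarn.lock`. Note that a package can be resolved to several versions at once (the sample has tar at both 2.2.1 and 4.4.13): a `resolutions` entry that pins `tar` only removes the finding if every selector ends up on a fixed version, which is what the per-version check above tells you.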

Labels: security (Security related)