Closed
Description
We use code-server in Docker images with a reverse proxy, and when you scan the image afterwards with trivy, we get a couple of vulnerability hits:
```
+---------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+---------+------------------+----------+-------------------+---------------+---------------------------------------+
| tar     | CVE-2018-20834   | HIGH     | 2.2.1             | 4.4.2, 2.2.2  | nodejs-tar: Arbitrary file            |
|         |                  |          |                   |               | overwrites when extracting            |
|         |                  |          |                   |               | tarballs containing a hard-link       |
|         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-20834 |
+---------+------------------+----------+-------------------+---------------+---------------------------------------+

usr/lib/code-server/yarn.lock
=============================
Total: 2 (HIGH: 2, CRITICAL: 0)

+------------+------------------+----------+-------------------+---------------+--------------------------------------+
|  LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+------------+------------------+----------+-------------------+---------------+--------------------------------------+
| ini        | CVE-2020-7788    | HIGH     | 1.3.5             | 1.3.6         | nodejs-ini: prototype pollution      |
|            |                  |          |                   |               | via malicious INI file               |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-7788 |
+------------+------------------+          +-------------------+---------------+--------------------------------------+
| node-forge | CVE-2020-7720    |          | 0.7.6             | 0.10.0        | nodejs-node-forge:                   |
|            |                  |          |                   |               | prototype pollution via              |
|            |                  |          |                   |               | the util.setPath function            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-7720 |
+------------+------------------+----------+-------------------+---------------+--------------------------------------+
```
These seem to be part of the yarn.locks/package.jsons from the code-server base. I have tried to patch said packages by using resolutions in the package.jsons, but updating these packages seems to break code-server, as it won't load vscode properly anymore.
- Web Browser: Chrome
- Local OS: Ubuntu
- Remote OS: Ubuntu
- Remote Architecture: Docker image
- code-server --version: 3.9.1 e0203f2
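As an added example (not code from the code-server project or from the issue reporter), the following Node script parses a constructed yarn.lock v1 fragment, compares each resolved version against the "fixed version" column of the trivy report above, and builds the package.json `resolutions` block that the workaround in the report relies on. The sample lockfile contents, the simplified three-part semver comparison and the rule for choosing a fix per major line are assumptions of this example, not trivy's own advisory matching.

```javascript
// Added example; not code from code-server or the issue author.
// Checks a yarn.lock v1 fragment against the fixed versions trivy reported.

// Constructed sample lockfile: the three vulnerable entries from the report plus
// a tar 4.x line that is already at or above its fix.
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


ini@^1.3.4:
  version "1.3.5"
  resolved "https://registry.yarnpkg.com/ini/-/ini-1.3.5.tgz"

node-forge@^0.7.1:
  version "0.7.6"
  resolved "https://registry.yarnpkg.com/node-forge/-/node-forge-0.7.6.tgz"

"tar@^2.0.0", tar@^2.2.1:
  version "2.2.1"
  resolved "https://registry.yarnpkg.com/tar/-/tar-2.2.1.tgz"

tar@^4.4.2:
  version "4.4.13"
  resolved "https://registry.yarnpkg.com/tar/-/tar-4.4.13.tgz"
`;

// Advisory data copied from the trivy tables in the issue.
const ADVISORIES = [
  { name: "tar", cve: "CVE-2018-20834", fixed: ["4.4.2", "2.2.2"] },
  { name: "ini", cve: "CVE-2020-7788", fixed: ["1.3.6"] },
  { name: "node-forge", cve: "CVE-2020-7720", fixed: ["0.10.0"] },
];

// Parse a yarn.lock v1 into [{ name, version }], one element per lock block.
// A block header looks like `"tar@^2.0.0", tar@^2.2.1:`; all specs share a name,
// and the name is everything before the last "@" (this also handles @scope/pkg).
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    if (raw.trim() === "" || raw.startsWith("#")) continue;
    if (!/^\s/.test(raw) && raw.endsWith(":")) {
      const spec = raw.slice(0, -1).split(",")[0].trim().replace(/^"|"$/g, "");
      current = { name: spec.slice(0, spec.lastIndexOf("@")), version: null };
      entries.push(current);
      continue;
    }
    const m = /^\s+version "([^"]+)"/.exec(raw);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// Simplified semver: compare major.minor.patch numerically, drop prerelease tags.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Assumption: a fix in the same major line as the installed version applies;
// otherwise fall back to the lowest fix, so anything older than every fix counts.
function fixFor(installed, fixed) {
  const major = installed.split(".")[0];
  const sameLine = fixed.find((v) => v.split(".")[0] === major);
  return sameLine || [...fixed].sort(compareVersions)[0];
}

// Return [{ name, installed, cve, fixed }] for every lock entry below its fix.
function findVulnerable(lockText, advisories = ADVISORIES) {
  const findings = [];
  for (const { name, version } of parseYarnLock(lockText)) {
    if (!version) continue;
    for (const adv of advisories) {
      if (adv.name !== name) continue;
      const fixed = fixFor(version, adv.fixed);
      if (compareVersions(version, fixed) < 0) {
        findings.push({ name, installed: version, cve: adv.cve, fixed });
      }
    }
  }
  return findings;
}

// Build the package.json "resolutions" object that pins each finding to its fix,
// keeping the highest fix when one package is flagged more than once.
function buildResolutions(findings) {
  const resolutions = {};
  for (const f of findings) {
    const prev = resolutions[f.name];
    if (!prev || compareVersions(f.fixed, prev) > 0) resolutions[f.name] = f.fixed;
  }
  return resolutions;
}

const findings = findVulnerable(SAMPLE_YARN_LOCK);
for (const f of findings) {
  console.log(`${f.name} ${f.installed} -> ${f.cve}, fixed in ${f.fixed}`);
}
console.log(JSON.stringify({ resolutions: buildResolutions(findings) }, null, 2));
```

On the sample lockfile the script reports the same three findings as the trivy tables and leaves the tar 4.4.13 entry alone. A bare package name under `resolutions` overrides every copy of that package in the dependency tree, including copies that another dependency expects at a different major line, which is one reason a forced pin has to be exercised against the application rather than only re-scanned.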