Vulnerable Example: Node 14.17.0 image with CVEs

[NicoleStrel]

No description provided.

[github-actions]

🔍 Vulnerabilities of ghcr.io/nicolestrel/dockerfile-security-pipeline:pr-4

📦 Image Reference ghcr.io/nicolestrel/dockerfile-security-pipeline:pr-4

digest	sha256:9e37b16629dd848d20cf64c894a1331549968300cab9c3270aefb5421ad02a80
vulnerabilities
platform	linux/amd64
size	364 MB
packages	863

📦 Base Image node:14

also known as	14-stretch 14.17 14.17-stretch 14.17.0 14.17.0-stretch fermium fermium-stretch lts lts-fermium lts-stretch
digest	sha256:c441936a8aad0da25eb24dfbb53ec6d159595186762d636db356f62f2991d71b
vulnerabilities

mercurial 4.0 (pypi) pkg:pypi/mercurial@4.0 # Dockerfile (4:4) FROM node:14.17.0 Integer Overflow or Wraparound Affected range <4.6.1 Fixed version 4.6.1 CVSS Score 9.3 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N EPSS Score 0.448% EPSS Percentile 62nd percentile Description mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002. Incorrect Permission Assignment for Critical Resource Affected range <4.5.1 Fixed version 4.5.1 CVSS Score 9.3 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N EPSS Score 0.260% EPSS Percentile 49th percentile Description Mercurial version 4.5 and earlier contains a Incorrect Access Control (CWE-285) vulnerability in Protocol server that can result in Unauthorized data access. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in 4.5.1. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Affected range <4.4.1 Fixed version 4.4.1 CVSS Score 9.3 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N EPSS Score 17.974% EPSS Percentile 95th percentile Description In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Affected range <4.3 Fixed version 4.3 CVSS Score 9.3 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N EPSS Score 3.608% EPSS Percentile 87th percentile Description Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks.

node 14.17.0 (generic) pkg:generic/node@14.17.0 # Dockerfile (4:4) FROM node:14.17.0 Affected range >=14.0.0 <14.17.5 Fixed version 14.17.5 EPSS Score 0.738% EPSS Percentile 72nd percentile Description Affected range >=14.0.0 <14.17.4 Fixed version 14.17.4 EPSS Score 0.359% EPSS Percentile 57th percentile Description

json-schema 0.2.3 (npm) pkg:npm/json-schema@0.2.3 # Dockerfile (4:4) FROM node:14.17.0 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Affected range <0.4.0 Fixed version 0.4.0 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 1.449% EPSS Percentile 80th percentile Description json-schema before version 0.4.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').

execa 0.7.0 (npm) pkg:npm/execa@0.7.0 # Dockerfile (4:4) FROM node:14.17.0 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

minimist 1.2.5 (npm) pkg:npm/minimist@1.2.5 # Dockerfile (4:4) FROM node:14.17.0 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Affected range >=1.0.0 <1.2.6 Fixed version 1.2.6 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.756% EPSS Percentile 72nd percentile Description Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

[github-actions]

Recommended fixes for image ghcr.io/nicolestrel/dockerfile-security-pipeline:pr-4

Base image is node:14.17.0

Name	14.17.0
Digest	sha256:c441936a8aad0da25eb24dfbb53ec6d159595186762d636db356f62f2991d71b
Vulnerabilities
Pushed	4 years ago
Size	362 MB
Packages	964
Runtime	14.17.0

The base image is also available under the supported tag(s): lts

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
23.11.0-slim Tag is preferred tag Also known as: 23.11-slim current-slim 23-slim slim bookworm-slim 23-bookworm-slim 23.11-bookworm-slim 23.11.0-bookworm-slim current-bookworm-slim	Benefits: Image is smaller by 269 MB Image contains 638 fewer packages Tag is preferred tag Major runtime version update Tag was pushed more recently Tag is using slim variant Image details: Size: 80 MB Runtime: 22	3 weeks ago
18.20.8-slim Major runtime version update Also known as: 18.20-slim hydrogen-slim 18-slim 18-bookworm-slim 18.20-bookworm-slim 18.20.8-bookworm-slim hydrogen-bookworm-slim	Benefits: Image is smaller by 281 MB Image contains 645 fewer packages Major runtime version update Tag was pushed more recently Tag is using slim variant Image details: Size: 68 MB Runtime: 18	4 weeks ago
22.15.0-slim Major runtime version update Also known as: 22.15-slim lts-slim 22-slim jod-slim 22-bookworm-slim jod-bookworm-slim lts-bookworm-slim 22.15-bookworm-slim 22.15.0-bookworm-slim	Benefits: Image is smaller by 271 MB Image contains 638 fewer packages Major runtime version update Tag was pushed more recently Tag is using slim variant Image details: Size: 78 MB Runtime: 22.15.0	2 days ago
20.19.1-slim Major runtime version update Also known as: 20.19-slim iron-slim 20-slim 20-bookworm-slim iron-bookworm-slim 20.19-bookworm-slim 20.19.1-bookworm-slim	Benefits: Image is smaller by 278 MB Image contains 645 fewer packages Major runtime version update Tag was pushed more recently Tag is using slim variant Image details: Size: 71 MB Runtime: 20.19.1	3 days ago
23.11.0 Tag is latest Also known as: 23.11 current 23 latest bookworm 23-bookworm 23.11-bookworm 23.11.0-bookworm current-bookworm	Benefits: Image contains 216 fewer packages Major runtime version update Tag was pushed more recently Image has similar size Tag is latest Image details: Size: 407 MB Runtime: 23.11.0	3 weeks ago
18.20.8 Major runtime version update Also known as: 18.20 hydrogen 18 18-bookworm 18.20-bookworm 18.20.8-bookworm hydrogen-bookworm	Benefits: Image contains 223 fewer packages Major runtime version update Tag was pushed more recently Image has similar size Image details: Size: 395 MB Runtime: 18	4 weeks ago
22.15.0 Major runtime version update Also known as: 22.15 lts 22 jod lts-jod 22-bookworm jod-bookworm lts-bookworm 22.15-bookworm 22.15.0-bookworm	Benefits: Image contains 216 fewer packages Major runtime version update Tag was pushed more recently Image has similar size Image details: Size: 405 MB Runtime: 22.15.0	2 days ago
20.19.1 Major runtime version update Also known as: 20.19 iron 20 20-bookworm iron-bookworm 20.19-bookworm 20.19.1-bookworm	Benefits: Image contains 223 fewer packages Major runtime version update Tag was pushed more recently Image has similar size Image details: Size: 398 MB Runtime: 20.19.1	3 days ago