
CVE-2021-3807 and CVE-2021-3918 findings for NodeJS 12.22.7 #41039

Closed
crbudzeak opened this issue Nov 30, 2021 · 6 comments
Labels
npm Issues and PRs related to the npm client dependency or the npm registry.

Comments

@crbudzeak

Version

12.22.7

Platform

linux

Subsystem

No response

What steps will reproduce the bug?

Run a trivy scan against an image that uses NodeJS 12.22.7 and 3 HIGH and 1 CRITICAL vulnerabilities are reported.

How often does it reproduce? Is there a required condition?

Every time.

What is the expected behavior?

No HIGH or CRITICAL vulnerabilities.

What do you see instead?

Node.js (node-pkg)
==================
Total: 4 (HIGH: 3, CRITICAL: 1)

+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
|   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
| ansi-regex  | CVE-2021-3807    | HIGH     | 3.0.0             | 5.0.1, 6.0.1  | nodejs-ansi-regex: Regular           |
|             |                  |          |                   |               | expression denial of service         |
|             |                  |          |                   |               | (ReDoS) matching ANSI escape codes   |
|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3807 |
+             +                  +          +-------------------+               +                                      +
|             |                  |          | 4.1.0             |               |                                      |
|             |                  |          |                   |               |                                      |
|             |                  |          |                   |               |                                      |
|             |                  |          |                   |               |                                      |
+             +                  +          +-------------------+               +                                      +
|             |                  |          | 5.0.0             |               |                                      |
|             |                  |          |                   |               |                                      |
|             |                  |          |                   |               |                                      |
|             |                  |          |                   |               |                                      |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
| json-schema | CVE-2021-3918    | CRITICAL | 0.2.3             | 0.4.0         | nodejs-json-schema: prototype        |
|             |                  |          |                   |               | pollution vulnerability              |
|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3918 |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+

Additional information

NodeJS 12 is being used for the self-hosted GitHub Actions images.

@Trott
Member

Trott commented Dec 2, 2021

Can you explain why this is being reported here and what you expect Node.js to do about this? Perhaps I misunderstand, but this would seem to be reporting about packages installed by the particular application code you are scanning. This is not an issue inside Node.js 12.x itself. And Node.js 12.x is not about to decide to tell you that you're not allowed to install and use ansi-regex 3.0.0 if you really want to install and use a release from 4 years ago. So I'm not sure what we're supposed to do with this.

UPDATE: I think I see what this is about now. (See next comment.)

@Trott
Member

Trott commented Dec 2, 2021

(Maybe this is scanning modules used by the npm version that ships with Node.js 12.x?)

@Trott
Member

Trott commented Dec 2, 2021

(Maybe this is scanning modules used by the npm version that ships with Node.js 12.x?)

Yeah, that seems to be it. Node.js 12.22.7 ships with npm 6.14.15 which ships with [email protected] and [email protected].

Updating to the latest version of npm won't fix all of those issues (at the time of this writing) although it does eliminate the json-schema issue.

The relevant issue for this in the npm issue tracker is npm/cli#3785.

I don't think there's anything for Node.js to do except wait for npm to be able to clear the warnings.

/ping @nodejs/npm in case they have additional information to share.
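A check one can run to confirm where a finding like this comes from, as an added example that is not from this issue nor from Node.js or npm: it walks a filesystem tree for copies of the two flagged packages, tags each copy as belonging to the npm bundled with Node.js (heuristically, by the /lib/node_modules/npm/ path segment) or to application code, and applies the fixed-version rule from the trivy table above per major line. The tree built by demo() is constructed for the example.

```python
import json
import tempfile
from pathlib import Path

# Advisory data copied from the trivy table in this issue: package -> fixed releases.
FIXED_IN = {
    "ansi-regex": ("5.0.1", "6.0.1"),  # CVE-2021-3807
    "json-schema": ("0.4.0",),         # CVE-2021-3918
}

def _ver(v):
    """'5.0.1' -> (5, 0, 1); pre-release suffixes are ignored for this check."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def is_fixed(name, installed):
    """A copy counts as fixed only if its own major line has a fixed release and
    the installed version is at or above it (assumption: trivy's fixed-version
    list is read per major line, so 3.x and 4.x of ansi-regex stay affected)."""
    inst = _ver(installed)
    return any(inst[0] == _ver(f)[0] and inst >= _ver(f) for f in FIXED_IN[name])

def find_copies(root, names=FIXED_IN):
    """Walk `root` for package.json files of the named packages and record whether
    each copy belongs to the npm bundled with Node.js or to application code."""
    hits = []
    for pj in Path(root).rglob("package.json"):
        try:
            meta = json.loads(pj.read_text())
        except (OSError, ValueError):
            continue
        name, version = meta.get("name"), meta.get("version")
        if name not in names or not isinstance(version, str):
            continue
        posix = pj.as_posix()
        # Heuristic: the npm shipped with Node.js lives under <prefix>/lib/node_modules/npm/
        origin = "bundled-npm" if "/lib/node_modules/npm/" in posix else "application"
        hits.append({"name": name, "version": version, "origin": origin,
                     "fixed": is_fixed(name, version), "path": posix})
    return sorted(hits, key=lambda h: h["path"])

def demo():
    """Build a constructed tree mirroring the issue (not a real Node.js install)
    and return the classified findings with paths relative to the temp root."""
    samples = {  # constructed sample layout
        "usr/local/lib/node_modules/npm/node_modules/ansi-regex": ("ansi-regex", "3.0.0"),
        "usr/local/lib/node_modules/npm/node_modules/json-schema": ("json-schema", "0.2.3"),
        "app/node_modules/ansi-regex": ("ansi-regex", "5.0.1"),
        "app/node_modules/json-schema": ("json-schema", "0.4.0"),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (name, version) in samples.items():
            d = Path(root, rel)
            d.mkdir(parents=True)
            (d / "package.json").write_text(json.dumps({"name": name, "version": version}))
        hits = find_copies(root)
        for h in hits:
            h["path"] = Path(h["path"]).relative_to(root).as_posix()
        return hits

if __name__ == "__main__":
    for h in demo():
        print(f"{h['name']:12}{h['version']:8}{h['origin']:13}fixed={h['fixed']}  {h['path']}")
```

Pointing find_copies() at a real image filesystem (e.g. an exported container root) separates the copies owned by the bundled npm from those the application installed itself.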

@crbudzeak
Author

Yeah, you have the right of it, @Trott. Apologies for not following the open-source dependency chain down far enough (github-actions --> NodeJS --> npm). Thank you for filling in the gaps.

@Mesteery Mesteery added the npm Issues and PRs related to the npm client dependency or the npm registry. label Dec 2, 2021
@mhdawson
Member

mhdawson commented Dec 7, 2021

@MylesBorins, @darcyclarke adding you, I assume it's already on your radar.

@kmaounis

kmaounis commented Jan 4, 2022

I went through all the latest node docker releases with the following

version: "3.4"
services:
  scanner:
    image: aquasec/trivy:0.22.0
    container_name: scanner
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    entrypoint:
      - /bin/sh
      - -c
      - |
        trivy --version
        trivy image --clear-cache
        # Update db
        trivy --cache-dir .trivycache/ image --download-db-only --no-progress
        # Fails on high and critical vulnerabilities
        trivy --cache-dir .trivycache/ image --exit-code 1  --severity CRITICAL --no-progress "node:XX.XX.X-alpine3.XX"


And here are my results

node:17.3.0-alpine3.15 (alpine 3.15.0)
2022-01-04T08:00:56.530869700Z ======================================
2022-01-04T08:00:56.530878900Z Total: 0 (CRITICAL: 0)


node:16.13.1-alpine3.15 (alpine 3.15.0)
2022-01-04T08:02:33.723856700Z =======================================
2022-01-04T08:02:33.723874200Z Total: 0 (CRITICAL: 0)


node:14.18.2-alpine3.15 (alpine 3.15.0)
2022-01-04T08:03:17.806094600Z =======================================
2022-01-04T08:03:17.806166900Z Node.js (node-pkg)
2022-01-04T08:03:17.806183400Z ==================
2022-01-04T08:03:17.806199100Z Total: 1 (CRITICAL: 1)
2022-01-04T08:03:17.806211400Z 
2022-01-04T08:03:17.806228000Z +-------------+------------------+----------+-------------------+---------------+--------------------------------------+
2022-01-04T08:03:17.806250500Z |   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
2022-01-04T08:03:17.806263400Z +-------------+------------------+----------+-------------------+---------------+--------------------------------------+
2022-01-04T08:03:17.806512700Z | json-schema | CVE-2021-3918    | CRITICAL | 0.2.3             | 0.4.0         | nodejs-json-schema: Prototype        |
2022-01-04T08:03:17.806552700Z |             |                  |          |                   |               | pollution vulnerability              |
2022-01-04T08:03:17.806569000Z |             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3918 |
2022-01-04T08:03:17.806582200Z +-------------+------------------+----------+-------------------+---------------+--------------------------------------+
node:12.22.8-alpine3.15 (alpine 3.15.0)
2022-01-04T08:04:45.098861900Z =======================================
2022-01-04T08:04:45.099199300Z Node.js (node-pkg)
2022-01-04T08:04:45.099656400Z ==================
2022-01-04T08:04:45.099794900Z Total: 1 (CRITICAL: 1)
2022-01-04T08:04:45.099817000Z 
2022-01-04T08:04:45.099830600Z +-------------+------------------+----------+-------------------+---------------+--------------------------------------+
2022-01-04T08:04:45.099844000Z |   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
2022-01-04T08:04:45.099874200Z +-------------+------------------+----------+-------------------+---------------+--------------------------------------+
2022-01-04T08:04:45.100145500Z | json-schema | CVE-2021-3918    | CRITICAL | 0.2.3             | 0.4.0         | nodejs-json-schema: Prototype        |
2022-01-04T08:04:45.100194100Z |             |                  |          |                   |               | pollution vulnerability              |
2022-01-04T08:04:45.100228700Z |             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3918 |
2022-01-04T08:04:45.100957600Z +-------------+------------------+----------+-------------------+---------------+--------------------------------------+
