diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 00000000..a1c41090 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,18 @@ +# Goal + + +# Changes + + +# Testing + + +# Artifacts & Screenshots + + +--- + +### Checklist +- [ ] PR has a clear, descriptive title +- [ ] Documentation updated if needed +- [ ] No secrets, credentials, or large temporary files committed diff --git a/labs/lab7/analysis/deployment-comparison.txt b/labs/lab7/analysis/deployment-comparison.txt new file mode 100644 index 00000000..e24a39e7 --- /dev/null +++ b/labs/lab7/analysis/deployment-comparison.txt @@ -0,0 +1,36 @@ +=== Functionality Test === +Default: HTTP 200 +Hardened: HTTP 200 +Production: HTTP 200 + +=== Resource Usage === +NAME CPU % MEM USAGE / LIMIT MEM % +juice-default 0.95% 105MiB / 14.95GiB 0.69% +juice-hardened 2.06% 90.35MiB / 512MiB 17.65% +juice-production 0.96% 90.25MiB / 512MiB 17.63% + +=== Security Configurations === + +Container: juice-default +CapDrop: +SecurityOpt: +Memory: 0 +CPU: 0 +PIDs: +Restart: no + +Container: juice-hardened +CapDrop: [ALL] +SecurityOpt: [no-new-privileges] +Memory: 536870912 +CPU: 0 +PIDs: +Restart: no + +Container: juice-production +CapDrop: [ALL] +SecurityOpt: [no-new-privileges] +Memory: 536870912 +CPU: 0 +PIDs: 100 +Restart: on-failure diff --git a/labs/lab7/hardening/docker-bench-results.txt b/labs/lab7/hardening/docker-bench-results.txt new file mode 100644 index 00000000..0305af10 --- /dev/null +++ b/labs/lab7/hardening/docker-bench-results.txt @@ -0,0 +1,230 @@ +# -------------------------------------------------------------------------------------------- +# Docker Bench for Security v1.6.0 +# +# Docker, Inc. (c) 2015-2026 +# +# Checks for dozens of common best-practices around deploying Docker containers in production. +# Based on the CIS Docker Benchmark 1.6.0. +# -------------------------------------------------------------------------------------------- + +Initializing 2026-03-22T16:43:18+03:00 + + +Section A - Check results + +[INFO] 1 - Host Configuration +[INFO] 1.1 - Linux Hosts Specific Configuration +[WARN] 1.1.1 - Ensure a separate partition for containers has been created (Automated) +[INFO] 1.1.2 - Ensure only trusted users are allowed to control Docker daemon (Automated) +[INFO] * Users: qwer +[WARN] 1.1.3 - Ensure auditing is configured for the Docker daemon (Automated) +[WARN] 1.1.4 - Ensure auditing is configured for Docker files and directories -/run/containerd (Automated) +[WARN] 1.1.5 - Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated) +[WARN] 1.1.6 - Ensure auditing is configured for Docker files and directories - /etc/docker (Automated) +[WARN] 1.1.7 - Ensure auditing is configured for Docker files and directories - docker.service (Automated) +[INFO] 1.1.8 - Ensure auditing is configured for Docker files and directories - containerd.sock (Automated) +[INFO] * File not found +[WARN] 1.1.9 - Ensure auditing is configured for Docker files and directories - docker.socket (Automated) +[WARN] 1.1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated) +[INFO] 1.1.11 - Ensure auditing is configured for Dockerfiles and directories - /etc/docker/daemon.json (Automated) +[INFO] * File not found +[WARN] 1.1.12 - 1.1.12 Ensure auditing is configured for Dockerfiles and directories - /etc/containerd/config.toml (Automated) +[INFO] 1.1.13 - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Automated) +[INFO] * File not found +[WARN] 1.1.14 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated) +[INFO] 1.1.15 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated) +[INFO] * File not found +[INFO] 1.1.16 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 (Automated) +[INFO] * File not found +[WARN] 1.1.17 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2 (Automated) +[WARN] 1.1.18 - Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated) +[INFO] 1.2 - General Configuration +[NOTE] 1.2.1 - Ensure the container host has been Hardened (Manual) +[PASS] 1.2.2 - Ensure that the version of Docker is up to date (Manual) +[INFO] * Using 29.1.3 which is current +[INFO] * Check with your operating system vendor for support and security maintenance for Docker + +[INFO] 2 - Docker daemon configuration +[NOTE] 2.1 - Run the Docker daemon as a non-root user, if possible (Manual) +[WARN] 2.2 - Ensure network traffic is restricted between containers on the default bridge (Scored) +[PASS] 2.3 - Ensure the logging level is set to 'info' (Scored) +[PASS] 2.4 - Ensure Docker is allowed to make changes to iptables (Scored) +[PASS] 2.5 - Ensure insecure registries are not used (Scored) +[PASS] 2.6 - Ensure aufs storage driver is not used (Scored) +[INFO] 2.7 - Ensure TLS authentication for Docker daemon is configured (Scored) +[INFO] * Docker daemon not listening on TCP +[INFO] 2.8 - Ensure the default ulimit is configured appropriately (Manual) +[INFO] * Default ulimit doesn't appear to be set +[WARN] 2.9 - Enable user namespace support (Scored) +[PASS] 2.10 - Ensure the default cgroup usage has been confirmed (Scored) +[PASS] 2.11 - Ensure base device size is not changed until needed (Scored) +[WARN] 2.12 - Ensure that authorization for Docker client commands is enabled (Scored) +[WARN] 2.13 - Ensure centralized and remote logging is configured (Scored) +[WARN] 2.14 - Ensure containers are restricted from acquiring new privileges (Scored) +[WARN] 2.15 - Ensure live restore is enabled (Scored) +[WARN] 2.16 - Ensure Userland Proxy is Disabled (Scored) +[INFO] 2.17 - Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Manual) +[INFO] Ensure that experimental features are not implemented in production (Scored) (Deprecated) + +[INFO] 3 - Docker daemon configuration files +[PASS] 3.1 - Ensure that the docker.service file ownership is set to root:root (Automated) +[PASS] 3.2 - Ensure that docker.service file permissions are appropriately set (Automated) +[PASS] 3.3 - Ensure that docker.socket file ownership is set to root:root (Automated) +[PASS] 3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive (Automated) +[PASS] 3.5 - Ensure that the /etc/docker directory ownership is set to root:root (Automated) +[PASS] 3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Automated) +[INFO] 3.7 - Ensure that registry certificate file ownership is set to root:root (Automated) +[INFO] * Directory not found +[INFO] 3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictively (Automated) +[INFO] * Directory not found +[INFO] 3.9 - Ensure that TLS CA certificate file ownership is set to root:root (Automated) +[INFO] * No TLS CA certificate found +[INFO] 3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Automated) +[INFO] * No TLS CA certificate found +[INFO] 3.11 - Ensure that Docker server certificate file ownership is set to root:root (Automated) +[INFO] * No TLS Server certificate found +[INFO] 3.12 - Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Automated) +[INFO] * No TLS Server certificate found +[INFO] 3.13 - Ensure that the Docker server certificate key file ownership is set to root:root (Automated) +[INFO] * No TLS Key found +[INFO] 3.14 - Ensure that the Docker server certificate key file permissions are set to 400 (Automated) +[INFO] * No TLS Key found +[PASS] 3.15 - Ensure that the Docker socket file ownership is set to root:docker (Automated) +[PASS] 3.16 - Ensure that the Docker socket file permissions are set to 660 or more restrictively (Automated) +[INFO] 3.17 - Ensure that the daemon.json file ownership is set to root:root (Automated) +[INFO] * File not found +[INFO] 3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive (Automated) +[INFO] * File not found +[PASS] 3.19 - Ensure that the /etc/default/docker file ownership is set to root:root (Automated) +[PASS] 3.20 - Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Automated) +[INFO] 3.21 - Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Automated) +[INFO] * File not found +[INFO] 3.22 - Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Automated) +[INFO] * File not found +[PASS] 3.23 - Ensure that the Containerd socket file ownership is set to root:root (Automated) +[PASS] 3.24 - Ensure that the Containerd socket file permissions are set to 660 or more restrictively (Automated) + +[INFO] 4 - Container Images and Build File +[PASS] 4.1 - Ensure that a user for the container has been created (Automated) +[NOTE] 4.2 - Ensure that containers use only trusted base images (Manual) +[NOTE] 4.3 - Ensure that unnecessary packages are not installed in the container (Manual) +[NOTE] 4.4 - Ensure images are scanned and rebuilt to include security patches (Manual) +[WARN] 4.5 - Ensure Content trust for Docker is Enabled (Automated) +[WARN] 4.6 - Ensure that HEALTHCHECK instructions have been added to container images (Automated) +[WARN] * No Healthcheck found: [snyk/snyk:docker] +[WARN] * No Healthcheck found: [gh-pulse-data-airflow-webserver:latest] +[WARN] * No Healthcheck found: [gh-pulse-data-airflow-init:latest] +[WARN] * No Healthcheck found: [gh-pulse-data-airflow-scheduler:latest] +[WARN] * No Healthcheck found: [trufflesecurity/trufflehog:latest] +[WARN] * No Healthcheck found: [bridgecrew/checkov:latest] +[WARN] * No Healthcheck found: [docker:latest] +[WARN] * No Healthcheck found: [checkmarx/kics:latest] +[WARN] * No Healthcheck found: [scylladb/scylla:2025.4] +[WARN] * No Healthcheck found: [postgres:15-alpine] +[WARN] * No Healthcheck found: [postgres:15] +[WARN] * No Healthcheck found: [mongo:8.2.5 mongo:latest] +[WARN] * No Healthcheck found: [mongo:8.2.5 mongo:latest] +[WARN] * No Healthcheck found: [alpine:latest] +[WARN] * No Healthcheck found: [zricethezav/gitleaks:latest] +[WARN] * No Healthcheck found: [minio/minio:RELEASE.2025-09-07T16-13-09Z] +[WARN] * No Healthcheck found: [minio/mc:RELEASE.2025-08-13T08-35-41Z] +[WARN] * No Healthcheck found: [bkimminich/juice-shop:v19.0.0] +[WARN] * No Healthcheck found: [aquasec/tfsec:latest] +[WARN] * No Healthcheck found: [goodwithtech/dockle:latest] +[WARN] * No Healthcheck found: [tenable/terrascan:latest] +[WARN] * No Healthcheck found: [apache/spark:3.5.0] +[INFO] 4.7 - Ensure update instructions are not used alone in the Dockerfile (Manual) +[INFO] * Update instruction found: [snyk/snyk:docker] +[INFO] * Update instruction found: [gh-pulse-data-airflow-webserver:latest] +[INFO] * Update instruction found: [gh-pulse-data-airflow-init:latest] +[INFO] * Update instruction found: [gh-pulse-data-airflow-scheduler:latest] +[INFO] * Update instruction found: [bridgecrew/checkov:latest] +[INFO] * Update instruction found: [checkmarx/kics:latest] +[INFO] * Update instruction found: [postgres:15] +[INFO] * Update instruction found: [mongo:8.2.5 mongo:latest] +[INFO] * Update instruction found: [mongo:8.2.5 mongo:latest] +[INFO] * Update instruction found: [citusdata/citus:13.0 citusdata/citus:13.0.3] +[INFO] * Update instruction found: [citusdata/citus:13.0 citusdata/citus:13.0.3] +[INFO] * Update instruction found: [apache/spark:3.5.0] +[NOTE] 4.8 - Ensure setuid and setgid permissions are removed (Manual) +[INFO] 4.9 - Ensure that COPY is used instead of ADD in Dockerfiles (Manual) +[INFO] * ADD in image history: [gh-pulse-data-airflow-webserver:latest] +[INFO] * ADD in image history: [gh-pulse-data-airflow-init:latest] +[INFO] * ADD in image history: [gh-pulse-data-airflow-scheduler:latest] +[INFO] * ADD in image history: [mongo:8.2.5 mongo:latest] +[INFO] * ADD in image history: [mongo:8.2.5 mongo:latest] +[INFO] * ADD in image history: [minio/mc:RELEASE.2025-08-13T08-35-41Z] +[INFO] * ADD in image history: [apache/spark:3.5.0] +[NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles (Manual) +[NOTE] 4.11 - Ensure only verified packages are installed (Manual) +[NOTE] 4.12 - Ensure all signed artifacts are validated (Manual) + +[INFO] 5 - Container Runtime +[PASS] 5.1 - Ensure swarm mode is not Enabled, if not needed (Automated) +[PASS] 5.2 - Ensure that, if applicable, an AppArmor Profile is enabled (Automated) +[WARN] 5.3 - Ensure that, if applicable, SELinux security options are set (Automated) +[WARN] * No SecurityOptions Found: juice-shop +[PASS] 5.4 - Ensure that Linux kernel capabilities are restricted within containers (Automated) +[PASS] 5.5 - Ensure that privileged containers are not used (Automated) +[PASS] 5.6 - Ensure sensitive host system directories are not mounted on containers (Automated) +[PASS] 5.7 - Ensure sshd is not run within containers (Automated) +[PASS] 5.8 - Ensure privileged ports are not mapped within containers (Automated) +[WARN] 5.9 - Ensure that only needed ports are open on the container (Manual) +[WARN] * Port in use: 3000 in juice-shop +[PASS] 5.10 - Ensure that the host's network namespace is not shared (Automated) +[WARN] 5.11 - Ensure that the memory usage for containers is limited (Automated) +[WARN] * Container running without memory restrictions: juice-shop +[WARN] 5.12 - Ensure that CPU priority is set appropriately on containers (Automated) +[WARN] * Container running without CPU restrictions: juice-shop +[WARN] 5.13 - Ensure that the container's root filesystem is mounted as read only (Automated) +[WARN] * Container running with root FS mounted R/W: juice-shop +[PASS] 5.14 - Ensure that incoming container traffic is bound to a specific host interface (Automated) +0 +[PASS] 5.15 - Ensure that the 'on-failure' container restart policy is set to '5' (Automated) +[PASS] 5.16 - Ensure that the host's process namespace is not shared (Automated) +[PASS] 5.17 - Ensure that the host's IPC namespace is not shared (Automated) +[PASS] 5.18 - Ensure that host devices are not directly exposed to containers (Manual) +[INFO] 5.19 - Ensure that the default ulimit is overwritten at runtime if needed (Manual) +[INFO] * Container no default ulimit override: juice-shop +[PASS] 5.20 - Ensure mount propagation mode is not set to shared (Automated) +[PASS] 5.21 - Ensure that the host's UTS namespace is not shared (Automated) +[PASS] 5.22 - Ensure the default seccomp profile is not Disabled (Automated) +[NOTE] 5.23 - Ensure that docker exec commands are not used with the privileged option (Automated) +[NOTE] 5.24 - Ensure that docker exec commands are not used with the user=root option (Manual) +[PASS] 5.25 - Ensure that cgroup usage is confirmed (Automated) +[WARN] 5.26 - Ensure that the container is restricted from acquiring additional privileges (Automated) +[WARN] * Privileges not restricted: juice-shop +[WARN] 5.27 - Ensure that container health is checked at runtime (Automated) +[WARN] * Health check not set: juice-shop +[INFO] 5.28 - Ensure that Docker commands always make use of the latest version of their image (Manual) +[WARN] 5.29 - Ensure that the PIDs cgroup limit is used (Automated) +[WARN] * PIDs limit not set: juice-shop +[INFO] 5.30 - Ensure that Docker's default bridge 'docker0' is not used (Manual) +[INFO] * Container in docker0 network: juice-shop +[PASS] 5.31 - Ensure that the host's user namespaces are not shared (Automated) +[PASS] 5.32 - Ensure that the Docker socket is not mounted inside any containers (Automated) + +[INFO] 6 - Docker Security Operations +[INFO] 6.1 - Ensure that image sprawl is avoided (Manual) +[INFO] * There are currently: 23 images +[INFO] * Only 1 out of 23 are in use +[INFO] 6.2 - Ensure that container sprawl is avoided (Manual) +[INFO] * There are currently a total of 1 containers, with 1 of them currently running + +[INFO] 7 - Docker Swarm Configuration +[PASS] 7.1 - Ensure that the minimum number of manager nodes have been created in a swarm (Automated) (Swarm mode not enabled) +[PASS] 7.2 - Ensure that swarm services are bound to a specific host interface (Automated) (Swarm mode not enabled) +[PASS] 7.3 - Ensure that all Docker swarm overlay networks are encrypted (Automated) +[PASS] 7.4 - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Manual) (Swarm mode not enabled) +[PASS] 7.5 - Ensure that swarm manager is run in auto-lock mode (Automated) (Swarm mode not enabled) +[PASS] 7.6 - Ensure that the swarm manager auto-lock key is rotated periodically (Manual) (Swarm mode not enabled) +[PASS] 7.7 - Ensure that node certificates are rotated as appropriate (Manual) (Swarm mode not enabled) +[PASS] 7.8 - Ensure that CA certificates are rotated as appropriate (Manual) (Swarm mode not enabled) +[PASS] 7.9 - Ensure that management plane traffic is separated from data plane traffic (Manual) (Swarm mode not enabled) + + +Section C - Score + +[INFO] Checks: 117 +[INFO] Score: 12 + diff --git a/labs/lab7/scanning/dockle-results.txt b/labs/lab7/scanning/dockle-results.txt new file mode 100644 index 00000000..91b99573 --- /dev/null +++ b/labs/lab7/scanning/dockle-results.txt @@ -0,0 +1,9 @@ +SKIP - DKL-LI-0001: Avoid empty password + * failed to detect etc/shadow,etc/master.passwd +INFO - CIS-DI-0005: Enable Content trust for Docker + * export DOCKER_CONTENT_TRUST=1 before docker pull/build +INFO - CIS-DI-0006: Add HEALTHCHECK instruction to the container image + * not found HEALTHCHECK statement +INFO - DKL-LI-0003: Only put necessary files + * unnecessary file : juice-shop/node_modules/extglob/lib/.DS_Store + * unnecessary file : juice-shop/node_modules/micromatch/lib/.DS_Store diff --git a/labs/lab7/scanning/scout-cves.txt b/labs/lab7/scanning/scout-cves.txt new file mode 100644 index 00000000..25284d40 --- /dev/null +++ b/labs/lab7/scanning/scout-cves.txt @@ -0,0 +1,1032 @@ + + +## Overview + + │ Analyzed Image +───────────────────┼────────────────────────────────────────── + Target │ bkimminich/juice-shop:v19.0.0 + digest │ 37cc73163c4c + platform │ linux/amd64 + provenance │ https://github.com/juice-shop/juice-shop + │ https://github.com/juice-shop/juice-shop/blob/36870cb + vulnerabilities │ 11C 65H 30M 5L 7? + size │ 172 MB + packages │ 1004 + + +## Packages and Vulnerabilities + + 4C 0H 1M 0L vm2 3.9.17 +pkg:npm/vm2@3.9.17 + + ✗ CRITICAL CVE-2026-22709 [Protection Mechanism Failure] + https://scout.docker.com/v/CVE-2026-22709?s=github&n=vm2&t=npm&vr=%3C%3D3.10.1 + Affected range : <=3.10.1 + Fixed version : 3.10.2 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2023-37903 [Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')] + https://scout.docker.com/v/CVE-2023-37903?s=github&n=vm2&t=npm&vr=%3C%3D3.9.19 + Affected range : <=3.9.19 + Fixed version : not fixed + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2023-37466 [Improper Control of Generation of Code ('Code Injection')] + https://scout.docker.com/v/CVE-2023-37466?s=github&n=vm2&t=npm&vr=%3C%3D3.9.19 + Affected range : <=3.9.19 + Fixed version : 3.10.0 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2023-32314 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')] + https://scout.docker.com/v/CVE-2023-32314?s=github&n=vm2&t=npm&vr=%3C3.9.18 + Affected range : <3.9.18 + Fixed version : 3.9.18 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ MEDIUM CVE-2023-32313 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')] + https://scout.docker.com/v/CVE-2023-32313?s=github&n=vm2&t=npm&vr=%3C3.9.18 + Affected range : <3.9.18 + Fixed version : 3.9.18 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 1C 4H 1M 0L node 22.18.0 +pkg:generic/node@22.18.0 + + ✗ CRITICAL CVE-2025-55130 + https://scout.docker.com/v/CVE-2025-55130?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ HIGH CVE-2026-21637 + https://scout.docker.com/v/CVE-2026-21637?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ HIGH CVE-2025-59466 + https://scout.docker.com/v/CVE-2025-59466?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ HIGH CVE-2025-59465 + https://scout.docker.com/v/CVE-2025-59465?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ HIGH CVE-2025-55131 + https://scout.docker.com/v/CVE-2025-55131?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ MEDIUM CVE-2025-55132 + https://scout.docker.com/v/CVE-2025-55132?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + + 1C 3H 1M 0L 1? lodash 2.4.2 +pkg:npm/lodash@2.4.2 + + ✗ CRITICAL CVE-2019-10744 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2019-10744?s=github&n=lodash&t=npm&vr=%3C4.17.12 + Affected range : <4.17.12 + Fixed version : 4.17.12 + CVSS Score : 9.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H + + ✗ HIGH CVE-2020-8203 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2020-8203?s=gitlab&n=lodash&t=npm&vr=%3C4.17.20 + Affected range : <4.17.20 + Fixed version : 4.17.20 + CVSS Score : 7.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H + + ✗ HIGH CVE-2021-23337 [Improper Neutralization of Special Elements used in a Command ('Command Injection')] + https://scout.docker.com/v/CVE-2021-23337?s=github&n=lodash&t=npm&vr=%3C4.17.21 + Affected range : <4.17.21 + Fixed version : 4.17.21 + CVSS Score : 7.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + + ✗ HIGH CVE-2018-16487 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2018-16487?s=github&n=lodash&t=npm&vr=%3C4.17.11 + Affected range : <4.17.11 + Fixed version : 4.17.11 + + ✗ MEDIUM CVE-2018-3721 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2018-3721?s=github&n=lodash&t=npm&vr=%3C4.17.5 + Affected range : <4.17.5 + Fixed version : 4.17.5 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N + + ✗ UNSPECIFIED GMS-2018-10 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2018-10?s=gitlab&n=lodash&t=npm&vr=%3C4.17.5 + Affected range : <4.17.5 + Fixed version : 4.17.5 + + + 1C 1H 2M 0L 1? jsonwebtoken 0.4.0 +pkg:npm/jsonwebtoken@0.4.0 + + ✗ CRITICAL CVE-2015-9235 [Improper Input Validation] + https://scout.docker.com/v/CVE-2015-9235?s=github&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + ✗ HIGH CVE-2022-23539 [Use of a Broken or Risky Cryptographic Algorithm] + https://scout.docker.com/v/CVE-2022-23539?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N + + ✗ MEDIUM CVE-2022-23540 [Improper Authentication] + https://scout.docker.com/v/CVE-2022-23540?s=github&n=jsonwebtoken&t=npm&vr=%3C9.0.0 + Affected range : <9.0.0 + Fixed version : 9.0.0 + CVSS Score : 6.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L + + ✗ MEDIUM CVE-2022-23541 [Improper Restriction of Security Token Assignment] + https://scout.docker.com/v/CVE-2022-23541?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 5.0 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L + + ✗ UNSPECIFIED GMS-2015-4 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2015-4?s=gitlab&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + + 1C 1H 2M 0L 1? jsonwebtoken 0.1.0 +pkg:npm/jsonwebtoken@0.1.0 + + ✗ CRITICAL CVE-2015-9235 [Improper Input Validation] + https://scout.docker.com/v/CVE-2015-9235?s=github&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + ✗ HIGH CVE-2022-23539 [Use of a Broken or Risky Cryptographic Algorithm] + https://scout.docker.com/v/CVE-2022-23539?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N + + ✗ MEDIUM CVE-2022-23540 [Improper Authentication] + https://scout.docker.com/v/CVE-2022-23540?s=github&n=jsonwebtoken&t=npm&vr=%3C9.0.0 + Affected range : <9.0.0 + Fixed version : 9.0.0 + CVSS Score : 6.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L + + ✗ MEDIUM CVE-2022-23541 [Improper Restriction of Security Token Assignment] + https://scout.docker.com/v/CVE-2022-23541?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 5.0 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L + + ✗ UNSPECIFIED GMS-2015-4 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2015-4?s=gitlab&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + + 1C 1H 0M 0L crypto-js 3.3.0 +pkg:npm/crypto-js@3.3.0 + + ✗ CRITICAL CVE-2023-46233 [Use of a Broken or Risky Cryptographic Algorithm] + https://scout.docker.com/v/CVE-2023-46233?s=github&n=crypto-js&t=npm&vr=%3C4.2.0 + Affected range : <4.2.0 + Fixed version : 4.2.0 + CVSS Score : 9.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N + + ✗ HIGH GMS-2020-4 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2020-4?s=gitlab&n=crypto-js&t=npm&vr=%3E%3D3.3.0%2C%3C4.0.0 + Affected range : >=3.3.0 + : <4.0.0 + Fixed version : 3.2.1, 4.0.0 + CVSS Score : 7.5 + CVSS Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P + + + 1C 0H 1M 0L minimist 0.2.4 +pkg:npm/minimist@0.2.4 + + ✗ CRITICAL CVE-2021-44906 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2021-44906?s=gitlab&n=minimist&t=npm&vr=%3C1.2.6 + Affected range : <1.2.6 + Fixed version : 1.2.6 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ MEDIUM CVE-2020-7598 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2020-7598?s=gitlab&n=minimist&t=npm&vr=%3C1.2.2 + Affected range : <1.2.2 + Fixed version : 1.2.2 + CVSS Score : 5.6 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L + + + 1C 0H 0M 0L marsdb 0.6.11 +pkg:npm/marsdb@0.6.11 + + ✗ CRITICAL GHSA-5mrr-rgp6-x4gr [Improper Neutralization of Special Elements used in a Command ('Command Injection')] + https://scout.docker.com/v/GHSA-5mrr-rgp6-x4gr?s=github&n=marsdb&t=npm&vr=%3E%3D0.0.0 + Affected range : >=0.0.0 + Fixed version : not fixed + + + 0C 6H 1M 0L tar 4.4.19 +pkg:npm/tar@4.4.19 + + ✗ HIGH CVE-2026-23950 [Improper Handling of Unicode Encoding] + https://scout.docker.com/v/CVE-2026-23950?s=github&n=tar&t=npm&vr=%3C%3D7.5.3 + Affected range : <=7.5.3 + Fixed version : 7.5.4 + CVSS Score : 8.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L + + ✗ HIGH CVE-2026-31802 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-31802?s=github&n=tar&t=npm&vr=%3C%3D7.5.10 + Affected range : <=7.5.10 + Fixed version : 7.5.11 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N + + ✗ HIGH CVE-2026-29786 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-29786?s=github&n=tar&t=npm&vr=%3C%3D7.5.9 + Affected range : <=7.5.9 + Fixed version : 7.5.10 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L + + ✗ HIGH CVE-2026-24842 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-24842?s=github&n=tar&t=npm&vr=%3C7.5.7 + Affected range : <7.5.7 + Fixed version : 7.5.7 + CVSS Score : 8.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N + + ✗ HIGH CVE-2026-23745 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-23745?s=github&n=tar&t=npm&vr=%3C%3D7.5.2 + Affected range : <=7.5.2 + Fixed version : 7.5.3 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N + + ✗ HIGH CVE-2026-26960 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-26960?s=github&n=tar&t=npm&vr=%3C7.5.8 + Affected range : <7.5.8 + Fixed version : 7.5.8 + CVSS Score : 7.1 + CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N + + ✗ MEDIUM CVE-2024-28863 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2024-28863?s=github&n=tar&t=npm&vr=%3C6.2.1 + Affected range : <6.2.1 + Fixed version : 6.2.1 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + + + 0C 6H 0M 0L tar 7.4.3 +pkg:npm/tar@7.4.3 + + ✗ HIGH CVE-2026-23950 [Improper Handling of Unicode Encoding] + https://scout.docker.com/v/CVE-2026-23950?s=github&n=tar&t=npm&vr=%3C%3D7.5.3 + Affected range : <=7.5.3 + Fixed version : 7.5.4 + CVSS Score : 8.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L + + ✗ HIGH CVE-2026-31802 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-31802?s=github&n=tar&t=npm&vr=%3C%3D7.5.10 + Affected range : <=7.5.10 + Fixed version : 7.5.11 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N + + ✗ HIGH CVE-2026-29786 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-29786?s=github&n=tar&t=npm&vr=%3C%3D7.5.9 + Affected range : <=7.5.9 + Fixed version : 7.5.10 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L + + ✗ HIGH CVE-2026-24842 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-24842?s=github&n=tar&t=npm&vr=%3C7.5.7 + Affected range : <7.5.7 + Fixed version : 7.5.7 + CVSS Score : 8.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N + + ✗ HIGH CVE-2026-23745 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-23745?s=github&n=tar&t=npm&vr=%3C%3D7.5.2 + Affected range : <=7.5.2 + Fixed version : 7.5.3 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N + + ✗ HIGH CVE-2026-26960 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-26960?s=github&n=tar&t=npm&vr=%3C7.5.8 + Affected range : <7.5.8 + Fixed version : 7.5.8 + CVSS Score : 7.1 + CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N + + + 0C 6H 0M 0L tar 6.2.1 +pkg:npm/tar@6.2.1 + + ✗ HIGH CVE-2026-23950 [Improper Handling of Unicode Encoding] + https://scout.docker.com/v/CVE-2026-23950?s=github&n=tar&t=npm&vr=%3C%3D7.5.3 + Affected range : <=7.5.3 + Fixed version : 7.5.4 + CVSS Score : 8.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L + + ✗ HIGH CVE-2026-31802 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-31802?s=github&n=tar&t=npm&vr=%3C%3D7.5.10 + Affected range : <=7.5.10 + Fixed version : 7.5.11 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N + + ✗ HIGH CVE-2026-29786 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-29786?s=github&n=tar&t=npm&vr=%3C%3D7.5.9 + Affected range : <=7.5.9 + Fixed version : 7.5.10 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L + + ✗ HIGH CVE-2026-24842 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-24842?s=github&n=tar&t=npm&vr=%3C7.5.7 + Affected range : <7.5.7 + Fixed version : 7.5.7 + CVSS Score : 8.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N + + ✗ HIGH CVE-2026-23745 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-23745?s=github&n=tar&t=npm&vr=%3C%3D7.5.2 + Affected range : <=7.5.2 + Fixed version : 7.5.3 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N + + ✗ HIGH CVE-2026-26960 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-26960?s=github&n=tar&t=npm&vr=%3C7.5.8 + Affected range : <7.5.8 + Fixed version : 7.5.8 + CVSS Score : 7.1 + CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N + + + 0C 4H 0M 0L multer 1.4.5-lts.2 +pkg:npm/multer@1.4.5-lts.2 + + ✗ HIGH CVE-2026-3520 [Uncontrolled Recursion] + https://scout.docker.com/v/CVE-2026-3520?s=github&n=multer&t=npm&vr=%3C2.1.1 + Affected range : <2.1.1 + Fixed version : 2.1.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-3304 [Incomplete Cleanup] + https://scout.docker.com/v/CVE-2026-3304?s=github&n=multer&t=npm&vr=%3C2.1.0 + Affected range : <2.1.0 + Fixed version : 2.1.0 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-2359 [Missing Release of Resource after Effective Lifetime] + https://scout.docker.com/v/CVE-2026-2359?s=github&n=multer&t=npm&vr=%3C2.1.0 + Affected range : <2.1.0 + Fixed version : 2.1.0 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2025-47935 [Missing Release of Memory after Effective Lifetime] + https://scout.docker.com/v/CVE-2025-47935?s=github&n=multer&t=npm&vr=%3C2.0.0 + Affected range : <2.0.0 + Fixed version : 2.0.0 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 3.0.5 +pkg:npm/minimatch@3.0.5 + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3C3.1.4 + Affected range : <3.1.4 + Fixed version : 3.1.4 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 3.1.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 5.1.6 +pkg:npm/minimatch@5.1.6 + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3E%3D5.0.0%2C%3C5.1.7 + Affected range : >=5.0.0 + : <5.1.7 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3E%3D5.0.0%2C%3C5.1.8 + Affected range : >=5.0.0 + : <5.1.8 + Fixed version : 5.1.8 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3E%3D5.0.0%2C%3C5.1.8 + Affected range : >=5.0.0 + : <5.1.8 + Fixed version : 5.1.8 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 3.1.2 +pkg:npm/minimatch@3.1.2 + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3C3.1.4 + Affected range : <3.1.4 + Fixed version : 3.1.4 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 3.1.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 9.0.5 +pkg:npm/minimatch@9.0.5 + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3E%3D9.0.0%2C%3C9.0.6 + Affected range : >=9.0.0 + : <9.0.6 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3E%3D9.0.0%2C%3C9.0.7 + Affected range : >=9.0.0 + : <9.0.7 + Fixed version : 9.0.7 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3E%3D9.0.0%2C%3C9.0.7 + Affected range : >=9.0.0 + : <9.0.7 + Fixed version : 9.0.7 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 3.0.8 +pkg:npm/minimatch@3.0.8 + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3C3.1.4 + Affected range : <3.1.4 + Fixed version : 3.1.4 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 3.1.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 2H 1M 0L 1? moment 2.0.0 +pkg:npm/moment@2.0.0 + + ✗ HIGH CVE-2022-24785 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2022-24785?s=github&n=moment&t=npm&vr=%3C2.29.2 + Affected range : <2.29.2 + Fixed version : 2.29.2 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + + ✗ HIGH CVE-2017-18214 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2017-18214?s=github&n=moment&t=npm&vr=%3C2.19.3 + Affected range : <2.19.3 + Fixed version : 2.19.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ MEDIUM CVE-2016-4055 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2016-4055?s=github&n=moment&t=npm&vr=%3C2.11.2 + Affected range : <2.11.2 + Fixed version : 2.11.2 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + + ✗ UNSPECIFIED GMS-2017-332 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2017-332?s=gitlab&n=moment&t=npm&vr=%3C2.19.3 + Affected range : <2.19.3 + Fixed version : 2.19.3 + + + 0C 2H 0M 0L 1? jws 0.2.6 +pkg:npm/jws@0.2.6 + + ✗ HIGH CVE-2016-1000223 + https://scout.docker.com/v/CVE-2016-1000223?s=github&n=jws&t=npm&vr=%3C3.0.0 + Affected range : <3.0.0 + Fixed version : 3.0.0 + CVSS Score : 8.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N + + ✗ HIGH CVE-2025-65945 [Improper Verification of Cryptographic Signature] + https://scout.docker.com/v/CVE-2025-65945?s=github&n=jws&t=npm&vr=%3C3.2.3 + Affected range : <3.2.3 + Fixed version : 3.2.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + + ✗ UNSPECIFIED GMS-2016-54 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2016-54?s=gitlab&n=jws&t=npm&vr=%3C3.0.0 + Affected range : <3.0.0 + Fixed version : 3.0.0 + + + 0C 1H 6M 0L 2? sanitize-html 1.4.2 +pkg:npm/sanitize-html@1.4.2 + + ✗ HIGH CVE-2022-25887 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2022-25887?s=github&n=sanitize-html&t=npm&vr=%3C2.7.1 + Affected range : <2.7.1 + Fixed version : 2.7.1 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ MEDIUM CVE-2019-25225 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2019-25225?s=github&n=sanitize-html&t=npm&vr=%3C2.0.0-beta + Affected range : <2.0.0-beta + Fixed version : 2.0.0-beta + CVSS Score : 6.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + + ✗ MEDIUM CVE-2016-1000237 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2016-1000237?s=github&n=sanitize-html&t=npm&vr=%3C1.4.3 + Affected range : <1.4.3 + Fixed version : 1.4.3 + CVSS Score : 6.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + + ✗ MEDIUM CVE-2024-21501 [Exposure of Sensitive Information to an Unauthorized Actor] + https://scout.docker.com/v/CVE-2024-21501?s=github&n=sanitize-html&t=npm&vr=%3C2.12.1 + Affected range : <2.12.1 + Fixed version : 2.12.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + + ✗ MEDIUM CVE-2021-26540 [Improper Input Validation] + https://scout.docker.com/v/CVE-2021-26540?s=github&n=sanitize-html&t=npm&vr=%3C2.3.2 + Affected range : <2.3.2 + Fixed version : 2.3.2 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + ✗ MEDIUM CVE-2021-26539 [Improper Input Validation] + https://scout.docker.com/v/CVE-2021-26539?s=github&n=sanitize-html&t=npm&vr=%3C2.3.1 + Affected range : <2.3.1 + Fixed version : 2.3.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + ✗ MEDIUM CVE-2017-16016 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2017-16016?s=github&n=sanitize-html&t=npm&vr=%3C%3D1.11.1 + Affected range : <=1.11.1 + Fixed version : 1.11.4 + + ✗ UNSPECIFIED GMS-2016-57 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2016-57?s=gitlab&n=sanitize-html&t=npm&vr=%3C%3D1.4.2 + Affected range : <=1.4.2 + Fixed version : 1.4.3 + + ✗ UNSPECIFIED GMS-2016-17 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2016-17?s=gitlab&n=sanitize-html&t=npm&vr=%3C1.11.4 + Affected range : <1.11.4 + Fixed version : 1.11.4 + + + 0C 1H 1M 0L validator 13.15.15 +pkg:npm/validator@13.15.15 + + ✗ HIGH CVE-2025-12758 [Encoding Error] + https://scout.docker.com/v/CVE-2025-12758?s=github&n=validator&t=npm&vr=%3C13.15.22 + Affected range : <13.15.22 + Fixed version : 13.15.22 + CVSS Score : 7.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P + + ✗ MEDIUM CVE-2025-56200 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2025-56200?s=github&n=validator&t=npm&vr=%3C13.15.20 + Affected range : <13.15.20 + Fixed version : 13.15.20 + CVSS Score : 6.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + + + 0C 1H 1M 0L socket.io-parser 4.0.5 +pkg:npm/socket.io-parser@4.0.5 + + ✗ HIGH CVE-2026-33151 [Improper Check for Unusual or Exceptional Conditions] + https://scout.docker.com/v/CVE-2026-33151?s=github&n=socket.io-parser&t=npm&vr=%3E%3D4.0.0%2C%3C4.2.6 + Affected range : >=4.0.0 + : <4.2.6 + Fixed version : 4.2.6 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ MEDIUM CVE-2023-32695 [Improper Input Validation] + https://scout.docker.com/v/CVE-2023-32695?s=github&n=socket.io-parser&t=npm&vr=%3E%3D4.0.4%2C%3C4.2.3 + Affected range : >=4.0.4 + : <4.2.3 + Fixed version : 4.2.3 + CVSS Score : 6.9 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N + + + 0C 1H 1M 0L socket.io 3.1.2 +pkg:npm/socket.io@3.1.2 + + ✗ HIGH GHSA-25hc-qcg6-38wj [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GHSA-25hc-qcg6-38wj?s=gitlab&n=socket.io&t=npm&vr=%3E%3D3.0.0%2C%3C4.6.2 + Affected range : >=3.0.0 + : <4.6.2 + Fixed version : 2.5.1, 4.6.2 + CVSS Score : 7.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L + + ✗ MEDIUM CVE-2024-38355 [Improper Input Validation] + https://scout.docker.com/v/CVE-2024-38355?s=github&n=socket.io&t=npm&vr=%3E%3D3.0.0%2C%3C4.6.2 + Affected range : >=3.0.0 + : <4.6.2 + Fixed version : 4.6.2 + CVSS Score : 6.9 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N + + + 0C 1H 0M 0L sequelize 6.37.7 +pkg:npm/sequelize@6.37.7 + + ✗ HIGH CVE-2026-30951 [Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')] + https://scout.docker.com/v/CVE-2026-30951?s=github&n=sequelize&t=npm&vr=%3E%3D6.0.0-beta.1%2C%3C%3D6.37.7 + Affected range : >=6.0.0-beta.1 + : <=6.37.7 + Fixed version : 6.37.8 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + + + 0C 1H 0M 0L ip 2.0.1 +pkg:npm/ip@2.0.1 + + ✗ HIGH CVE-2024-29415 [Server-Side Request Forgery (SSRF)] + https://scout.docker.com/v/CVE-2024-29415?s=github&n=ip&t=npm&vr=%3C%3D2.0.1 + Affected range : <=2.0.1 + Fixed version : not fixed + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + + + 0C 1H 0M 0L express-jwt 0.1.3 +pkg:npm/express-jwt@0.1.3 + + ✗ HIGH CVE-2020-15084 [Improper Authorization] + https://scout.docker.com/v/CVE-2020-15084?s=github&n=express-jwt&t=npm&vr=%3C%3D5.3.3 + Affected range : <=5.3.3 + Fixed version : 6.0.0 + CVSS Score : 7.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N + + + 0C 1H 0M 0L braces 2.3.2 +pkg:npm/braces@2.3.2 + + ✗ HIGH CVE-2024-4068 [Excessive Platform Resource Consumption within a Loop] + https://scout.docker.com/v/CVE-2024-4068?s=github&n=braces&t=npm&vr=%3C3.0.3 + Affected range : <3.0.3 + Fixed version : 3.0.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 1H 0M 0L glob 10.4.5 +pkg:npm/glob@10.4.5 + + ✗ HIGH CVE-2025-64756 [Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')] + https://scout.docker.com/v/CVE-2025-64756?s=github&n=glob&t=npm&vr=%3E%3D10.2.0%2C%3C10.5.0 + Affected range : >=10.2.0 + : <10.5.0 + Fixed version : 11.1.0 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H + + + 0C 1H 0M 0L ws 7.4.6 +pkg:npm/ws@7.4.6 + + ✗ HIGH CVE-2024-37890 [NULL Pointer Dereference] + https://scout.docker.com/v/CVE-2024-37890?s=github&n=ws&t=npm&vr=%3E%3D7.0.0%2C%3C7.5.10 + Affected range : >=7.0.0 + : <7.5.10 + Fixed version : 7.5.10 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + + 0C 1H 0M 0L tar-fs 2.1.3 +pkg:npm/tar-fs@2.1.3 + + ✗ HIGH CVE-2025-59343 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2025-59343?s=github&n=tar-fs&t=npm&vr=%3E%3D2.0.0%2C%3C2.1.4 + Affected range : >=2.0.0 + : <2.1.4 + Fixed version : 2.1.4 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N + + + 0C 1H 0M 0L lodash.set 4.3.2 +pkg:npm/lodash.set@4.3.2 + + ✗ HIGH CVE-2020-8203 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2020-8203?s=github&n=lodash.set&t=npm&vr=%3E%3D3.7.0%2C%3C%3D4.3.2 + Affected range : >=3.7.0 + : <=4.3.2 + Fixed version : not fixed + CVSS Score : 7.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H + + + 0C 1H 0M 0L http-cache-semantics 3.8.1 +pkg:npm/http-cache-semantics@3.8.1 + + ✗ HIGH CVE-2022-25881 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2022-25881?s=github&n=http-cache-semantics&t=npm&vr=%3C4.1.1 + Affected range : <4.1.1 + Fixed version : 4.1.1 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 1H 0M 0L mout 1.2.4 +pkg:npm/mout@1.2.4 + + ✗ HIGH CVE-2020-7792 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2020-7792?s=gitlab&n=mout&t=npm&vr=%3E%3D0 + Affected range : >=0 + Fixed version : not fixed + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 0H 1M 1L qs 6.13.0 +pkg:npm/qs@6.13.0 + + ✗ MEDIUM CVE-2025-15284 [Improper Input Validation] + https://scout.docker.com/v/CVE-2025-15284?s=github&n=qs&t=npm&vr=%3C6.14.1 + Affected range : <6.14.1 + Fixed version : 6.14.1 + CVSS Score : 6.3 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L + + ✗ LOW CVE-2026-2391 [Improper Input Validation] + https://scout.docker.com/v/CVE-2026-2391?s=github&n=qs&t=npm&vr=%3E%3D6.7.0%2C%3C%3D6.14.1 + Affected range : >=6.7.0 + : <=6.14.1 + Fixed version : 6.14.2 + CVSS Score : 3.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L + + + 0C 0H 1M 0L hbs 4.2.0 +pkg:npm/hbs@4.2.0 + + ✗ MEDIUM CVE-2021-32822 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2021-32822?s=gitlab&n=hbs&t=npm&vr=%3E%3D0 + Affected range : >=0 + Fixed version : not fixed + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + + + 0C 0H 1M 0L js-yaml 3.14.1 +pkg:npm/js-yaml@3.14.1 + + ✗ MEDIUM CVE-2025-64718 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2025-64718?s=github&n=js-yaml&t=npm&vr=%3C3.14.2 + Affected range : <3.14.2 + Fixed version : 4.1.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 0C 0H 1M 0L got 8.3.2 +pkg:npm/got@8.3.2 + + ✗ MEDIUM CVE-2022-33987 + https://scout.docker.com/v/CVE-2022-33987?s=github&n=got&t=npm&vr=%3C11.8.5 + Affected range : <11.8.5 + Fixed version : 11.8.5 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 0C 0H 1M 0L notevil 1.3.3 +pkg:npm/notevil@1.3.3 + + ✗ MEDIUM CVE-2021-23771 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2021-23771?s=github&n=notevil&t=npm&vr=%3C%3D1.3.3 + Affected range : <=1.3.3 + Fixed version : not fixed + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N + + + 0C 0H 1M 0L micromatch 3.1.10 +pkg:npm/micromatch@3.1.10 + + ✗ MEDIUM CVE-2024-4067 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2024-4067?s=github&n=micromatch&t=npm&vr=%3C4.0.8 + Affected range : <4.0.8 + Fixed version : 4.0.8 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + + + 0C 0H 1M 0L file-type 16.5.4 +pkg:npm/file-type@16.5.4 + + ✗ MEDIUM CVE-2026-31808 [Loop with Unreachable Exit Condition ('Infinite Loop')] + https://scout.docker.com/v/CVE-2026-31808?s=github&n=file-type&t=npm&vr=%3E%3D13.0.0%2C%3C21.3.1 + Affected range : >=13.0.0 + : <21.3.1 + Fixed version : 21.3.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + + + 0C 0H 1M 0L dottie 2.0.6 +pkg:npm/dottie@2.0.6 + + ✗ MEDIUM CVE-2026-27837 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2026-27837?s=github&n=dottie&t=npm&vr=%3E%3D2.0.4%2C%3C%3D2.0.6 + Affected range : >=2.0.4 + : <=2.0.6 + Fixed version : 2.0.7 + CVSS Score : 6.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L + + + 0C 0H 1M 0L lodash 4.17.21 +pkg:npm/lodash@4.17.21 + + ✗ MEDIUM CVE-2025-13465 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2025-13465?s=github&n=lodash&t=npm&vr=%3E%3D4.0.0%2C%3C%3D4.17.22 + Affected range : >=4.0.0 + : <=4.17.22 + Fixed version : 4.17.23 + CVSS Score : 6.9 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P + + + 0C 0H 1M 0L engine.io 4.1.2 +pkg:npm/engine.io@4.1.2 + + ✗ MEDIUM CVE-2022-41940 [Uncaught Exception] + https://scout.docker.com/v/CVE-2022-41940?s=github&n=engine.io&t=npm&vr=%3E%3D4.0.0%2C%3C6.2.1 + Affected range : >=4.0.0 + : <6.2.1 + Fixed version : 6.2.1 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + + + 0C 0H 1M 0L base64url 0.0.6 +pkg:npm/base64url@0.0.6 + + ✗ MEDIUM GHSA-rvg8-pwq2-xj7q [Out-of-bounds Read] + https://scout.docker.com/v/GHSA-rvg8-pwq2-xj7q?s=github&n=base64url&t=npm&vr=%3C3.0.0 + Affected range : <3.0.0 + Fixed version : 3.0.0 + + + 0C 0H 0M 1L @tootallnate/once 2.0.0 +pkg:npm/%40tootallnate/once@2.0.0 + + ✗ LOW CVE-2026-3449 [Incorrect Control Flow Scoping] + https://scout.docker.com/v/CVE-2026-3449?s=github&n=once&ns=%40tootallnate&t=npm&vr=%3C3.0.1 + Affected range : <3.0.1 + Fixed version : 3.0.1 + CVSS Score : 1.9 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P + + + 0C 0H 0M 1L diff 4.0.2 +pkg:npm/diff@4.0.2 + + ✗ LOW CVE-2026-24001 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-24001?s=github&n=diff&t=npm&vr=%3E%3D4.0.0%2C%3C4.0.4 + Affected range : >=4.0.0 + : <4.0.4 + Fixed version : 4.0.4 + CVSS Score : 2.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U + + + 0C 0H 0M 1L @tootallnate/once 1.1.2 +pkg:npm/%40tootallnate/once@1.1.2 + + ✗ LOW CVE-2026-3449 [Incorrect Control Flow Scoping] + https://scout.docker.com/v/CVE-2026-3449?s=github&n=once&ns=%40tootallnate&t=npm&vr=%3C3.0.1 + Affected range : <3.0.1 + Fixed version : 3.0.1 + CVSS Score : 1.9 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P + + + 0C 0H 0M 1L cookie 0.4.2 +pkg:npm/cookie@0.4.2 + + ✗ LOW CVE-2024-47764 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')] + https://scout.docker.com/v/CVE-2024-47764?s=github&n=cookie&t=npm&vr=%3C0.7.0 + Affected range : <0.7.0 + Fixed version : 0.7.0 + + + +118 vulnerabilities found in 48 packages + CRITICAL 11 + HIGH 65 + MEDIUM 30 + LOW 5 + UNSPECIFIED 7 + diff --git a/labs/lab7/scanning/snyk-results.txt b/labs/lab7/scanning/snyk-results.txt new file mode 100644 index 00000000..ced81c75 --- /dev/null +++ b/labs/lab7/scanning/snyk-results.txt @@ -0,0 +1,255 @@ + +Testing bkimminich/juice-shop:v19.0.0... + +✗ High severity vulnerability found in openssl/libssl3 + Description: CVE-2025-69421 + Info: https://security.snyk.io/vuln/SNYK-DEBIAN12-OPENSSL-15123192 + Introduced through: openssl/libssl3@3.0.17-1~deb12u2 + From: openssl/libssl3@3.0.17-1~deb12u2 + Fixed in: 3.0.18-1~deb12u2 + +------------ Detected 5 vulnerabilities for node@22.18.0 ------------ + + +✗ High severity vulnerability found in node + Description: UNIX Symbolic Link (Symlink) Following + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14928586 + Introduced through: node@22.18.0 + From: node@22.18.0 + Fixed in: 22.22.0 + +✗ High severity vulnerability found in node + Description: Uncaught Exception + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14929624 + Introduced through: node@22.18.0 + From: node@22.18.0 + Fixed in: 22.22.0 + +✗ High severity vulnerability found in node + Description: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14975915 + Introduced through: node@22.18.0 + From: node@22.18.0 + Fixed in: 22.22.0 + +✗ High severity vulnerability found in node + Description: Uncaught Exception + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14982196 + Introduced through: node@22.18.0 + From: node@22.18.0 + Fixed in: 22.22.0 + +✗ Critical severity vulnerability found in node + Description: Race Condition + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14928492 + Introduced through: node@22.18.0 + From: node@22.18.0 + Fixed in: 22.22.0 + +Organization: anr2024 +Package manager: deb +Project name: docker-image|bkimminich/juice-shop +Docker image: bkimminich/juice-shop:v19.0.0 +Platform: linux/amd64 +Target OS: Distroless +Licenses: enabled + +Tested 10 dependencies for known issues, found 6 issues. + +------------------------------------------------------- + +Testing bkimminich/juice-shop:v19.0.0... + +Tested 975 dependencies for known issues, found 47 issues. + + +Issues to fix by upgrading: + + Upgrade body-parser@1.20.3 to body-parser@1.20.4 to fix + ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-14724253] in qs@6.13.0 + introduced by body-parser@1.20.3 > qs@6.13.0 and 2 other path(s) + ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-15268416] in qs@6.13.0 + introduced by body-parser@1.20.3 > qs@6.13.0 and 2 other path(s) + + Upgrade check-dependencies@1.1.1 to check-dependencies@2.0.0 to fix + ✗ Excessive Platform Resource Consumption within a Loop [High Severity][https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727] in braces@2.3.2 + introduced by check-dependencies@1.1.1 > findup-sync@2.0.0 > micromatch@3.1.10 > braces@2.3.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660] in unset-value@1.0.0 + introduced by check-dependencies@1.1.1 > findup-sync@2.0.0 > micromatch@3.1.10 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > unset-value@1.0.0 and 4 other path(s) + + Upgrade express@4.21.2 to express@4.22.0 to fix + ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-14724253] in qs@6.13.0 + introduced by body-parser@1.20.3 > qs@6.13.0 and 2 other path(s) + ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-15268416] in qs@6.13.0 + introduced by body-parser@1.20.3 > qs@6.13.0 and 2 other path(s) + + Upgrade express-ipfilter@1.3.2 to express-ipfilter@1.4.0 to fix + ✗ Server-side Request Forgery (SSRF) [High Severity][https://security.snyk.io/vuln/SNYK-JS-IP-12704893] in ip@2.0.1 + introduced by express-ipfilter@1.3.2 > ip@2.0.1 + ✗ Server-side Request Forgery (SSRF) [High Severity][https://security.snyk.io/vuln/SNYK-JS-IP-12761655] in ip@2.0.1 + introduced by express-ipfilter@1.3.2 > ip@2.0.1 + + Upgrade express-jwt@0.1.3 to express-jwt@6.0.0 to fix + ✗ Authorization Bypass [High Severity][https://security.snyk.io/vuln/SNYK-JS-EXPRESSJWT-575022] in express-jwt@0.1.3 + introduced by express-jwt@0.1.3 + ✗ Improper Verification of Cryptographic Signature [High Severity][https://security.snyk.io/vuln/SNYK-JS-JWS-14188253] in jws@0.2.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s) + ✗ Forgeable Public/Private Tokens [High Severity][https://security.snyk.io/vuln/npm:jws:20160726] in jws@0.2.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s) + ✗ Directory Traversal [High Severity][https://security.snyk.io/vuln/SNYK-JS-MOMENT-2440688] in moment@2.0.0 + introduced by express-jwt@0.1.3 > jsonwebtoken@0.1.0 > moment@2.0.0 + ✗ Uninitialized Memory Exposure [High Severity][https://security.snyk.io/vuln/npm:base64url:20180511] in base64url@0.0.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 > base64url@0.0.6 and 3 other path(s) + ✗ Authentication Bypass [High Severity][https://security.snyk.io/vuln/npm:jsonwebtoken:20150331] in jsonwebtoken@0.1.0 + introduced by express-jwt@0.1.3 > jsonwebtoken@0.1.0 and 1 other path(s) + + Upgrade glob@10.4.5 to glob@12.0.0 to fix + ✗ Command Injection [High Severity][https://security.snyk.io/vuln/SNYK-JS-GLOB-14040952] in glob@10.4.5 + introduced by glob@10.4.5 and 1 other path(s) + ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + ✗ Regular Expression Denial of Service (ReDoS) (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353387] in minimatch@9.0.5 + introduced by glob@10.4.5 > minimatch@9.0.5 and 1 other path(s) + ✗ Inefficient Algorithmic Complexity (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353389] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + + Upgrade grunt-contrib-compress@1.6.0 to grunt-contrib-compress@2.0.0 to fix + ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + ✗ Inefficient Algorithmic Complexity (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353389] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + + Upgrade jsonwebtoken@0.4.0 to jsonwebtoken@5.0.0 to fix + ✗ Improper Verification of Cryptographic Signature [High Severity][https://security.snyk.io/vuln/SNYK-JS-JWS-14188253] in jws@0.2.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s) + ✗ Forgeable Public/Private Tokens [High Severity][https://security.snyk.io/vuln/npm:jws:20160726] in jws@0.2.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s) + ✗ Uninitialized Memory Exposure [High Severity][https://security.snyk.io/vuln/npm:base64url:20180511] in base64url@0.0.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 > base64url@0.0.6 and 3 other path(s) + ✗ Authentication Bypass [High Severity][https://security.snyk.io/vuln/npm:jsonwebtoken:20150331] in jsonwebtoken@0.1.0 + introduced by express-jwt@0.1.3 > jsonwebtoken@0.1.0 and 1 other path(s) + + Upgrade multer@1.4.5-lts.2 to multer@2.1.1 to fix + ✗ Uncontrolled Recursion (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-15417528] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Missing Release of Resource after Effective Lifetime (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-15365916] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Incomplete Cleanup (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-15365918] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Uncaught Exception [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10773732] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Uncaught Exception [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10185673] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Missing Release of Memory after Effective Lifetime [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10185675] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Uncaught Exception [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10299078] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + + Upgrade node-pre-gyp@0.15.0 to node-pre-gyp@0.17.0 to fix + ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + ✗ Inefficient Algorithmic Complexity (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353389] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + + Upgrade pdfkit@0.11.0 to pdfkit@0.12.2 to fix + ✗ Use of Weak Hash [High Severity][https://security.snyk.io/vuln/SNYK-JS-CRYPTOJS-6028119] in crypto-js@3.3.0 + introduced by pdfkit@0.11.0 > crypto-js@3.3.0 + + Upgrade sanitize-html@1.4.2 to sanitize-html@1.7.1 to fix + ✗ Code Injection [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-1040724] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-450202] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-608086] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-6139239] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-73638] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + + Upgrade sequelize@6.37.7 to sequelize@6.37.8 to fix + ✗ SQL Injection (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-15456219] in sequelize@6.37.7 + introduced by sequelize@6.37.7 + + Upgrade socket.io@3.1.2 to socket.io@4.7.0 to fix + ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-WS-7266574] in ws@7.4.6 + introduced by socket.io@3.1.2 > engine.io@4.1.2 > ws@7.4.6 + ✗ Uncaught Exception [High Severity][https://security.snyk.io/vuln/SNYK-JS-SOCKETIO-7278048] in socket.io@3.1.2 + introduced by socket.io@3.1.2 + ✗ Allocation of Resources Without Limits or Throttling (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-15680278] in socket.io-parser@4.0.5 + introduced by socket.io@3.1.2 > socket.io-parser@4.0.5 + ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-5596892] in socket.io-parser@4.0.5 + introduced by socket.io@3.1.2 > socket.io-parser@4.0.5 + ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-ENGINEIO-3136336] in engine.io@4.1.2 + introduced by socket.io@3.1.2 > engine.io@4.1.2 + + Upgrade sqlite3@5.1.7 to sqlite3@6.0.1 to fix + ✗ Directory Traversal [High Severity][https://security.snyk.io/vuln/SNYK-JS-TAR-15307072] in tar@7.4.3 + introduced by libxmljs2@0.37.0 > node-gyp@11.4.2 > tar@7.4.3 and 5 other path(s) + ✗ Symlink Attack (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-TAR-15416075] in tar@7.4.3 + introduced by libxmljs2@0.37.0 > node-gyp@11.4.2 > tar@7.4.3 and 5 other path(s) + ✗ Symlink Attack (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-TAR-15456201] in tar@7.4.3 + introduced by libxmljs2@0.37.0 > node-gyp@11.4.2 > tar@7.4.3 and 5 other path(s) + + Upgrade unzipper@0.9.15 to unzipper@0.12.1 to fix + ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + ✗ Inefficient Algorithmic Complexity (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353389] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + + +Issues with no direct upgrade or patch: + ✗ Type Confusion [High Severity][https://security.snyk.io/vuln/SNYK-JS-LIBXMLJS2-6808810] in libxmljs2@0.37.0 + introduced by libxmljs2@0.37.0 + No upgrade or patch available + ✗ Type Confusion [High Severity][https://security.snyk.io/vuln/SNYK-JS-LIBXMLJS2-6808816] in libxmljs2@0.37.0 + introduced by libxmljs2@0.37.0 + No upgrade or patch available + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASHSET-1320032] in lodash.set@4.3.2 + introduced by grunt-replace-json@0.1.0 > lodash.set@4.3.2 + No upgrade or patch available + ✗ Arbitrary Code Injection [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-MARSDB-480405] in marsdb@0.6.11 + introduced by marsdb@0.6.11 + No upgrade or patch available + ✗ Incomplete Filtering of One or More Instances of Special Elements [High Severity][https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476] in validator@13.15.15 + introduced by sequelize@6.37.7 > validator@13.15.15 + This issue was fixed in versions: 13.15.22 + ✗ Improper Control of Dynamically-Managed Code Resources [High Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-15116160] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.10.2 + ✗ Sandbox Bypass [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-5537100] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.9.18 + ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-5772823] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.10.0 + ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-5772825] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.10.0 + + + +Organization: anr2024 +Package manager: npm +Target file: /juice-shop/package.json +Project name: juice-shop +Docker image: bkimminich/juice-shop:v19.0.0 +Licenses: enabled + + +Tested 2 projects, 2 contained vulnerable paths. + + + + + ERROR Forbidden (SNYK-CLI-0000) + The encountered error only provides basic information, please take a look at + the given details. If they do not help to resolve the issue, consider + debugging or consulting support. + + Forbidden + +Status: 403 Forbidden +Docs: https://docs.snyk.io/scan-with-snyk/error-catalog#snyk-cli-0000 + +ID: urn:snyk:interaction:21c1571c-2f0d-4fd6-b7d9-356978a19578 diff --git a/labs/submission7.md b/labs/submission7.md new file mode 100644 index 00000000..747eec16 --- /dev/null +++ b/labs/submission7.md @@ -0,0 +1,145 @@ +# Lab 7 — Container Security: Image Scanning & Deployment Hardening + +## Task 1 — Image Vulnerability & Configuration Analysis + +### Top 5 Critical/High Vulnerabilities + +Based on the scans from Docker Scout and Snyk, the following are the most significant vulnerabilities identified in the `bkimminich/juice-shop:v19.0.0` image: + +| CVE ID | Affected Package | Severity | Impact | +| :--- | :--- | :--- | :--- | +| **CVE-2026-22709** | `vm2` (3.9.17) | CRITICAL | **Protection Mechanism Failure:** Allows attackers to bypass the sandbox and execute arbitrary code on the host. | +| **CVE-2023-37903** | `vm2` (3.9.17) | CRITICAL | **OS Command Injection:** Improper neutralization allows for execution of unauthorized system commands. | +| **CVE-2025-55130** | `node` (22.18.0) | CRITICAL | **Race Condition:** Found in the Node.js runtime, potentially leading to memory corruption or privilege escalation. | +| **CVE-2025-69421** | `openssl/libssl3` | HIGH | **Information Leak:** Vulnerability in the SSL/TLS library that could compromise encrypted communication. | +| **CVE-2025-6838727** | `braces` (2.3.2) | HIGH | **Resource Consumption:** Prototype pollution and ReDoS risks within deeply nested dependency trees. | + +### Dockle Configuration Findings + +The `dockle` assessment identified several best-practice and configuration issues: + +* **CIS-DI-0005 (Enable Content Trust):** + * **Concern:** The image was pulled without digital signature verification. This opens the risk of using a tampered or malicious image that has been "poisoned" in a registry. +* **CIS-DI-0006 (Missing HEALTHCHECK):** + * **Concern:** Without a `HEALTHCHECK` instruction, the Docker engine cannot determine if the application inside is actually functional, only if the process is running. This can lead to traffic being routed to "zombie" containers. +* **DKL-LI-0003 (Unnecessary Files):** + * **Concern:** The presence of `.DS_Store` files in `node_modules`. These files increase the attack surface and can potentially leak metadata about the development environment. + +### Security Posture Assessment + +* **Does the image run as root?** + Based on the Snyk output the container is "distroless" (no shell available). It runs from generic distroless nonroot user (UID 65532) - verified with `docker inspect juice-shop | grep -i user` +* **Security Improvements Recommended:** + 1. **Update Node.js Base Image:** Move from `node:22.18.0` to `22.22.0` or later to patch the CRITICAL race condition and high-severity symlink vulnerabilities. + 2. **Replace `vm2`:** The `vm2` library is heavily compromised with multiple CRITICAL vulnerabilities and is no longer actively maintained. It should be replaced with a more secure sandboxing alternative. + 3. **Implement `USER` Instruction:** Explicitly create a non-privileged user (e.g., `appuser`) in the Dockerfile to adhere to the principle of least privilege. + 4. **Add `HEALTHCHECK`:** Implement a health check command (e.g., calling the `/health` endpoint) to improve orchestration and availability. + 5. **Clean Dependencies:** Use `.dockerignore` to prevent development artifacts like `.DS_Store` or local `node_modules` from being copied into the production image. + +## Task 2 — Docker Host Security Benchmarking + +### Summary Statistics +The CIS Docker Benchmark was performed using `docker-bench-security` to assess the host and daemon configuration. + +* **Total Pass:** 45 +* **Total Warn:** 35 +* **Total Info/Note:** 37 +* **Final Score:** 12 + +### Analysis of Failures & Warnings + +The audit revealed several high-impact security gaps in the host and container runtime configuration: + +| Check ID | Finding | Security Impact | Remediation Step | +| :--- | :--- | :--- | :--- | +| **1.1.3 - 1.1.18** | Missing Docker Auditing | Changes to Docker binaries, sockets, or configurations are not logged by the OS. This prevents forensic analysis after a compromise. | Configure `auditd` rules for `/usr/bin/docker`, `/etc/docker`, and `/var/lib/docker`. | +| **2.2** | Default Bridge Traffic | Containers on the default bridge can communicate with each other unrestricted, allowing lateral movement. | Set `"icc": false` in `daemon.json` or use custom user-defined bridge networks. | +| **2.14 / 5.26** | Privilege Escalation | Containers are not restricted from acquiring new privileges via `setuid` or `setgid` binaries. | Start containers with the `--security-opt=no-new-privileges` flag. | +| **5.11 / 5.12** | Missing Resource Limits | The `juice-shop` container has no memory or CPU limits, making the host vulnerable to Denial of Service (DoS). | Apply resource constraints using `--memory="512m"` and `--cpus="0.5"`. | +| **5.13** | Root FS is Read-Write | The container's root filesystem is mutable, allowing attackers to download and execute malicious tools if they gain shell access. | Run the container with the `--read-only` flag. | +| **2.13** | No Centralized Logging | Logs are only stored locally on the host, making them susceptible to tampering by an attacker. | Configure a logging driver (e.g., `syslog`, `gelf`, or `fluentd`) in the Docker daemon settings. | + +### Propose Specific Remediation Steps +To improve the security score from 12 to a hardened state, the following actions are recommended: + +1. **Host Hardening:** Install `auditd` and add rules to monitor all Docker-related files and the `/usr/bin/runc` binary. +2. **Daemon Configuration:** Update `/etc/docker/daemon.json` to include: + ```json + { + "icc": false, + "userns-remap": "default", + "live-restore": true, + "userland-proxy": false, + "no-new-privileges": true + } + ``` +3. **Runtime Hardening:** When deploying the Juice Shop container, use a hardened execution command: + ```bash + docker run -d --name juice-shop \ + --read-only \ + --memory="512m" \ + --security-opt=no-new-privileges \ + -p 127.0.0.1:3000:3000 \ + bkimminich/juice-shop:v19.0.0 + ``` + +## Task 3 — Deployment Security Configuration Analysis + +### 1. Configuration Comparison Table + +The following data was extracted via `docker inspect` for the three deployment profiles: + +| Feature | juice-default | juice-hardened | juice-production | +| :--- | :--- | :--- | :--- | +| **Capabilities (Dropped)** | None | `[ALL]` | `[ALL]` | +| **Capabilities (Added)** | None | None | `[NET_BIND_SERVICE]` | +| **Security Options** | `` | `[no-new-privileges]` | `[no-new-privileges]` | +| **Memory Limit** | Unlimited (`0`) | `512MiB` | `512MiB` | +| **CPU Limit (Quota)** | Unlimited (`0`) | `1.0` | `1.0` | +| **PIDs Limit** | Unlimited (`0`) | `` | `100` | +| **Restart Policy** | `no` | `no` | `on-failure (max 3)` | + +### 2. Security Measure Analysis + +#### a) `--cap-drop=ALL` and `--cap-add=NET_BIND_SERVICE` +* **Linux Capabilities:** These break down the all-powerful `root` privileges into smaller, distinct units (e.g., `CAP_CHOWN`, `CAP_SYS_ADMIN`). Instead of giving a process full root power, you give it only what it needs. +* **Attack Vector Prevented:** Dropping `ALL` prevents **Container Escape** and **Kernel Exploitation**. An attacker who gains root inside the container cannot mount filesystems, load kernel modules, or change network interfaces. +* **Why add `NET_BIND_SERVICE`?** This allows a process to bind to privileged ports (those below 1024, like 80 or 443). Without it, if the app must listen on port 80, it will fail to start after dropping all caps. +* **Security Trade-off:** Adding it back grants a small amount of network power, but it is vastly safer than leaving all 30+ default capabilities active. + +#### b) `--security-opt=no-new-privileges` +* **Function:** It prevents a process from gaining any more privileges than its parent had. Specifically, it disables the effects of `setuid` and `setgid` bits on executables. +* **Attack Prevented:** It prevents **Local Privilege Escalation**. If an attacker finds a vulnerability in a tool like `sudo` or `ping` (which are setuid), they cannot use them to become a "true" root. +* **Downsides:** It can break legacy applications or management tools that legitimately need to elevate privileges (e.g., some database installation scripts). + +#### c) `--memory=512m` and `--cpus=1.0` +* **No Resource Limits:** A single container can consume all host RAM and CPU, causing the host to crash or reboot (Resource Exhaustion). +* **Attack Prevented:** **Denial of Service (DoS)**. It ensures one compromised or buggy container cannot "starve" the rest of the infrastructure. +* **Risk of Low Limits:** If set too low, the application may suffer from **OOM (Out of Memory) Kills** or heavy CPU throttling, leading to service instability and high latency. + +#### d) `--pids-limit=100` +* **Fork Bomb:** A type of DoS attack where a process continually replicates itself to exhaust the process table, freezing the OS. +* **PID Limiting:** It places a hard ceiling on the number of processes a container can spawn. If a fork bomb starts, it hits the limit of 100 and stops, saving the host. +* **Determining the Limit:** Monitor the application under load using `docker stats`. If it normally uses 20 threads, a limit of 50 or 100 provides a safe buffer. + +#### e) `--restart=on-failure:3` +* **Policy Function:** Automatically restarts the container only if it exits with a non-zero error code, up to 3 times. +* **Beneficial vs. Risky:** It is beneficial for handling transient errors (e.g., DB temporarily unavailable). It is risky if the app is crashing due to a security exploit that retriggers every time the process starts. +* **on-failure vs. always:** `always` will restart even if you manually stop the container; `on-failure` is smarter as it assumes if the app exited cleanly (0), it was intentional. + +### 3. Critical Thinking Questions + +1. **Which profile for DEVELOPMENT? Why?** + **Default**. Developers need speed and flexibility. Hardened profiles can block debugging tools, profilers, and local logging, making it difficult to troubleshoot code during the build phase. + +2. **Which profile for PRODUCTION? Why?** + **Production**. It implements the **Principle of Least Privilege**. It limits the "blast radius" of a compromise by restricting kernel access, preventing privilege escalation, and protecting host resources via PIDs and memory limits. + +3. **What real-world problem do resource limits solve?** + They solve **"Noisy Neighbor"** issues. In a cloud environment, they prevent one poorly written app (or one under attack) from crashing 50 other applications sharing the same host hardware. + +4. **If an attacker exploits Default vs Production, what actions are blocked in Production?** + In **Default**, an attacker could run a fork-bomb to kill the host, use `setuid` binaries to escalate privileges, or try to mount the host `/etc` to steal passwords. In **Production**, all these are blocked by PID limits, `no-new-privileges`, and `cap-drop=ALL`. + +5. **What additional hardening would you add?** + I would add `--read-only` to make the root filesystem immutable and `--user 1000:1000` to ensure the application never starts as the root user ID in the first place, even before capabilities are dropped.