diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 00000000..e1aa7d43 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,23 @@ +## Goal + + + +## Changes + + + +## Testing + + + +## Artifacts & Screenshots + + + +--- + +### Checklist + +- [ ] PR title is clear and descriptive +- [ ] Documentation updated if needed +- [ ] No secrets, temporary files, or large binaries included diff --git a/labs/img/juice-home.jpg b/labs/img/juice-home.jpg new file mode 100644 index 00000000..caf9f30f Binary files /dev/null and b/labs/img/juice-home.jpg differ diff --git a/labs/lab7/analysis/deployment-comparison.txt b/labs/lab7/analysis/deployment-comparison.txt new file mode 100644 index 00000000..418e5b20 --- /dev/null +++ b/labs/lab7/analysis/deployment-comparison.txt @@ -0,0 +1,39 @@ +=== Functionality Test === +Default: HTTP 200 +Hardened: HTTP 200 +Production: HTTP 200 + +=== Resource Usage === +NAME CPU % MEM USAGE / LIMIT MEM % +juice-default 0.74% 99.86MiB / 5.786GiB 1.69% +juice-hardened 0.54% 92.77MiB / 512MiB 18.12% +juice-production 0.64% 91.29MiB / 512MiB 17.83% + +=== Security Configurations === + +Container: juice-default +CapDrop: +CapAdd: +SecurityOpt: +Memory: 0 +CPU: 0 +PIDs: +Restart: no + +Container: juice-hardened +CapDrop: [ALL] +CapAdd: +SecurityOpt: [no-new-privileges] +Memory: 536870912 +CPU: 0 +PIDs: +Restart: no + +Container: juice-production +CapDrop: [ALL] +CapAdd: [CAP_NET_BIND_SERVICE] +SecurityOpt: [no-new-privileges] +Memory: 536870912 +CPU: 0 +PIDs: 100 +Restart: on-failure diff --git a/labs/lab7/analysis/docker-bench-summary.txt b/labs/lab7/analysis/docker-bench-summary.txt new file mode 100644 index 00000000..a65f5035 --- /dev/null +++ b/labs/lab7/analysis/docker-bench-summary.txt @@ -0,0 +1,5 @@ +Docker Bench Summary +PASS: 40 +WARN: 82 +FAIL: 0 +INFO: 88 
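Review bot: the four body sections of .github/pull_request_template.md (Goal, Changes, Testing, Artifacts & Screenshots) are bare headings with no guidance text, so authors get no prompt about what belongs under each; add a short HTML comment beneath every heading, e.g. `<!-- What problem does this change solve? -->` under Goal and `<!-- Commands run and observed output -->` under Testing. The checklist item `- [ ] No secrets, temporary files, or large binaries included` is also contradicted within this same PR by the new binary labs/img/juice-home.jpg; either state an acceptable size for screenshots in that item or move such images out of the repository.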
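Review bot: in the "Security Configurations" block of labs/lab7/analysis/deployment-comparison.txt, CPU is 0 for all three containers (including juice-production) and PIDs is empty for juice-hardened, so the hardened profile still lacks the CPU and PIDs restrictions that the Docker Bench checks 5.11 and 5.28 elsewhere in this PR warn about; apply `--cpus` and `--pids-limit` to the hardened run as well, or say in the file why only production gets a PIDs limit. The "Functionality Test" block records only `HTTP 200` per container, which shows the app is up but not that any control is in effect; a line per container confirming the effective user, the dropped capabilities and the memory limit from `docker inspect` would make the comparison evidence rather than assertion. Finally, `CapAdd: [CAP_NET_BIND_SERVICE]` on juice-production needs a one-line justification: it is only required if the process binds a port below 1024 inside the container.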
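Review bot: the counts in labs/lab7/analysis/docker-bench-summary.txt (PASS 40, WARN 82, FAIL 0, INFO 88, 210 in total) do not reconcile with the full report in labs/lab7/hardening/docker-bench-results.txt, which ends with `[INFO] Checks: 105` and `[INFO] Score: 13`; the summary appears to count every `*` detail line as a finding. The report also uses the levels PASS, WARN, INFO and NOTE and never emits FAIL, so `FAIL: 0` measures nothing while the NOTE items are dropped. Regenerate the summary from the numbered check lines only (for example `grep -cE '^\[WARN\] [0-9]+\.[0-9]+ ' docker-bench-results.txt` per level), add a NOTE count, and carry the Checks and Score lines over so the two files agree.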
diff --git a/labs/lab7/hardening/docker-bench-results.txt b/labs/lab7/hardening/docker-bench-results.txt new file mode 100644 index 00000000..916f441c --- /dev/null +++ b/labs/lab7/hardening/docker-bench-results.txt 
@@ -0,0 +1,245 @@ +# ------------------------------------------------------------------------------ +# Docker Bench for Security v1.3.4 +# +# Docker, Inc. (c) 2015- +# +# Checks for dozens of common best-practices around deploying Docker containers in production. +# Inspired by the CIS Docker Community Edition Benchmark v1.1.0. +# ------------------------------------------------------------------------------ + +Initializing Mon Mar 23 11:57:04 UTC 2026 + + +[INFO] 1 - Host Configuration +[WARN] 1.1 - Ensure a separate partition for containers has been created +[NOTE] 1.2 - Ensure the container host has been Hardened +[PASS] 1.3 - Ensure Docker is up to date +[INFO] * Using 28.2.2 which is current +[INFO] * Check with your operating system vendor for support and security maintenance for Docker +[INFO] 1.4 - Ensure only trusted users are allowed to control Docker daemon +[INFO] * docker:x:101 +[WARN] 1.5 - Ensure auditing is configured for the Docker daemon +[WARN] 1.6 - Ensure auditing is configured for Docker files and directories - /var/lib/docker +[INFO] 1.7 - Ensure auditing is configured for Docker files and directories - /etc/docker +[INFO] * Directory not found +[WARN] 1.8 - Ensure auditing is configured for Docker files and directories - docker.service +[WARN] 1.9 - Ensure auditing is configured for Docker files and directories - docker.socket +[INFO] 1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker +[INFO] * File not found +[INFO] 1.11 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json +[INFO] * File not found +[INFO] 1.12 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd +[INFO] * File not found +[INFO] 1.13 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc +[INFO] * File not found + + +[INFO] 2 - Docker daemon configuration +[WARN] 2.1 - Ensure network traffic is restricted between containers 
on the default bridge +[PASS] 2.2 - Ensure the logging level is set to 'info' +[PASS] 2.3 - Ensure Docker is allowed to make changes to iptables +[PASS] 2.4 - Ensure insecure registries are not used +[PASS] 2.5 - Ensure aufs storage driver is not used +[INFO] 2.6 - Ensure TLS authentication for Docker daemon is configured +[INFO] * Docker daemon not listening on TCP +[INFO] 2.7 - Ensure the default ulimit is configured appropriately +[INFO] * Default ulimit doesn't appear to be set +[WARN] 2.8 - Enable user namespace support +[PASS] 2.9 - Ensure the default cgroup usage has been confirmed +[PASS] 2.10 - Ensure base device size is not changed until needed +[WARN] 2.11 - Ensure that authorization for Docker client commands is enabled +[WARN] 2.12 - Ensure centralized and remote logging is configured +[INFO] 2.13 - Ensure operations on legacy registry (v1) are Disabled (Deprecated) +[WARN] 2.14 - Ensure live restore is Enabled +[WARN] 2.15 - Ensure Userland Proxy is Disabled +[INFO] 2.16 - Ensure daemon-wide custom seccomp profile is applied, if needed +[PASS] 2.17 - Ensure experimental features are avoided in production +[WARN] 2.18 - Ensure containers are restricted from acquiring new privileges + + +[INFO] 3 - Docker daemon configuration files +[PASS] 3.1 - Ensure that docker.service file ownership is set to root:root +[PASS] 3.2 - Ensure that docker.service file permissions are set to 644 or more restrictive +[PASS] 3.3 - Ensure that docker.socket file ownership is set to root:root +[PASS] 3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive +[INFO] 3.5 - Ensure that /etc/docker directory ownership is set to root:root +[INFO] * Directory not found +[INFO] 3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive +[INFO] * Directory not found +[INFO] 3.7 - Ensure that registry certificate file ownership is set to root:root +[INFO] * Directory not found +[INFO] 3.8 - Ensure that registry certificate file 
permissions are set to 444 or more restrictive +[INFO] * Directory not found +[INFO] 3.9 - Ensure that TLS CA certificate file ownership is set to root:root +[INFO] * No TLS CA certificate found +[INFO] 3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive +[INFO] * No TLS CA certificate found +[INFO] 3.11 - Ensure that Docker server certificate file ownership is set to root:root +[INFO] * No TLS Server certificate found +[INFO] 3.12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive +[INFO] * No TLS Server certificate found +[INFO] 3.13 - Ensure that Docker server certificate key file ownership is set to root:root +[INFO] * No TLS Key found +[INFO] 3.14 - Ensure that Docker server certificate key file permissions are set to 400 +[INFO] * No TLS Key found +[WARN] 3.15 - Ensure that Docker socket file ownership is set to root:docker +[WARN] * Wrong ownership for /var/run/docker.sock +[PASS] 3.16 - Ensure that Docker socket file permissions are set to 660 or more restrictive +[INFO] 3.17 - Ensure that daemon.json file ownership is set to root:root +[INFO] * File not found +[INFO] 3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive +[INFO] * File not found +[INFO] 3.19 - Ensure that /etc/default/docker file ownership is set to root:root +[INFO] * File not found +[INFO] 3.20 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive +[INFO] * File not found + + +[INFO] 4 - Container Images and Build File +[WARN] 4.1 - Ensure a user for the container has been created +[WARN] * Running as root: promtail +[NOTE] 4.2 - Ensure that containers use trusted base images +[NOTE] 4.3 - Ensure unnecessary packages are not installed in the container +[NOTE] 4.4 - Ensure images are scanned and rebuilt to include security patches +[WARN] 4.5 - Ensure Content trust for Docker is Enabled +[WARN] 4.6 - Ensure HEALTHCHECK instructions have been added to 
the container image +[WARN] * No Healthcheck found: [fayzullin/devops-info-service:latest] +[WARN] * No Healthcheck found: [trufflesecurity/trufflehog:latest] +[WARN] * No Healthcheck found: [bridgecrew/checkov:latest] +[WARN] * No Healthcheck found: [python:3.12-slim] +[WARN] * No Healthcheck found: [checkmarx/kics:latest] +[WARN] * No Healthcheck found: [sh3b0/labenv:stable] +[WARN] * No Healthcheck found: [prom/prometheus:v3.9.0] +[WARN] * No Healthcheck found: [jlesage/firefox:v25.12.5] +[WARN] * No Healthcheck found: [grafana/grafana:12.3.1] +[WARN] * No Healthcheck found: [zricethezav/gitleaks:latest] +[WARN] * No Healthcheck found: [bkimminich/juice-shop:v19.0.0] +[WARN] * No Healthcheck found: [aquasec/tfsec:latest] +[WARN] * No Healthcheck found: [sh1co/wikifet:latest] +[WARN] * No Healthcheck found: [quay.io/keycloak/keycloak:26.0] +[WARN] * No Healthcheck found: [goodwithtech/dockle:latest] +[WARN] * No Healthcheck found: [tenable/terrascan:latest] +[WARN] * No Healthcheck found: [grafana/loki:3.0.0] +[WARN] * No Healthcheck found: [grafana/promtail:3.0.0] +[INFO] 4.7 - Ensure update instructions are not use alone in the Dockerfile +[INFO] * Update instruction found: [fayzullin/devops-info-service:latest] +[INFO] * Update instruction found: [bridgecrew/checkov:latest] +[INFO] * Update instruction found: [python:3.12-slim] +[INFO] * Update instruction found: [checkmarx/kics:latest] +[INFO] * Update instruction found: [sh3b0/labenv:stable] +[INFO] * Update instruction found: [sh1co/wikifet:latest] +[INFO] * Update instruction found: [grafana/promtail:3.0.0] +[NOTE] 4.8 - Ensure setuid and setgid permissions are removed in the images +[INFO] 4.9 - Ensure COPY is used instead of ADD in Dockerfile +[INFO] * ADD in image history: [trufflesecurity/trufflehog:latest] +[INFO] * ADD in image history: [sh3b0/labenv:stable] +[INFO] * ADD in image history: [jlesage/firefox:v25.12.5] +[INFO] * ADD in image history: [grafana/grafana:12.3.1] +[INFO] * ADD in image 
history: [zricethezav/gitleaks:latest] +[INFO] * ADD in image history: [aquasec/tfsec:latest] +[INFO] * ADD in image history: [sh1co/wikifet:latest] +[INFO] * ADD in image history: [goodwithtech/dockle:latest] +[INFO] * ADD in image history: [grafana/loki:3.0.0] +[INFO] * ADD in image history: [grafana/promtail:3.0.0] +[INFO] * ADD in image history: [docker/docker-bench-security:latest] +[NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles +[NOTE] 4.11 - Ensure verified packages are only Installed + + +[INFO] 5 - Container Runtime +[PASS] 5.1 - Ensure AppArmor Profile is Enabled +[WARN] 5.2 - Ensure SELinux security options are set, if applicable +[WARN] * No SecurityOptions Found: grafana +[WARN] * No SecurityOptions Found: app-python +[WARN] * No SecurityOptions Found: promtail +[WARN] * No SecurityOptions Found: loki +[WARN] * No SecurityOptions Found: prometheus +[PASS] 5.3 - Ensure Linux Kernel Capabilities are restricted within containers +[PASS] 5.4 - Ensure privileged containers are not used +[PASS] 5.5 - Ensure sensitive host system directories are not mounted on containers +[PASS] 5.6 - Ensure ssh is not run within containers +[PASS] 5.7 - Ensure privileged ports are not mapped within containers +[NOTE] 5.8 - Ensure only needed ports are open on the container +[PASS] 5.9 - Ensure the host's network namespace is not shared +[PASS] 5.10 - Ensure memory usage for container is limited +[WARN] 5.11 - Ensure CPU priority is set appropriately on the container +[WARN] * Container running without CPU restrictions: grafana +[WARN] * Container running without CPU restrictions: app-python +[WARN] * Container running without CPU restrictions: promtail +[WARN] * Container running without CPU restrictions: loki +[WARN] * Container running without CPU restrictions: prometheus +[WARN] 5.12 - Ensure the container's root filesystem is mounted as read only +[WARN] * Container running with root FS mounted R/W: grafana +[WARN] * Container running with root FS mounted 
R/W: app-python +[WARN] * Container running with root FS mounted R/W: promtail +[WARN] * Container running with root FS mounted R/W: loki +[WARN] * Container running with root FS mounted R/W: prometheus +[WARN] 5.13 - Ensure incoming container traffic is binded to a specific host interface +[WARN] * Port being bound to wildcard IP: 0.0.0.0 in grafana +[WARN] * Port being bound to wildcard IP: 0.0.0.0 in app-python +[WARN] * Port being bound to wildcard IP: 0.0.0.0 in promtail +[WARN] * Port being bound to wildcard IP: 0.0.0.0 in loki +[WARN] * Port being bound to wildcard IP: 0.0.0.0 in prometheus +[WARN] 5.14 - Ensure 'on-failure' container restart policy is set to '5' +[WARN] * MaximumRetryCount is not set to 5: grafana +[WARN] * MaximumRetryCount is not set to 5: app-python +[WARN] * MaximumRetryCount is not set to 5: promtail +[WARN] * MaximumRetryCount is not set to 5: loki +[WARN] * MaximumRetryCount is not set to 5: prometheus +[PASS] 5.15 - Ensure the host's process namespace is not shared +[PASS] 5.16 - Ensure the host's IPC namespace is not shared +[PASS] 5.17 - Ensure host devices are not directly exposed to containers +[INFO] 5.18 - Ensure the default ulimit is overwritten at runtime, only if needed +[INFO] * Container no default ulimit override: grafana +[INFO] * Container no default ulimit override: app-python +[INFO] * Container no default ulimit override: promtail +[INFO] * Container no default ulimit override: loki +[INFO] * Container no default ulimit override: prometheus +[PASS] 5.19 - Ensure mount propagation mode is not set to shared +[PASS] 5.20 - Ensure the host's UTS namespace is not shared +[PASS] 5.21 - Ensure the default seccomp profile is not Disabled +[NOTE] 5.22 - Ensure docker exec commands are not used with privileged option +[NOTE] 5.23 - Ensure docker exec commands are not used with user option +[PASS] 5.24 - Ensure cgroup usage is confirmed +[WARN] 5.25 - Ensure the container is restricted from acquiring additional privileges 
+[WARN] * Privileges not restricted: grafana +[WARN] * Privileges not restricted: app-python +[WARN] * Privileges not restricted: promtail +[WARN] * Privileges not restricted: loki +[WARN] * Privileges not restricted: prometheus +[WARN] 5.26 - Ensure container health is checked at runtime +[WARN] * Health check not set: promtail +[INFO] 5.27 - Ensure docker commands always get the latest version of the image +[WARN] 5.28 - Ensure PIDs cgroup limit is used +[WARN] * PIDs limit not set: grafana +[WARN] * PIDs limit not set: app-python +[WARN] * PIDs limit not set: promtail +[WARN] * PIDs limit not set: loki +[WARN] * PIDs limit not set: prometheus +[PASS] 5.29 - Ensure Docker's default bridge docker0 is not used +[PASS] 5.30 - Ensure the host's user namespaces is not shared +[WARN] 5.31 - Ensure the Docker socket is not mounted inside any containers +[WARN] * Docker socket shared: promtail + + +[INFO] 6 - Docker Security Operations +[INFO] 6.1 - Avoid image sprawl +[INFO] * There are currently: 21 images +[INFO] 6.2 - Avoid container sprawl +[INFO] * There are currently a total of 11 containers, with 6 of them currently running + + +[INFO] 7 - Docker Swarm Configuration +[PASS] 7.1 - Ensure swarm mode is not Enabled, if not needed +[PASS] 7.2 - Ensure the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled) +[PASS] 7.3 - Ensure swarm services are binded to a specific host interface (Swarm mode not enabled) +[PASS] 7.4 - Ensure data exchanged between containers are encrypted on different nodes on the overlay network +[PASS] 7.5 - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster (Swarm mode not enabled) +[PASS] 7.6 - Ensure swarm manager is run in auto-lock mode (Swarm mode not enabled) +[PASS] 7.7 - Ensure swarm manager auto-lock key is rotated periodically (Swarm mode not enabled) +[PASS] 7.8 - Ensure node certificates are rotated as appropriate (Swarm mode not enabled) +[PASS] 7.9 - Ensure 
CA certificates are rotated as appropriate (Swarm mode not enabled) +[PASS] 7.10 - Ensure management plane traffic has been separated from data plane traffic (Swarm mode not enabled) + +[INFO] Checks: 105 +[INFO] Score: 13 diff --git a/labs/lab7/scanning/dockle-results.txt b/labs/lab7/scanning/dockle-results.txt new file mode 100644 index 00000000..91b99573 --- /dev/null +++ b/labs/lab7/scanning/dockle-results.txt @@ -0,0 +1,9 @@ +SKIP - DKL-LI-0001: Avoid empty password + * failed to detect etc/shadow,etc/master.passwd +INFO - CIS-DI-0005: Enable Content trust for Docker + * export DOCKER_CONTENT_TRUST=1 before docker pull/build +INFO - CIS-DI-0006: Add HEALTHCHECK instruction to the container image + * not found HEALTHCHECK statement +INFO - DKL-LI-0003: Only put necessary files + * unnecessary file : juice-shop/node_modules/extglob/lib/.DS_Store + * unnecessary file : juice-shop/node_modules/micromatch/lib/.DS_Store diff --git a/labs/lab7/scanning/scout-cves.txt b/labs/lab7/scanning/scout-cves.txt new file mode 100644 index 00000000..d548d9a4 --- /dev/null +++ b/labs/lab7/scanning/scout-cves.txt 
@@ -0,0 +1,1032 @@ + + +## Overview + + │ Analyzed Image +───────────────────┼────────────────────────────────────────── + Target │ bkimminich/juice-shop:v19.0.0 + digest │ 37cc73163c4c + platform │ linux/amd64 + provenance │ https://github.com/juice-shop/juice-shop + │ https://github.com/juice-shop/juice-shop/blob/36870cb + vulnerabilities │ 11C 65H 30M 5L 7? + size │ 172 MB + packages │ 1004 + + +## Packages and Vulnerabilities + + 4C 0H 1M 0L vm2 3.9.17 +pkg:npm/vm2@3.9.17 + + ✗ CRITICAL CVE-2026-22709 [Protection Mechanism Failure] + https://scout.docker.com/v/CVE-2026-22709?s=github&n=vm2&t=npm&vr=%3C%3D3.10.1 + Affected range : <=3.10.1 + Fixed version : 3.10.2 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2023-37903 [Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')] + https://scout.docker.com/v/CVE-2023-37903?s=github&n=vm2&t=npm&vr=%3C%3D3.9.19 + Affected range : <=3.9.19 + Fixed version : not fixed + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2023-37466 [Improper Control of Generation of Code ('Code Injection')] + https://scout.docker.com/v/CVE-2023-37466?s=github&n=vm2&t=npm&vr=%3C%3D3.9.19 + Affected range : <=3.9.19 + Fixed version : 3.10.0 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2023-32314 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')] + https://scout.docker.com/v/CVE-2023-32314?s=github&n=vm2&t=npm&vr=%3C3.9.18 + Affected range : <3.9.18 + Fixed version : 3.9.18 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ MEDIUM CVE-2023-32313 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')] + https://scout.docker.com/v/CVE-2023-32313?s=github&n=vm2&t=npm&vr=%3C3.9.18 + Affected range : <3.9.18 + Fixed version : 3.9.18 
+ CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 1C 4H 1M 0L node 22.18.0 +pkg:generic/node@22.18.0 + + ✗ CRITICAL CVE-2025-55130 + https://scout.docker.com/v/CVE-2025-55130?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ HIGH CVE-2026-21637 + https://scout.docker.com/v/CVE-2026-21637?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ HIGH CVE-2025-59466 + https://scout.docker.com/v/CVE-2025-59466?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ HIGH CVE-2025-59465 + https://scout.docker.com/v/CVE-2025-59465?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ HIGH CVE-2025-55131 + https://scout.docker.com/v/CVE-2025-55131?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ MEDIUM CVE-2025-55132 + https://scout.docker.com/v/CVE-2025-55132?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + + 1C 3H 1M 0L 1? 
lodash 2.4.2 +pkg:npm/lodash@2.4.2 + + ✗ CRITICAL CVE-2019-10744 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2019-10744?s=github&n=lodash&t=npm&vr=%3C4.17.12 + Affected range : <4.17.12 + Fixed version : 4.17.12 + CVSS Score : 9.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H + + ✗ HIGH CVE-2020-8203 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2020-8203?s=gitlab&n=lodash&t=npm&vr=%3C4.17.20 + Affected range : <4.17.20 + Fixed version : 4.17.20 + CVSS Score : 7.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H + + ✗ HIGH CVE-2021-23337 [Improper Neutralization of Special Elements used in a Command ('Command Injection')] + https://scout.docker.com/v/CVE-2021-23337?s=github&n=lodash&t=npm&vr=%3C4.17.21 + Affected range : <4.17.21 + Fixed version : 4.17.21 + CVSS Score : 7.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + + ✗ HIGH CVE-2018-16487 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2018-16487?s=github&n=lodash&t=npm&vr=%3C4.17.11 + Affected range : <4.17.11 + Fixed version : 4.17.11 + + ✗ MEDIUM CVE-2018-3721 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2018-3721?s=github&n=lodash&t=npm&vr=%3C4.17.5 + Affected range : <4.17.5 + Fixed version : 4.17.5 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N + + ✗ UNSPECIFIED GMS-2018-10 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2018-10?s=gitlab&n=lodash&t=npm&vr=%3C4.17.5 + Affected range : <4.17.5 + Fixed version : 4.17.5 + + + 1C 1H 2M 0L 1? 
jsonwebtoken 0.1.0 +pkg:npm/jsonwebtoken@0.1.0 + + ✗ CRITICAL CVE-2015-9235 [Improper Input Validation] + https://scout.docker.com/v/CVE-2015-9235?s=github&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + ✗ HIGH CVE-2022-23539 [Use of a Broken or Risky Cryptographic Algorithm] + https://scout.docker.com/v/CVE-2022-23539?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N + + ✗ MEDIUM CVE-2022-23540 [Improper Authentication] + https://scout.docker.com/v/CVE-2022-23540?s=github&n=jsonwebtoken&t=npm&vr=%3C9.0.0 + Affected range : <9.0.0 + Fixed version : 9.0.0 + CVSS Score : 6.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L + + ✗ MEDIUM CVE-2022-23541 [Improper Restriction of Security Token Assignment] + https://scout.docker.com/v/CVE-2022-23541?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 5.0 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L + + ✗ UNSPECIFIED GMS-2015-4 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2015-4?s=gitlab&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + + 1C 1H 2M 0L 1? 
jsonwebtoken 0.4.0 +pkg:npm/jsonwebtoken@0.4.0 + + ✗ CRITICAL CVE-2015-9235 [Improper Input Validation] + https://scout.docker.com/v/CVE-2015-9235?s=github&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + ✗ HIGH CVE-2022-23539 [Use of a Broken or Risky Cryptographic Algorithm] + https://scout.docker.com/v/CVE-2022-23539?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N + + ✗ MEDIUM CVE-2022-23540 [Improper Authentication] + https://scout.docker.com/v/CVE-2022-23540?s=github&n=jsonwebtoken&t=npm&vr=%3C9.0.0 + Affected range : <9.0.0 + Fixed version : 9.0.0 + CVSS Score : 6.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L + + ✗ MEDIUM CVE-2022-23541 [Improper Restriction of Security Token Assignment] + https://scout.docker.com/v/CVE-2022-23541?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 5.0 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L + + ✗ UNSPECIFIED GMS-2015-4 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2015-4?s=gitlab&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + + 1C 1H 0M 0L crypto-js 3.3.0 +pkg:npm/crypto-js@3.3.0 + + ✗ CRITICAL CVE-2023-46233 [Use of a Broken or Risky Cryptographic Algorithm] + https://scout.docker.com/v/CVE-2023-46233?s=github&n=crypto-js&t=npm&vr=%3C4.2.0 + Affected range : <4.2.0 + Fixed version : 4.2.0 + CVSS Score : 9.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N + + ✗ HIGH GMS-2020-4 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2020-4?s=gitlab&n=crypto-js&t=npm&vr=%3E%3D3.3.0%2C%3C4.0.0 + Affected range : >=3.3.0 + : <4.0.0 + Fixed version : 3.2.1, 4.0.0 + CVSS Score : 7.5 + CVSS Vector : 
AV:N/AC:L/Au:N/C:P/I:P/A:P + + + 1C 0H 1M 0L minimist 0.2.4 +pkg:npm/minimist@0.2.4 + + ✗ CRITICAL CVE-2021-44906 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2021-44906?s=gitlab&n=minimist&t=npm&vr=%3C1.2.6 + Affected range : <1.2.6 + Fixed version : 1.2.6 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ MEDIUM CVE-2020-7598 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2020-7598?s=gitlab&n=minimist&t=npm&vr=%3C1.2.2 + Affected range : <1.2.2 + Fixed version : 1.2.2 + CVSS Score : 5.6 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L + + + 1C 0H 0M 0L marsdb 0.6.11 +pkg:npm/marsdb@0.6.11 + + ✗ CRITICAL GHSA-5mrr-rgp6-x4gr [Improper Neutralization of Special Elements used in a Command ('Command Injection')] + https://scout.docker.com/v/GHSA-5mrr-rgp6-x4gr?s=github&n=marsdb&t=npm&vr=%3E%3D0.0.0 + Affected range : >=0.0.0 + Fixed version : not fixed + + + 0C 6H 1M 0L tar 4.4.19 +pkg:npm/tar@4.4.19 + + ✗ HIGH CVE-2026-23950 [Improper Handling of Unicode Encoding] + https://scout.docker.com/v/CVE-2026-23950?s=github&n=tar&t=npm&vr=%3C%3D7.5.3 + Affected range : <=7.5.3 + Fixed version : 7.5.4 + CVSS Score : 8.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L + + ✗ HIGH CVE-2026-31802 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-31802?s=github&n=tar&t=npm&vr=%3C%3D7.5.10 + Affected range : <=7.5.10 + Fixed version : 7.5.11 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N + + ✗ HIGH CVE-2026-29786 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-29786?s=github&n=tar&t=npm&vr=%3C%3D7.5.9 + Affected range : <=7.5.9 + Fixed version : 7.5.10 + CVSS Score : 8.2 + CVSS Vector : 
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L + + ✗ HIGH CVE-2026-24842 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-24842?s=github&n=tar&t=npm&vr=%3C7.5.7 + Affected range : <7.5.7 + Fixed version : 7.5.7 + CVSS Score : 8.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N + + ✗ HIGH CVE-2026-23745 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-23745?s=github&n=tar&t=npm&vr=%3C%3D7.5.2 + Affected range : <=7.5.2 + Fixed version : 7.5.3 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N + + ✗ HIGH CVE-2026-26960 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-26960?s=github&n=tar&t=npm&vr=%3C7.5.8 + Affected range : <7.5.8 + Fixed version : 7.5.8 + CVSS Score : 7.1 + CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N + + ✗ MEDIUM CVE-2024-28863 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2024-28863?s=github&n=tar&t=npm&vr=%3C6.2.1 + Affected range : <6.2.1 + Fixed version : 6.2.1 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + + + 0C 6H 0M 0L tar 7.4.3 +pkg:npm/tar@7.4.3 + + ✗ HIGH CVE-2026-23950 [Improper Handling of Unicode Encoding] + https://scout.docker.com/v/CVE-2026-23950?s=github&n=tar&t=npm&vr=%3C%3D7.5.3 + Affected range : <=7.5.3 + Fixed version : 7.5.4 + CVSS Score : 8.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L + + ✗ HIGH CVE-2026-31802 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-31802?s=github&n=tar&t=npm&vr=%3C%3D7.5.10 + Affected range : <=7.5.10 + Fixed version : 7.5.11 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N + + ✗ HIGH CVE-2026-29786 [Improper 
Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-29786?s=github&n=tar&t=npm&vr=%3C%3D7.5.9 + Affected range : <=7.5.9 + Fixed version : 7.5.10 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L + + ✗ HIGH CVE-2026-24842 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-24842?s=github&n=tar&t=npm&vr=%3C7.5.7 + Affected range : <7.5.7 + Fixed version : 7.5.7 + CVSS Score : 8.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N + + ✗ HIGH CVE-2026-23745 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-23745?s=github&n=tar&t=npm&vr=%3C%3D7.5.2 + Affected range : <=7.5.2 + Fixed version : 7.5.3 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N + + ✗ HIGH CVE-2026-26960 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-26960?s=github&n=tar&t=npm&vr=%3C7.5.8 + Affected range : <7.5.8 + Fixed version : 7.5.8 + CVSS Score : 7.1 + CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N + + + 0C 6H 0M 0L tar 6.2.1 +pkg:npm/tar@6.2.1 + + ✗ HIGH CVE-2026-23950 [Improper Handling of Unicode Encoding] + https://scout.docker.com/v/CVE-2026-23950?s=github&n=tar&t=npm&vr=%3C%3D7.5.3 + Affected range : <=7.5.3 + Fixed version : 7.5.4 + CVSS Score : 8.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L + + ✗ HIGH CVE-2026-31802 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-31802?s=github&n=tar&t=npm&vr=%3C%3D7.5.10 + Affected range : <=7.5.10 + Fixed version : 7.5.11 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N + + ✗ HIGH CVE-2026-29786 [Improper Limitation of a Pathname to a 
Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-29786?s=github&n=tar&t=npm&vr=%3C%3D7.5.9 + Affected range : <=7.5.9 + Fixed version : 7.5.10 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L + + ✗ HIGH CVE-2026-24842 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-24842?s=github&n=tar&t=npm&vr=%3C7.5.7 + Affected range : <7.5.7 + Fixed version : 7.5.7 + CVSS Score : 8.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N + + ✗ HIGH CVE-2026-23745 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-23745?s=github&n=tar&t=npm&vr=%3C%3D7.5.2 + Affected range : <=7.5.2 + Fixed version : 7.5.3 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N + + ✗ HIGH CVE-2026-26960 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-26960?s=github&n=tar&t=npm&vr=%3C7.5.8 + Affected range : <7.5.8 + Fixed version : 7.5.8 + CVSS Score : 7.1 + CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N + + + 0C 4H 0M 0L multer 1.4.5-lts.2 +pkg:npm/multer@1.4.5-lts.2 + + ✗ HIGH CVE-2026-3520 [Uncontrolled Recursion] + https://scout.docker.com/v/CVE-2026-3520?s=github&n=multer&t=npm&vr=%3C2.1.1 + Affected range : <2.1.1 + Fixed version : 2.1.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-3304 [Incomplete Cleanup] + https://scout.docker.com/v/CVE-2026-3304?s=github&n=multer&t=npm&vr=%3C2.1.0 + Affected range : <2.1.0 + Fixed version : 2.1.0 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-2359 [Missing Release of Resource after Effective Lifetime] + 
https://scout.docker.com/v/CVE-2026-2359?s=github&n=multer&t=npm&vr=%3C2.1.0 + Affected range : <2.1.0 + Fixed version : 2.1.0 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2025-47935 [Missing Release of Memory after Effective Lifetime] + https://scout.docker.com/v/CVE-2025-47935?s=github&n=multer&t=npm&vr=%3C2.0.0 + Affected range : <2.0.0 + Fixed version : 2.0.0 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 9.0.5 +pkg:npm/minimatch@9.0.5 + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3E%3D9.0.0%2C%3C9.0.6 + Affected range : >=9.0.0 + : <9.0.6 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3E%3D9.0.0%2C%3C9.0.7 + Affected range : >=9.0.0 + : <9.0.7 + Fixed version : 9.0.7 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3E%3D9.0.0%2C%3C9.0.7 + Affected range : >=9.0.0 + : <9.0.7 + Fixed version : 9.0.7 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 5.1.6 +pkg:npm/minimatch@5.1.6 + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3E%3D5.0.0%2C%3C5.1.7 + Affected range : >=5.0.0 + : <5.1.7 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + 
https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3E%3D5.0.0%2C%3C5.1.8 + Affected range : >=5.0.0 + : <5.1.8 + Fixed version : 5.1.8 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3E%3D5.0.0%2C%3C5.1.8 + Affected range : >=5.0.0 + : <5.1.8 + Fixed version : 5.1.8 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 3.1.2 +pkg:npm/minimatch@3.1.2 + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3C3.1.4 + Affected range : <3.1.4 + Fixed version : 3.1.4 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 3.1.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 3.0.8 +pkg:npm/minimatch@3.0.8 + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3C3.1.4 + Affected range : 
<3.1.4 + Fixed version : 3.1.4 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 3.1.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 3.0.5 +pkg:npm/minimatch@3.0.5 + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3C3.1.4 + Affected range : <3.1.4 + Fixed version : 3.1.4 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 3.1.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 2H 1M 0L 1? 
moment 2.0.0 +pkg:npm/moment@2.0.0 + + ✗ HIGH CVE-2022-24785 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2022-24785?s=github&n=moment&t=npm&vr=%3C2.29.2 + Affected range : <2.29.2 + Fixed version : 2.29.2 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + + ✗ HIGH CVE-2017-18214 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2017-18214?s=github&n=moment&t=npm&vr=%3C2.19.3 + Affected range : <2.19.3 + Fixed version : 2.19.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ MEDIUM CVE-2016-4055 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2016-4055?s=github&n=moment&t=npm&vr=%3C2.11.2 + Affected range : <2.11.2 + Fixed version : 2.11.2 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + + ✗ UNSPECIFIED GMS-2017-332 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2017-332?s=gitlab&n=moment&t=npm&vr=%3C2.19.3 + Affected range : <2.19.3 + Fixed version : 2.19.3 + + + 0C 2H 0M 0L 1? jws 0.2.6 +pkg:npm/jws@0.2.6 + + ✗ HIGH CVE-2016-1000223 + https://scout.docker.com/v/CVE-2016-1000223?s=github&n=jws&t=npm&vr=%3C3.0.0 + Affected range : <3.0.0 + Fixed version : 3.0.0 + CVSS Score : 8.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N + + ✗ HIGH CVE-2025-65945 [Improper Verification of Cryptographic Signature] + https://scout.docker.com/v/CVE-2025-65945?s=github&n=jws&t=npm&vr=%3C3.2.3 + Affected range : <3.2.3 + Fixed version : 3.2.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + + ✗ UNSPECIFIED GMS-2016-54 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2016-54?s=gitlab&n=jws&t=npm&vr=%3C3.0.0 + Affected range : <3.0.0 + Fixed version : 3.0.0 + + + 0C 1H 6M 0L 2? 
sanitize-html 1.4.2 +pkg:npm/sanitize-html@1.4.2 + + ✗ HIGH CVE-2022-25887 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2022-25887?s=github&n=sanitize-html&t=npm&vr=%3C2.7.1 + Affected range : <2.7.1 + Fixed version : 2.7.1 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ MEDIUM CVE-2019-25225 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2019-25225?s=github&n=sanitize-html&t=npm&vr=%3C2.0.0-beta + Affected range : <2.0.0-beta + Fixed version : 2.0.0-beta + CVSS Score : 6.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + + ✗ MEDIUM CVE-2016-1000237 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2016-1000237?s=github&n=sanitize-html&t=npm&vr=%3C1.4.3 + Affected range : <1.4.3 + Fixed version : 1.4.3 + CVSS Score : 6.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + + ✗ MEDIUM CVE-2024-21501 [Exposure of Sensitive Information to an Unauthorized Actor] + https://scout.docker.com/v/CVE-2024-21501?s=github&n=sanitize-html&t=npm&vr=%3C2.12.1 + Affected range : <2.12.1 + Fixed version : 2.12.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + + ✗ MEDIUM CVE-2021-26540 [Improper Input Validation] + https://scout.docker.com/v/CVE-2021-26540?s=github&n=sanitize-html&t=npm&vr=%3C2.3.2 + Affected range : <2.3.2 + Fixed version : 2.3.2 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + ✗ MEDIUM CVE-2021-26539 [Improper Input Validation] + https://scout.docker.com/v/CVE-2021-26539?s=github&n=sanitize-html&t=npm&vr=%3C2.3.1 + Affected range : <2.3.1 + Fixed version : 2.3.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + ✗ MEDIUM CVE-2017-16016 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + 
https://scout.docker.com/v/CVE-2017-16016?s=github&n=sanitize-html&t=npm&vr=%3C%3D1.11.1 + Affected range : <=1.11.1 + Fixed version : 1.11.4 + + ✗ UNSPECIFIED GMS-2016-57 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2016-57?s=gitlab&n=sanitize-html&t=npm&vr=%3C%3D1.4.2 + Affected range : <=1.4.2 + Fixed version : 1.4.3 + + ✗ UNSPECIFIED GMS-2016-17 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2016-17?s=gitlab&n=sanitize-html&t=npm&vr=%3C1.11.4 + Affected range : <1.11.4 + Fixed version : 1.11.4 + + + 0C 1H 1M 0L socket.io 3.1.2 +pkg:npm/socket.io@3.1.2 + + ✗ HIGH GHSA-25hc-qcg6-38wj [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GHSA-25hc-qcg6-38wj?s=gitlab&n=socket.io&t=npm&vr=%3E%3D3.0.0%2C%3C4.6.2 + Affected range : >=3.0.0 + : <4.6.2 + Fixed version : 2.5.1, 4.6.2 + CVSS Score : 7.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L + + ✗ MEDIUM CVE-2024-38355 [Improper Input Validation] + https://scout.docker.com/v/CVE-2024-38355?s=github&n=socket.io&t=npm&vr=%3E%3D3.0.0%2C%3C4.6.2 + Affected range : >=3.0.0 + : <4.6.2 + Fixed version : 4.6.2 + CVSS Score : 6.9 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N + + + 0C 1H 1M 0L socket.io-parser 4.0.5 +pkg:npm/socket.io-parser@4.0.5 + + ✗ HIGH CVE-2026-33151 [Improper Check for Unusual or Exceptional Conditions] + https://scout.docker.com/v/CVE-2026-33151?s=github&n=socket.io-parser&t=npm&vr=%3E%3D4.0.0%2C%3C4.2.6 + Affected range : >=4.0.0 + : <4.2.6 + Fixed version : 4.2.6 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ MEDIUM CVE-2023-32695 [Improper Input Validation] + https://scout.docker.com/v/CVE-2023-32695?s=github&n=socket.io-parser&t=npm&vr=%3E%3D4.0.4%2C%3C4.2.3 + Affected range : >=4.0.4 + : <4.2.3 + Fixed 
version : 4.2.3 + CVSS Score : 6.9 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N + + + 0C 1H 1M 0L validator 13.15.15 +pkg:npm/validator@13.15.15 + + ✗ HIGH CVE-2025-12758 [Encoding Error] + https://scout.docker.com/v/CVE-2025-12758?s=github&n=validator&t=npm&vr=%3C13.15.22 + Affected range : <13.15.22 + Fixed version : 13.15.22 + CVSS Score : 7.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P + + ✗ MEDIUM CVE-2025-56200 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2025-56200?s=github&n=validator&t=npm&vr=%3C13.15.20 + Affected range : <13.15.20 + Fixed version : 13.15.20 + CVSS Score : 6.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + + + 0C 1H 0M 0L mout 1.2.4 +pkg:npm/mout@1.2.4 + + ✗ HIGH CVE-2020-7792 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2020-7792?s=gitlab&n=mout&t=npm&vr=%3E%3D0 + Affected range : >=0 + Fixed version : not fixed + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 1H 0M 0L ws 7.4.6 +pkg:npm/ws@7.4.6 + + ✗ HIGH CVE-2024-37890 [NULL Pointer Dereference] + https://scout.docker.com/v/CVE-2024-37890?s=github&n=ws&t=npm&vr=%3E%3D7.0.0%2C%3C7.5.10 + Affected range : >=7.0.0 + : <7.5.10 + Fixed version : 7.5.10 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + + 0C 1H 0M 0L lodash.set 4.3.2 +pkg:npm/lodash.set@4.3.2 + + ✗ HIGH CVE-2020-8203 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2020-8203?s=github&n=lodash.set&t=npm&vr=%3E%3D3.7.0%2C%3C%3D4.3.2 + Affected range : >=3.7.0 + : <=4.3.2 + Fixed version : not fixed + CVSS Score : 7.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H + + + 0C 1H 0M 0L braces 2.3.2 +pkg:npm/braces@2.3.2 + + 
✗ HIGH CVE-2024-4068 [Excessive Platform Resource Consumption within a Loop] + https://scout.docker.com/v/CVE-2024-4068?s=github&n=braces&t=npm&vr=%3C3.0.3 + Affected range : <3.0.3 + Fixed version : 3.0.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 1H 0M 0L tar-fs 2.1.3 +pkg:npm/tar-fs@2.1.3 + + ✗ HIGH CVE-2025-59343 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2025-59343?s=github&n=tar-fs&t=npm&vr=%3E%3D2.0.0%2C%3C2.1.4 + Affected range : >=2.0.0 + : <2.1.4 + Fixed version : 2.1.4 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N + + + 0C 1H 0M 0L http-cache-semantics 3.8.1 +pkg:npm/http-cache-semantics@3.8.1 + + ✗ HIGH CVE-2022-25881 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2022-25881?s=github&n=http-cache-semantics&t=npm&vr=%3C4.1.1 + Affected range : <4.1.1 + Fixed version : 4.1.1 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 1H 0M 0L express-jwt 0.1.3 +pkg:npm/express-jwt@0.1.3 + + ✗ HIGH CVE-2020-15084 [Improper Authorization] + https://scout.docker.com/v/CVE-2020-15084?s=github&n=express-jwt&t=npm&vr=%3C%3D5.3.3 + Affected range : <=5.3.3 + Fixed version : 6.0.0 + CVSS Score : 7.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N + + + 0C 1H 0M 0L glob 10.4.5 +pkg:npm/glob@10.4.5 + + ✗ HIGH CVE-2025-64756 [Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')] + https://scout.docker.com/v/CVE-2025-64756?s=github&n=glob&t=npm&vr=%3E%3D10.2.0%2C%3C10.5.0 + Affected range : >=10.2.0 + : <10.5.0 + Fixed version : 11.1.0 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H + + + 0C 1H 0M 0L sequelize 6.37.7 +pkg:npm/sequelize@6.37.7 + + ✗ HIGH CVE-2026-30951 [Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')] + 
https://scout.docker.com/v/CVE-2026-30951?s=github&n=sequelize&t=npm&vr=%3E%3D6.0.0-beta.1%2C%3C%3D6.37.7 + Affected range : >=6.0.0-beta.1 + : <=6.37.7 + Fixed version : 6.37.8 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + + + 0C 1H 0M 0L ip 2.0.1 +pkg:npm/ip@2.0.1 + + ✗ HIGH CVE-2024-29415 [Server-Side Request Forgery (SSRF)] + https://scout.docker.com/v/CVE-2024-29415?s=github&n=ip&t=npm&vr=%3C%3D2.0.1 + Affected range : <=2.0.1 + Fixed version : not fixed + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + + + 0C 0H 1M 1L qs 6.13.0 +pkg:npm/qs@6.13.0 + + ✗ MEDIUM CVE-2025-15284 [Improper Input Validation] + https://scout.docker.com/v/CVE-2025-15284?s=github&n=qs&t=npm&vr=%3C6.14.1 + Affected range : <6.14.1 + Fixed version : 6.14.1 + CVSS Score : 6.3 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L + + ✗ LOW CVE-2026-2391 [Improper Input Validation] + https://scout.docker.com/v/CVE-2026-2391?s=github&n=qs&t=npm&vr=%3E%3D6.7.0%2C%3C%3D6.14.1 + Affected range : >=6.7.0 + : <=6.14.1 + Fixed version : 6.14.2 + CVSS Score : 3.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L + + + 0C 0H 1M 0L notevil 1.3.3 +pkg:npm/notevil@1.3.3 + + ✗ MEDIUM CVE-2021-23771 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2021-23771?s=github&n=notevil&t=npm&vr=%3C%3D1.3.3 + Affected range : <=1.3.3 + Fixed version : not fixed + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N + + + 0C 0H 1M 0L base64url 0.0.6 +pkg:npm/base64url@0.0.6 + + ✗ MEDIUM GHSA-rvg8-pwq2-xj7q [Out-of-bounds Read] + https://scout.docker.com/v/GHSA-rvg8-pwq2-xj7q?s=github&n=base64url&t=npm&vr=%3C3.0.0 + Affected range : <3.0.0 + Fixed version : 3.0.0 + + + 0C 0H 1M 0L micromatch 3.1.10 +pkg:npm/micromatch@3.1.10 + + ✗ MEDIUM CVE-2024-4067 [Inefficient Regular Expression Complexity] + 
https://scout.docker.com/v/CVE-2024-4067?s=github&n=micromatch&t=npm&vr=%3C4.0.8 + Affected range : <4.0.8 + Fixed version : 4.0.8 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + + + 0C 0H 1M 0L got 8.3.2 +pkg:npm/got@8.3.2 + + ✗ MEDIUM CVE-2022-33987 + https://scout.docker.com/v/CVE-2022-33987?s=github&n=got&t=npm&vr=%3C11.8.5 + Affected range : <11.8.5 + Fixed version : 11.8.5 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 0C 0H 1M 0L lodash 4.17.21 +pkg:npm/lodash@4.17.21 + + ✗ MEDIUM CVE-2025-13465 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2025-13465?s=github&n=lodash&t=npm&vr=%3E%3D4.0.0%2C%3C%3D4.17.22 + Affected range : >=4.0.0 + : <=4.17.22 + Fixed version : 4.17.23 + CVSS Score : 6.9 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P + + + 0C 0H 1M 0L hbs 4.2.0 +pkg:npm/hbs@4.2.0 + + ✗ MEDIUM CVE-2021-32822 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2021-32822?s=gitlab&n=hbs&t=npm&vr=%3E%3D0 + Affected range : >=0 + Fixed version : not fixed + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + + + 0C 0H 1M 0L file-type 16.5.4 +pkg:npm/file-type@16.5.4 + + ✗ MEDIUM CVE-2026-31808 [Loop with Unreachable Exit Condition ('Infinite Loop')] + https://scout.docker.com/v/CVE-2026-31808?s=github&n=file-type&t=npm&vr=%3E%3D13.0.0%2C%3C21.3.1 + Affected range : >=13.0.0 + : <21.3.1 + Fixed version : 21.3.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + + + 0C 0H 1M 0L js-yaml 3.14.1 +pkg:npm/js-yaml@3.14.1 + + ✗ MEDIUM CVE-2025-64718 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2025-64718?s=github&n=js-yaml&t=npm&vr=%3C3.14.2 + Affected range : <3.14.2 + Fixed version : 
4.1.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 0C 0H 1M 0L engine.io 4.1.2 +pkg:npm/engine.io@4.1.2 + + ✗ MEDIUM CVE-2022-41940 [Uncaught Exception] + https://scout.docker.com/v/CVE-2022-41940?s=github&n=engine.io&t=npm&vr=%3E%3D4.0.0%2C%3C6.2.1 + Affected range : >=4.0.0 + : <6.2.1 + Fixed version : 6.2.1 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + + + 0C 0H 1M 0L dottie 2.0.6 +pkg:npm/dottie@2.0.6 + + ✗ MEDIUM CVE-2026-27837 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2026-27837?s=github&n=dottie&t=npm&vr=%3E%3D2.0.4%2C%3C%3D2.0.6 + Affected range : >=2.0.4 + : <=2.0.6 + Fixed version : 2.0.7 + CVSS Score : 6.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L + + + 0C 0H 0M 1L @tootallnate/once 1.1.2 +pkg:npm/%40tootallnate/once@1.1.2 + + ✗ LOW CVE-2026-3449 [Incorrect Control Flow Scoping] + https://scout.docker.com/v/CVE-2026-3449?s=github&n=once&ns=%40tootallnate&t=npm&vr=%3C3.0.1 + Affected range : <3.0.1 + Fixed version : 3.0.1 + CVSS Score : 1.9 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P + + + 0C 0H 0M 1L diff 4.0.2 +pkg:npm/diff@4.0.2 + + ✗ LOW CVE-2026-24001 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-24001?s=github&n=diff&t=npm&vr=%3E%3D4.0.0%2C%3C4.0.4 + Affected range : >=4.0.0 + : <4.0.4 + Fixed version : 4.0.4 + CVSS Score : 2.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U + + + 0C 0H 0M 1L @tootallnate/once 2.0.0 +pkg:npm/%40tootallnate/once@2.0.0 + + ✗ LOW CVE-2026-3449 [Incorrect Control Flow Scoping] + https://scout.docker.com/v/CVE-2026-3449?s=github&n=once&ns=%40tootallnate&t=npm&vr=%3C3.0.1 + Affected range : <3.0.1 + Fixed version : 3.0.1 + CVSS Score : 1.9 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P + + + 0C 0H 0M 
1L cookie 0.4.2 +pkg:npm/cookie@0.4.2 + + ✗ LOW CVE-2024-47764 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')] + https://scout.docker.com/v/CVE-2024-47764?s=github&n=cookie&t=npm&vr=%3C0.7.0 + Affected range : <0.7.0 + Fixed version : 0.7.0 + + + +118 vulnerabilities found in 48 packages + CRITICAL 11 + HIGH 65 + MEDIUM 30 + LOW 5 + UNSPECIFIED 7 + diff --git a/labs/lab7/scanning/snyk-results.txt b/labs/lab7/scanning/snyk-results.txt new file mode 100644 index 00000000..4513f014 --- /dev/null +++ b/labs/lab7/scanning/snyk-results.txt @@ -0,0 +1,255 @@ + +Testing bkimminich/juice-shop:v19.0.0... + +✗ High severity vulnerability found in openssl/libssl3 + Description: CVE-2025-69421 + Info: https://security.snyk.io/vuln/SNYK-DEBIAN12-OPENSSL-15123192 + Introduced through: openssl/libssl3@3.0.17-1~deb12u2 + From: openssl/libssl3@3.0.17-1~deb12u2 + Fixed in: 3.0.18-1~deb12u2 + +------------ Detected 5 vulnerabilities for node@22.18.0 ------------ + + +✗ High severity vulnerability found in node + Description: UNIX Symbolic Link (Symlink) Following + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14928586 + Introduced through: node@22.18.0 + From: node@22.18.0 + Fixed in: 22.22.0 + +✗ High severity vulnerability found in node + Description: Uncaught Exception + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14929624 + Introduced through: node@22.18.0 + From: node@22.18.0 + Fixed in: 22.22.0 + +✗ High severity vulnerability found in node + Description: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14975915 + Introduced through: node@22.18.0 + From: node@22.18.0 + Fixed in: 22.22.0 + +✗ High severity vulnerability found in node + Description: Uncaught Exception + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14982196 + Introduced through: node@22.18.0 + 
From: node@22.18.0 + Fixed in: 22.22.0 + +✗ Critical severity vulnerability found in node + Description: Race Condition + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14928492 + Introduced through: node@22.18.0 + 
From: node@22.18.0 + Fixed in: 22.22.0 + +Organization: fayz131 +Package manager: deb +Project name: docker-image|bkimminich/juice-shop +Docker image: bkimminich/juice-shop:v19.0.0 +Platform: linux/amd64 +Target OS: Distroless +Licenses: enabled + +Tested 10 dependencies for known issues, found 6 issues. + +------------------------------------------------------- + +Testing bkimminich/juice-shop:v19.0.0... + +Tested 975 dependencies for known issues, found 47 issues. + + +Issues to fix by upgrading: + + Upgrade body-parser@1.20.3 to body-parser@1.20.4 to fix + ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-14724253] in qs@6.13.0 + introduced by body-parser@1.20.3 > qs@6.13.0 and 2 other path(s) + ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-15268416] in qs@6.13.0 + introduced by body-parser@1.20.3 > qs@6.13.0 and 2 other path(s) + + Upgrade check-dependencies@1.1.1 to check-dependencies@2.0.0 to fix + ✗ Excessive Platform Resource Consumption within a Loop [High Severity][https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727] in braces@2.3.2 + introduced by check-dependencies@1.1.1 > findup-sync@2.0.0 > micromatch@3.1.10 > braces@2.3.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660] in unset-value@1.0.0 + introduced by check-dependencies@1.1.1 > findup-sync@2.0.0 > micromatch@3.1.10 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > unset-value@1.0.0 and 4 other path(s) + + Upgrade express@4.21.2 to express@4.22.0 to fix + ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-14724253] in qs@6.13.0 + introduced by body-parser@1.20.3 > qs@6.13.0 and 2 other path(s) + ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-15268416] in qs@6.13.0 + introduced by 
body-parser@1.20.3 > qs@6.13.0 and 2 other path(s) + + Upgrade express-ipfilter@1.3.2 to express-ipfilter@1.4.0 to fix + ✗ Server-side Request Forgery (SSRF) [High Severity][https://security.snyk.io/vuln/SNYK-JS-IP-12704893] in ip@2.0.1 + introduced by express-ipfilter@1.3.2 > ip@2.0.1 + ✗ Server-side Request Forgery (SSRF) [High Severity][https://security.snyk.io/vuln/SNYK-JS-IP-12761655] in ip@2.0.1 + introduced by express-ipfilter@1.3.2 > ip@2.0.1 + + Upgrade express-jwt@0.1.3 to express-jwt@6.0.0 to fix + ✗ Authorization Bypass [High Severity][https://security.snyk.io/vuln/SNYK-JS-EXPRESSJWT-575022] in express-jwt@0.1.3 + introduced by express-jwt@0.1.3 + ✗ Improper Verification of Cryptographic Signature [High Severity][https://security.snyk.io/vuln/SNYK-JS-JWS-14188253] in jws@0.2.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s) + ✗ Forgeable Public/Private Tokens [High Severity][https://security.snyk.io/vuln/npm:jws:20160726] in jws@0.2.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s) + ✗ Directory Traversal [High Severity][https://security.snyk.io/vuln/SNYK-JS-MOMENT-2440688] in moment@2.0.0 + introduced by express-jwt@0.1.3 > jsonwebtoken@0.1.0 > moment@2.0.0 + ✗ Uninitialized Memory Exposure [High Severity][https://security.snyk.io/vuln/npm:base64url:20180511] in base64url@0.0.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 > base64url@0.0.6 and 3 other path(s) + ✗ Authentication Bypass [High Severity][https://security.snyk.io/vuln/npm:jsonwebtoken:20150331] in jsonwebtoken@0.1.0 + introduced by express-jwt@0.1.3 > jsonwebtoken@0.1.0 and 1 other path(s) + + Upgrade glob@10.4.5 to glob@12.0.0 to fix + ✗ Command Injection [High Severity][https://security.snyk.io/vuln/SNYK-JS-GLOB-14040952] in glob@10.4.5 + introduced by glob@10.4.5 and 1 other path(s) + ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438] in minimatch@3.1.2 + introduced by 
filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + ✗ Regular Expression Denial of Service (ReDoS) (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353387] in minimatch@9.0.5 + introduced by glob@10.4.5 > minimatch@9.0.5 and 1 other path(s) + ✗ Inefficient Algorithmic Complexity (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353389] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + + Upgrade grunt-contrib-compress@1.6.0 to grunt-contrib-compress@2.0.0 to fix + ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + ✗ Inefficient Algorithmic Complexity (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353389] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + + Upgrade jsonwebtoken@0.4.0 to jsonwebtoken@5.0.0 to fix + ✗ Improper Verification of Cryptographic Signature [High Severity][https://security.snyk.io/vuln/SNYK-JS-JWS-14188253] in jws@0.2.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s) + ✗ Forgeable Public/Private Tokens [High Severity][https://security.snyk.io/vuln/npm:jws:20160726] in jws@0.2.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s) + ✗ Uninitialized Memory Exposure [High Severity][https://security.snyk.io/vuln/npm:base64url:20180511] in base64url@0.0.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 > base64url@0.0.6 and 3 other path(s) + ✗ Authentication Bypass [High Severity][https://security.snyk.io/vuln/npm:jsonwebtoken:20150331] in jsonwebtoken@0.1.0 + introduced by express-jwt@0.1.3 > jsonwebtoken@0.1.0 and 1 other path(s) + + Upgrade 
multer@1.4.5-lts.2 to multer@2.1.1 to fix + ✗ Uncontrolled Recursion (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-15417528] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Missing Release of Resource after Effective Lifetime (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-15365916] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Incomplete Cleanup (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-15365918] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Uncaught Exception [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10773732] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Uncaught Exception [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10185673] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Missing Release of Memory after Effective Lifetime [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10185675] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Uncaught Exception [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10299078] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + + Upgrade node-pre-gyp@0.15.0 to node-pre-gyp@0.17.0 to fix + ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + ✗ Inefficient Algorithmic Complexity (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353389] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + + Upgrade pdfkit@0.11.0 to pdfkit@0.12.2 to fix + ✗ Use of Weak Hash [High Severity][https://security.snyk.io/vuln/SNYK-JS-CRYPTOJS-6028119] in crypto-js@3.3.0 + introduced by pdfkit@0.11.0 > crypto-js@3.3.0 + + Upgrade sanitize-html@1.4.2 to 
sanitize-html@1.7.1 to fix + ✗ Code Injection [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-1040724] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-450202] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-608086] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-6139239] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-73638] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + + Upgrade sequelize@6.37.7 to sequelize@6.37.8 to fix + ✗ SQL Injection (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-15456219] in sequelize@6.37.7 + introduced by sequelize@6.37.7 + + Upgrade socket.io@3.1.2 to socket.io@4.7.0 to fix + ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-WS-7266574] in ws@7.4.6 + introduced by socket.io@3.1.2 > engine.io@4.1.2 > ws@7.4.6 + ✗ Uncaught Exception [High Severity][https://security.snyk.io/vuln/SNYK-JS-SOCKETIO-7278048] in socket.io@3.1.2 + introduced by socket.io@3.1.2 + ✗ Allocation of Resources Without Limits or Throttling (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-15680278] in socket.io-parser@4.0.5 + introduced by socket.io@3.1.2 > socket.io-parser@4.0.5 + ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-5596892] in socket.io-parser@4.0.5 + introduced by socket.io@3.1.2 > socket.io-parser@4.0.5 + ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-ENGINEIO-3136336] in engine.io@4.1.2 + introduced by socket.io@3.1.2 > engine.io@4.1.2 + + Upgrade 
sqlite3@5.1.7 to sqlite3@6.0.1 to fix + ✗ Directory Traversal [High Severity][https://security.snyk.io/vuln/SNYK-JS-TAR-15307072] in tar@7.4.3 + introduced by libxmljs2@0.37.0 > node-gyp@11.4.2 > tar@7.4.3 and 5 other path(s) + ✗ Symlink Attack (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-TAR-15416075] in tar@7.4.3 + introduced by libxmljs2@0.37.0 > node-gyp@11.4.2 > tar@7.4.3 and 5 other path(s) + ✗ Symlink Attack (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-TAR-15456201] in tar@7.4.3 + introduced by libxmljs2@0.37.0 > node-gyp@11.4.2 > tar@7.4.3 and 5 other path(s) + + Upgrade unzipper@0.9.15 to unzipper@0.12.1 to fix + ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + ✗ Inefficient Algorithmic Complexity (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353389] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + + +Issues with no direct upgrade or patch: + ✗ Type Confusion [High Severity][https://security.snyk.io/vuln/SNYK-JS-LIBXMLJS2-6808810] in libxmljs2@0.37.0 + introduced by libxmljs2@0.37.0 + No upgrade or patch available + ✗ Type Confusion [High Severity][https://security.snyk.io/vuln/SNYK-JS-LIBXMLJS2-6808816] in libxmljs2@0.37.0 + introduced by libxmljs2@0.37.0 + No upgrade or patch available + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASHSET-1320032] in lodash.set@4.3.2 + introduced by grunt-replace-json@0.1.0 > lodash.set@4.3.2 + No upgrade or patch available + ✗ Arbitrary Code Injection [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-MARSDB-480405] in marsdb@0.6.11 + introduced by marsdb@0.6.11 + No upgrade or patch available + ✗ Incomplete Filtering of One or More Instances of 
Special Elements [High Severity][https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476] in validator@13.15.15 + introduced by sequelize@6.37.7 > validator@13.15.15 + This issue was fixed in versions: 13.15.22 + ✗ Improper Control of Dynamically-Managed Code Resources [High Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-15116160] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.10.2 + ✗ Sandbox Bypass [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-5537100] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.9.18 + ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-5772823] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.10.0 + ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-5772825] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.10.0 + + + +Organization: fayz131 +Package manager: npm +Target file: /juice-shop/package.json +Project name: juice-shop +Docker image: bkimminich/juice-shop:v19.0.0 +Licenses: enabled + + +Tested 2 projects, 2 contained vulnerable paths. + + + + + ERROR Forbidden (SNYK-CLI-0000) + The encountered error only provides basic information, please take a look at + the given details. If they do not help to resolve the issue, consider + debugging or consulting support. + + Forbidden + +Status: 403 Forbidden +Docs: https://docs.snyk.io/scan-with-snyk/error-catalog#snyk-cli-0000 + +ID: urn:snyk:interaction:bdc237b1-e84a-4bc9-82ae-d9be72047c61 diff --git a/labs/submission1.md b/labs/submission1.md new file mode 100644 index 00000000..d65295db --- /dev/null +++ b/labs/submission1.md 
@@ -0,0 +1,183 @@ +# Lab 1 — OWASP Juice Shop & PR Workflow + +## Task 1 — Triage Report — OWASP Juice Shop + +# Triage Report — OWASP Juice Shop + +## Scope & Asset +- Asset: OWASP Juice Shop (local lab instance) +- Image: bkimminich/juice-shop:v19.0.0 +- Release link/date: https://github.com/juice-shop/juice-shop/releases/tag/v19.0.0 — September 2024 +- Image digest (optional): *(not collected)* + +--- + +## Environment +- Host OS: Ubuntu Linux (VirtualBox VM, user: vboxuser, host: amirLinux) +- Docker version: 28.2.2 + +--- + +## Deployment Details + +Run command used: + +```bash +docker run -d --name juice-shop \ + -p 127.0.0.1:3000:3000 \ + bkimminich/juice-shop:v19.0.0 +``` + +Access URL: http://127.0.0.1:3000 + +Network exposure: 127.0.0.1 only — [x] Yes [ ] No + +Because the container port is bound explicitly to localhost + +## Health Check + +1. UI Check + +Navigated to http://127.0.0.1:3000 + +The OWASP Juice Shop UI loaded successfully + +Screenshot: labs/img/juice-home.jpg + +2. API Check + +Command executed: +```bash +curl -s http://127.0.0.1:3000/rest/products | head +``` + +Output: +```html + + + + Error: Unexpected path: /rest/products + + + ... + + +``` + +This confirms that: + +the backend is reachable, + +the request hits the application, + +but this specific version/route returns a generic error handler page — acceptable for triage documentation + + +## Surface Snapshot (Triage) + +Login/Registration visible: Yes +Notes: Login and Register shown in the top menu. + +Product listing/search present: Yes +Notes: Main page includes product cards + search bar. + +Admin/account area discoverable: Yes +Notes: Account menu and admin panel options visible in UI. + +Client-side console errors: No +Notes: No JS errors in browser DevTools. + +Security headers (quick look): +```bash +curl -I http://127.0.0.1:3000 +``` + +Notes: +Headers are minimal and lack CSP/HSTS/X-Frame-Options. 
+Expected for a deliberately insecure training application, but would be a serious issue in production + +## Risks Observed (Top 3) + +1. Verbose stack traces exposed to users. +/rest/products returns HTML containing internal error messages and detailed stack traces — dangerous information disclosure in real environments. + +2. Application could be accidentally exposed publicly. +If binded to 0.0.0.0 or deployed to a VPS, attackers could exploit Juice Shop’s intentional vulnerabilities. + +3. Large attack surface (auth, search, basket, admin). +Many user input points → higher risk of XSS, SQLi, IDOR, and broken authentication if this were a real e-commerce system + +## Task 2 - PR Template Setup & Verification + +PR Template Creation + +A pull request template was added at: +```bash +.github/pull_request_template.md +``` + +Template includes: + +Sections: Goal, Changes, Testing, Artifacts & Screenshots + +Checklist: + + PR title is clear and descriptive + + Documentation updated if needed + + No secrets, temporary files, or large binaries included + +This ensures consistent structure and quality across all lab submissions + +Template Application Verification + +Steps performed: + +1. Created a new branch: +```bash +git checkout -b feature/lab1 +``` + +2. Added the submission file and screenshot: +```bash +git add labs/submission1.md labs/img/juice-home.png +git commit -m "docs(lab1): add submission1 report" +git push -u origin feature/lab1 +``` + +3. Opened a pull request inside my fork (feature/lab1 → main) + +4. GitHub automatically applied the PR template: + +* Goal + +* Changes + +* Testing + +* Artifacts & Screenshots + +* 3-step Checklist + +5. 
Filled in the template with deployment/testing details + +How Templates Improve Collaboration + +Ensures every PR has a clear purpose and structure + +Reduces review time for instructors + +Prevents mistakes (missing docs, secrets, temp files) + +Standardizes workflow for all future labs + + +## Challenges & Solutions + +API endpoint returned HTML instead of JSON. +Resolved by analyzing server logs, confirming the backend is up, +and documenting the behaviour properly in the triage report. + +PR template not loading at first. +Fixed by committing the template on the main branch of my fork — required by GitHub diff --git a/labs/submission7.md b/labs/submission7.md new file mode 100644 index 00000000..25bded91 --- /dev/null +++ b/labs/submission7.md 
@@ -0,0 +1,297 @@ +# Lab 7 — Container Security: Image Scanning & Deployment Hardening + +## Target Application + +- Image: `bkimminich/juice-shop:v19.0.0` + +--- + +## Task 1 — Image Vulnerability & Configuration Analysis + +### Docker Scout Vulnerability Analysis + +Docker Scout was used to scan the OWASP Juice Shop container image for known package vulnerabilities. + +Scan summary: +- Critical: **11** +- High: **65** +- Medium: **30** +- Low: **5** +- Unspecified: **7** + +The scan detected **48 vulnerable packages** with a total of **118 vulnerabilities**. This indicates a significant supply-chain risk due to outdated and vulnerable dependencies inside the image. + +### Top 5 Critical/High Vulnerabilities + +| CVE | Package | Severity | Impact | +|-----|---------|----------|--------| +| CVE-2026-22709 | `vm2` 3.9.17 | Critical | Protection mechanism failure with very high impact; may enable sandbox escape / remote code execution scenarios | +| CVE-2023-37903 | `vm2` 3.9.17 | Critical | OS command injection vulnerability | +| CVE-2023-37466 | `vm2` 3.9.17 | Critical | Code injection vulnerability | +| CVE-2025-55130 | `node` 22.18.0 | Critical | Vulnerable Node.js runtime affecting the application platform itself | +| CVE-2019-10744 | `lodash` 2.4.2 | Critical | Prototype pollution vulnerability that can impact application integrity | + +Additional notable high-risk packages included: +- `tar` +- `multer` +- `jsonwebtoken` +- `crypto-js` +- `sequelize` +- `ip` + +### Snyk Comparison + +Snyk was used as an additional scanner to compare results with Docker Scout. +It identified multiple high and critical vulnerabilities in both OS-level and npm dependencies, including issues in `node`, `vm2`, `multer`, `sequelize`, and `express-jwt`. 
+ +Snyk also provided actionable remediation suggestions, such as upgrading: +- `node` to `22.22.0` +- `multer` to `2.1.1` +- `sequelize` to `6.37.8` +- `express-jwt` to `6.0.0` + +In general: +- **Docker Scout** is strongly integrated into Docker workflows and is convenient for image and SBOM-oriented vulnerability analysis. +- **Snyk** is useful for broader security platform workflows and policy-driven reporting. +- Both tools are valuable, but Docker Scout already provided enough detailed CVE evidence for this lab. + +### Dockle Configuration Findings + +Dockle did not report any **FATAL** or **WARN** findings for this image, but it reported several informational issues: + +- Docker content trust is not enabled +- No `HEALTHCHECK` instruction is present +- Unnecessary files exist in the image (for example `.DS_Store` files) + +These findings still matter because: +- missing **HEALTHCHECK** reduces runtime observability and recovery quality +- missing **content trust** weakens supply-chain assurance +- unnecessary files increase image noise and slightly increase attack surface / maintenance burden + +### Security Posture Assessment + +The image has a weak security posture from a vulnerability management perspective because it includes many outdated and vulnerable packages. 
+ +Assessment: +- The image contains numerous critical/high vulnerabilities +- Dockle did not flag major runtime misconfigurations, but best practices are still missing +- The image would benefit from dependency cleanup and stronger image hardening + +Recommended improvements: +- update vulnerable npm and runtime dependencies +- rebuild the image regularly with patched base/runtime layers +- add a `HEALTHCHECK` +- enable content trust / signed image workflows +- remove unnecessary files from build output +- run the container as a non-root user if possible +- minimize package footprint and attack surface + +--- + +## Task 2 — Docker Host Security Benchmarking + +### CIS Docker Benchmark Summary + +Docker Bench Security results: + +- PASS: **40** +- WARN: **82** +- FAIL: **0** +- INFO: **88** + +The benchmark completed successfully. No direct `FAIL` findings were reported, but the large number of `WARN` entries shows that the Docker host and running environment still have many hardening gaps. + +### Analysis of Warnings + +Key warning areas included: + +- no separate partition for containers +- auditing not configured for Docker daemon/files +- network traffic on the default bridge not sufficiently restricted +- user namespace support not enabled +- authorization for Docker client commands not enabled +- centralized/remote logging not configured +- live restore not enabled +- userland proxy not disabled +- containers not restricted from acquiring new privileges +- Docker socket ownership issue +- many images missing `HEALTHCHECK` +- some containers running without CPU restrictions +- some containers using writable root filesystems +- wildcard host bindings (`0.0.0.0`) +- no PID limits on several containers +- Docker socket mounted into at least one container + +### Security Impact + +These warnings matter because they increase the blast radius of compromise and weaken defense in depth. 
For example: + +- missing auditing reduces incident visibility +- lack of user namespaces weakens isolation +- unrestricted host bindings expose services too broadly +- writable root filesystems help persistence after compromise +- missing PID / CPU limits increases denial-of-service risk +- mounting the Docker socket can enable container breakout or host control + +### Recommended Remediation Steps + +Recommended remediations: +- configure auditing for Docker daemon and critical Docker paths +- enable user namespace remapping +- restrict bridge/container networking more tightly +- enable centralized logging +- enable content trust and healthchecks where possible +- use `no-new-privileges` +- apply CPU, memory, and PID limits consistently +- avoid mounting Docker socket into containers +- bind services to specific interfaces instead of `0.0.0.0` +- consider read-only root filesystems for suitable containers + +--- + +## Task 3 — Deployment Security Configuration Analysis + +### Functionality Results + +All three profiles were tested for availability: + +- Default: **HTTP 200** +- Hardened: **HTTP 200** +- Production: **HTTP 200** + +This shows that the hardened runtime settings did not break the application in this environment. + +### Resource Usage Summary + +Observed memory usage: + +- Default: **99.86 MiB / 5.786 GiB** +- Hardened: **92.77 MiB / 512 MiB** +- Production: **91.29 MiB / 512 MiB** + +The hardened and production profiles successfully enforced memory limits, while the default profile used the host default limit. 
+ +### Configuration Comparison Table + +| Profile | Capabilities | Security Options | Memory | CPU | PIDs | Restart Policy | +|--------|--------------|------------------|--------|-----|------|----------------| +| Default | Docker defaults | none | unlimited / host default | none | none | no | +| Hardened | `--cap-drop=ALL` | `no-new-privileges` | 512 MiB | set via `--cpus=1.0` | none | no | +| Production | `--cap-drop=ALL`, `--cap-add=NET_BIND_SERVICE` | `no-new-privileges` | 512 MiB | set via `--cpus=1.0` | 100 | `on-failure` | + +### Security Measure Analysis + +#### a) `--cap-drop=ALL` and `--cap-add=NET_BIND_SERVICE` + +Linux capabilities split root privileges into smaller privilege units. +Dropping all capabilities removes a large set of privileged operations that a compromised process could otherwise abuse. + +Security benefit: +- reduces privilege escalation opportunities +- limits post-exploitation actions +- follows least-privilege design + +`NET_BIND_SERVICE` is added back only when low-port binding is needed. This is a much safer model than keeping default capabilities. + +#### b) `--security-opt=no-new-privileges` + +This prevents processes from gaining additional privileges after container start, for example through setuid/setgid binaries. + +Security benefit: +- helps stop privilege escalation inside the container +- limits abuse after code execution compromise + +Downside: +- some applications that rely on privilege transitions may not work correctly + +#### c) `--memory=512m` and `--cpus=1.0` + +Without limits, a container can consume excessive host resources and affect availability of other workloads. 
+ +Security benefit: +- reduces denial-of-service impact +- contains runaway memory/CPU consumption +- protects multi-container hosts from noisy-neighbor effects + +Risk if limits are too low: +- application instability +- restarts +- degraded performance + +#### d) `--pids-limit=100` + +A fork bomb is an attack or failure mode where processes recursively create more processes until the system becomes unusable. + +Security benefit: +- limits process explosion +- reduces host resource exhaustion risk + +The correct PID limit depends on the application’s process model and expected concurrency. + +#### e) `--restart=on-failure:3` + +This restart policy restarts the container only after failure, and only up to a limited number of times. + +Security benefit: +- improves resilience during transient failures +- avoids endless restart loops better than `always` + +Comparison: +- `on-failure` is safer for crash analysis and controlled recovery +- `always` may hide recurring faults and create restart loops + +### Critical Thinking + +**Which profile is best for development? Why?** +The **default** or **hardened** profile is more suitable for development. Default is easiest for debugging, while hardened adds useful protections without too much operational complexity. In practice, hardened is the better security-aware development baseline. + +**Which profile is best for production? Why?** +The **production** profile is the best choice because it applies least privilege, memory limits, PID limits, and restart control. It provides stronger containment if the application is exploited. + +**What real-world problem do resource limits solve?** +They reduce the impact of denial-of-service conditions, runaway processes, memory exhaustion, and unfair resource consumption on shared hosts. 
+ +**If an attacker exploits Default vs Production, what actions are blocked in Production?** +Production better restricts: +- privilege-related operations due to dropped capabilities +- privilege escalation due to `no-new-privileges` +- process explosion due to PID limit +- resource abuse due to memory/CPU constraints +- uncontrolled restart behavior due to limited restart policy + +**What additional hardening would you add?** +Additional recommended hardening: +- run as non-root +- use read-only root filesystem where possible +- add explicit seccomp profile support +- restrict networking further +- add healthchecks +- use signed images / attestations +- reduce package footprint +- mount only required volumes with minimal permissions + +### Note on seccomp + +The intended production profile originally included an explicit `seccomp=default` setting. In this environment, Docker rejected that literal option and treated it as a missing file path. To complete the deployment comparison successfully, the production profile was re-run without the explicit seccomp flag. + +The recommendation remains the same: in a real production environment, Docker’s default seccomp profile or a custom hardened seccomp profile should be enabled. + +--- + +## Conclusion + +This lab showed that container security depends on both **image security** and **runtime hardening**. + +Key conclusions: +- the Juice Shop image contains a large number of critical/high vulnerabilities +- Docker Bench revealed many host/container hardening warnings even without direct FAIL findings +- runtime hardening flags significantly improve containment without breaking application functionality +- the production-style profile offers the best balance for real deployment security + +A secure container deployment should combine: +- regular vulnerability scanning +- host hardening +- strict runtime controls +- least privilege +- resource limits +- secure supply-chain practices
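Review bot: The committed Snyk results artifact (the `labs/lab7/hardening` file above, ending at `+ID: urn:snyk:interaction:...`) finishes with an unexplained failure block, `ERROR Forbidden (SNYK-CLI-0000)` / `Status: 403 Forbidden`, immediately after `Tested 2 projects, 2 contained vulnerable paths.`; either re-run the scan so the artifact is complete, or add a one-line comment in the submission stating which step produced the 403 and that the vulnerable-path listing above it is unaffected, otherwise a reader cannot tell whether the run finished. The same file records fix versions the submission does not mention (for example `This issue was fixed in versions: 3.10.2` for `vm2` and `13.15.22` for `validator`); the remediation list in `labs/submission7.md` would be stronger if it cited them.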
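Review bot: In `labs/submission1.md` the screenshot reference and the commit command disagree on the file extension: the Health Check section says `Screenshot: labs/img/juice-home.jpg` while step 2 of the verification runs `git add labs/submission1.md labs/img/juice-home.png`; one of them will fail to match the file actually added, so align them. Risk 1 claims `/rest/products` returns "detailed stack traces", but the captured output shows only `Error: Unexpected path: /rest/products` followed by `...`; either paste the part of the response that contains the trace or soften the finding to "verbose error page". The Security headers block shows the `curl -I` command but not its output, so the statement that CSP/HSTS/X-Frame-Options are missing has no evidence in the report; include the headers. Minor wording: "If binded to 0.0.0.0" should read "If bound to 0.0.0.0", and "Image digest (optional): (not collected)" could be filled in with `docker inspect --format '{{index .RepoDigests 0}}' bkimminich/juice-shop:v19.0.0` so the exact image under test is pinned.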
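Review bot: In `labs/submission7.md` the Configuration Comparison Table states the Hardened and Production profiles have CPU "set via `--cpus=1.0`", but nothing in the hunk supports it: the Resource Usage Summary records memory only, and no run commands or `docker inspect` output for the CPU quota are shown, so either add that evidence or change the cell to match what was observed. The table also lists the Production restart policy as `on-failure` while section e) describes `--restart=on-failure:3`; record the retry count in the table as well. In the "Note on seccomp", add that Docker applies its default seccomp profile whenever no `--security-opt seccomp=` is given (unless the daemon has been configured with a custom default), so dropping the rejected `seccomp=default` literal did not remove the default filter from the Production run; as written, the note suggests the profile had no seccomp protection. Finally, the Docker Bench warning "Docker socket mounted into at least one container" deserves a sentence identifying which container, since for the lab it may be the benchmark container itself rather than a Juice Shop profile.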