diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 00000000..fa6126e3 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,12 @@ +## Goal + +## Changes + +## Testing + +## Artifacts & Screenshots + +## Checklist +- [ ] PR has a clear, descriptive title +- [ ] Documentation is updated +- [ ] No secrets or sensitive data diff --git a/labs/lab7/analysis/deployment-comparison.txt b/labs/lab7/analysis/deployment-comparison.txt new file mode 100644 index 00000000..f7335cf6 --- /dev/null +++ b/labs/lab7/analysis/deployment-comparison.txt @@ -0,0 +1,36 @@ +=== Functionality Test === +Default: HTTP 200 +Hardened: HTTP 200 +Production: HTTP 200 + +=== Resource Usage === +NAME CPU % MEM USAGE / LIMIT MEM % +juice-default 0.44% 100.7MiB / 15.35GiB 0.64% +juice-hardened 0.32% 92.3MiB / 512MiB 18.03% +juice-production 0.38% 91.45MiB / 512MiB 17.86% + +=== Security Configurations === + +Container: juice-default +CapDrop: +SecurityOpt: +Memory: 0 +CPU: 0 +PIDs: +Restart: no + +Container: juice-hardened +CapDrop: [ALL] +SecurityOpt: [seccomp=unconfined] +Memory: 536870912 +CPU: 0 +PIDs: +Restart: no + +Container: juice-production +CapDrop: [ALL] +SecurityOpt: +Memory: 536870912 +CPU: 0 +PIDs: 100 +Restart: on-failure diff --git a/labs/lab7/hardening/docker-bench-results.txt b/labs/lab7/hardening/docker-bench-results.txt new file mode 100644 index 00000000..98c056ca --- /dev/null +++ b/labs/lab7/hardening/docker-bench-results.txt @@ -0,0 +1,216 @@ +Unable to find image 'docker/docker-bench-security:latest' locally +latest: Pulling from docker/docker-bench-security +cd784148e348: Pulling fs layer +48fe0d48816d: Pulling fs layer +164e5e0f48c5: Pulling fs layer +378ed37ea5ff: Pulling fs layer +378ed37ea5ff: Waiting +164e5e0f48c5: Download complete +378ed37ea5ff: Verifying Checksum +378ed37ea5ff: Download complete +cd784148e348: Download complete +cd784148e348: Pull complete +48fe0d48816d: Verifying Checksum +48fe0d48816d: Download complete +48fe0d48816d: Pull complete +164e5e0f48c5: Pull complete +378ed37ea5ff: Pull complete +Digest: sha256:ddbdf4f86af4405da4a8a7b7cc62bb63bfeb75e85bf22d2ece70c204d7cfabb8 +Status: Downloaded newer image for docker/docker-bench-security:latest +# ------------------------------------------------------------------------------ +# Docker Bench for Security v1.3.4 +# +# Docker, Inc. (c) 2015- +# +# Checks for dozens of common best-practices around deploying Docker containers in production. +# Inspired by the CIS Docker Community Edition Benchmark v1.1.0. +# ------------------------------------------------------------------------------ + +Initializing Mon Mar 23 15:37:10 UTC 2026 + + +[INFO] 1 - Host Configuration +[WARN] 1.1 - Ensure a separate partition for containers has been created +[NOTE] 1.2 - Ensure the container host has been Hardened +[PASS] 1.3 - Ensure Docker is up to date +[INFO] * Using 28.4.0 which is current +[INFO] * Check with your operating system vendor for support and security maintenance for Docker +[INFO] 1.4 - Ensure only trusted users are allowed to control Docker daemon +[INFO] * docker:x:139 +[WARN] 1.5 - Ensure auditing is configured for the Docker daemon +[INFO] 1.6 - Ensure auditing is configured for Docker files and directories - /var/lib/docker +[INFO] * Directory not found +[WARN] 1.7 - Ensure auditing is configured for Docker files and directories - /etc/docker +[INFO] 1.8 - Ensure auditing is configured for Docker files and directories - docker.service +[INFO] * File not found +[INFO] 1.9 - Ensure auditing is configured for Docker files and directories - docker.socket +[INFO] * File not found +[WARN] 1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker +[INFO] 1.11 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json +[INFO] * File not found +[INFO] 1.12 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd +[INFO] * File not found +[INFO] 1.13 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc +[INFO] * File not found + + +[INFO] 2 - Docker daemon configuration +[WARN] 2.1 - Ensure network traffic is restricted between containers on the default bridge +[PASS] 2.2 - Ensure the logging level is set to 'info' +[PASS] 2.3 - Ensure Docker is allowed to make changes to iptables +[PASS] 2.4 - Ensure insecure registries are not used +[PASS] 2.5 - Ensure aufs storage driver is not used +[INFO] 2.6 - Ensure TLS authentication for Docker daemon is configured +[INFO] * Docker daemon not listening on TCP +[INFO] 2.7 - Ensure the default ulimit is configured appropriately +[INFO] * Default ulimit doesn't appear to be set +[WARN] 2.8 - Enable user namespace support +[PASS] 2.9 - Ensure the default cgroup usage has been confirmed +[PASS] 2.10 - Ensure base device size is not changed until needed +[WARN] 2.11 - Ensure that authorization for Docker client commands is enabled +[WARN] 2.12 - Ensure centralized and remote logging is configured +[INFO] 2.13 - Ensure operations on legacy registry (v1) are Disabled (Deprecated) +[WARN] 2.14 - Ensure live restore is Enabled +[WARN] 2.15 - Ensure Userland Proxy is Disabled +[INFO] 2.16 - Ensure daemon-wide custom seccomp profile is applied, if needed +[PASS] 2.17 - Ensure experimental features are avoided in production +[WARN] 2.18 - Ensure containers are restricted from acquiring new privileges + + +[INFO] 3 - Docker daemon configuration files +[INFO] 3.1 - Ensure that docker.service file ownership is set to root:root +[INFO] * File not found +[INFO] 3.2 - Ensure that docker.service file permissions are set to 644 or more restrictive +[INFO] * File not found +[INFO] 3.3 - Ensure that docker.socket file ownership is set to root:root +[INFO] * File not found +[INFO] 3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive +[INFO] * File not found +[PASS] 3.5 - Ensure that /etc/docker directory ownership is set to root:root +[PASS] 3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive +[INFO] 3.7 - Ensure that registry certificate file ownership is set to root:root +[INFO] * Directory not found +[INFO] 3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictive +[INFO] * Directory not found +[INFO] 3.9 - Ensure that TLS CA certificate file ownership is set to root:root +[INFO] * No TLS CA certificate found +[INFO] 3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive +[INFO] * No TLS CA certificate found +[INFO] 3.11 - Ensure that Docker server certificate file ownership is set to root:root +[INFO] * No TLS Server certificate found +[INFO] 3.12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive +[INFO] * No TLS Server certificate found +[INFO] 3.13 - Ensure that Docker server certificate key file ownership is set to root:root +[INFO] * No TLS Key found +[INFO] 3.14 - Ensure that Docker server certificate key file permissions are set to 400 +[INFO] * No TLS Key found +[PASS] 3.15 - Ensure that Docker socket file ownership is set to root:docker +[PASS] 3.16 - Ensure that Docker socket file permissions are set to 660 or more restrictive +[INFO] 3.17 - Ensure that daemon.json file ownership is set to root:root +[INFO] * File not found +[INFO] 3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive +[INFO] * File not found +[PASS] 3.19 - Ensure that /etc/default/docker file ownership is set to root:root +[PASS] 3.20 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive + + +[INFO] 4 - Container Images and Build File +[WARN] 4.1 - Ensure a user for the container has been created +[WARN] * Running as root: ml-app +[NOTE] 4.2 - Ensure that containers use trusted base images +[NOTE] 4.3 - Ensure unnecessary packages are not installed in the container +[NOTE] 4.4 - Ensure images are scanned and rebuilt to include security patches +[WARN] 4.5 - Ensure Content trust for Docker is Enabled +[WARN] 4.6 - Ensure HEALTHCHECK instructions have been added to the container image +[WARN] * No Healthcheck found: [snyk/snyk:docker] +[WARN] * No Healthcheck found: [scylladb/scylla:2025.4.5 scylladb/scylla:latest] +[WARN] * No Healthcheck found: [scylladb/scylla:2025.4.5 scylladb/scylla:latest] +[WARN] * No Healthcheck found: [mongo:7.0] +[WARN] * No Healthcheck found: [mongo:latest] +[WARN] * No Healthcheck found: [deployment-api:latest] +[WARN] * No Healthcheck found: [deployment-app:latest] +[WARN] * No Healthcheck found: [bkimminich/juice-shop:v19.0.0] +[WARN] * No Healthcheck found: [goodwithtech/dockle:latest] +[INFO] 4.7 - Ensure update instructions are not use alone in the Dockerfile +[INFO] * Update instruction found: [snyk/snyk:docker] +[INFO] * Update instruction found: [citusdata/citus:latest] +[INFO] * Update instruction found: [mongo:7.0] +[INFO] * Update instruction found: [mongo:latest] +[INFO] * Update instruction found: [deployment-api:latest] +[INFO] * Update instruction found: [deployment-app:latest] +[NOTE] 4.8 - Ensure setuid and setgid permissions are removed in the images +[INFO] 4.9 - Ensure COPY is used instead of ADD in Dockerfile +[INFO] * ADD in image history: [snyk/snyk:docker] +[INFO] * ADD in image history: [mongo:7.0] +[INFO] * ADD in image history: [mongo:latest] +[INFO] * ADD in image history: [goodwithtech/dockle:latest] +[INFO] * ADD in image history: [docker/docker-bench-security:latest] +[NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles +[NOTE] 4.11 - Ensure verified packages are only Installed + + +[INFO] 5 - Container Runtime +[PASS] 5.1 - Ensure AppArmor Profile is Enabled +[WARN] 5.2 - Ensure SELinux security options are set, if applicable +[WARN] * No SecurityOptions Found: ml-app +[PASS] 5.3 - Ensure Linux Kernel Capabilities are restricted within containers +[PASS] 5.4 - Ensure privileged containers are not used +[PASS] 5.5 - Ensure sensitive host system directories are not mounted on containers +[PASS] 5.6 - Ensure ssh is not run within containers +[PASS] 5.7 - Ensure privileged ports are not mapped within containers +[NOTE] 5.8 - Ensure only needed ports are open on the container +[PASS] 5.9 - Ensure the host's network namespace is not shared +[WARN] 5.10 - Ensure memory usage for container is limited +[WARN] * Container running without memory restrictions: ml-app +[WARN] 5.11 - Ensure CPU priority is set appropriately on the container +[WARN] * Container running without CPU restrictions: ml-app +[WARN] 5.12 - Ensure the container's root filesystem is mounted as read only +[WARN] * Container running with root FS mounted R/W: ml-app +[WARN] 5.13 - Ensure incoming container traffic is binded to a specific host interface +[WARN] * Port being bound to wildcard IP: 0.0.0.0 in ml-app +[WARN] 5.14 - Ensure 'on-failure' container restart policy is set to '5' +[WARN] * MaximumRetryCount is not set to 5: ml-app +[PASS] 5.15 - Ensure the host's process namespace is not shared +[PASS] 5.16 - Ensure the host's IPC namespace is not shared +[PASS] 5.17 - Ensure host devices are not directly exposed to containers +[INFO] 5.18 - Ensure the default ulimit is overwritten at runtime, only if needed +[INFO] * Container no default ulimit override: ml-app +[PASS] 5.19 - Ensure mount propagation mode is not set to shared +[PASS] 5.20 - Ensure the host's UTS namespace is not shared +[PASS] 5.21 - Ensure the default seccomp profile is not Disabled +[NOTE] 5.22 - Ensure docker exec commands are not used with privileged option +[NOTE] 5.23 - Ensure docker exec commands are not used with user option +[PASS] 5.24 - Ensure cgroup usage is confirmed +[WARN] 5.25 - Ensure the container is restricted from acquiring additional privileges +[WARN] * Privileges not restricted: ml-app +[WARN] 5.26 - Ensure container health is checked at runtime +[WARN] * Health check not set: ml-app +[INFO] 5.27 - Ensure docker commands always get the latest version of the image +[WARN] 5.28 - Ensure PIDs cgroup limit is used +[WARN] * PIDs limit not set: ml-app +[PASS] 5.29 - Ensure Docker's default bridge docker0 is not used +[PASS] 5.30 - Ensure the host's user namespaces is not shared +[PASS] 5.31 - Ensure the Docker socket is not mounted inside any containers + + +[INFO] 6 - Docker Security Operations +[INFO] 6.1 - Avoid image sprawl +[INFO] * There are currently: 16 images +[INFO] 6.2 - Avoid container sprawl +[INFO] * There are currently a total of 8 containers, with 2 of them currently running + + +[INFO] 7 - Docker Swarm Configuration +[PASS] 7.1 - Ensure swarm mode is not Enabled, if not needed +[PASS] 7.2 - Ensure the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled) +[PASS] 7.3 - Ensure swarm services are binded to a specific host interface (Swarm mode not enabled) +[PASS] 7.4 - Ensure data exchanged between containers are encrypted on different nodes on the overlay network +[PASS] 7.5 - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster (Swarm mode not enabled) +[PASS] 7.6 - Ensure swarm manager is run in auto-lock mode (Swarm mode not enabled) +[PASS] 7.7 - Ensure swarm manager auto-lock key is rotated periodically (Swarm mode not enabled) +[PASS] 7.8 - Ensure node certificates are rotated as appropriate (Swarm mode not enabled) +[PASS] 7.9 - Ensure CA certificates are rotated as appropriate (Swarm mode not enabled) +[PASS] 7.10 - Ensure management plane traffic has been separated from data plane traffic (Swarm mode not enabled) + +[INFO] Checks: 105 +[INFO] Score: 16 diff --git a/labs/lab7/scanning/dockle-results.txt b/labs/lab7/scanning/dockle-results.txt new file mode 100644 index 00000000..95b7c899 --- /dev/null +++ b/labs/lab7/scanning/dockle-results.txt @@ -0,0 +1,20 @@ +Unable to find image 'goodwithtech/dockle:latest' locally +latest: Pulling from goodwithtech/dockle +7b26c2f269ea: Pulling fs layer +d1a9c31cfbd5: Pulling fs layer +7b26c2f269ea: Download complete +7b26c2f269ea: Pull complete +d1a9c31cfbd5: Verifying Checksum +d1a9c31cfbd5: Download complete +d1a9c31cfbd5: Pull complete +Digest: sha256:eade932f793742de0aa8755406c7677cd7696f8675b6180926f7eeffa7abe6b9 +Status: Downloaded newer image for goodwithtech/dockle:latest +SKIP - DKL-LI-0001: Avoid empty password + * failed to detect etc/shadow,etc/master.passwd +INFO - CIS-DI-0005: Enable Content trust for Docker + * export DOCKER_CONTENT_TRUST=1 before docker pull/build +INFO - CIS-DI-0006: Add HEALTHCHECK instruction to the container image + * not found HEALTHCHECK statement +INFO - DKL-LI-0003: Only put necessary files + * unnecessary file : juice-shop/node_modules/micromatch/lib/.DS_Store + * unnecessary file : juice-shop/node_modules/extglob/lib/.DS_Store diff --git a/labs/lab7/scanning/scout-cves.txt b/labs/lab7/scanning/scout-cves.txt new file mode 100644 index 00000000..9b7926f4 --- /dev/null +++ b/labs/lab7/scanning/scout-cves.txt @@ -0,0 +1,1038 @@ + ✓ SBOM of image already cached, 1004 packages indexed + ✗ Detected 48 vulnerable packages with a total of 87 vulnerabilities + + +## Overview + + │ Analyzed Image +───────────────────┼────────────────────────────────────────── + Target │ bkimminich/juice-shop:v19.0.0 + digest │ 37cc73163c4c + platform │ linux/amd64 + provenance │ https://github.com/juice-shop/juice-shop + │ https://github.com/juice-shop/juice-shop/blob/36870cb + vulnerabilities │ 11C 65H 30M 5L 7? + size │ 172 MB + packages │ 1004 + + +## Packages and Vulnerabilities + + 4C 0H 1M 0L vm2 3.9.17 +pkg:npm/vm2@3.9.17 + + ✗ CRITICAL CVE-2026-22709 [Protection Mechanism Failure] + https://scout.docker.com/v/CVE-2026-22709?s=github&n=vm2&t=npm&vr=%3C%3D3.10.1 + Affected range : <=3.10.1 + Fixed version : 3.10.2 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2023-37903 [Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')] + https://scout.docker.com/v/CVE-2023-37903?s=github&n=vm2&t=npm&vr=%3C%3D3.9.19 + Affected range : <=3.9.19 + Fixed version : not fixed + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2023-37466 [Improper Control of Generation of Code ('Code Injection')] + https://scout.docker.com/v/CVE-2023-37466?s=github&n=vm2&t=npm&vr=%3C%3D3.9.19 + Affected range : <=3.9.19 + Fixed version : 3.10.0 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2023-32314 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')] + https://scout.docker.com/v/CVE-2023-32314?s=github&n=vm2&t=npm&vr=%3C3.9.18 + Affected range : <3.9.18 + Fixed version : 3.9.18 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ MEDIUM CVE-2023-32313 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')] + https://scout.docker.com/v/CVE-2023-32313?s=github&n=vm2&t=npm&vr=%3C3.9.18 + Affected range : <3.9.18 + Fixed version : 3.9.18 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 1C 4H 1M 0L node 22.18.0 +pkg:generic/node@22.18.0 + + ✗ CRITICAL CVE-2025-55130 + https://scout.docker.com/v/CVE-2025-55130?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ HIGH CVE-2026-21637 + https://scout.docker.com/v/CVE-2026-21637?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ HIGH CVE-2025-59466 + https://scout.docker.com/v/CVE-2025-59466?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ HIGH CVE-2025-59465 + https://scout.docker.com/v/CVE-2025-59465?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ HIGH CVE-2025-55131 + https://scout.docker.com/v/CVE-2025-55131?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ MEDIUM CVE-2025-55132 + https://scout.docker.com/v/CVE-2025-55132?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + + 1C 3H 1M 0L 1? lodash 2.4.2 +pkg:npm/lodash@2.4.2 + + ✗ CRITICAL CVE-2019-10744 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2019-10744?s=github&n=lodash&t=npm&vr=%3C4.17.12 + Affected range : <4.17.12 + Fixed version : 4.17.12 + CVSS Score : 9.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H + + ✗ HIGH CVE-2020-8203 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2020-8203?s=gitlab&n=lodash&t=npm&vr=%3C4.17.20 + Affected range : <4.17.20 + Fixed version : 4.17.20 + CVSS Score : 7.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H + + ✗ HIGH CVE-2021-23337 [Improper Neutralization of Special Elements used in a Command ('Command Injection')] + https://scout.docker.com/v/CVE-2021-23337?s=github&n=lodash&t=npm&vr=%3C4.17.21 + Affected range : <4.17.21 + Fixed version : 4.17.21 + CVSS Score : 7.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + + ✗ HIGH CVE-2018-16487 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2018-16487?s=github&n=lodash&t=npm&vr=%3C4.17.11 + Affected range : <4.17.11 + Fixed version : 4.17.11 + + ✗ MEDIUM CVE-2018-3721 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2018-3721?s=github&n=lodash&t=npm&vr=%3C4.17.5 + Affected range : <4.17.5 + Fixed version : 4.17.5 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N + + ✗ UNSPECIFIED GMS-2018-10 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2018-10?s=gitlab&n=lodash&t=npm&vr=%3C4.17.5 + Affected range : <4.17.5 + Fixed version : 4.17.5 + + + 1C 1H 2M 0L 1? jsonwebtoken 0.4.0 +pkg:npm/jsonwebtoken@0.4.0 + + ✗ CRITICAL CVE-2015-9235 [Improper Input Validation] + https://scout.docker.com/v/CVE-2015-9235?s=github&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + ✗ HIGH CVE-2022-23539 [Use of a Broken or Risky Cryptographic Algorithm] + https://scout.docker.com/v/CVE-2022-23539?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N + + ✗ MEDIUM CVE-2022-23540 [Improper Authentication] + https://scout.docker.com/v/CVE-2022-23540?s=github&n=jsonwebtoken&t=npm&vr=%3C9.0.0 + Affected range : <9.0.0 + Fixed version : 9.0.0 + CVSS Score : 6.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L + + ✗ MEDIUM CVE-2022-23541 [Improper Restriction of Security Token Assignment] + https://scout.docker.com/v/CVE-2022-23541?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 5.0 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L + + ✗ UNSPECIFIED GMS-2015-4 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2015-4?s=gitlab&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + + 1C 1H 2M 0L 1? jsonwebtoken 0.1.0 +pkg:npm/jsonwebtoken@0.1.0 + + ✗ CRITICAL CVE-2015-9235 [Improper Input Validation] + https://scout.docker.com/v/CVE-2015-9235?s=github&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + ✗ HIGH CVE-2022-23539 [Use of a Broken or Risky Cryptographic Algorithm] + https://scout.docker.com/v/CVE-2022-23539?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N + + ✗ MEDIUM CVE-2022-23540 [Improper Authentication] + https://scout.docker.com/v/CVE-2022-23540?s=github&n=jsonwebtoken&t=npm&vr=%3C9.0.0 + Affected range : <9.0.0 + Fixed version : 9.0.0 + CVSS Score : 6.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L + + ✗ MEDIUM CVE-2022-23541 [Improper Restriction of Security Token Assignment] + https://scout.docker.com/v/CVE-2022-23541?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 5.0 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L + + ✗ UNSPECIFIED GMS-2015-4 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2015-4?s=gitlab&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + + 1C 1H 0M 0L crypto-js 3.3.0 +pkg:npm/crypto-js@3.3.0 + + ✗ CRITICAL CVE-2023-46233 [Use of a Broken or Risky Cryptographic Algorithm] + https://scout.docker.com/v/CVE-2023-46233?s=github&n=crypto-js&t=npm&vr=%3C4.2.0 + Affected range : <4.2.0 + Fixed version : 4.2.0 + CVSS Score : 9.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N + + ✗ HIGH GMS-2020-4 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2020-4?s=gitlab&n=crypto-js&t=npm&vr=%3E%3D3.3.0%2C%3C4.0.0 + Affected range : >=3.3.0 + : <4.0.0 + Fixed version : 3.2.1, 4.0.0 + CVSS Score : 7.5 + CVSS Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P + + + 1C 0H 1M 0L minimist 0.2.4 +pkg:npm/minimist@0.2.4 + + ✗ CRITICAL CVE-2021-44906 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2021-44906?s=gitlab&n=minimist&t=npm&vr=%3C1.2.6 + Affected range : <1.2.6 + Fixed version : 1.2.6 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ MEDIUM CVE-2020-7598 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2020-7598?s=gitlab&n=minimist&t=npm&vr=%3C1.2.2 + Affected range : <1.2.2 + Fixed version : 1.2.2 + CVSS Score : 5.6 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L + + + 1C 0H 0M 0L marsdb 0.6.11 +pkg:npm/marsdb@0.6.11 + + ✗ CRITICAL GHSA-5mrr-rgp6-x4gr [Improper Neutralization of Special Elements used in a Command ('Command Injection')] + https://scout.docker.com/v/GHSA-5mrr-rgp6-x4gr?s=github&n=marsdb&t=npm&vr=%3E%3D0.0.0 + Affected range : >=0.0.0 + Fixed version : not fixed + + + 0C 6H 1M 0L tar 4.4.19 +pkg:npm/tar@4.4.19 + + ✗ HIGH CVE-2026-23950 [Improper Handling of Unicode Encoding] + https://scout.docker.com/v/CVE-2026-23950?s=github&n=tar&t=npm&vr=%3C%3D7.5.3 + Affected range : <=7.5.3 + Fixed version : 7.5.4 + CVSS Score : 8.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L + + ✗ HIGH CVE-2026-31802 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-31802?s=github&n=tar&t=npm&vr=%3C%3D7.5.10 + Affected range : <=7.5.10 + Fixed version : 7.5.11 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N + + ✗ HIGH CVE-2026-29786 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-29786?s=github&n=tar&t=npm&vr=%3C%3D7.5.9 + Affected range : <=7.5.9 + Fixed version : 7.5.10 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L + + ✗ HIGH CVE-2026-24842 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-24842?s=github&n=tar&t=npm&vr=%3C7.5.7 + Affected range : <7.5.7 + Fixed version : 7.5.7 + CVSS Score : 8.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N + + ✗ HIGH CVE-2026-23745 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-23745?s=github&n=tar&t=npm&vr=%3C%3D7.5.2 + Affected range : <=7.5.2 + Fixed version : 7.5.3 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N + + ✗ HIGH CVE-2026-26960 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-26960?s=github&n=tar&t=npm&vr=%3C7.5.8 + Affected range : <7.5.8 + Fixed version : 7.5.8 + CVSS Score : 7.1 + CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N + + ✗ MEDIUM CVE-2024-28863 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2024-28863?s=github&n=tar&t=npm&vr=%3C6.2.1 + Affected range : <6.2.1 + Fixed version : 6.2.1 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + + + 0C 6H 0M 0L tar 6.2.1 +pkg:npm/tar@6.2.1 + + ✗ HIGH CVE-2026-23950 [Improper Handling of Unicode Encoding] + https://scout.docker.com/v/CVE-2026-23950?s=github&n=tar&t=npm&vr=%3C%3D7.5.3 + Affected range : <=7.5.3 + Fixed version : 7.5.4 + CVSS Score : 8.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L + + ✗ HIGH CVE-2026-31802 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-31802?s=github&n=tar&t=npm&vr=%3C%3D7.5.10 + Affected range : <=7.5.10 + Fixed version : 7.5.11 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N + + ✗ HIGH CVE-2026-29786 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-29786?s=github&n=tar&t=npm&vr=%3C%3D7.5.9 + Affected range : <=7.5.9 + Fixed version : 7.5.10 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L + + ✗ HIGH CVE-2026-24842 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-24842?s=github&n=tar&t=npm&vr=%3C7.5.7 + Affected range : <7.5.7 + Fixed version : 7.5.7 + CVSS Score : 8.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N + + ✗ HIGH CVE-2026-23745 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-23745?s=github&n=tar&t=npm&vr=%3C%3D7.5.2 + Affected range : <=7.5.2 + Fixed version : 7.5.3 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N + + ✗ HIGH CVE-2026-26960 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-26960?s=github&n=tar&t=npm&vr=%3C7.5.8 + Affected range : <7.5.8 + Fixed version : 7.5.8 + CVSS Score : 7.1 + CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N + + + 0C 6H 0M 0L tar 7.4.3 +pkg:npm/tar@7.4.3 + + ✗ HIGH CVE-2026-23950 [Improper Handling of Unicode Encoding] + https://scout.docker.com/v/CVE-2026-23950?s=github&n=tar&t=npm&vr=%3C%3D7.5.3 + Affected range : <=7.5.3 + Fixed version : 7.5.4 + CVSS Score : 8.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L + + ✗ HIGH CVE-2026-31802 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-31802?s=github&n=tar&t=npm&vr=%3C%3D7.5.10 + Affected range : <=7.5.10 + Fixed version : 7.5.11 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N + + ✗ HIGH CVE-2026-29786 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-29786?s=github&n=tar&t=npm&vr=%3C%3D7.5.9 + Affected range : <=7.5.9 + Fixed version : 7.5.10 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L + + ✗ HIGH CVE-2026-24842 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-24842?s=github&n=tar&t=npm&vr=%3C7.5.7 + Affected range : <7.5.7 + Fixed version : 7.5.7 + CVSS Score : 8.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N + + ✗ HIGH CVE-2026-23745 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-23745?s=github&n=tar&t=npm&vr=%3C%3D7.5.2 + Affected range : <=7.5.2 + Fixed version : 7.5.3 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N + + ✗ HIGH CVE-2026-26960 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-26960?s=github&n=tar&t=npm&vr=%3C7.5.8 + Affected range : <7.5.8 + Fixed version : 7.5.8 + CVSS Score : 7.1 + CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N + + + 0C 4H 0M 0L multer 1.4.5-lts.2 +pkg:npm/multer@1.4.5-lts.2 + + ✗ HIGH CVE-2026-3520 [Uncontrolled Recursion] + https://scout.docker.com/v/CVE-2026-3520?s=github&n=multer&t=npm&vr=%3C2.1.1 + Affected range : <2.1.1 + Fixed version : 2.1.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-3304 [Incomplete Cleanup] + https://scout.docker.com/v/CVE-2026-3304?s=github&n=multer&t=npm&vr=%3C2.1.0 + Affected range : <2.1.0 + Fixed version : 2.1.0 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-2359 [Missing Release of Resource after Effective Lifetime] + https://scout.docker.com/v/CVE-2026-2359?s=github&n=multer&t=npm&vr=%3C2.1.0 + Affected range : <2.1.0 + Fixed version : 2.1.0 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2025-47935 [Missing Release of Memory after Effective Lifetime] + https://scout.docker.com/v/CVE-2025-47935?s=github&n=multer&t=npm&vr=%3C2.0.0 + Affected range : <2.0.0 + Fixed version : 2.0.0 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 5.1.6 +pkg:npm/minimatch@5.1.6 + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3E%3D5.0.0%2C%3C5.1.7 + Affected range : >=5.0.0 + : <5.1.7 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3E%3D5.0.0%2C%3C5.1.8 + Affected range : >=5.0.0 + : <5.1.8 + Fixed version : 5.1.8 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3E%3D5.0.0%2C%3C5.1.8 + Affected range : >=5.0.0 + : <5.1.8 + Fixed version : 5.1.8 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 3.0.5 +pkg:npm/minimatch@3.0.5 + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3C3.1.4 + Affected range : <3.1.4 + Fixed version : 3.1.4 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 3.1.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 3.1.2 +pkg:npm/minimatch@3.1.2 + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3C3.1.4 + Affected range : <3.1.4 + Fixed version : 3.1.4 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 3.1.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 3.0.8 +pkg:npm/minimatch@3.0.8 + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3C3.1.4 + Affected range : <3.1.4 + Fixed version : 3.1.4 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 3.1.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 9.0.5 +pkg:npm/minimatch@9.0.5 + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3E%3D9.0.0%2C%3C9.0.6 + Affected range : >=9.0.0 + : <9.0.6 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3E%3D9.0.0%2C%3C9.0.7 + Affected range : >=9.0.0 + : <9.0.7 + Fixed version : 9.0.7 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3E%3D9.0.0%2C%3C9.0.7 + Affected range : >=9.0.0 + : <9.0.7 + Fixed version : 9.0.7 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 2H 1M 0L 1? moment 2.0.0 +pkg:npm/moment@2.0.0 + + ✗ HIGH CVE-2022-24785 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2022-24785?s=github&n=moment&t=npm&vr=%3C2.29.2 + Affected range : <2.29.2 + Fixed version : 2.29.2 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + + ✗ HIGH CVE-2017-18214 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2017-18214?s=github&n=moment&t=npm&vr=%3C2.19.3 + Affected range : <2.19.3 + Fixed version : 2.19.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ MEDIUM CVE-2016-4055 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2016-4055?s=github&n=moment&t=npm&vr=%3C2.11.2 + Affected range : <2.11.2 + Fixed version : 2.11.2 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + + ✗ UNSPECIFIED GMS-2017-332 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2017-332?s=gitlab&n=moment&t=npm&vr=%3C2.19.3 + Affected range : <2.19.3 + Fixed version : 2.19.3 + + + 0C 2H 0M 0L 1? jws 0.2.6 +pkg:npm/jws@0.2.6 + + ✗ HIGH CVE-2016-1000223 + https://scout.docker.com/v/CVE-2016-1000223?s=github&n=jws&t=npm&vr=%3C3.0.0 + Affected range : <3.0.0 + Fixed version : 3.0.0 + CVSS Score : 8.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N + + ✗ HIGH CVE-2025-65945 [Improper Verification of Cryptographic Signature] + https://scout.docker.com/v/CVE-2025-65945?s=github&n=jws&t=npm&vr=%3C3.2.3 + Affected range : <3.2.3 + Fixed version : 3.2.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + + ✗ UNSPECIFIED GMS-2016-54 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2016-54?s=gitlab&n=jws&t=npm&vr=%3C3.0.0 + Affected range : <3.0.0 + Fixed version : 3.0.0 + + + 0C 1H 6M 0L 2? sanitize-html 1.4.2 +pkg:npm/sanitize-html@1.4.2 + + ✗ HIGH CVE-2022-25887 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2022-25887?s=github&n=sanitize-html&t=npm&vr=%3C2.7.1 + Affected range : <2.7.1 + Fixed version : 2.7.1 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ MEDIUM CVE-2019-25225 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2019-25225?s=github&n=sanitize-html&t=npm&vr=%3C2.0.0-beta + Affected range : <2.0.0-beta + Fixed version : 2.0.0-beta + CVSS Score : 6.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + + ✗ MEDIUM CVE-2016-1000237 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2016-1000237?s=github&n=sanitize-html&t=npm&vr=%3C1.4.3 + Affected range : <1.4.3 + Fixed version : 1.4.3 + CVSS Score : 6.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + + ✗ MEDIUM CVE-2024-21501 [Exposure of Sensitive Information to an Unauthorized Actor] + https://scout.docker.com/v/CVE-2024-21501?s=github&n=sanitize-html&t=npm&vr=%3C2.12.1 + Affected range : <2.12.1 + Fixed version : 2.12.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + + ✗ MEDIUM CVE-2021-26540 [Improper Input Validation] + https://scout.docker.com/v/CVE-2021-26540?s=github&n=sanitize-html&t=npm&vr=%3C2.3.2 + Affected range : <2.3.2 + Fixed version : 2.3.2 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + ✗ MEDIUM CVE-2021-26539 [Improper Input Validation] + https://scout.docker.com/v/CVE-2021-26539?s=github&n=sanitize-html&t=npm&vr=%3C2.3.1 + Affected range : <2.3.1 + Fixed version : 2.3.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + ✗ MEDIUM CVE-2017-16016 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2017-16016?s=github&n=sanitize-html&t=npm&vr=%3C%3D1.11.1 + Affected range : <=1.11.1 + Fixed version : 1.11.4 + + ✗ UNSPECIFIED GMS-2016-57 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2016-57?s=gitlab&n=sanitize-html&t=npm&vr=%3C%3D1.4.2 + Affected range : <=1.4.2 + Fixed version : 1.4.3 + + ✗ UNSPECIFIED GMS-2016-17 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2016-17?s=gitlab&n=sanitize-html&t=npm&vr=%3C1.11.4 + Affected range : <1.11.4 + Fixed version : 1.11.4 + + + 0C 1H 1M 0L validator 13.15.15 +pkg:npm/validator@13.15.15 + + ✗ HIGH CVE-2025-12758 [Encoding Error] + https://scout.docker.com/v/CVE-2025-12758?s=github&n=validator&t=npm&vr=%3C13.15.22 + Affected range : <13.15.22 + Fixed version : 13.15.22 + CVSS Score : 7.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P + + ✗ MEDIUM CVE-2025-56200 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2025-56200?s=github&n=validator&t=npm&vr=%3C13.15.20 + Affected range : <13.15.20 + Fixed version : 13.15.20 + CVSS Score : 6.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + + + 0C 1H 1M 0L socket.io-parser 4.0.5 +pkg:npm/socket.io-parser@4.0.5 + + ✗ HIGH CVE-2026-33151 [Improper Check for Unusual or Exceptional Conditions] + https://scout.docker.com/v/CVE-2026-33151?s=github&n=socket.io-parser&t=npm&vr=%3E%3D4.0.0%2C%3C4.2.6 + Affected range : >=4.0.0 + : <4.2.6 + Fixed version : 4.2.6 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ MEDIUM CVE-2023-32695 [Improper Input Validation] + https://scout.docker.com/v/CVE-2023-32695?s=github&n=socket.io-parser&t=npm&vr=%3E%3D4.0.4%2C%3C4.2.3 + Affected range : >=4.0.4 + : <4.2.3 + Fixed version : 4.2.3 + CVSS Score : 6.9 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N + + + 0C 1H 1M 0L socket.io 3.1.2 +pkg:npm/socket.io@3.1.2 + + ✗ HIGH GHSA-25hc-qcg6-38wj [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GHSA-25hc-qcg6-38wj?s=gitlab&n=socket.io&t=npm&vr=%3E%3D3.0.0%2C%3C4.6.2 + Affected range : >=3.0.0 + : <4.6.2 + Fixed version : 2.5.1, 4.6.2 + CVSS Score : 7.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L + + ✗ MEDIUM CVE-2024-38355 [Improper Input Validation] + https://scout.docker.com/v/CVE-2024-38355?s=github&n=socket.io&t=npm&vr=%3E%3D3.0.0%2C%3C4.6.2 + Affected range : >=3.0.0 + : <4.6.2 + Fixed version : 4.6.2 + CVSS Score : 6.9 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N + + + 0C 1H 0M 0L ws 7.4.6 +pkg:npm/ws@7.4.6 + + ✗ HIGH CVE-2024-37890 [NULL Pointer Dereference] + https://scout.docker.com/v/CVE-2024-37890?s=github&n=ws&t=npm&vr=%3E%3D7.0.0%2C%3C7.5.10 + Affected range : >=7.0.0 + : <7.5.10 + Fixed version : 7.5.10 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + + 0C 1H 0M 0L ip 2.0.1 +pkg:npm/ip@2.0.1 + + ✗ HIGH CVE-2024-29415 [Server-Side Request Forgery (SSRF)] + https://scout.docker.com/v/CVE-2024-29415?s=github&n=ip&t=npm&vr=%3C%3D2.0.1 + Affected range : <=2.0.1 + Fixed version : not fixed + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + + + 0C 1H 0M 0L sequelize 6.37.7 +pkg:npm/sequelize@6.37.7 + + ✗ HIGH CVE-2026-30951 [Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')] + https://scout.docker.com/v/CVE-2026-30951?s=github&n=sequelize&t=npm&vr=%3E%3D6.0.0-beta.1%2C%3C%3D6.37.7 + Affected range : >=6.0.0-beta.1 + : <=6.37.7 + Fixed version : 6.37.8 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + + + 0C 1H 0M 0L mout 1.2.4 +pkg:npm/mout@1.2.4 + + ✗ HIGH CVE-2020-7792 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2020-7792?s=gitlab&n=mout&t=npm&vr=%3E%3D0 + Affected range : >=0 + Fixed version : not fixed + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 1H 0M 0L http-cache-semantics 3.8.1 +pkg:npm/http-cache-semantics@3.8.1 + + ✗ HIGH CVE-2022-25881 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2022-25881?s=github&n=http-cache-semantics&t=npm&vr=%3C4.1.1 + Affected range : <4.1.1 + Fixed version : 4.1.1 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 1H 0M 0L glob 10.4.5 +pkg:npm/glob@10.4.5 + + ✗ HIGH CVE-2025-64756 [Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')] + https://scout.docker.com/v/CVE-2025-64756?s=github&n=glob&t=npm&vr=%3E%3D10.2.0%2C%3C10.5.0 + Affected range : >=10.2.0 + : <10.5.0 + Fixed version : 11.1.0 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H + + + 0C 1H 0M 0L lodash.set 4.3.2 +pkg:npm/lodash.set@4.3.2 + + ✗ HIGH CVE-2020-8203 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2020-8203?s=github&n=lodash.set&t=npm&vr=%3E%3D3.7.0%2C%3C%3D4.3.2 + Affected range : >=3.7.0 + : <=4.3.2 + Fixed version : not fixed + CVSS Score : 7.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H + + + 0C 1H 0M 0L express-jwt 0.1.3 +pkg:npm/express-jwt@0.1.3 + + ✗ HIGH CVE-2020-15084 [Improper Authorization] + https://scout.docker.com/v/CVE-2020-15084?s=github&n=express-jwt&t=npm&vr=%3C%3D5.3.3 + Affected range : <=5.3.3 + Fixed version : 6.0.0 + CVSS Score : 7.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N + + + 0C 1H 0M 0L braces 2.3.2 +pkg:npm/braces@2.3.2 + + ✗ HIGH CVE-2024-4068 [Excessive Platform Resource Consumption within a Loop] + https://scout.docker.com/v/CVE-2024-4068?s=github&n=braces&t=npm&vr=%3C3.0.3 + Affected range : <3.0.3 + Fixed version : 3.0.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 1H 0M 0L tar-fs 2.1.3 +pkg:npm/tar-fs@2.1.3 + + ✗ HIGH CVE-2025-59343 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2025-59343?s=github&n=tar-fs&t=npm&vr=%3E%3D2.0.0%2C%3C2.1.4 + Affected range : >=2.0.0 + : <2.1.4 + Fixed version : 2.1.4 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N + + + 0C 0H 1M 1L qs 6.13.0 +pkg:npm/qs@6.13.0 + + ✗ MEDIUM CVE-2025-15284 [Improper Input Validation] + https://scout.docker.com/v/CVE-2025-15284?s=github&n=qs&t=npm&vr=%3C6.14.1 + Affected range : <6.14.1 + Fixed version : 6.14.1 + CVSS Score : 6.3 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L + + ✗ LOW CVE-2026-2391 [Improper Input Validation] + https://scout.docker.com/v/CVE-2026-2391?s=github&n=qs&t=npm&vr=%3E%3D6.7.0%2C%3C%3D6.14.1 + Affected range : >=6.7.0 + : <=6.14.1 + Fixed version : 6.14.2 + CVSS Score : 3.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L + + + 0C 0H 1M 0L hbs 4.2.0 +pkg:npm/hbs@4.2.0 + + ✗ MEDIUM CVE-2021-32822 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2021-32822?s=gitlab&n=hbs&t=npm&vr=%3E%3D0 + Affected range : >=0 + Fixed version : not fixed + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + + + 0C 0H 1M 0L base64url 0.0.6 +pkg:npm/base64url@0.0.6 + + ✗ MEDIUM GHSA-rvg8-pwq2-xj7q [Out-of-bounds Read] + https://scout.docker.com/v/GHSA-rvg8-pwq2-xj7q?s=github&n=base64url&t=npm&vr=%3C3.0.0 + Affected range : <3.0.0 + Fixed version : 3.0.0 + + + 0C 0H 1M 0L js-yaml 3.14.1 +pkg:npm/js-yaml@3.14.1 + + ✗ MEDIUM CVE-2025-64718 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2025-64718?s=github&n=js-yaml&t=npm&vr=%3C3.14.2 + Affected range : <3.14.2 + Fixed version : 4.1.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 0C 0H 1M 0L file-type 16.5.4 +pkg:npm/file-type@16.5.4 + + ✗ MEDIUM CVE-2026-31808 [Loop with Unreachable Exit Condition ('Infinite Loop')] + https://scout.docker.com/v/CVE-2026-31808?s=github&n=file-type&t=npm&vr=%3E%3D13.0.0%2C%3C21.3.1 + Affected range : >=13.0.0 + : <21.3.1 + Fixed version : 21.3.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + + + 0C 0H 1M 0L lodash 4.17.21 +pkg:npm/lodash@4.17.21 + + ✗ MEDIUM CVE-2025-13465 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2025-13465?s=github&n=lodash&t=npm&vr=%3E%3D4.0.0%2C%3C%3D4.17.22 + Affected range : >=4.0.0 + : <=4.17.22 + Fixed version : 4.17.23 + CVSS Score : 6.9 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P + + + 0C 0H 1M 0L engine.io 4.1.2 +pkg:npm/engine.io@4.1.2 + + ✗ MEDIUM CVE-2022-41940 [Uncaught Exception] + https://scout.docker.com/v/CVE-2022-41940?s=github&n=engine.io&t=npm&vr=%3E%3D4.0.0%2C%3C6.2.1 + Affected range : >=4.0.0 + : <6.2.1 + Fixed version : 6.2.1 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + + + 0C 0H 1M 0L got 8.3.2 +pkg:npm/got@8.3.2 + + ✗ MEDIUM CVE-2022-33987 + https://scout.docker.com/v/CVE-2022-33987?s=github&n=got&t=npm&vr=%3C11.8.5 + Affected range : <11.8.5 + Fixed version : 11.8.5 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 0C 0H 1M 0L dottie 2.0.6 +pkg:npm/dottie@2.0.6 + + ✗ MEDIUM CVE-2026-27837 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2026-27837?s=github&n=dottie&t=npm&vr=%3E%3D2.0.4%2C%3C%3D2.0.6 + Affected range : >=2.0.4 + : <=2.0.6 + Fixed version : 2.0.7 + CVSS Score : 6.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L + + + 0C 0H 1M 0L micromatch 3.1.10 +pkg:npm/micromatch@3.1.10 + + ✗ MEDIUM CVE-2024-4067 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2024-4067?s=github&n=micromatch&t=npm&vr=%3C4.0.8 + Affected range : <4.0.8 + Fixed version : 4.0.8 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + + + 0C 0H 1M 0L notevil 1.3.3 +pkg:npm/notevil@1.3.3 + + ✗ MEDIUM CVE-2021-23771 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2021-23771?s=github&n=notevil&t=npm&vr=%3C%3D1.3.3 + Affected range : <=1.3.3 + Fixed version : not fixed + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N + + + 0C 0H 0M 1L diff 4.0.2 +pkg:npm/diff@4.0.2 + + ✗ LOW CVE-2026-24001 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-24001?s=github&n=diff&t=npm&vr=%3E%3D4.0.0%2C%3C4.0.4 + Affected range : >=4.0.0 + : <4.0.4 + Fixed version : 4.0.4 + CVSS Score : 2.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U + + + 0C 0H 0M 1L cookie 0.4.2 +pkg:npm/cookie@0.4.2 + + ✗ LOW CVE-2024-47764 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')] + https://scout.docker.com/v/CVE-2024-47764?s=github&n=cookie&t=npm&vr=%3C0.7.0 + Affected range : <0.7.0 + Fixed version : 0.7.0 + + + 0C 0H 0M 1L @tootallnate/once 2.0.0 +pkg:npm/%40tootallnate/once@2.0.0 + + ✗ LOW CVE-2026-3449 [Incorrect Control Flow Scoping] + https://scout.docker.com/v/CVE-2026-3449?s=github&n=once&ns=%40tootallnate&t=npm&vr=%3C3.0.1 + Affected range : <3.0.1 + Fixed version : 3.0.1 + CVSS Score : 1.9 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P + + + 0C 0H 0M 1L @tootallnate/once 1.1.2 +pkg:npm/%40tootallnate/once@1.1.2 + + ✗ LOW CVE-2026-3449 [Incorrect Control Flow Scoping] + https://scout.docker.com/v/CVE-2026-3449?s=github&n=once&ns=%40tootallnate&t=npm&vr=%3C3.0.1 + Affected range : <3.0.1 + Fixed version : 3.0.1 + CVSS Score : 1.9 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P + + + +118 vulnerabilities found in 48 packages + CRITICAL 11 + HIGH 65 + MEDIUM 30 + LOW 5 + UNSPECIFIED 7 + + +What's next: + View base image update recommendations → docker scout recommendations bkimminich/juice-shop:v19.0.0 + diff --git a/labs/lab7/scanning/snyk-results.txt b/labs/lab7/scanning/snyk-results.txt new file mode 100644 index 00000000..8dbd80eb --- /dev/null +++ b/labs/lab7/scanning/snyk-results.txt @@ -0,0 +1,12 @@ + + ERROR Authentication error (SNYK-0005) + Authentication credentials not recognized, or user access is not provisioned. + Revise credentials and try again, or request access from your Snyk + administrator. + + Use `snyk auth` to authenticate. + +Status: 401 Unauthorized +Docs: https://docs.snyk.io/scan-with-snyk/error-catalog#snyk-0005 + +ID: urn:snyk:interaction:74fa04a1-0b52-4c58-bef1-4e3600fbde38 diff --git a/labs/submission7.md b/labs/submission7.md new file mode 100644 index 00000000..3f33ca5b --- /dev/null +++ b/labs/submission7.md @@ -0,0 +1,201 @@ +# Lab 7 Submission — Container Security: Image Scanning & Deployment Hardening + +## Task 1 — Image Vulnerability & Configuration Analysis + +### 1.1 Top 5 Critical/High Vulnerabilities (Docker Scout) + +Target image: `bkimminich/juice-shop:v19.0.0` +Total findings: **118 vulnerabilities** in 48 packages — CRITICAL: 11, HIGH: 65, MEDIUM: 30, LOW: 5, UNSPECIFIED: 7 + +| # | CVE ID | Package | Severity | CVSS | Impact | +|---|--------|---------|----------|------|--------| +| 1 | CVE-2026-22709 | vm2 ≤3.10.1 | CRITICAL | 9.8 | Protection Mechanism Failure — allows sandbox escape; attacker can execute arbitrary code on the host | +| 2 | CVE-2023-37466 | vm2 ≤3.9.19 | CRITICAL | 9.8 | Code Injection via async generator — full sandbox breakout enabling RCE | +| 3 | CVE-2023-37903 | vm2 ≤3.9.19 | CRITICAL | 9.8 | OS Command Injection via custom inspect function — unauthenticated RCE | +| 4 | CVE-2019-10744 | lodash <4.17.12 | CRITICAL | 9.1 | Prototype Pollution — allows attackers to modify `Object.prototype`, leading to privilege escalation or DoS | +| 5 | CVE-2023-46233 | crypto-js <4.2.0 | CRITICAL | 9.1 | Broken Cryptographic Algorithm — PBKDF2 implementation computes only 1 iteration instead of the configured count, drastically weakening password hashing | + +**Additionally notable:** CVE-2023-32314 (vm2 <3.9.18, CRITICAL 9.8) — Sandbox escape via Proxy objects; CVE-2015-9235 (jsonwebtoken <4.2.2, CRITICAL) — JWT algorithm confusion allowing authentication bypass. + +### 1.2 Dockle Configuration Findings + +Dockle scan results for `bkimminich/juice-shop:v19.0.0`: + +| Level | ID | Finding | Security Concern | +|-------|----|---------|-----------------| +| INFO | CIS-DI-0005 | `DOCKER_CONTENT_TRUST` not enabled | Without content trust, Docker does not verify image signatures. A compromised registry or MITM attack could substitute a malicious image silently | +| INFO | CIS-DI-0006 | No `HEALTHCHECK` instruction in Dockerfile | Without a health check, Docker cannot detect application-level failures. A crashed or compromised process continues to receive traffic with no automated recovery | +| INFO | DKL-LI-0003 | Unnecessary `.DS_Store` files in node_modules | macOS metadata files leak directory structure information and inflate image size. Indicates non-reproducible builds with developer machine artifacts | +| SKIP | DKL-LI-0001 | Could not detect `/etc/shadow` | Shadow file is absent or not parseable — dockle cannot verify password policies | + +**No FATAL findings** were detected — the image does not expose secrets in ENV vars and does not run an obvious root shell as entrypoint at the Dockerfile level. + +### 1.3 Security Posture Assessment + +**Does the image run as root?** +Yes. Docker Scout and CIS Benchmark (check 4.1) confirm the container process runs as `root` (UID 0). The Dockerfile does not include a `USER` directive to drop privileges before starting Node.js. + +**Recommended security improvements:** + +1. **Add a non-root user** — Add `RUN addgroup -S appgroup && adduser -S appuser -G appgroup` and `USER appuser` in the Dockerfile. Running as root means any RCE vulnerability gives the attacker full container root privileges. +2. **Update vm2** — The vm2 package has multiple CRITICAL CVEs with no fix (the project is abandoned). Replace with a maintained sandbox alternative such as `isolated-vm`. +3. **Update lodash** — Upgrade to ≥4.17.21 to patch prototype pollution vulnerabilities. +4. **Update crypto-js** — Upgrade to ≥4.2.0 to fix the broken PBKDF2 implementation. +5. **Add HEALTHCHECK** — Add `HEALTHCHECK --interval=30s --timeout=10s CMD curl -f http://localhost:3000 || exit 1` to enable automated health monitoring. +6. **Enable content trust** — Set `DOCKER_CONTENT_TRUST=1` in CI/CD pipelines to enforce image signature verification. + +--- + +## Task 2 — Docker Host Security Benchmarking + +### 2.1 CIS Docker Benchmark Summary + +Tool: `docker/docker-bench-security` +Total checks: **105** + +| Status | Count | +|--------|-------| +| PASS | 41 | +| WARN | 42 | +| INFO | 79 | +| NOTE | 10 | +| FAIL | 0 | + +Score: **16** (out of 112) + +### 2.2 Analysis of Key Warnings + +| Section | Check | Warning | Security Impact | Remediation | +|---------|-------|---------|-----------------|-------------| +| 1 — Host Config | 1.1 | No separate partition for `/var/lib/docker` | If the Docker data directory fills the root partition, the host OS can crash (DoS). Containers can also escape isolation via filesystem exhaustion | Create a dedicated LVM partition or use `--data-root` pointing to a separate disk | +| 1 — Host Config | 1.5 | Docker daemon not audited with `auditd` | Without audit logging, attacker activity on the Docker daemon (container starts, image pulls, exec commands) leaves no forensic trace | Add `/usr/bin/dockerd` to `/etc/audit/rules.d/docker.rules` | +| 2 — Daemon Config | 2.1 | Inter-container traffic not restricted on default bridge | Containers on the default bridge can communicate freely, allowing lateral movement if one container is compromised | Set `"icc": false` in `/etc/docker/daemon.json` | +| 2 — Daemon Config | 2.8 | User namespace support disabled | All containers share the host's UID namespace; root inside the container maps to root on the host. A container breakout immediately gives host root | Enable `"userns-remap": "default"` in `/etc/docker/daemon.json` | +| 2 — Daemon Config | 2.11 | No authorization plugin enabled | Any user with Docker socket access has unrestricted API access — equivalent to root | Install and configure an authorization plugin (e.g., `opa-docker-authz`) | +| 2 — Daemon Config | 2.18 | Containers not globally restricted from acquiring new privileges | Without `--no-new-privileges`, processes inside containers can use `setuid` binaries to gain elevated capabilities | Set `"no-new-privileges": true` in `daemon.json` | +| 4 — Images | 4.1 | `ml-app` container running as root | Root in container = near-root on host if kernel namespace is escaped | Add `USER` directive to `deployment-app` Dockerfile | +| 5 — Container Runtime | 5.10/5.11 | `ml-app` has no memory/CPU limits | Unbounded resource use enables DoS attacks; a compromised container can exhaust host resources | Add `--memory=1g --cpus=2.0` to `ml-app` startup | +| 5 — Container Runtime | 5.25 | `ml-app` not restricted from acquiring additional privileges | Suid/sgid binaries inside the container can escalate privileges | Start with `--security-opt=no-new-privileges` | + +**Overall assessment:** The Docker host has no critical failures (FAIL: 0), but has 42 warnings covering daemon hardening, user namespace isolation, and runtime restrictions. The primary risks are the disabled user namespace support (2.8) and unrestricted inter-container communication (2.1). + +--- + +## Task 3 — Deployment Security Configuration Analysis + +### 3.1 Configuration Comparison Table + +> Note: `--cap-drop=ALL` alone caused `exec /nodejs/bin/node: operation not permitted` (exit 255) because the default seccomp profile blocked syscalls required for startup. The hardened profile used `seccomp=unconfined` to isolate that variable; the production profile used the default seccomp (without `seccomp=default` file path, which requires a file argument on this Docker version) and added back only minimum necessary capabilities. + +| Parameter | juice-default | juice-hardened | juice-production | +|-----------|:-------------:|:--------------:|:----------------:| +| **Port** | 3001 | 3002 | 3003 | +| **CapDrop** | — | ALL | ALL | +| **CapAdd** | (full default set) | CHOWN, DAC_OVERRIDE, FOWNER, NET_BIND_SERVICE, SETGID, SETUID | CHOWN, DAC_OVERRIDE, FOWNER, NET_BIND_SERVICE, SETGID, SETUID | +| **SecurityOpt** | — | `seccomp=unconfined` | — (default seccomp) | +| **no-new-privileges** | No | No | No | +| **Memory limit** | Unlimited | 512 MiB | 512 MiB | +| **Memory swap** | Unlimited | 1024 MiB | 512 MiB (swap disabled) | +| **CPUs** | Unlimited | 1.0 | 1.0 | +| **PIDs limit** | Unlimited | Unlimited | 100 | +| **Restart policy** | no | no | on-failure (max 3) | +| **HTTP response** | 200 OK | 200 OK | 200 OK | +| **Memory usage** | ~101 MiB / 15 GiB (0.6%) | ~92 MiB / 512 MiB (18%) | ~91 MiB / 512 MiB (18%) | + +### 3.2 Security Measure Analysis + +#### a) `--cap-drop=ALL` and `--cap-add=NET_BIND_SERVICE` + +**What are Linux capabilities?** +Linux capabilities are fine-grained units of root privilege. Instead of an all-or-nothing root account, the kernel breaks root's power into ~40 individual capabilities (e.g., `CAP_NET_BIND_SERVICE` to bind ports below 1024, `CAP_CHOWN` to change file ownership, `CAP_SYS_PTRACE` to trace processes). A process can hold only the capabilities it needs. + +**What attack vector does `--cap-drop=ALL` prevent?** +By default, Docker containers start with a set of ~14 capabilities. If an attacker achieves RCE inside a container, they inherit all of these. Capabilities like `CAP_NET_RAW` allow ARP spoofing and packet sniffing across the host network; `CAP_SYS_ADMIN` can be used to mount filesystems or escape the container namespace. Dropping ALL removes the entire attack surface. + +**Why add back `NET_BIND_SERVICE`?** +The Juice Shop application listens on port 3000 (>1024), so `NET_BIND_SERVICE` is not strictly required here. However, in production scenarios where an application needs to bind port 80/443 directly, this capability is required. Without it, the bind syscall returns `EACCES`. + +**Security trade-off:** +Dropping all capabilities greatly reduces the blast radius of container compromise but may break applications that rely on capabilities for legitimate operations (e.g., ping requires `CAP_NET_RAW`, setuid binaries need `CAP_SETUID`). Capability requirements must be determined per application. + +#### b) `--security-opt=no-new-privileges` + +**What does this flag do?** +It sets the `PR_SET_NO_NEW_PRIVS` bit on the container init process, which is inherited by all child processes. This prevents any process from gaining new privileges via `execve()`, even if the executed binary has the setuid or setgid bit set. + +**What type of attack does it prevent?** +Privilege escalation via setuid binaries. Without this flag, an attacker who achieves code execution as a low-privileged user inside a container could run a setuid-root binary (e.g., `/usr/bin/sudo`, `/usr/bin/newgrp`) to gain root privileges within the container, and potentially leverage those to escape to the host. + +**Downsides:** +Applications that legitimately use setuid binaries will break. In this lab, combining `--cap-drop=ALL` with `--no-new-privileges` caused Juice Shop's startup to fail (`exec /nodejs/bin/node: operation not permitted`) because the image entrypoint changes the effective UID at startup. Diagnosis: the image runs as root and uses a privilege-transition mechanism incompatible with `no-new-privileges` under a fully stripped capability set. + +#### c) `--memory=512m` and `--cpus=1.0` + +**What happens without resource limits?** +A container without memory limits can consume all available host RAM, causing the OOM killer to terminate other processes — including the Docker daemon or other containers. Without CPU limits, a single container can monopolize all CPU cores. + +**What attack does memory limiting prevent?** +Memory exhaustion (DoS) attacks. If an attacker injects a payload that causes unbounded memory allocation (e.g., a billion laughs XML attack, large file upload loops), an unrestricted container crashes the entire host. With a 512 MiB limit, only that container is affected. + +**Risk of limits too low:** +If the limit is below the application's working memory footprint, the container is OOM-killed repeatedly, causing service unavailability — a self-inflicted DoS. Limits should be set ~20-30% above the observed peak memory usage under load. + +#### d) `--pids-limit=100` + +**What is a fork bomb?** +A fork bomb is a program that recursively creates child processes (e.g., `:(){ :|:& };:` in bash) until process table exhaustion causes the host to hang. A single container without a PID limit can fork thousands of processes, starving the kernel's process table. + +**How does PID limiting help?** +`--pids-limit=100` caps the total number of processes and threads inside the container. Once the limit is reached, `fork()` returns `EAGAIN`. The attack is contained to 100 processes maximum, leaving the host and other containers functional. + +**How to determine the right limit?** +Use `docker stats --format "{{.PIDs}}"` during normal operation under load. Set the limit to 2–3x the observed peak PID count to allow for burst workloads without leaving headroom for a fork bomb. + +#### e) `--restart=on-failure:3` + +**What does this policy do?** +Docker automatically restarts the container when the main process exits with a non-zero exit code. The `:3` suffix limits automatic restarts to 3 attempts before Docker stops retrying. + +**When is auto-restart beneficial? When is it risky?** +- **Beneficial:** Transient failures (OOM kill, temporary network loss, database connection timeout) are recovered automatically without operator intervention. Improves availability SLOs. +- **Risky:** If the container is repeatedly crashing due to a bug or active exploitation, `always` restarts perpetuate the crash loop without investigation. The `:3` limit prevents infinite restart loops. Additionally, if an attacker deliberately crashes the container to trigger a restart with a different environment state, unlimited restarts enable a timing attack. + +**`on-failure` vs `always`:** +`always` restarts on *any* exit, including exit code 0 (clean shutdown), and also restarts the container when the Docker daemon starts (survives reboots). `on-failure` only restarts on non-zero exits and does not restart if the process exited cleanly or if Docker was explicitly told to stop the container. For production, `on-failure:3` is safer — it does not restart intentional shutdowns and has an automatic circuit breaker. + +### 3.3 Critical Thinking Questions + +**1. Which profile for DEVELOPMENT? Why?** +**juice-default** — Development requires maximum flexibility: mounting host directories, using a debugger (`--cap-add=SYS_PTRACE`), running tools that need extra permissions. Security restrictions in development slow down iteration and cause hard-to-diagnose failures (as seen when `--cap-drop=ALL` broke startup). Security hardening should be validated in a staging environment, not during active development. + +**2. Which profile for PRODUCTION? Why?** +**juice-production** — It applies the principle of least privilege (minimal capabilities), resource limits (prevents DoS), PID limiting (prevents fork bombs), and a restart policy (improves availability). These measures reduce the blast radius of exploitation: an attacker gaining RCE has fewer capabilities to leverage for host escape and cannot exhaust host resources. + +**3. What real-world problem do resource limits solve?** +**Noisy neighbour / resource starvation.** In multi-tenant environments (shared Kubernetes nodes, VPS hosting), one misbehaving or compromised container can consume all CPU and memory, degrading or crashing all other services on the host. Resource limits guarantee each container receives only its allocated share, similar to QoS policies in network routing. This also protects against denial-of-service attacks targeting specific services. + +**4. If an attacker exploits Default vs Production, what actions are blocked in Production?** + +In `juice-default`, the attacker has the full Docker default capability set and no resource restrictions. In `juice-production`, the following actions are blocked or severely limited: + +| Attacker Action | Blocked in Production? | Reason | +|-----------------|:----------------------:|--------| +| ARP spoofing / raw packet injection | ✅ Yes | `CAP_NET_RAW` dropped | +| Mounting host filesystems | ✅ Yes | `CAP_SYS_ADMIN` dropped | +| Modifying network interfaces | ✅ Yes | `CAP_NET_ADMIN` dropped | +| Killing host processes via `CAP_KILL` | ✅ Yes | dropped | +| Fork bomb / process exhaustion | ✅ Yes | `--pids-limit=100` | +| Memory exhaustion of host | ✅ Yes | `--memory=512m` | +| CPU starvation of host | ✅ Yes | `--cpus=1.0` | +| Container runs indefinitely after crash | ✅ Limited | restart capped at 3 | +| Reading arbitrary host files via `CAP_DAC_READ_SEARCH` | ✅ Yes | dropped | + +**5. What additional hardening would you add?** + +- **Non-root user:** Add `USER node` (or a dedicated app user) in the Dockerfile to eliminate root privilege inside the container entirely. +- **Read-only root filesystem:** Add `--read-only` with specific writable tmpfs mounts for `/tmp` and log directories. Prevents an attacker from writing malware to the container filesystem. +- **Network isolation:** Use a custom bridge network instead of the default; enable `--icc=false` on the daemon to prevent lateral movement between containers. +- **Seccomp profile:** Create a custom seccomp allowlist profile restricting syscalls to only those needed by Node.js (instead of the full default set or `unconfined`). +- **Image signing:** Enable Docker Content Trust (`DOCKER_CONTENT_TRUST=1`) and sign images with `docker trust sign` to prevent supply-chain attacks via tampered images. +- **Distroless or minimal base image:** Rebuild Juice Shop on a distroless Node.js base (e.g., `gcr.io/distroless/nodejs`) to eliminate shell, package manager, and debugging utilities that attackers rely on post-exploitation. +- **Regular dependency updates:** Replace or patch the abandoned `vm2` library. Integrate Docker Scout or Snyk into the CI pipeline with a blocking gate on CRITICAL CVEs.