diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 00000000..4b78ccd3
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,19 @@
+## Goal
+Describe the goal of this PR
+
+## Changes
+- Change 1
+- Change 2
+
+## Testing
+Explain how this was tested
+
+## Artifacts & Screenshots
+Attach screenshots or logs
+
+---
+
+### Checklist
+- [ ] Clear PR title
+- [ ] Documentation updated if needed
+- [ ] No secrets or large temporary files
diff --git a/labs/lab7/analysis/deployment-comparison.txt b/labs/lab7/analysis/deployment-comparison.txt
new file mode 100644
index 00000000..7fd1f557
--- /dev/null
+++ b/labs/lab7/analysis/deployment-comparison.txt
@@ -0,0 +1,723 @@ +=== Functionality Test === +Default: HTTP 200 +Hardened: HTTP 200 +Production: HTTP 200 +CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS +ef5b252961ae juice-production 0.26% 95.47MiB / 512MiB 18.65% 2.3kB / 76.8kB 0B / 0B 11 +bab0b9fa63e5 juice-hardened 0.16% 94.71MiB / 512MiB 18.50% 2.47kB / 76.8kB 0B / 0B 11 +e21c01796e4e juice-default 0.19% 111.5MiB / 7.616GiB 1.43% 3.81kB / 153kB 0B / 0B 11 +Container: juice-default +[ + { + "Id": "e21c01796e4effd3ad4ae83d434f50f47ee2ba5f35a37e1ca6e0d3cd605a7b1b", + "Created": "2026-03-26T04:53:20.39345427Z", + "Path": "/nodejs/bin/node", + "Args": [ + "/juice-shop/build/app.js" + ], + "State": { + "Status": "running", + "Running": true, + "Paused": false, + "Restarting": false, + "OOMKilled": false, + "Dead": false, + "Pid": 5086, + "ExitCode": 0, + "Error": "", + "StartedAt": "2026-03-26T04:53:20.546697433Z", + "FinishedAt": "0001-01-01T00:00:00Z" + }, + "Image": "sha256:37cc73163c4c269c044e890fee868d62637109cad126a26dab13dc442ef2ae76", + "ResolvConfPath": "/var/lib/docker/containers/e21c01796e4effd3ad4ae83d434f50f47ee2ba5f35a37e1ca6e0d3cd605a7b1b/resolv.conf", + "HostnamePath": "/var/lib/docker/containers/e21c01796e4effd3ad4ae83d434f50f47ee2ba5f35a37e1ca6e0d3cd605a7b1b/hostname", + "HostsPath": "/var/lib/docker/containers/e21c01796e4effd3ad4ae83d434f50f47ee2ba5f35a37e1ca6e0d3cd605a7b1b/hosts", + "LogPath": "/var/lib/docker/containers/e21c01796e4effd3ad4ae83d434f50f47ee2ba5f35a37e1ca6e0d3cd605a7b1b/e21c01796e4effd3ad4ae83d434f50f47ee2ba5f35a37e1ca6e0d3cd605a7b1b-json.log", + "Name": "/juice-default", + "RestartCount": 0, + "Driver": "overlay2", + "Platform": "linux", + "MountLabel": "", + "ProcessLabel": "", + "AppArmorProfile": "", + "ExecIDs": null, + "HostConfig": { + "Binds": null, + "ContainerIDFile": "", + "LogConfig": { + "Type": "json-file", + "Config": {} + }, + "NetworkMode": "bridge", + "PortBindings": { + "3000/tcp": [ + { + "HostIp": "", + "HostPort": "3001" + } + ] + }, 
+ "RestartPolicy": { + "Name": "no", + "MaximumRetryCount": 0 + }, + "AutoRemove": false, + "VolumeDriver": "", + "VolumesFrom": null, + "ConsoleSize": [ + 0, + 0 + ], + "CapAdd": null, + "CapDrop": null, + "CgroupnsMode": "host", + "Dns": [], + "DnsOptions": [], + "DnsSearch": [], + "ExtraHosts": null, + "GroupAdd": null, + "IpcMode": "private", + "Cgroup": "", + "Links": null, + "OomScoreAdj": 0, + "PidMode": "", + "Privileged": false, + "PublishAllPorts": false, + "ReadonlyRootfs": false, + "SecurityOpt": null, + "UTSMode": "", + "UsernsMode": "", + "ShmSize": 67108864, + "Runtime": "runc", + "Isolation": "", + "CpuShares": 0, + "Memory": 0, + "NanoCpus": 0, + "CgroupParent": "", + "BlkioWeight": 0, + "BlkioWeightDevice": [], + "BlkioDeviceReadBps": [], + "BlkioDeviceWriteBps": [], + "BlkioDeviceReadIOps": [], + "BlkioDeviceWriteIOps": [], + "CpuPeriod": 0, + "CpuQuota": 0, + "CpuRealtimePeriod": 0, + "CpuRealtimeRuntime": 0, + "CpusetCpus": "", + "CpusetMems": "", + "Devices": [], + "DeviceCgroupRules": null, + "DeviceRequests": null, + "MemoryReservation": 0, + "MemorySwap": 0, + "MemorySwappiness": null, + "OomKillDisable": false, + "PidsLimit": null, + "Ulimits": [], + "CpuCount": 0, + "CpuPercent": 0, + "IOMaximumIOps": 0, + "IOMaximumBandwidth": 0, + "MaskedPaths": [ + "/proc/asound", + "/proc/acpi", + "/proc/interrupts", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", + "/proc/scsi", + "/sys/firmware", + "/sys/devices/virtual/powercap" + ], + "ReadonlyPaths": [ + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ] + }, + "GraphDriver": { + "Data": { + "ID": "e21c01796e4effd3ad4ae83d434f50f47ee2ba5f35a37e1ca6e0d3cd605a7b1b", + "LowerDir": 
"/var/lib/docker/overlay2/ddd22622ed36893a2cdd0c110a00b2da08cee514db41f9aa0175d2423d4f211a-init/diff:/var/lib/docker/overlay2/4f4d79d45949bc7cc9ee09ca6aa1db9bf8c7da3a857859100195ea715955de53/diff:/var/lib/docker/overlay2/212b920ad3878cf6f582168bca13c6def815e620cc64254e80fe0fad119f0720/diff:/var/lib/docker/overlay2/8bb9755bd3d477237db7e99ac174f205a299f55970ecd6df2c49e8621378ea0c/diff:/var/lib/docker/overlay2/b6014305b4d50b545754104a68ba9f8aabe50fa4b48bf70afaa36e67736ff457/diff:/var/lib/docker/overlay2/b3381832f83c75b07aea6c493a285d075fb1abeccfa5d166147ea81ba03af3d1/diff:/var/lib/docker/overlay2/c00e9fcda14696374b2577bcc754815774ae930dcce9f543c4186f470b8e4d9b/diff:/var/lib/docker/overlay2/fb7d0a755d02a6fd369e33d8add3d85371437f4ef77ce6e10714cf05dc2f3e3f/diff:/var/lib/docker/overlay2/399c0d8cdecf1ac0b27376c9ec968f80c82369f68dca0d67e0161bad24762df0/diff:/var/lib/docker/overlay2/83e39d2b127adad7a7d2b7fb8c42c9eb880b7c11737051960bc17bc1cd56450f/diff:/var/lib/docker/overlay2/8790e7c5e2d107031950adfc1ddfb593aa0c50c7cbad1eb3fe6de6c96f24c779/diff:/var/lib/docker/overlay2/8bc68334cb7f3524c71bbd5aac1dc81d560d0c11712b599bad96edc3d65baa40/diff:/var/lib/docker/overlay2/53e78cc8e5a101e2d7a76bac06f0930124763c36775aa43080213b7f58b24858/diff:/var/lib/docker/overlay2/91db38c4d340c431d21b1269d978e75c7b9fc0f4c7d85ab3fa36751fe0138f54/diff:/var/lib/docker/overlay2/7723f3b43aeec9fca0b8062f6b4e60cdd1fb52ee41724dbb39bc57341bc830ad/diff:/var/lib/docker/overlay2/45ad7c1ae20ad545ea847e77139e15e0f0216204f1bd06b4a2b49122a1dd518e/diff:/var/lib/docker/overlay2/c9b1940b7656dc54140578518d8b064c8179722cc0476873c2eb381fa87952e3/diff:/var/lib/docker/overlay2/f09512212430e532061b325d56dc2d9ed3e77de47482494774cf2c32119df5a7/diff:/var/lib/docker/overlay2/02d9f79a2bb9bdb1e3fc8bc61b7f709a059b91f49b9b3560cdd0a935d91f241a/diff:/var/lib/docker/overlay2/8b007bea038f5ecf89a7d98941c1956972ffa3efc6a2b2a01e993a12cfed94e9/diff:/var/lib/docker/overlay2/76319984f3e2ae9e92d8efa42757bbb2ee9de46fc187979156cc9bdea50b265b/diff
:/var/lib/docker/overlay2/870abc3906c8466291d0851008d947d48e08671d98cb2258d6ebcbaa03713365/diff", + "MergedDir": "/var/lib/docker/overlay2/ddd22622ed36893a2cdd0c110a00b2da08cee514db41f9aa0175d2423d4f211a/merged", + "UpperDir": "/var/lib/docker/overlay2/ddd22622ed36893a2cdd0c110a00b2da08cee514db41f9aa0175d2423d4f211a/diff", + "WorkDir": "/var/lib/docker/overlay2/ddd22622ed36893a2cdd0c110a00b2da08cee514db41f9aa0175d2423d4f211a/work" + }, + "Name": "overlay2" + }, + "Mounts": [], + "Config": { + "Hostname": "e21c01796e4e", + "Domainname": "", + "User": "65532", + "AttachStdin": false, + "AttachStdout": false, + "AttachStderr": false, + "ExposedPorts": { + "3000/tcp": {} + }, + "Tty": false, + "OpenStdin": false, + "StdinOnce": false, + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt" + ], + "Cmd": [ + "/juice-shop/build/app.js" + ], + "Image": "bkimminich/juice-shop:v19.0.0", + "Volumes": null, + "WorkingDir": "/juice-shop", + "Entrypoint": [ + "/nodejs/bin/node" + ], + "OnBuild": null, + "Labels": { + "maintainer": "Bjoern Kimminich \u003cbjoern.kimminich@owasp.org\u003e", + "org.opencontainers.image.authors": "Bjoern Kimminich \u003cbjoern.kimminich@owasp.org\u003e", + "org.opencontainers.image.created": "”2025-09-04T05:38:11Z”", + "org.opencontainers.image.description": "Probably the most modern and sophisticated insecure web application", + "org.opencontainers.image.documentation": "https://help.owasp-juice.shop", + "org.opencontainers.image.licenses": "MIT", + "org.opencontainers.image.revision": "36870cb", + "org.opencontainers.image.source": "https://github.com/juice-shop/juice-shop", + "org.opencontainers.image.title": "OWASP Juice Shop", + "org.opencontainers.image.url": "https://owasp-juice.shop", + "org.opencontainers.image.vendor": "Open Worldwide Application Security Project", + "org.opencontainers.image.version": "19.0.0" + } + }, + "NetworkSettings": { + "Bridge": "", + 
"SandboxID": "468f24f986b3ce4772b390ad004e72e8fe10ead1189ab49174be6ca4239b00fe", + "SandboxKey": "/var/run/docker/netns/468f24f986b3", + "Ports": { + "3000/tcp": [ + { + "HostIp": "0.0.0.0", + "HostPort": "3001" + } + ] + }, + "HairpinMode": false, + "LinkLocalIPv6Address": "", + "LinkLocalIPv6PrefixLen": 0, + "SecondaryIPAddresses": null, + "SecondaryIPv6Addresses": null, + "EndpointID": "df321c342107cf3d0d6dcbc043efbf79ae41c8f73106d930713d049735b2856a", + "Gateway": "172.17.0.1", + "GlobalIPv6Address": "", + "GlobalIPv6PrefixLen": 0, + "IPAddress": "172.17.0.2", + "IPPrefixLen": 16, + "IPv6Gateway": "", + "MacAddress": "2a:d3:b1:95:2b:7c", + "Networks": { + "bridge": { + "IPAMConfig": null, + "Links": null, + "Aliases": null, + "MacAddress": "2a:d3:b1:95:2b:7c", + "DriverOpts": null, + "GwPriority": 0, + "NetworkID": "aad57113146ed97d63e7dd9021cf045bf4b0d8fe9badc5f77df2ecb944007385", + "EndpointID": "df321c342107cf3d0d6dcbc043efbf79ae41c8f73106d930713d049735b2856a", + "Gateway": "172.17.0.1", + "IPAddress": "172.17.0.2", + "IPPrefixLen": 16, + "IPv6Gateway": "", + "GlobalIPv6Address": "", + "GlobalIPv6PrefixLen": 0, + "DNSNames": null + } + } + } + } +] +Container: juice-hardened +[ + { + "Id": "bab0b9fa63e5801f7b28b6a91219489b9bc35b9317deea793f883f4ae7be0b44", + "Created": "2026-03-26T04:53:27.617635607Z", + "Path": "/nodejs/bin/node", + "Args": [ + "/juice-shop/build/app.js" + ], + "State": { + "Status": "running", + "Running": true, + "Paused": false, + "Restarting": false, + "OOMKilled": false, + "Dead": false, + "Pid": 5149, + "ExitCode": 0, + "Error": "", + "StartedAt": "2026-03-26T04:53:27.674485664Z", + "FinishedAt": "0001-01-01T00:00:00Z" + }, + "Image": "sha256:37cc73163c4c269c044e890fee868d62637109cad126a26dab13dc442ef2ae76", + "ResolvConfPath": "/var/lib/docker/containers/bab0b9fa63e5801f7b28b6a91219489b9bc35b9317deea793f883f4ae7be0b44/resolv.conf", + "HostnamePath": 
"/var/lib/docker/containers/bab0b9fa63e5801f7b28b6a91219489b9bc35b9317deea793f883f4ae7be0b44/hostname", + "HostsPath": "/var/lib/docker/containers/bab0b9fa63e5801f7b28b6a91219489b9bc35b9317deea793f883f4ae7be0b44/hosts", + "LogPath": "/var/lib/docker/containers/bab0b9fa63e5801f7b28b6a91219489b9bc35b9317deea793f883f4ae7be0b44/bab0b9fa63e5801f7b28b6a91219489b9bc35b9317deea793f883f4ae7be0b44-json.log", + "Name": "/juice-hardened", + "RestartCount": 0, + "Driver": "overlay2", + "Platform": "linux", + "MountLabel": "", + "ProcessLabel": "", + "AppArmorProfile": "", + "ExecIDs": null, + "HostConfig": { + "Binds": null, + "ContainerIDFile": "", + "LogConfig": { + "Type": "json-file", + "Config": {} + }, + "NetworkMode": "bridge", + "PortBindings": { + "3000/tcp": [ + { + "HostIp": "", + "HostPort": "3002" + } + ] + }, + "RestartPolicy": { + "Name": "no", + "MaximumRetryCount": 0 + }, + "AutoRemove": false, + "VolumeDriver": "", + "VolumesFrom": null, + "ConsoleSize": [ + 0, + 0 + ], + "CapAdd": null, + "CapDrop": [ + "ALL" + ], + "CgroupnsMode": "host", + "Dns": [], + "DnsOptions": [], + "DnsSearch": [], + "ExtraHosts": null, + "GroupAdd": null, + "IpcMode": "private", + "Cgroup": "", + "Links": null, + "OomScoreAdj": 0, + "PidMode": "", + "Privileged": false, + "PublishAllPorts": false, + "ReadonlyRootfs": false, + "SecurityOpt": [ + "no-new-privileges" + ], + "UTSMode": "", + "UsernsMode": "", + "ShmSize": 67108864, + "Runtime": "runc", + "Isolation": "", + "CpuShares": 0, + "Memory": 536870912, + "NanoCpus": 1000000000, + "CgroupParent": "", + "BlkioWeight": 0, + "BlkioWeightDevice": [], + "BlkioDeviceReadBps": [], + "BlkioDeviceWriteBps": [], + "BlkioDeviceReadIOps": [], + "BlkioDeviceWriteIOps": [], + "CpuPeriod": 0, + "CpuQuota": 0, + "CpuRealtimePeriod": 0, + "CpuRealtimeRuntime": 0, + "CpusetCpus": "", + "CpusetMems": "", + "Devices": [], + "DeviceCgroupRules": null, + "DeviceRequests": null, + "MemoryReservation": 0, + "MemorySwap": 1073741824, + 
"MemorySwappiness": null, + "OomKillDisable": false, + "PidsLimit": null, + "Ulimits": [], + "CpuCount": 0, + "CpuPercent": 0, + "IOMaximumIOps": 0, + "IOMaximumBandwidth": 0, + "MaskedPaths": [ + "/proc/asound", + "/proc/acpi", + "/proc/interrupts", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", + "/proc/scsi", + "/sys/firmware", + "/sys/devices/virtual/powercap" + ], + "ReadonlyPaths": [ + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ] + }, + "GraphDriver": { + "Data": { + "ID": "bab0b9fa63e5801f7b28b6a91219489b9bc35b9317deea793f883f4ae7be0b44", + "LowerDir": "/var/lib/docker/overlay2/eb770ce2e3aac5658ecce5c1788a72a48c1360e99bfb8afebb818a3caa48a86c-init/diff:/var/lib/docker/overlay2/4f4d79d45949bc7cc9ee09ca6aa1db9bf8c7da3a857859100195ea715955de53/diff:/var/lib/docker/overlay2/212b920ad3878cf6f582168bca13c6def815e620cc64254e80fe0fad119f0720/diff:/var/lib/docker/overlay2/8bb9755bd3d477237db7e99ac174f205a299f55970ecd6df2c49e8621378ea0c/diff:/var/lib/docker/overlay2/b6014305b4d50b545754104a68ba9f8aabe50fa4b48bf70afaa36e67736ff457/diff:/var/lib/docker/overlay2/b3381832f83c75b07aea6c493a285d075fb1abeccfa5d166147ea81ba03af3d1/diff:/var/lib/docker/overlay2/c00e9fcda14696374b2577bcc754815774ae930dcce9f543c4186f470b8e4d9b/diff:/var/lib/docker/overlay2/fb7d0a755d02a6fd369e33d8add3d85371437f4ef77ce6e10714cf05dc2f3e3f/diff:/var/lib/docker/overlay2/399c0d8cdecf1ac0b27376c9ec968f80c82369f68dca0d67e0161bad24762df0/diff:/var/lib/docker/overlay2/83e39d2b127adad7a7d2b7fb8c42c9eb880b7c11737051960bc17bc1cd56450f/diff:/var/lib/docker/overlay2/8790e7c5e2d107031950adfc1ddfb593aa0c50c7cbad1eb3fe6de6c96f24c779/diff:/var/lib/docker/overlay2/8bc68334cb7f3524c71bbd5aac1dc81d560d0c11712b599bad96edc3d65baa40/diff:/var/lib/docker/overlay2/53e78cc8e5a101e2d7a76bac06f0930124763c36775aa43080213b7f58b24858/diff:/var/lib/docker/overlay2/91db38c4d340c431d21b1269d978e75c7b9fc0f4c7d85ab3f
a36751fe0138f54/diff:/var/lib/docker/overlay2/7723f3b43aeec9fca0b8062f6b4e60cdd1fb52ee41724dbb39bc57341bc830ad/diff:/var/lib/docker/overlay2/45ad7c1ae20ad545ea847e77139e15e0f0216204f1bd06b4a2b49122a1dd518e/diff:/var/lib/docker/overlay2/c9b1940b7656dc54140578518d8b064c8179722cc0476873c2eb381fa87952e3/diff:/var/lib/docker/overlay2/f09512212430e532061b325d56dc2d9ed3e77de47482494774cf2c32119df5a7/diff:/var/lib/docker/overlay2/02d9f79a2bb9bdb1e3fc8bc61b7f709a059b91f49b9b3560cdd0a935d91f241a/diff:/var/lib/docker/overlay2/8b007bea038f5ecf89a7d98941c1956972ffa3efc6a2b2a01e993a12cfed94e9/diff:/var/lib/docker/overlay2/76319984f3e2ae9e92d8efa42757bbb2ee9de46fc187979156cc9bdea50b265b/diff:/var/lib/docker/overlay2/870abc3906c8466291d0851008d947d48e08671d98cb2258d6ebcbaa03713365/diff", + "MergedDir": "/var/lib/docker/overlay2/eb770ce2e3aac5658ecce5c1788a72a48c1360e99bfb8afebb818a3caa48a86c/merged", + "UpperDir": "/var/lib/docker/overlay2/eb770ce2e3aac5658ecce5c1788a72a48c1360e99bfb8afebb818a3caa48a86c/diff", + "WorkDir": "/var/lib/docker/overlay2/eb770ce2e3aac5658ecce5c1788a72a48c1360e99bfb8afebb818a3caa48a86c/work" + }, + "Name": "overlay2" + }, + "Mounts": [], + "Config": { + "Hostname": "bab0b9fa63e5", + "Domainname": "", + "User": "65532", + "AttachStdin": false, + "AttachStdout": false, + "AttachStderr": false, + "ExposedPorts": { + "3000/tcp": {} + }, + "Tty": false, + "OpenStdin": false, + "StdinOnce": false, + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt" + ], + "Cmd": [ + "/juice-shop/build/app.js" + ], + "Image": "bkimminich/juice-shop:v19.0.0", + "Volumes": null, + "WorkingDir": "/juice-shop", + "Entrypoint": [ + "/nodejs/bin/node" + ], + "OnBuild": null, + "Labels": { + "maintainer": "Bjoern Kimminich \u003cbjoern.kimminich@owasp.org\u003e", + "org.opencontainers.image.authors": "Bjoern Kimminich \u003cbjoern.kimminich@owasp.org\u003e", + "org.opencontainers.image.created": 
"”2025-09-04T05:38:11Z”", + "org.opencontainers.image.description": "Probably the most modern and sophisticated insecure web application", + "org.opencontainers.image.documentation": "https://help.owasp-juice.shop", + "org.opencontainers.image.licenses": "MIT", + "org.opencontainers.image.revision": "36870cb", + "org.opencontainers.image.source": "https://github.com/juice-shop/juice-shop", + "org.opencontainers.image.title": "OWASP Juice Shop", + "org.opencontainers.image.url": "https://owasp-juice.shop", + "org.opencontainers.image.vendor": "Open Worldwide Application Security Project", + "org.opencontainers.image.version": "19.0.0" + } + }, + "NetworkSettings": { + "Bridge": "", + "SandboxID": "06f21b7c50f943ac39dcc9b101390bb525365396df8afa5322b20e153fad919e", + "SandboxKey": "/var/run/docker/netns/06f21b7c50f9", + "Ports": { + "3000/tcp": [ + { + "HostIp": "0.0.0.0", + "HostPort": "3002" + } + ] + }, + "HairpinMode": false, + "LinkLocalIPv6Address": "", + "LinkLocalIPv6PrefixLen": 0, + "SecondaryIPAddresses": null, + "SecondaryIPv6Addresses": null, + "EndpointID": "2e04331e4f508b1f58c9b870ea3c7e2d998b11ff224bcf395127c5cd3b61f6e5", + "Gateway": "172.17.0.1", + "GlobalIPv6Address": "", + "GlobalIPv6PrefixLen": 0, + "IPAddress": "172.17.0.3", + "IPPrefixLen": 16, + "IPv6Gateway": "", + "MacAddress": "c6:4f:a7:f7:20:aa", + "Networks": { + "bridge": { + "IPAMConfig": null, + "Links": null, + "Aliases": null, + "MacAddress": "c6:4f:a7:f7:20:aa", + "DriverOpts": null, + "GwPriority": 0, + "NetworkID": "aad57113146ed97d63e7dd9021cf045bf4b0d8fe9badc5f77df2ecb944007385", + "EndpointID": "2e04331e4f508b1f58c9b870ea3c7e2d998b11ff224bcf395127c5cd3b61f6e5", + "Gateway": "172.17.0.1", + "IPAddress": "172.17.0.3", + "IPPrefixLen": 16, + "IPv6Gateway": "", + "GlobalIPv6Address": "", + "GlobalIPv6PrefixLen": 0, + "DNSNames": null + } + } + } + } +] +Container: juice-production +[ + { + "Id": "ef5b252961aeea43cb31c347a8d24f8cbd8f5ad2f9309a3d45e0c64159944174", + "Created": 
"2026-03-26T04:54:04.31154124Z", + "Path": "/nodejs/bin/node", + "Args": [ + "/juice-shop/build/app.js" + ], + "State": { + "Status": "running", + "Running": true, + "Paused": false, + "Restarting": false, + "OOMKilled": false, + "Dead": false, + "Pid": 5209, + "ExitCode": 0, + "Error": "", + "StartedAt": "2026-03-26T04:54:04.366890973Z", + "FinishedAt": "0001-01-01T00:00:00Z" + }, + "Image": "sha256:37cc73163c4c269c044e890fee868d62637109cad126a26dab13dc442ef2ae76", + "ResolvConfPath": "/var/lib/docker/containers/ef5b252961aeea43cb31c347a8d24f8cbd8f5ad2f9309a3d45e0c64159944174/resolv.conf", + "HostnamePath": "/var/lib/docker/containers/ef5b252961aeea43cb31c347a8d24f8cbd8f5ad2f9309a3d45e0c64159944174/hostname", + "HostsPath": "/var/lib/docker/containers/ef5b252961aeea43cb31c347a8d24f8cbd8f5ad2f9309a3d45e0c64159944174/hosts", + "LogPath": "/var/lib/docker/containers/ef5b252961aeea43cb31c347a8d24f8cbd8f5ad2f9309a3d45e0c64159944174/ef5b252961aeea43cb31c347a8d24f8cbd8f5ad2f9309a3d45e0c64159944174-json.log", + "Name": "/juice-production", + "RestartCount": 0, + "Driver": "overlay2", + "Platform": "linux", + "MountLabel": "", + "ProcessLabel": "", + "AppArmorProfile": "", + "ExecIDs": null, + "HostConfig": { + "Binds": null, + "ContainerIDFile": "", + "LogConfig": { + "Type": "json-file", + "Config": {} + }, + "NetworkMode": "bridge", + "PortBindings": { + "3000/tcp": [ + { + "HostIp": "", + "HostPort": "3003" + } + ] + }, + "RestartPolicy": { + "Name": "on-failure", + "MaximumRetryCount": 3 + }, + "AutoRemove": false, + "VolumeDriver": "", + "VolumesFrom": null, + "ConsoleSize": [ + 0, + 0 + ], + "CapAdd": [ + "CAP_NET_BIND_SERVICE" + ], + "CapDrop": [ + "ALL" + ], + "CgroupnsMode": "host", + "Dns": [], + "DnsOptions": [], + "DnsSearch": [], + "ExtraHosts": null, + "GroupAdd": null, + "IpcMode": "private", + "Cgroup": "", + "Links": null, + "OomScoreAdj": 0, + "PidMode": "", + "Privileged": false, + "PublishAllPorts": false, + "ReadonlyRootfs": false, + "SecurityOpt": [ 
+ "no-new-privileges" + ], + "UTSMode": "", + "UsernsMode": "", + "ShmSize": 67108864, + "Runtime": "runc", + "Isolation": "", + "CpuShares": 0, + "Memory": 536870912, + "NanoCpus": 1000000000, + "CgroupParent": "", + "BlkioWeight": 0, + "BlkioWeightDevice": [], + "BlkioDeviceReadBps": [], + "BlkioDeviceWriteBps": [], + "BlkioDeviceReadIOps": [], + "BlkioDeviceWriteIOps": [], + "CpuPeriod": 0, + "CpuQuota": 0, + "CpuRealtimePeriod": 0, + "CpuRealtimeRuntime": 0, + "CpusetCpus": "", + "CpusetMems": "", + "Devices": [], + "DeviceCgroupRules": null, + "DeviceRequests": null, + "MemoryReservation": 0, + "MemorySwap": 536870912, + "MemorySwappiness": null, + "OomKillDisable": false, + "PidsLimit": 100, + "Ulimits": [], + "CpuCount": 0, + "CpuPercent": 0, + "IOMaximumIOps": 0, + "IOMaximumBandwidth": 0, + "MaskedPaths": [ + "/proc/asound", + "/proc/acpi", + "/proc/interrupts", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", + "/proc/scsi", + "/sys/firmware", + "/sys/devices/virtual/powercap" + ], + "ReadonlyPaths": [ + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ] + }, + "GraphDriver": { + "Data": { + "ID": "ef5b252961aeea43cb31c347a8d24f8cbd8f5ad2f9309a3d45e0c64159944174", + "LowerDir": 
"/var/lib/docker/overlay2/beb4976a7f3f5c3ac1c51ae8131fa7c23407b19ac18f03a9eb215d1a43376b7a-init/diff:/var/lib/docker/overlay2/4f4d79d45949bc7cc9ee09ca6aa1db9bf8c7da3a857859100195ea715955de53/diff:/var/lib/docker/overlay2/212b920ad3878cf6f582168bca13c6def815e620cc64254e80fe0fad119f0720/diff:/var/lib/docker/overlay2/8bb9755bd3d477237db7e99ac174f205a299f55970ecd6df2c49e8621378ea0c/diff:/var/lib/docker/overlay2/b6014305b4d50b545754104a68ba9f8aabe50fa4b48bf70afaa36e67736ff457/diff:/var/lib/docker/overlay2/b3381832f83c75b07aea6c493a285d075fb1abeccfa5d166147ea81ba03af3d1/diff:/var/lib/docker/overlay2/c00e9fcda14696374b2577bcc754815774ae930dcce9f543c4186f470b8e4d9b/diff:/var/lib/docker/overlay2/fb7d0a755d02a6fd369e33d8add3d85371437f4ef77ce6e10714cf05dc2f3e3f/diff:/var/lib/docker/overlay2/399c0d8cdecf1ac0b27376c9ec968f80c82369f68dca0d67e0161bad24762df0/diff:/var/lib/docker/overlay2/83e39d2b127adad7a7d2b7fb8c42c9eb880b7c11737051960bc17bc1cd56450f/diff:/var/lib/docker/overlay2/8790e7c5e2d107031950adfc1ddfb593aa0c50c7cbad1eb3fe6de6c96f24c779/diff:/var/lib/docker/overlay2/8bc68334cb7f3524c71bbd5aac1dc81d560d0c11712b599bad96edc3d65baa40/diff:/var/lib/docker/overlay2/53e78cc8e5a101e2d7a76bac06f0930124763c36775aa43080213b7f58b24858/diff:/var/lib/docker/overlay2/91db38c4d340c431d21b1269d978e75c7b9fc0f4c7d85ab3fa36751fe0138f54/diff:/var/lib/docker/overlay2/7723f3b43aeec9fca0b8062f6b4e60cdd1fb52ee41724dbb39bc57341bc830ad/diff:/var/lib/docker/overlay2/45ad7c1ae20ad545ea847e77139e15e0f0216204f1bd06b4a2b49122a1dd518e/diff:/var/lib/docker/overlay2/c9b1940b7656dc54140578518d8b064c8179722cc0476873c2eb381fa87952e3/diff:/var/lib/docker/overlay2/f09512212430e532061b325d56dc2d9ed3e77de47482494774cf2c32119df5a7/diff:/var/lib/docker/overlay2/02d9f79a2bb9bdb1e3fc8bc61b7f709a059b91f49b9b3560cdd0a935d91f241a/diff:/var/lib/docker/overlay2/8b007bea038f5ecf89a7d98941c1956972ffa3efc6a2b2a01e993a12cfed94e9/diff:/var/lib/docker/overlay2/76319984f3e2ae9e92d8efa42757bbb2ee9de46fc187979156cc9bdea50b265b/diff
:/var/lib/docker/overlay2/870abc3906c8466291d0851008d947d48e08671d98cb2258d6ebcbaa03713365/diff", + "MergedDir": "/var/lib/docker/overlay2/beb4976a7f3f5c3ac1c51ae8131fa7c23407b19ac18f03a9eb215d1a43376b7a/merged", + "UpperDir": "/var/lib/docker/overlay2/beb4976a7f3f5c3ac1c51ae8131fa7c23407b19ac18f03a9eb215d1a43376b7a/diff", + "WorkDir": "/var/lib/docker/overlay2/beb4976a7f3f5c3ac1c51ae8131fa7c23407b19ac18f03a9eb215d1a43376b7a/work" + }, + "Name": "overlay2" + }, + "Mounts": [], + "Config": { + "Hostname": "ef5b252961ae", + "Domainname": "", + "User": "65532", + "AttachStdin": false, + "AttachStdout": false, + "AttachStderr": false, + "ExposedPorts": { + "3000/tcp": {} + }, + "Tty": false, + "OpenStdin": false, + "StdinOnce": false, + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt" + ], + "Cmd": [ + "/juice-shop/build/app.js" + ], + "Image": "bkimminich/juice-shop:v19.0.0", + "Volumes": null, + "WorkingDir": "/juice-shop", + "Entrypoint": [ + "/nodejs/bin/node" + ], + "OnBuild": null, + "Labels": { + "maintainer": "Bjoern Kimminich \u003cbjoern.kimminich@owasp.org\u003e", + "org.opencontainers.image.authors": "Bjoern Kimminich \u003cbjoern.kimminich@owasp.org\u003e", + "org.opencontainers.image.created": "”2025-09-04T05:38:11Z”", + "org.opencontainers.image.description": "Probably the most modern and sophisticated insecure web application", + "org.opencontainers.image.documentation": "https://help.owasp-juice.shop", + "org.opencontainers.image.licenses": "MIT", + "org.opencontainers.image.revision": "36870cb", + "org.opencontainers.image.source": "https://github.com/juice-shop/juice-shop", + "org.opencontainers.image.title": "OWASP Juice Shop", + "org.opencontainers.image.url": "https://owasp-juice.shop", + "org.opencontainers.image.vendor": "Open Worldwide Application Security Project", + "org.opencontainers.image.version": "19.0.0" + } + }, + "NetworkSettings": { + "Bridge": "", + 
"SandboxID": "a51d1ec219de5b0ff53711ba4c5979bdf5c718ec079629eea38fe5c077e7f7d7", + "SandboxKey": "/var/run/docker/netns/a51d1ec219de", + "Ports": { + "3000/tcp": [ + { + "HostIp": "0.0.0.0", + "HostPort": "3003" + } + ] + }, + "HairpinMode": false, + "LinkLocalIPv6Address": "", + "LinkLocalIPv6PrefixLen": 0, + "SecondaryIPAddresses": null, + "SecondaryIPv6Addresses": null, + "EndpointID": "649ca961bc066bc6e4318fcee11bb10cfebe0caf99c831e91d0d21295c454784", + "Gateway": "172.17.0.1", + "GlobalIPv6Address": "", + "GlobalIPv6PrefixLen": 0, + "IPAddress": "172.17.0.4", + "IPPrefixLen": 16, + "IPv6Gateway": "", + "MacAddress": "46:7c:e1:57:5c:06", + "Networks": { + "bridge": { + "IPAMConfig": null, + "Links": null, + "Aliases": null, + "MacAddress": "46:7c:e1:57:5c:06", + "DriverOpts": null, + "GwPriority": 0, + "NetworkID": "aad57113146ed97d63e7dd9021cf045bf4b0d8fe9badc5f77df2ecb944007385", + "EndpointID": "649ca961bc066bc6e4318fcee11bb10cfebe0caf99c831e91d0d21295c454784", + "Gateway": "172.17.0.1", + "IPAddress": "172.17.0.4", + "IPPrefixLen": 16, + "IPv6Gateway": "", + "GlobalIPv6Address": "", + "GlobalIPv6PrefixLen": 0, + "DNSNames": null + } + } + } + } +] diff --git a/labs/lab7/hardening/docker-bench-results.txt b/labs/lab7/hardening/docker-bench-results.txt new file mode 100644 index 00000000..77bdeedd --- /dev/null +++ b/labs/lab7/hardening/docker-bench-results.txt 
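Review bot: The `juice-production` profile adds `CAP_NET_BIND_SERVICE` back after `"CapDrop": ["ALL"]`, yet the only exposed port is `3000/tcp` and the process runs as `"User": "65532"`; an unprivileged port does not need that capability, so `"CapAdd": null` as in the hardened profile would be the least-privilege setting, unless the lab intends to bind a port below 1024 later. Both hardened and production still show `"ReadonlyRootfs": false`, and hardened has `"PidsLimit": null` with `MemorySwap` at twice `Memory`, so it permits swap and unbounded process creation where production (`"PidsLimit": 100`, `MemorySwap` equal to `Memory`) does not; if those differences are deliberate steps between the two profiles, the file should say so. As committed, the file is raw container stats and inspect output with no written comparison, so a short summary at the top naming the per-profile deltas (capabilities, `no-new-privileges`, memory/CPU/PID limits, restart policy, root filesystem mode) would turn the dump into the analysis the path name promises.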
@@ -0,0 +1,180 @@
+# ------------------------------------------------------------------------------
+# Docker Bench for Security v1.3.4
+#
+# Docker, Inc. (c) 2015-
+#
+# Checks for dozens of common best-practices around deploying Docker containers in production.
+# Inspired by the CIS Docker Community Edition Benchmark v1.1.0.
+# ------------------------------------------------------------------------------
+
+Initializing Thu Mar 26 04:51:57 UTC 2026
+
+
+[INFO] 1 - Host Configuration
+[WARN] 1.1 - Ensure a separate partition for containers has been created
+[NOTE] 1.2 - Ensure the container host has been Hardened
+[PASS] 1.3 - Ensure Docker is up to date
+[INFO] * Using 28.0.4 which is current
+[INFO] * Check with your operating system vendor for support and security maintenance for Docker
+[INFO] 1.4 - Ensure only trusted users are allowed to control Docker daemon
+[WARN] 1.5 - Ensure auditing is configured for the Docker daemon
+[WARN] 1.6 - Ensure auditing is configured for Docker files and directories - /var/lib/docker
+[INFO] 1.7 - Ensure auditing is configured for Docker files and directories - /etc/docker
+[INFO] * Directory not found
+[INFO] 1.8 - Ensure auditing is configured for Docker files and directories - docker.service
+[INFO] * File not found
+[INFO] 1.9 - Ensure auditing is configured for Docker files and directories - docker.socket
+[INFO] * File not found
+[INFO] 1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker
+[INFO] * File not found
+[INFO] 1.11 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
+[INFO] * File not found
+[INFO] 1.12 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd
+[INFO] * File not found
+[INFO] 1.13 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc
+[INFO] * File not found
+
+
+[INFO] 2 - Docker daemon configuration
+[WARN] 2.1 - Ensure network traffic is restricted between containers on the default bridge
+[PASS] 2.2 - Ensure the logging level is set to 'info'
+[PASS] 2.3 - Ensure Docker is allowed to make changes to iptables
+[PASS] 2.4 - Ensure insecure registries are not used
+[PASS] 2.5 - Ensure aufs storage driver is not used
+[WARN] 2.6 - Ensure TLS authentication for Docker daemon is configured
+[WARN] * Docker daemon currently listening on TCP without TLS
+[INFO] 2.7 - Ensure the default ulimit is configured appropriately
+[INFO] * Default ulimit doesn't appear to be set
+[WARN] 2.8 - Enable user namespace support
+[PASS] 2.9 - Ensure the default cgroup usage has been confirmed
+[PASS] 2.10 - Ensure base device size is not changed until needed
+[WARN] 2.11 - Ensure that authorization for Docker client commands is enabled
+[WARN] 2.12 - Ensure centralized and remote logging is configured
+[INFO] 2.13 - Ensure operations on legacy registry (v1) are Disabled (Deprecated)
+[WARN] 2.14 - Ensure live restore is Enabled
+[WARN] 2.15 - Ensure Userland Proxy is Disabled
+[INFO] 2.16 - Ensure daemon-wide custom seccomp profile is applied, if needed
+[PASS] 2.17 - Ensure experimental features are avoided in production
+[WARN] 2.18 - Ensure containers are restricted from acquiring new privileges
+
+
+[INFO] 3 - Docker daemon configuration files
+[INFO] 3.1 - Ensure that docker.service file ownership is set to root:root
+[INFO] * File not found
+[INFO] 3.2 - Ensure that docker.service file permissions are set to 644 or more restrictive
+[INFO] * File not found
+[INFO] 3.3 - Ensure that docker.socket file ownership is set to root:root
+[INFO] * File not found
+[INFO] 3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive
+[INFO] * File not found
+[INFO] 3.5 - Ensure that /etc/docker directory ownership is set to root:root
+[INFO] * Directory not found
+[INFO] 3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
+[INFO] * Directory not found
+[INFO] 3.7 - Ensure that registry certificate file ownership is set to root:root
+[INFO] * Directory not found
+[INFO] 3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictive
+[INFO] * Directory not found
+[INFO] 3.9 - Ensure that TLS CA certificate file ownership is set to root:root
+[INFO] * No TLS CA certificate found
+[INFO] 3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
+[INFO] * No TLS CA certificate found
+[INFO] 3.11 - Ensure that Docker server certificate file ownership is set to root:root
+[INFO] * No TLS Server certificate found
+[INFO] 3.12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
+[INFO] * No TLS Server certificate found
+[INFO] 3.13 - Ensure that Docker server certificate key file ownership is set to root:root
+[INFO] * No TLS Key found
+[INFO] 3.14 - Ensure that Docker server certificate key file permissions are set to 400
+[INFO] * No TLS Key found
+[WARN] 3.15 - Ensure that Docker socket file ownership is set to root:docker
+[WARN] * Wrong ownership for /var/run/docker.sock
+[PASS] 3.16 - Ensure that Docker socket file permissions are set to 660 or more restrictive
+[INFO] 3.17 - Ensure that daemon.json file ownership is set to root:root
+[INFO] * File not found
+[INFO] 3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive
+[INFO] * File not found
+[INFO] 3.19 - Ensure that /etc/default/docker file ownership is set to root:root
+[INFO] * File not found
+[INFO] 3.20 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive
+[INFO] * File not found
+
+
+[INFO] 4 - Container Images and Build File
+[INFO] 4.1 - Ensure a user for the container has been created
+[INFO] * No containers running
+[NOTE] 4.2 - Ensure that containers use trusted base images
+[NOTE] 4.3 - Ensure unnecessary packages are not installed in the container
+[NOTE] 4.4 - Ensure images are scanned and rebuilt to include security patches
+[WARN] 4.5 - Ensure Content trust for Docker is Enabled
+[WARN] 4.6 - Ensure HEALTHCHECK instructions have been added to the container image
+[WARN] * No Healthcheck found: [snyk/snyk:docker]
+[WARN] * No Healthcheck found: [bridgecrew/checkov:latest]
+[WARN] * No Healthcheck found: [nginx:latest]
+[WARN] * No Healthcheck found: [bkimminich/juice-shop:latest]
+[WARN] * No Healthcheck found: [projectdiscovery/nuclei:latest]
+[WARN] * No Healthcheck found: [checkmarx/kics:latest]
+[WARN] * No Healthcheck found: [aquasec/trivy:latest]
+[WARN] * No Healthcheck found: [semgrep/semgrep:latest]
+[WARN] * No Healthcheck found: [trufflesecurity/trufflehog:latest]
+[WARN] * No Healthcheck found: [anchore/grype:latest]
+[WARN] * No Healthcheck found: [anchore/syft:latest]
+[WARN] * No Healthcheck found: [ubuntu:latest]
+[WARN] * No Healthcheck found: [devops-info-service:latest maksimmenshikh/devops-info-service:lab02]
+[WARN] * No Healthcheck found: [devops-info-service:latest maksimmenshikh/devops-info-service:lab02]
+[WARN] * No Healthcheck found: [secsi/sqlmap:latest]
+[WARN] * No Healthcheck found: [bkimminich/juice-shop:v19.0.0]
+[WARN] * No Healthcheck found: [aquasec/tfsec:latest]
+[WARN] * No Healthcheck found: [goodwithtech/dockle:latest]
+[WARN] * No Healthcheck found: [busybox:latest]
+[WARN] * No Healthcheck found: [tenable/terrascan:latest]
+[WARN] * No Healthcheck found: [alpine/nikto:latest]
+[INFO] 4.7 - Ensure update instructions are not use alone in the Dockerfile
+[INFO] * Update instruction found: [snyk/snyk:docker]
+[INFO] * Update instruction found: [bridgecrew/checkov:latest]
+[INFO] * Update instruction found: [checkmarx/kics:latest]
+[INFO] * Update instruction found: [devops-info-service:latest maksimmenshikh/devops-info-service:lab02]
+[INFO] * Update instruction found: [devops-info-service:latest maksimmenshikh/devops-info-service:lab02]
+[NOTE] 4.8 - Ensure setuid and setgid permissions are removed in the images
+[INFO] 4.9 - Ensure COPY is used instead of ADD in Dockerfile
+[INFO] * ADD in image history: [snyk/snyk:docker]
+[INFO] * ADD in image history: [projectdiscovery/nuclei:latest]
+[INFO] * ADD in image history: [aquasec/trivy:latest]
+[INFO] * ADD in image history: [semgrep/semgrep:latest]
+[INFO] * ADD in image history: [trufflesecurity/trufflehog:latest]
+[INFO] * ADD in image history: [ubuntu:latest]
+[INFO] * ADD in image history: [secsi/sqlmap:latest]
+[INFO] * ADD in image history: [aquasec/tfsec:latest]
+[INFO] * ADD in image history: [goodwithtech/dockle:latest]
+[INFO] * ADD in image history: [alpine/nikto:latest]
+[INFO] * ADD in image history: [docker/docker-bench-security:latest]
+[NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles
+[NOTE] 4.11 - Ensure verified packages are only Installed
+
+
+[INFO] 5 - Container Runtime
+[INFO] * No containers running, skipping Section 5
+
+
+[INFO] 6 - Docker Security Operations
+[INFO] 6.1 - Avoid image sprawl
+[INFO] * There are currently: 23 images
+[INFO] * Only 1 out of 23 are in use
+[INFO] 6.2 - Avoid container sprawl
+[INFO] * There are currently a total of 1 containers, with 1 of them currently running
+
+
+[INFO] 7 - Docker Swarm Configuration
+[PASS] 7.1 - Ensure swarm mode is not Enabled, if not needed
+[PASS] 7.2 - Ensure the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled)
+[PASS] 7.3 - Ensure swarm services are binded to a specific host interface (Swarm mode not enabled)
+[PASS] 7.4 - Ensure data exchanged between containers are encrypted on different nodes on the overlay network
+[PASS] 7.5 - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster (Swarm mode not enabled)
+[PASS] 7.6 - Ensure swarm manager is run in auto-lock mode (Swarm mode not enabled)
+[PASS] 7.7 - Ensure swarm manager auto-lock key is rotated periodically (Swarm mode not enabled)
+[PASS] 7.8 - Ensure node certificates are rotated as appropriate (Swarm mode not enabled)
+[PASS] 7.9 - Ensure CA certificates are rotated as appropriate (Swarm mode not enabled)
+[PASS] 7.10 - Ensure management plane traffic has been separated from data plane traffic (Swarm mode not enabled)
+
+[INFO] Checks: 74
+[INFO] Score: 4
diff --git a/labs/lab7/scanning/dockle-results.txt b/labs/lab7/scanning/dockle-results.txt
new file mode 100644
index 00000000..0da4e22e
--- /dev/null
+++ b/labs/lab7/scanning/dockle-results.txt
@@ -0,0 +1,9 @@
+SKIP - DKL-LI-0001: Avoid empty password
+ * failed to detect etc/shadow,etc/master.passwd
+INFO - CIS-DI-0005: Enable Content trust for Docker
+ * export DOCKER_CONTENT_TRUST=1 before docker pull/build
+INFO - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
+ * not found HEALTHCHECK statement
+INFO - DKL-LI-0003: Only put necessary files
+ * unnecessary file : juice-shop/node_modules/micromatch/lib/.DS_Store
+ * unnecessary file : juice-shop/node_modules/extglob/lib/.DS_Store
diff --git a/labs/lab7/scanning/scout-cves.txt b/labs/lab7/scanning/scout-cves.txt
new file mode 100644
index 00000000..c9be7f62
--- /dev/null
+++ b/labs/lab7/scanning/scout-cves.txt
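Review bot: The benchmark ran with no workload containers up — 4.1 reports `No containers running` and Section 5 (Container Runtime) is skipped outright — so this file evaluates nothing about the default/hardened/production deployments, and its `Score: 4` is a host-and-daemon score only (the single running container 6.2 counts is presumably the docker-bench container itself). The run should be repeated with all three juice-shop containers started first, so that the Section 5 checks (no-new-privileges, memory/PID limits, read-only rootfs, dropped capabilities, privileged ports) become the evidence for the hardening comparison; until then, a first line such as `# NOTE: captured before containers were started — Section 5 not evaluated, re-run required` would keep the artifact from being read as a pass. Separately, the two findings most worth acting on are daemon-level and are not mitigated by any per-container flag: 2.6 `Docker daemon currently listening on TCP without TLS` (an unauthenticated remote control channel that is root-equivalent on the host) and 3.15 `Wrong ownership for /var/run/docker.sock`; both should be called out in the lab analysis, or, if this is shared lab infrastructure the student does not control, stated as such in the file header.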
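Review bot: The dockle output records neither the scanned image reference nor the tool version, so nothing ties these nine lines to `bkimminich/juice-shop:v19.0.0` (digest 37cc73163c4c) the way the scout report's Overview block does; a first line such as `# dockle <version> -- bkimminich/juice-shop:v19.0.0 @ sha256:37cc73163c4c...` would make the artifact reproducible and comparable across runs. Note also that `SKIP - DKL-LI-0001` means the empty-password check could not be evaluated because the image has no `etc/shadow`, not that it passed — consistent with the inspect output's `"User": "65532"`, which looks like a distroless non-root image (confirm against the upstream Dockerfile); the analysis should record it as not-evaluated rather than clean. The CIS-DI-0005 hint (`export DOCKER_CONTENT_TRUST=1`) applies to the pull/build step on the host, not to the image, so it only counts as addressed if the lab's pull commands actually set it.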
@@ -0,0 +1,1106 @@
+
+
+## Overview
+
+ │ Analyzed Image
+────────────────────┼───────────────────────────────────────────
+ Target │ bkimminich/juice-shop:v19.0.0
+ digest │ 37cc73163c4c
+ platform │ linux/amd64
+ provenance │ https://github.com/juice-shop/juice-shop
+ │ https://github.com/juice-shop/juice-shop/blob/36870cb
+ vulnerabilities │ 11C 67H 32M 5L 13?
+ size │ 172 MB
+ packages │ 1004
+
+
+## Packages and Vulnerabilities
+
+ 4C 0H 1M 0L vm2 3.9.17
+pkg:npm/vm2@3.9.17
+
+ x CRITICAL CVE-2026-22709 [Protection Mechanism Failure]
+ https://scout.docker.com/v/CVE-2026-22709?s=github&n=vm2&t=npm&vr=%3C%3D3.10.1
+ Affected range : <=3.10.1
+ Fixed version : 3.10.2
+ CVSS Score : 9.8
+ CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+
+ x CRITICAL CVE-2023-37903 [Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')]
+ https://scout.docker.com/v/CVE-2023-37903?s=github&n=vm2&t=npm&vr=%3C%3D3.9.19
+ Affected range : <=3.9.19
+ Fixed version : not fixed
+ CVSS Score : 9.8
+ CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+
+ x CRITICAL CVE-2023-37466 [Improper Control of Generation of Code ('Code Injection')]
+ https://scout.docker.com/v/CVE-2023-37466?s=github&n=vm2&t=npm&vr=%3C%3D3.9.19
+ Affected range : <=3.9.19
+ Fixed version : 3.10.0
+ CVSS Score : 9.8
+ CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+
+ x CRITICAL CVE-2023-32314 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')]
+ https://scout.docker.com/v/CVE-2023-32314?s=github&n=vm2&t=npm&vr=%3C3.9.18
+ Affected range : <3.9.18
+ Fixed version : 3.9.18
+ CVSS Score : 9.8
+ CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+
+ x MEDIUM CVE-2023-32313 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')]
+ https://scout.docker.com/v/CVE-2023-32313?s=github&n=vm2&t=npm&vr=%3C3.9.18
+ Affected range : <3.9.18
+ Fixed version : 
3.9.18 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 1C 4H 1M 0L 6? node 22.18.0 +pkg:generic/node@22.18.0 + + x CRITICAL CVE-2025-55130 + https://scout.docker.com/v/CVE-2025-55130?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + x HIGH CVE-2026-21637 + https://scout.docker.com/v/CVE-2026-21637?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + x HIGH CVE-2025-59466 + https://scout.docker.com/v/CVE-2025-59466?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + x HIGH CVE-2025-59465 + https://scout.docker.com/v/CVE-2025-59465?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + x HIGH CVE-2025-55131 + https://scout.docker.com/v/CVE-2025-55131?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + x MEDIUM CVE-2025-55132 + https://scout.docker.com/v/CVE-2025-55132?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + x UNSPECIFIED BSA-2026-21717 + https://scout.docker.com/v/BSA-2026-21717?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.2 + Affected range : >=22.0.0 + : <22.22.2 + Fixed version : 22.22.2 + + x UNSPECIFIED BSA-2026-21716 + https://scout.docker.com/v/BSA-2026-21716?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.2 + Affected range : >=22.0.0 + : <22.22.2 + Fixed version : 22.22.2 + + x UNSPECIFIED BSA-2026-21715 + https://scout.docker.com/v/BSA-2026-21715?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.2 + Affected range : >=22.0.0 + : <22.22.2 + Fixed version : 22.22.2 + + x UNSPECIFIED BSA-2026-21714 + 
https://scout.docker.com/v/BSA-2026-21714?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.2 + Affected range : >=22.0.0 + : <22.22.2 + Fixed version : 22.22.2 + + x UNSPECIFIED BSA-2026-21713 + https://scout.docker.com/v/BSA-2026-21713?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.2 + Affected range : >=22.0.0 + : <22.22.2 + Fixed version : 22.22.2 + + x UNSPECIFIED BSA-2026-21710 + https://scout.docker.com/v/BSA-2026-21710?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.2 + Affected range : >=22.0.0 + : <22.22.2 + Fixed version : 22.22.2 + + + 1C 3H 1M 0L 1? lodash 2.4.2 +pkg:npm/lodash@2.4.2 + + x CRITICAL CVE-2019-10744 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2019-10744?s=github&n=lodash&t=npm&vr=%3C4.17.12 + Affected range : <4.17.12 + Fixed version : 4.17.12 + CVSS Score : 9.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H + + x HIGH CVE-2020-8203 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2020-8203?s=gitlab&n=lodash&t=npm&vr=%3C4.17.20 + Affected range : <4.17.20 + Fixed version : 4.17.20 + CVSS Score : 7.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H + + x HIGH CVE-2021-23337 [Improper Neutralization of Special Elements used in a Command ('Command Injection')] + https://scout.docker.com/v/CVE-2021-23337?s=github&n=lodash&t=npm&vr=%3C4.17.21 + Affected range : <4.17.21 + Fixed version : 4.17.21 + CVSS Score : 7.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + + x HIGH CVE-2018-16487 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2018-16487?s=github&n=lodash&t=npm&vr=%3C4.17.11 + Affected range : <4.17.11 + Fixed version : 4.17.11 + + x MEDIUM CVE-2018-3721 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2018-3721?s=github&n=lodash&t=npm&vr=%3C4.17.5 
+ Affected range : <4.17.5 + Fixed version : 4.17.5 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N + + x UNSPECIFIED GMS-2018-10 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2018-10?s=gitlab&n=lodash&t=npm&vr=%3C4.17.5 + Affected range : <4.17.5 + Fixed version : 4.17.5 + + + 1C 1H 2M 0L 1? jsonwebtoken 0.4.0 +pkg:npm/jsonwebtoken@0.4.0 + + x CRITICAL CVE-2015-9235 [Improper Input Validation] + https://scout.docker.com/v/CVE-2015-9235?s=github&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + x HIGH CVE-2022-23539 [Use of a Broken or Risky Cryptographic Algorithm] + https://scout.docker.com/v/CVE-2022-23539?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N + + x MEDIUM CVE-2022-23540 [Improper Authentication] + https://scout.docker.com/v/CVE-2022-23540?s=github&n=jsonwebtoken&t=npm&vr=%3C9.0.0 + Affected range : <9.0.0 + Fixed version : 9.0.0 + CVSS Score : 6.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L + + x MEDIUM CVE-2022-23541 [Improper Restriction of Security Token Assignment] + https://scout.docker.com/v/CVE-2022-23541?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 5.0 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L + + x UNSPECIFIED GMS-2015-4 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2015-4?s=gitlab&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + + 1C 1H 2M 0L 1? 
jsonwebtoken 0.1.0 +pkg:npm/jsonwebtoken@0.1.0 + + x CRITICAL CVE-2015-9235 [Improper Input Validation] + https://scout.docker.com/v/CVE-2015-9235?s=github&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + x HIGH CVE-2022-23539 [Use of a Broken or Risky Cryptographic Algorithm] + https://scout.docker.com/v/CVE-2022-23539?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N + + x MEDIUM CVE-2022-23540 [Improper Authentication] + https://scout.docker.com/v/CVE-2022-23540?s=github&n=jsonwebtoken&t=npm&vr=%3C9.0.0 + Affected range : <9.0.0 + Fixed version : 9.0.0 + CVSS Score : 6.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L + + x MEDIUM CVE-2022-23541 [Improper Restriction of Security Token Assignment] + https://scout.docker.com/v/CVE-2022-23541?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 5.0 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L + + x UNSPECIFIED GMS-2015-4 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2015-4?s=gitlab&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + + 1C 1H 0M 0L crypto-js 3.3.0 +pkg:npm/crypto-js@3.3.0 + + x CRITICAL CVE-2023-46233 [Use of a Broken or Risky Cryptographic Algorithm] + https://scout.docker.com/v/CVE-2023-46233?s=github&n=crypto-js&t=npm&vr=%3C4.2.0 + Affected range : <4.2.0 + Fixed version : 4.2.0 + CVSS Score : 9.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N + + x HIGH GMS-2020-4 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2020-4?s=gitlab&n=crypto-js&t=npm&vr=%3E%3D3.3.0%2C%3C4.0.0 + Affected range : >=3.3.0 + : <4.0.0 + Fixed version : 3.2.1, 4.0.0 + CVSS Score : 7.5 + CVSS Vector : 
AV:N/AC:L/Au:N/C:P/I:P/A:P + + + 1C 0H 1M 0L minimist 0.2.4 +pkg:npm/minimist@0.2.4 + + x CRITICAL CVE-2021-44906 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2021-44906?s=gitlab&n=minimist&t=npm&vr=%3C1.2.6 + Affected range : <1.2.6 + Fixed version : 1.2.6 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + x MEDIUM CVE-2020-7598 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2020-7598?s=gitlab&n=minimist&t=npm&vr=%3C1.2.2 + Affected range : <1.2.2 + Fixed version : 1.2.2 + CVSS Score : 5.6 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L + + + 1C 0H 0M 0L marsdb 0.6.11 +pkg:npm/marsdb@0.6.11 + + x CRITICAL GHSA-5mrr-rgp6-x4gr [Improper Neutralization of Special Elements used in a Command ('Command Injection')] + https://scout.docker.com/v/GHSA-5mrr-rgp6-x4gr?s=github&n=marsdb&t=npm&vr=%3E%3D0.0.0 + Affected range : >=0.0.0 + Fixed version : not fixed + + + 0C 6H 1M 0L tar 4.4.19 +pkg:npm/tar@4.4.19 + + x HIGH CVE-2026-23950 [Improper Handling of Unicode Encoding] + https://scout.docker.com/v/CVE-2026-23950?s=github&n=tar&t=npm&vr=%3C%3D7.5.3 + Affected range : <=7.5.3 + Fixed version : 7.5.4 + CVSS Score : 8.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L + + x HIGH CVE-2026-31802 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-31802?s=github&n=tar&t=npm&vr=%3C%3D7.5.10 + Affected range : <=7.5.10 + Fixed version : 7.5.11 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N + + x HIGH CVE-2026-29786 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-29786?s=github&n=tar&t=npm&vr=%3C%3D7.5.9 + Affected range : <=7.5.9 + Fixed version : 7.5.10 + CVSS Score : 8.2 + CVSS Vector : 
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L + + x HIGH CVE-2026-24842 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-24842?s=github&n=tar&t=npm&vr=%3C7.5.7 + Affected range : <7.5.7 + Fixed version : 7.5.7 + CVSS Score : 8.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N + + x HIGH CVE-2026-23745 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-23745?s=github&n=tar&t=npm&vr=%3C%3D7.5.2 + Affected range : <=7.5.2 + Fixed version : 7.5.3 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N + + x HIGH CVE-2026-26960 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-26960?s=github&n=tar&t=npm&vr=%3C7.5.8 + Affected range : <7.5.8 + Fixed version : 7.5.8 + CVSS Score : 7.1 + CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N + + x MEDIUM CVE-2024-28863 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2024-28863?s=github&n=tar&t=npm&vr=%3C6.2.1 + Affected range : <6.2.1 + Fixed version : 6.2.1 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + + + 0C 6H 0M 0L tar 7.4.3 +pkg:npm/tar@7.4.3 + + x HIGH CVE-2026-23950 [Improper Handling of Unicode Encoding] + https://scout.docker.com/v/CVE-2026-23950?s=github&n=tar&t=npm&vr=%3C%3D7.5.3 + Affected range : <=7.5.3 + Fixed version : 7.5.4 + CVSS Score : 8.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L + + x HIGH CVE-2026-31802 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-31802?s=github&n=tar&t=npm&vr=%3C%3D7.5.10 + Affected range : <=7.5.10 + Fixed version : 7.5.11 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N + + x HIGH CVE-2026-29786 [Improper 
Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-29786?s=github&n=tar&t=npm&vr=%3C%3D7.5.9 + Affected range : <=7.5.9 + Fixed version : 7.5.10 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L + + x HIGH CVE-2026-24842 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-24842?s=github&n=tar&t=npm&vr=%3C7.5.7 + Affected range : <7.5.7 + Fixed version : 7.5.7 + CVSS Score : 8.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N + + x HIGH CVE-2026-23745 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-23745?s=github&n=tar&t=npm&vr=%3C%3D7.5.2 + Affected range : <=7.5.2 + Fixed version : 7.5.3 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N + + x HIGH CVE-2026-26960 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-26960?s=github&n=tar&t=npm&vr=%3C7.5.8 + Affected range : <7.5.8 + Fixed version : 7.5.8 + CVSS Score : 7.1 + CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N + + + 0C 6H 0M 0L tar 6.2.1 +pkg:npm/tar@6.2.1 + + x HIGH CVE-2026-23950 [Improper Handling of Unicode Encoding] + https://scout.docker.com/v/CVE-2026-23950?s=github&n=tar&t=npm&vr=%3C%3D7.5.3 + Affected range : <=7.5.3 + Fixed version : 7.5.4 + CVSS Score : 8.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L + + x HIGH CVE-2026-31802 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-31802?s=github&n=tar&t=npm&vr=%3C%3D7.5.10 + Affected range : <=7.5.10 + Fixed version : 7.5.11 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N + + x HIGH CVE-2026-29786 [Improper Limitation of a Pathname to a 
Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-29786?s=github&n=tar&t=npm&vr=%3C%3D7.5.9 + Affected range : <=7.5.9 + Fixed version : 7.5.10 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L + + x HIGH CVE-2026-24842 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-24842?s=github&n=tar&t=npm&vr=%3C7.5.7 + Affected range : <7.5.7 + Fixed version : 7.5.7 + CVSS Score : 8.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N + + x HIGH CVE-2026-23745 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-23745?s=github&n=tar&t=npm&vr=%3C%3D7.5.2 + Affected range : <=7.5.2 + Fixed version : 7.5.3 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N + + x HIGH CVE-2026-26960 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-26960?s=github&n=tar&t=npm&vr=%3C7.5.8 + Affected range : <7.5.8 + Fixed version : 7.5.8 + CVSS Score : 7.1 + CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N + + + 0C 4H 0M 0L multer 1.4.5-lts.2 +pkg:npm/multer@1.4.5-lts.2 + + x HIGH CVE-2026-3520 [Uncontrolled Recursion] + https://scout.docker.com/v/CVE-2026-3520?s=github&n=multer&t=npm&vr=%3C2.1.1 + Affected range : <2.1.1 + Fixed version : 2.1.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + x HIGH CVE-2026-3304 [Incomplete Cleanup] + https://scout.docker.com/v/CVE-2026-3304?s=github&n=multer&t=npm&vr=%3C2.1.0 + Affected range : <2.1.0 + Fixed version : 2.1.0 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + x HIGH CVE-2026-2359 [Missing Release of Resource after Effective Lifetime] + 
https://scout.docker.com/v/CVE-2026-2359?s=github&n=multer&t=npm&vr=%3C2.1.0 + Affected range : <2.1.0 + Fixed version : 2.1.0 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + x HIGH CVE-2025-47935 [Missing Release of Memory after Effective Lifetime] + https://scout.docker.com/v/CVE-2025-47935?s=github&n=multer&t=npm&vr=%3C2.0.0 + Affected range : <2.0.0 + Fixed version : 2.0.0 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 5.1.6 +pkg:npm/minimatch@5.1.6 + + x HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3E%3D5.0.0%2C%3C5.1.7 + Affected range : >=5.0.0 + : <5.1.7 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + x HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3E%3D5.0.0%2C%3C5.1.8 + Affected range : >=5.0.0 + : <5.1.8 + Fixed version : 5.1.8 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + x HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3E%3D5.0.0%2C%3C5.1.8 + Affected range : >=5.0.0 + : <5.1.8 + Fixed version : 5.1.8 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 3.0.8 +pkg:npm/minimatch@3.0.8 + + x HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + x HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + 
https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3C3.1.4 + Affected range : <3.1.4 + Fixed version : 3.1.4 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + x HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 3.1.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 3.1.2 +pkg:npm/minimatch@3.1.2 + + x HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + x HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3C3.1.4 + Affected range : <3.1.4 + Fixed version : 3.1.4 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + x HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 3.1.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 9.0.5 +pkg:npm/minimatch@9.0.5 + + x HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3E%3D9.0.0%2C%3C9.0.6 + Affected range : >=9.0.0 + : <9.0.6 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + x HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3E%3D9.0.0%2C%3C9.0.7 + Affected range : >=9.0.0 + : 
<9.0.7 + Fixed version : 9.0.7 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + x HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3E%3D9.0.0%2C%3C9.0.7 + Affected range : >=9.0.0 + : <9.0.7 + Fixed version : 9.0.7 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 3.0.5 +pkg:npm/minimatch@3.0.5 + + x HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + x HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3C3.1.4 + Affected range : <3.1.4 + Fixed version : 3.1.4 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + x HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 3.1.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 2H 1M 0L 1? 
moment 2.0.0 +pkg:npm/moment@2.0.0 + + x HIGH CVE-2022-24785 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2022-24785?s=github&n=moment&t=npm&vr=%3C2.29.2 + Affected range : <2.29.2 + Fixed version : 2.29.2 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + + x HIGH CVE-2017-18214 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2017-18214?s=github&n=moment&t=npm&vr=%3C2.19.3 + Affected range : <2.19.3 + Fixed version : 2.19.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + x MEDIUM CVE-2016-4055 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2016-4055?s=github&n=moment&t=npm&vr=%3C2.11.2 + Affected range : <2.11.2 + Fixed version : 2.11.2 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + + x UNSPECIFIED GMS-2017-332 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2017-332?s=gitlab&n=moment&t=npm&vr=%3C2.19.3 + Affected range : <2.19.3 + Fixed version : 2.19.3 + + + 0C 2H 0M 0L 1? jws 0.2.6 +pkg:npm/jws@0.2.6 + + x HIGH CVE-2016-1000223 + https://scout.docker.com/v/CVE-2016-1000223?s=github&n=jws&t=npm&vr=%3C3.0.0 + Affected range : <3.0.0 + Fixed version : 3.0.0 + CVSS Score : 8.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N + + x HIGH CVE-2025-65945 [Improper Verification of Cryptographic Signature] + https://scout.docker.com/v/CVE-2025-65945?s=github&n=jws&t=npm&vr=%3C3.2.3 + Affected range : <3.2.3 + Fixed version : 3.2.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + + x UNSPECIFIED GMS-2016-54 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2016-54?s=gitlab&n=jws&t=npm&vr=%3C3.0.0 + Affected range : <3.0.0 + Fixed version : 3.0.0 + + + 0C 1H 6M 0L 2? 
sanitize-html 1.4.2 +pkg:npm/sanitize-html@1.4.2 + + x HIGH CVE-2022-25887 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2022-25887?s=github&n=sanitize-html&t=npm&vr=%3C2.7.1 + Affected range : <2.7.1 + Fixed version : 2.7.1 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + x MEDIUM CVE-2019-25225 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2019-25225?s=github&n=sanitize-html&t=npm&vr=%3C2.0.0-beta + Affected range : <2.0.0-beta + Fixed version : 2.0.0-beta + CVSS Score : 6.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + + x MEDIUM CVE-2016-1000237 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2016-1000237?s=github&n=sanitize-html&t=npm&vr=%3C1.4.3 + Affected range : <1.4.3 + Fixed version : 1.4.3 + CVSS Score : 6.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + + x MEDIUM CVE-2024-21501 [Exposure of Sensitive Information to an Unauthorized Actor] + https://scout.docker.com/v/CVE-2024-21501?s=github&n=sanitize-html&t=npm&vr=%3C2.12.1 + Affected range : <2.12.1 + Fixed version : 2.12.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + + x MEDIUM CVE-2021-26540 [Improper Input Validation] + https://scout.docker.com/v/CVE-2021-26540?s=github&n=sanitize-html&t=npm&vr=%3C2.3.2 + Affected range : <2.3.2 + Fixed version : 2.3.2 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + x MEDIUM CVE-2021-26539 [Improper Input Validation] + https://scout.docker.com/v/CVE-2021-26539?s=github&n=sanitize-html&t=npm&vr=%3C2.3.1 + Affected range : <2.3.1 + Fixed version : 2.3.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + x MEDIUM CVE-2017-16016 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + 
https://scout.docker.com/v/CVE-2017-16016?s=github&n=sanitize-html&t=npm&vr=%3C%3D1.11.1 + Affected range : <=1.11.1 + Fixed version : 1.11.4 + + x UNSPECIFIED GMS-2016-57 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2016-57?s=gitlab&n=sanitize-html&t=npm&vr=%3C%3D1.4.2 + Affected range : <=1.4.2 + Fixed version : 1.4.3 + + x UNSPECIFIED GMS-2016-17 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2016-17?s=gitlab&n=sanitize-html&t=npm&vr=%3C1.11.4 + Affected range : <1.11.4 + Fixed version : 1.11.4 + + + 0C 1H 1M 0L socket.io-parser 4.0.5 +pkg:npm/socket.io-parser@4.0.5 + + x HIGH CVE-2026-33151 [Improper Check for Unusual or Exceptional Conditions] + https://scout.docker.com/v/CVE-2026-33151?s=github&n=socket.io-parser&t=npm&vr=%3E%3D4.0.0%2C%3C4.2.6 + Affected range : >=4.0.0 + : <4.2.6 + Fixed version : 4.2.6 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + x MEDIUM CVE-2023-32695 [Improper Input Validation] + https://scout.docker.com/v/CVE-2023-32695?s=github&n=socket.io-parser&t=npm&vr=%3E%3D4.0.4%2C%3C4.2.3 + Affected range : >=4.0.4 + : <4.2.3 + Fixed version : 4.2.3 + CVSS Score : 6.9 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N + + + 0C 1H 1M 0L socket.io 3.1.2 +pkg:npm/socket.io@3.1.2 + + x HIGH GHSA-25hc-qcg6-38wj [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GHSA-25hc-qcg6-38wj?s=gitlab&n=socket.io&t=npm&vr=%3E%3D3.0.0%2C%3C4.6.2 + Affected range : >=3.0.0 + : <4.6.2 + Fixed version : 2.5.1, 4.6.2 + CVSS Score : 7.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L + + x MEDIUM CVE-2024-38355 [Improper Input Validation] + https://scout.docker.com/v/CVE-2024-38355?s=github&n=socket.io&t=npm&vr=%3E%3D3.0.0%2C%3C4.6.2 + Affected range : >=3.0.0 + : <4.6.2 + Fixed 
version : 4.6.2 + CVSS Score : 6.9 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N + + + 0C 1H 1M 0L picomatch 2.3.1 +pkg:npm/picomatch@2.3.1 + + x HIGH CVE-2026-33671 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-33671?s=github&n=picomatch&t=npm&vr=%3C2.3.2 + Affected range : <2.3.2 + Fixed version : 2.3.2 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + x MEDIUM CVE-2026-33672 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2026-33672?s=github&n=picomatch&t=npm&vr=%3C2.3.2 + Affected range : <2.3.2 + Fixed version : 2.3.2 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 0C 1H 1M 0L validator 13.15.15 +pkg:npm/validator@13.15.15 + + x HIGH CVE-2025-12758 [Encoding Error] + https://scout.docker.com/v/CVE-2025-12758?s=github&n=validator&t=npm&vr=%3C13.15.22 + Affected range : <13.15.22 + Fixed version : 13.15.22 + CVSS Score : 7.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P + + x MEDIUM CVE-2025-56200 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2025-56200?s=github&n=validator&t=npm&vr=%3C13.15.20 + Affected range : <13.15.20 + Fixed version : 13.15.20 + CVSS Score : 6.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + + + 0C 1H 1M 0L picomatch 4.0.3 +pkg:npm/picomatch@4.0.3 + + x HIGH CVE-2026-33671 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-33671?s=github&n=picomatch&t=npm&vr=%3E%3D4.0.0%2C%3C4.0.4 + Affected range : >=4.0.0 + : <4.0.4 + Fixed version : 4.0.4 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + x MEDIUM CVE-2026-33672 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + 
https://scout.docker.com/v/CVE-2026-33672?s=github&n=picomatch&t=npm&vr=%3E%3D4.0.0%2C%3C4.0.4 + Affected range : >=4.0.0 + : <4.0.4 + Fixed version : 4.0.4 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 0C 1H 0M 0L lodash.set 4.3.2 +pkg:npm/lodash.set@4.3.2 + + x HIGH CVE-2020-8203 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2020-8203?s=github&n=lodash.set&t=npm&vr=%3E%3D3.7.0%2C%3C%3D4.3.2 + Affected range : >=3.7.0 + : <=4.3.2 + Fixed version : not fixed + CVSS Score : 7.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H + + + 0C 1H 0M 0L braces 2.3.2 +pkg:npm/braces@2.3.2 + + x HIGH CVE-2024-4068 [Excessive Platform Resource Consumption within a Loop] + https://scout.docker.com/v/CVE-2024-4068?s=github&n=braces&t=npm&vr=%3C3.0.3 + Affected range : <3.0.3 + Fixed version : 3.0.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 1H 0M 0L ip 2.0.1 +pkg:npm/ip@2.0.1 + + x HIGH CVE-2024-29415 [Server-Side Request Forgery (SSRF)] + https://scout.docker.com/v/CVE-2024-29415?s=github&n=ip&t=npm&vr=%3C%3D2.0.1 + Affected range : <=2.0.1 + Fixed version : not fixed + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + + + 0C 1H 0M 0L ws 7.4.6 +pkg:npm/ws@7.4.6 + + x HIGH CVE-2024-37890 [NULL Pointer Dereference] + https://scout.docker.com/v/CVE-2024-37890?s=github&n=ws&t=npm&vr=%3E%3D7.0.0%2C%3C7.5.10 + Affected range : >=7.0.0 + : <7.5.10 + Fixed version : 7.5.10 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + + 0C 1H 0M 0L express-jwt 0.1.3 +pkg:npm/express-jwt@0.1.3 + + x HIGH CVE-2020-15084 [Improper Authorization] + https://scout.docker.com/v/CVE-2020-15084?s=github&n=express-jwt&t=npm&vr=%3C%3D5.3.3 + Affected range : <=5.3.3 + Fixed version : 6.0.0 + CVSS Score : 7.7 + CVSS Vector : 
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N + + + 0C 1H 0M 0L glob 10.4.5 +pkg:npm/glob@10.4.5 + + x HIGH CVE-2025-64756 [Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')] + https://scout.docker.com/v/CVE-2025-64756?s=github&n=glob&t=npm&vr=%3E%3D10.2.0%2C%3C10.5.0 + Affected range : >=10.2.0 + : <10.5.0 + Fixed version : 11.1.0 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H + + + 0C 1H 0M 0L sequelize 6.37.7 +pkg:npm/sequelize@6.37.7 + + x HIGH CVE-2026-30951 [Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')] + https://scout.docker.com/v/CVE-2026-30951?s=github&n=sequelize&t=npm&vr=%3E%3D6.0.0-beta.1%2C%3C%3D6.37.7 + Affected range : >=6.0.0-beta.1 + : <=6.37.7 + Fixed version : 6.37.8 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + + + 0C 1H 0M 0L http-cache-semantics 3.8.1 +pkg:npm/http-cache-semantics@3.8.1 + + x HIGH CVE-2022-25881 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2022-25881?s=github&n=http-cache-semantics&t=npm&vr=%3C4.1.1 + Affected range : <4.1.1 + Fixed version : 4.1.1 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 1H 0M 0L tar-fs 2.1.3 +pkg:npm/tar-fs@2.1.3 + + x HIGH CVE-2025-59343 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2025-59343?s=github&n=tar-fs&t=npm&vr=%3E%3D2.0.0%2C%3C2.1.4 + Affected range : >=2.0.0 + : <2.1.4 + Fixed version : 2.1.4 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N + + + 0C 1H 0M 0L mout 1.2.4 +pkg:npm/mout@1.2.4 + + x HIGH CVE-2020-7792 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2020-7792?s=gitlab&n=mout&t=npm&vr=%3E%3D0 + Affected range : >=0 + Fixed version : not fixed + CVSS Score : 7.5 + CVSS Vector : 
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 0H 1M 1L qs 6.13.0 +pkg:npm/qs@6.13.0 + + x MEDIUM CVE-2025-15284 [Improper Input Validation] + https://scout.docker.com/v/CVE-2025-15284?s=github&n=qs&t=npm&vr=%3C6.14.1 + Affected range : <6.14.1 + Fixed version : 6.14.1 + CVSS Score : 6.3 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L + + x LOW CVE-2026-2391 [Improper Input Validation] + https://scout.docker.com/v/CVE-2026-2391?s=github&n=qs&t=npm&vr=%3E%3D6.7.0%2C%3C%3D6.14.1 + Affected range : >=6.7.0 + : <=6.14.1 + Fixed version : 6.14.2 + CVSS Score : 3.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L + + + 0C 0H 1M 0L lodash 4.17.21 +pkg:npm/lodash@4.17.21 + + x MEDIUM CVE-2025-13465 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2025-13465?s=github&n=lodash&t=npm&vr=%3E%3D4.0.0%2C%3C%3D4.17.22 + Affected range : >=4.0.0 + : <=4.17.22 + Fixed version : 4.17.23 + CVSS Score : 6.9 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P + + + 0C 0H 1M 0L engine.io 4.1.2 +pkg:npm/engine.io@4.1.2 + + x MEDIUM CVE-2022-41940 [Uncaught Exception] + https://scout.docker.com/v/CVE-2022-41940?s=github&n=engine.io&t=npm&vr=%3E%3D4.0.0%2C%3C6.2.1 + Affected range : >=4.0.0 + : <6.2.1 + Fixed version : 6.2.1 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + + + 0C 0H 1M 0L micromatch 3.1.10 +pkg:npm/micromatch@3.1.10 + + x MEDIUM CVE-2024-4067 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2024-4067?s=github&n=micromatch&t=npm&vr=%3C4.0.8 + Affected range : <4.0.8 + Fixed version : 4.0.8 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + + + 0C 0H 1M 0L notevil 1.3.3 +pkg:npm/notevil@1.3.3 + + x MEDIUM CVE-2021-23771 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + 
https://scout.docker.com/v/CVE-2021-23771?s=github&n=notevil&t=npm&vr=%3C%3D1.3.3 + Affected range : <=1.3.3 + Fixed version : not fixed + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N + + + 0C 0H 1M 0L base64url 0.0.6 +pkg:npm/base64url@0.0.6 + + x MEDIUM GHSA-rvg8-pwq2-xj7q [Out-of-bounds Read] + https://scout.docker.com/v/GHSA-rvg8-pwq2-xj7q?s=github&n=base64url&t=npm&vr=%3C3.0.0 + Affected range : <3.0.0 + Fixed version : 3.0.0 + + + 0C 0H 1M 0L hbs 4.2.0 +pkg:npm/hbs@4.2.0 + + x MEDIUM CVE-2021-32822 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2021-32822?s=gitlab&n=hbs&t=npm&vr=%3E%3D0 + Affected range : >=0 + Fixed version : not fixed + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + + + 0C 0H 1M 0L dottie 2.0.6 +pkg:npm/dottie@2.0.6 + + x MEDIUM CVE-2026-27837 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2026-27837?s=github&n=dottie&t=npm&vr=%3E%3D2.0.4%2C%3C%3D2.0.6 + Affected range : >=2.0.4 + : <=2.0.6 + Fixed version : 2.0.7 + CVSS Score : 6.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L + + + 0C 0H 1M 0L js-yaml 3.14.1 +pkg:npm/js-yaml@3.14.1 + + x MEDIUM CVE-2025-64718 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2025-64718?s=github&n=js-yaml&t=npm&vr=%3C3.14.2 + Affected range : <3.14.2 + Fixed version : 4.1.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 0C 0H 1M 0L got 8.3.2 +pkg:npm/got@8.3.2 + + x MEDIUM CVE-2022-33987 + https://scout.docker.com/v/CVE-2022-33987?s=github&n=got&t=npm&vr=%3C11.8.5 + Affected range : <11.8.5 + Fixed version : 11.8.5 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 0C 0H 1M 0L file-type 16.5.4 +pkg:npm/file-type@16.5.4 + + x MEDIUM 
CVE-2026-31808 [Loop with Unreachable Exit Condition ('Infinite Loop')] + https://scout.docker.com/v/CVE-2026-31808?s=github&n=file-type&t=npm&vr=%3E%3D13.0.0%2C%3C21.3.1 + Affected range : >=13.0.0 + : <21.3.1 + Fixed version : 21.3.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + + + 0C 0H 0M 1L @tootallnate/once 2.0.0 +pkg:npm/%40tootallnate/once@2.0.0 + + x LOW CVE-2026-3449 [Incorrect Control Flow Scoping] + https://scout.docker.com/v/CVE-2026-3449?s=github&n=once&ns=%40tootallnate&t=npm&vr=%3C3.0.1 + Affected range : <3.0.1 + Fixed version : 3.0.1 + CVSS Score : 1.9 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P + + + 0C 0H 0M 1L diff 4.0.2 +pkg:npm/diff@4.0.2 + + x LOW CVE-2026-24001 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-24001?s=github&n=diff&t=npm&vr=%3E%3D4.0.0%2C%3C4.0.4 + Affected range : >=4.0.0 + : <4.0.4 + Fixed version : 4.0.4 + CVSS Score : 2.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U + + + 0C 0H 0M 1L @tootallnate/once 1.1.2 +pkg:npm/%40tootallnate/once@1.1.2 + + x LOW CVE-2026-3449 [Incorrect Control Flow Scoping] + https://scout.docker.com/v/CVE-2026-3449?s=github&n=once&ns=%40tootallnate&t=npm&vr=%3C3.0.1 + Affected range : <3.0.1 + Fixed version : 3.0.1 + CVSS Score : 1.9 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P + + + 0C 0H 0M 1L cookie 0.4.2 +pkg:npm/cookie@0.4.2 + + x LOW CVE-2024-47764 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')] + https://scout.docker.com/v/CVE-2024-47764?s=github&n=cookie&t=npm&vr=%3C0.7.0 + Affected range : <0.7.0 + Fixed version : 0.7.0 + + + +128 vulnerabilities found in 50 packages + CRITICAL 11 + HIGH 67 + MEDIUM 32 + LOW 5 + UNSPECIFIED 13 + 
diff --git a/labs/lab7/scanning/snyk-results.txt b/labs/lab7/scanning/snyk-results.txt new file mode 100644 index 00000000..a9c4cb0f --- /dev/null +++ b/labs/lab7/scanning/snyk-results.txt @@ -0,0 +1,269 @@ + +Testing bkimminich/juice-shop:v19.0.0... + +✗ High severity vulnerability found in openssl/libssl3 + Description: CVE-2025-69421 + Info: https://security.snyk.io/vuln/SNYK-DEBIAN12-OPENSSL-15123192 + Introduced through: openssl/libssl3@3.0.17-1~deb12u2 + From: openssl/libssl3@3.0.17-1~deb12u2 + Fixed in: 3.0.18-1~deb12u2 + +------------ Detected 7 vulnerabilities for node@22.18.0 ------------ + + +✗ High severity vulnerability found in node + Description: UNIX Symbolic Link (Symlink) Following + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14928586 + Introduced through: node@22.18.0 + From: node@22.18.0 + Fixed in: 22.22.0 + +✗ High severity vulnerability found in node + Description: Uncaught Exception + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14929624 + Introduced through: node@22.18.0 + From: node@22.18.0 + Fixed in: 22.22.0 + +✗ High severity vulnerability found in node + Description: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14975915 + Introduced through: node@22.18.0 + From: node@22.18.0 + Fixed in: 22.22.0 + +✗ High severity vulnerability found in node + Description: Uncaught Exception + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14982196 + Introduced through: node@22.18.0 + From: node@22.18.0 + Fixed in: 22.22.0 + +✗ High severity vulnerability found in node + Description: Uncaught Exception + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-15763402 + Introduced through: node@22.18.0 + From: node@22.18.0 + Fixed in: 22.22.2 + +✗ High severity vulnerability found in node + Description: Uncaught Exception + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-15763406 + Introduced through: node@22.18.0 + 
From: node@22.18.0 + Fixed in: 22.22.2 + +✗ Critical severity vulnerability found in node + Description: Race Condition + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14928492 + Introduced through: node@22.18.0 + 
From: node@22.18.0 + Fixed in: 22.22.0 + +Organization: mmenshikh +Package manager: deb +Project name: docker-image|bkimminich/juice-shop +Docker image: bkimminich/juice-shop:v19.0.0 +Platform: linux/amd64 +Target OS: Distroless +Licenses: enabled + +Tested 10 dependencies for known issues, found 8 issues. + +------------------------------------------------------- + +Testing bkimminich/juice-shop:v19.0.0... + +Tested 975 dependencies for known issues, found 47 issues. + + +Issues to fix by upgrading: + + Upgrade body-parser@1.20.3 to body-parser@1.20.4 to fix + ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-14724253] in qs@6.13.0 + introduced by body-parser@1.20.3 > qs@6.13.0 and 2 other path(s) + ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-15268416] in qs@6.13.0 + introduced by body-parser@1.20.3 > qs@6.13.0 and 2 other path(s) + + Upgrade check-dependencies@1.1.1 to check-dependencies@2.0.0 to fix + ✗ Excessive Platform Resource Consumption within a Loop [High Severity][https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727] in braces@2.3.2 + introduced by check-dependencies@1.1.1 > findup-sync@2.0.0 > micromatch@3.1.10 > braces@2.3.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660] in unset-value@1.0.0 + introduced by check-dependencies@1.1.1 > findup-sync@2.0.0 > micromatch@3.1.10 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > unset-value@1.0.0 and 4 other path(s) + + Upgrade express@4.21.2 to express@4.22.0 to fix + ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-14724253] in qs@6.13.0 + introduced by body-parser@1.20.3 > qs@6.13.0 and 2 other path(s) + ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-15268416] in qs@6.13.0 + introduced by 
body-parser@1.20.3 > qs@6.13.0 and 2 other path(s) + + Upgrade express-ipfilter@1.3.2 to express-ipfilter@1.4.0 to fix + ✗ Server-side Request Forgery (SSRF) [High Severity][https://security.snyk.io/vuln/SNYK-JS-IP-12704893] in ip@2.0.1 + introduced by express-ipfilter@1.3.2 > ip@2.0.1 + ✗ Server-side Request Forgery (SSRF) [High Severity][https://security.snyk.io/vuln/SNYK-JS-IP-12761655] in ip@2.0.1 + introduced by express-ipfilter@1.3.2 > ip@2.0.1 + + Upgrade express-jwt@0.1.3 to express-jwt@6.0.0 to fix + ✗ Authorization Bypass [High Severity][https://security.snyk.io/vuln/SNYK-JS-EXPRESSJWT-575022] in express-jwt@0.1.3 + introduced by express-jwt@0.1.3 + ✗ Improper Verification of Cryptographic Signature [High Severity][https://security.snyk.io/vuln/SNYK-JS-JWS-14188253] in jws@0.2.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s) + ✗ Forgeable Public/Private Tokens [High Severity][https://security.snyk.io/vuln/npm:jws:20160726] in jws@0.2.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s) + ✗ Directory Traversal [High Severity][https://security.snyk.io/vuln/SNYK-JS-MOMENT-2440688] in moment@2.0.0 + introduced by express-jwt@0.1.3 > jsonwebtoken@0.1.0 > moment@2.0.0 + ✗ Uninitialized Memory Exposure [High Severity][https://security.snyk.io/vuln/npm:base64url:20180511] in base64url@0.0.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 > base64url@0.0.6 and 3 other path(s) + ✗ Authentication Bypass [High Severity][https://security.snyk.io/vuln/npm:jsonwebtoken:20150331] in jsonwebtoken@0.1.0 + introduced by express-jwt@0.1.3 > jsonwebtoken@0.1.0 and 1 other path(s) + + Upgrade glob@10.4.5 to glob@12.0.0 to fix + ✗ Command Injection [High Severity][https://security.snyk.io/vuln/SNYK-JS-GLOB-14040952] in glob@10.4.5 + introduced by glob@10.4.5 and 1 other path(s) + ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438] in minimatch@3.1.2 + introduced by 
filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + ✗ Regular Expression Denial of Service (ReDoS) (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353387] in minimatch@9.0.5 + introduced by glob@10.4.5 > minimatch@9.0.5 and 1 other path(s) + ✗ Inefficient Algorithmic Complexity (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353389] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + + Upgrade grunt-contrib-compress@1.6.0 to grunt-contrib-compress@2.0.0 to fix + ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + ✗ Inefficient Algorithmic Complexity (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353389] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + + Upgrade jsonwebtoken@0.4.0 to jsonwebtoken@5.0.0 to fix + ✗ Improper Verification of Cryptographic Signature [High Severity][https://security.snyk.io/vuln/SNYK-JS-JWS-14188253] in jws@0.2.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s) + ✗ Forgeable Public/Private Tokens [High Severity][https://security.snyk.io/vuln/npm:jws:20160726] in jws@0.2.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s) + ✗ Uninitialized Memory Exposure [High Severity][https://security.snyk.io/vuln/npm:base64url:20180511] in base64url@0.0.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 > base64url@0.0.6 and 3 other path(s) + ✗ Authentication Bypass [High Severity][https://security.snyk.io/vuln/npm:jsonwebtoken:20150331] in jsonwebtoken@0.1.0 + introduced by express-jwt@0.1.3 > jsonwebtoken@0.1.0 and 1 other path(s) + + Upgrade 
multer@1.4.5-lts.2 to multer@2.1.1 to fix + ✗ Uncontrolled Recursion (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-15417528] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Missing Release of Resource after Effective Lifetime (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-15365916] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Incomplete Cleanup (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-15365918] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Uncaught Exception [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10773732] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Uncaught Exception [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10185673] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Missing Release of Memory after Effective Lifetime [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10185675] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Uncaught Exception [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10299078] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + + Upgrade node-pre-gyp@0.15.0 to node-pre-gyp@0.17.0 to fix + ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + ✗ Inefficient Algorithmic Complexity (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353389] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + + Upgrade pdfkit@0.11.0 to pdfkit@0.12.2 to fix + ✗ Use of Weak Hash [High Severity][https://security.snyk.io/vuln/SNYK-JS-CRYPTOJS-6028119] in crypto-js@3.3.0 + introduced by pdfkit@0.11.0 > crypto-js@3.3.0 + + Upgrade sanitize-html@1.4.2 to 
sanitize-html@1.7.1 to fix + ✗ Code Injection [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-1040724] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-450202] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-608086] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-6139239] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-73638] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + + Upgrade sequelize@6.37.7 to sequelize@6.37.8 to fix + ✗ SQL Injection (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-15456219] in sequelize@6.37.7 + introduced by sequelize@6.37.7 + + Upgrade socket.io@3.1.2 to socket.io@4.7.0 to fix + ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-WS-7266574] in ws@7.4.6 + introduced by socket.io@3.1.2 > engine.io@4.1.2 > ws@7.4.6 + ✗ Uncaught Exception [High Severity][https://security.snyk.io/vuln/SNYK-JS-SOCKETIO-7278048] in socket.io@3.1.2 + introduced by socket.io@3.1.2 + ✗ Allocation of Resources Without Limits or Throttling (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-15680278] in socket.io-parser@4.0.5 + introduced by socket.io@3.1.2 > socket.io-parser@4.0.5 + ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-5596892] in socket.io-parser@4.0.5 + introduced by socket.io@3.1.2 > socket.io-parser@4.0.5 + ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-ENGINEIO-3136336] in engine.io@4.1.2 + introduced by socket.io@3.1.2 > engine.io@4.1.2 + + Upgrade 
sqlite3@5.1.7 to sqlite3@6.0.1 to fix + ✗ Directory Traversal [High Severity][https://security.snyk.io/vuln/SNYK-JS-TAR-15307072] in tar@7.4.3 + introduced by libxmljs2@0.37.0 > node-gyp@11.4.2 > tar@7.4.3 and 5 other path(s) + ✗ Symlink Attack (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-TAR-15416075] in tar@7.4.3 + introduced by libxmljs2@0.37.0 > node-gyp@11.4.2 > tar@7.4.3 and 5 other path(s) + ✗ Symlink Attack (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-TAR-15456201] in tar@7.4.3 + introduced by libxmljs2@0.37.0 > node-gyp@11.4.2 > tar@7.4.3 and 5 other path(s) + + Upgrade unzipper@0.9.15 to unzipper@0.12.1 to fix + ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + ✗ Inefficient Algorithmic Complexity (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353389] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + + +Issues with no direct upgrade or patch: + ✗ Type Confusion [High Severity][https://security.snyk.io/vuln/SNYK-JS-LIBXMLJS2-6808810] in libxmljs2@0.37.0 + introduced by libxmljs2@0.37.0 + No upgrade or patch available + ✗ Type Confusion [High Severity][https://security.snyk.io/vuln/SNYK-JS-LIBXMLJS2-6808816] in libxmljs2@0.37.0 + introduced by libxmljs2@0.37.0 + No upgrade or patch available + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASHSET-1320032] in lodash.set@4.3.2 + introduced by grunt-replace-json@0.1.0 > lodash.set@4.3.2 + No upgrade or patch available + ✗ Arbitrary Code Injection [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-MARSDB-480405] in marsdb@0.6.11 + introduced by marsdb@0.6.11 + No upgrade or patch available + ✗ Incomplete Filtering of One or More Instances of 
Special Elements [High Severity][https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476] in validator@13.15.15 + introduced by sequelize@6.37.7 > validator@13.15.15 + This issue was fixed in versions: 13.15.22 + ✗ Improper Control of Dynamically-Managed Code Resources [High Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-15116160] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.10.2 + ✗ Sandbox Bypass [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-5537100] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.9.18 + ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-5772823] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.10.0 + ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-5772825] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.10.0 + + + +Organization: mmenshikh +Package manager: npm +Target file: /juice-shop/package.json +Project name: juice-shop +Docker image: bkimminich/juice-shop:v19.0.0 +Licenses: enabled + + +Tested 2 projects, 2 contained vulnerable paths. + + + + + ERROR Forbidden (SNYK-CLI-0000) + The encountered error only provides basic information, please take a look at + the given details. If they do not help to resolve the issue, consider + debugging or consulting support. + + Forbidden + +Status: 403 Forbidden +Docs: https://docs.snyk.io/scan-with-snyk/error-catalog#snyk-cli-0000 + +ID: urn:snyk:interaction:9acf8420-9127-4690-b161-137044abd495 diff --git a/labs/submission7.md b/labs/submission7.md new file mode 100644 index 00000000..168ae3f1 --- /dev/null +++ b/labs/submission7.md 
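Review bot: The committed output ends with `ERROR Forbidden (SNYK-CLI-0000)` and `Status: 403 Forbidden`, so the artifact records a run whose final step did not complete; it follows `Tested 2 projects, 2 contained vulnerable paths.`, so the two project tests appear to have finished, but what the failed step was and whether any findings are missing cannot be told from the file. Either re-run with working credentials and commit the complete output, or add a short note at the top of the file stating that the trailing step failed, so the `found 8 issues` and `found 47 issues` totals are not read as exhaustive. The `Organization:` value and the `ID: urn:snyk:interaction:…` line are account-specific run metadata that add nothing to the lab result and could be dropped before committing. The block under `Issues with no direct upgrade or patch:` (vm2, marsdb, libxmljs2, lodash.set) is the part that dependency upgrades alone will not clear, so the accompanying write-up should say how those are treated rather than only listing upgrade recommendations.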
@@ -0,0 +1,166 @@
+# Lab 7 --- Container Security: Image Scanning & Deployment Hardening
+
+## Task 1 --- Image Vulnerability & Configuration Analysis
+
+### Top 5 Critical/High Vulnerabilities
+
+1. CVE-2025-69421 (openssl/libssl3) --- High\
+ Impact: Cryptographic vulnerability that may allow data compromise
+ or MITM attacks.
+
+2. SNYK-UPSTREAM-NODE-14928492 (node) --- Critical\
+ Impact: Race condition leading to unpredictable execution or
+ security bypass.
+
+3. SNYK-JS-MARSDB-480405 (marsdb) --- Critical\
+ Impact: Arbitrary code execution.
+
+4. SNYK-JS-VM2-5772823 (vm2) --- Critical\
+ Impact: Remote Code Execution (RCE).
+
+5. SNYK-JS-SEQUELIZE-15456219 (sequelize) --- High\
+ Impact: SQL Injection vulnerability.
+
+------------------------------------------------------------------------
+
+### Dockle Configuration Findings
+
+No FATAL or WARN issues detected.
+
+However, INFO findings: - Missing HEALTHCHECK → container health cannot
+be monitored - Content trust disabled → images may be unverified -
+Unnecessary files (.DS_Store) → increases attack surface
+
+------------------------------------------------------------------------
+
+### Security Posture Assessment
+
+- The image likely runs as root (no USER specified)
+- Large number of vulnerabilities (128 total)
+
+Recommendations: - Use non-root user - Update dependencies - Add
+HEALTHCHECK - Enable Docker Content Trust - Remove unnecessary files
+
+------------------------------------------------------------------------
+
+## Task 2 --- Docker Host Security Benchmarking
+
+### Summary Statistics
+
+- PASS: \~20+
+- WARN: \~15+
+- FAIL: 0
+- INFO: many
+
+------------------------------------------------------------------------
+
+### Analysis of Failures
+
+No explicit FAIL, but many WARN issues:
+
+1. No TLS for Docker daemon\
+ Impact: Remote unauthorized access\
+ Fix: Enable TLS authentication
+
+2. No user namespaces\
+ Impact: Privilege escalation\
+ Fix: Enable userns-remap
+
+3. 
No auditing\
+ Impact: No traceability\
+ Fix: Configure auditd
+
+4. Docker socket wrong ownership\
+ Impact: Root access via socket\
+ Fix: Restrict permissions
+
+5. No resource/security restrictions\
+ Impact: Containers can abuse host\
+ Fix: Apply limits and policies
+
+------------------------------------------------------------------------
+
+## Task 3 — Deployment Security Configuration Analysis
+
+### Configuration Comparison Table
+
+
+| Profile | Capabilities | Security Options | Memory | CPU | PIDs | Restart |
+| :--- | :--- | :--- | :--- | :--- | :--- | :--- |
+| **Default** | Default | None | No | No | No | No |
+| **Hardened** | Drop ALL | no-new-privileges | 512MB | 1 | No | No |
+| **Production** | Drop ALL + NET_BIND | no-new-privileges + seccomp | 512MB | 1 | 100 | on-failure |
+
+
+------------------------------------------------------------------------
+
+### Security Measure Analysis
+
+#### a) Capabilities
+
+Linux capabilities = fine-grained root privileges.
+
+Dropping ALL: - prevents privilege escalation - blocks dangerous
+syscalls
+
+NET_BIND_SERVICE: - allows binding to low ports
+
+Trade-off: - security vs functionality
+
+------------------------------------------------------------------------
+
+#### b) no-new-privileges
+
+Prevents gaining new privileges via setuid.
+
+Prevents: - privilege escalation attacks
+
+Downside: - may break some apps
+
+------------------------------------------------------------------------
+
+#### c) Resource limits
+
+Without limits: - DoS possible
+
+Prevents: - memory exhaustion attacks
+
+Risk: - app crashes if limits too low
+
+------------------------------------------------------------------------
+
+#### d) PID limit
+
+Fork bomb = infinite process creation. 
+
+PID limit: - prevents system exhaustion
+
+Choosing value: - based on app needs
+
+------------------------------------------------------------------------
+
+#### e) Restart policy
+
+on-failure: restart 3 times
+
+Useful: - improves reliability
+
+Risk: - restart loops
+
+Difference: - always = infinite restart
+
+------------------------------------------------------------------------
+
+### Critical Thinking
+
+Development: - Default (easy debugging)
+
+Production: - Production profile (secure)
+
+Resource limits solve: - DoS attacks and resource abuse
+
+Attack difference: - Production blocks privilege escalation, limits
+damage
+
+Additional hardening: - run as non-root - read-only filesystem - network
+isolation - secrets management