Vulnerabilities in code-server #2964

Closed
@PatrickDerichs

Description

OS/Web Information

  • Web Browser: Chrome
  • Local OS: Ubuntu 20.04
  • Remote OS: Ubuntu 20.04
  • Remote Architecture: 64-bit
  • code-server --version:

Steps to Reproduce

  1. Build an image with the latest code-server
  2. Run Trivy with said image

Expected

No vulnerabilities found

Actual

Trivy finds the following vulnerabilities:

 usr/lib/code-server/lib/vscode/yarn.lock
 ========================================
 Total: 3 (HIGH: 3, CRITICAL: 0)
 +---------+------------------+----------+-------------------+---------------+---------------------------------------+
 | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
 +---------+------------------+----------+-------------------+---------------+---------------------------------------+
 | is-svg  | CVE-2021-28092   | HIGH     | 3.0.0             | 4.2.2         | nodejs-is-svg: ReDoS                  |
 |         |                  |          |                   |               | via malicious string                  |
 |         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-28092 |
 +---------+------------------+          +-------------------+---------------+---------------------------------------+
 | ssri    | CVE-2021-27290   |          | 6.0.1             | 8.0.1         | nodejs-ssri: Regular                  |
 |         |                  |          |                   |               | expression DoS when parsing           |
 |         |                  |          |                   |               | malicious SRI in strict mode          |
 |         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-27290 |
 +         +                  +          +-------------------+               +                                       +
 |         |                  |          | 8.0.0             |               |                                       |
 |         |                  |          |                   |               |                                       |
 |         |                  |          |                   |               |                                       |
 |         |                  |          |                   |               |                                       |
 +---------+------------------+----------+-------------------+---------------+---------------------------------------+
 usr/lib/code-server/yarn.lock
 =============================
 Total: 1 (HIGH: 1, CRITICAL: 0)
 +---------+------------------+----------+-------------------+---------------+---------------------------------------+
 | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
 +---------+------------------+----------+-------------------+---------------+---------------------------------------+
 | is-svg  | CVE-2021-28092   | HIGH     | 3.0.0             | 4.2.2         | nodejs-is-svg: ReDoS                  |
 |         |                  |          |                   |               | via malicious string                  |
 |         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-28092 |
 +---------+------------------+----------+-------------------+---------------+---------------------------------------+

Notes

This issue can be reproduced in VS Code: No
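A quick way to check a build's own lock files against the fixed versions Trivy lists above, as an added example that is not part of this issue or of the code-server project: it parses the yarn v1 lockfile format, compares each resolved version of the two reported packages against the fixed version, and flags anything below it. The sample lockfile is constructed for illustration, and the version ordering is a deliberately simple numeric comparison rather than full semver.

```python
import re

# Fixed versions are the ones Trivy reported in this issue.
FIXED_VERSIONS = {"is-svg": ("CVE-2021-28092", "4.2.2"),
                  "ssri": ("CVE-2021-27290", "8.0.1")}

# Constructed sample in yarn v1 lockfile format, not the real code-server yarn.lock.
SAMPLE_YARN_LOCK = """\
is-svg@^3.0.0:
  version "3.0.0"
ssri@^6.0.0, ssri@^6.0.1:
  version "6.0.1"
ssri@^8.0.0:
  version "8.0.0"
semver@^7.3.2:
  version "7.3.4"
"""

# Entry header: one or more name@range specifiers ending in ":"; scoped names keep their "@".
ENTRY_RE = re.compile(r'^"?(?P<name>@?[^@\s"]+)@[^:]*:\s*$')
VERSION_RE = re.compile(r'^\s+version\s+"(?P<version>[^"]+)"')

def parse_yarn_lock(text):
    """Return the set of (package, resolved version) pairs in a v1 yarn.lock."""
    found, name = set(), None
    for line in text.splitlines():
        header = ENTRY_RE.match(line)
        if header:
            name = header.group("name")
            continue
        version = VERSION_RE.match(line)
        if version and name:
            found.add((name, version.group("version")))
            name = None  # one version line per entry; avoid attributing stray lines
    return found

def version_key(version):
    """Crude ordering: numeric dotted core only, prerelease/build tags ignored."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))

def find_vulnerable(lock_text, fixed=FIXED_VERSIONS):
    """List (package, installed, CVE, fixed) for every resolved version below the fix."""
    hits = []
    for name, installed in parse_yarn_lock(lock_text):
        if name in fixed:
            cve, fixed_version = fixed[name]
            if version_key(installed) < version_key(fixed_version):
                hits.append((name, installed, cve, fixed_version))
    return sorted(hits)
```

Running `find_vulnerable` over the sample reports both ssri entries (6.0.1 and 8.0.0) and is-svg 3.0.0, matching the three findings Trivy lists for the vscode yarn.lock above.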

Labels

  • dependencies (Pull requests that update a dependency file)