
Various vulnerabilities #196

Closed
AdrienFromToulouse opened this issue Sep 26, 2024 · 13 comments
Assignees
Labels
bug Something isn't working

Comments

@AdrienFromToulouse

Describe the bug

Hi there,

multiple CVEs with fix are available:

CVE-2024-43800
CVE-2024-43796
CVE-2024-43799
CVE-2024-45296

Would you mind upgrading the docker image? 🙏

Cheers,

Steps to reproduce the bug

No response

Expected behavior

No response

Logs, error output, etc.

No response

Screenshots

No response

Additional context

No response

Unleash version

v1.4.6

Subscription type

Pro

Hosting type

Self-hosted

SDK information (language and version)

No response

@AdrienFromToulouse AdrienFromToulouse added the bug Something isn't working label Sep 26, 2024
@AdrienFromToulouse
Author

Just noticed that #195 is in fact also addressing part of the CVE above.

@chriswk
Member

chriswk commented Oct 2, 2024

Hi @AdrienFromToulouse - we've merged the PR bumping express to 4.21 and openapi to upstream from wesleytodd; from the CVE, it now looks like we're using a new enough version. I'll cut a patch release of the proxy.

@chriswk
Member

chriswk commented Oct 2, 2024

1.4.7 is now out, updated to upstream openapi and express 4.21, which from my quick check using yarn why on the dependencies marked in the CVEs mentioned here are all patched. Can you confirm, and preferably close this issue?

@AdrienFromToulouse
Author

> 1.4.7 is now out, updated to upstream openapi and express 4.21, which from my quick check using yarn why on the dependencies marked in the CVEs mentioned here are all patched. Can you confirm, and preferably close this issue?

@chriswk thank you so much for your help! Will deploy ASAP.

@AdrienFromToulouse
Author

I think those are the only CVEs left:

@chriswk
Member

chriswk commented Oct 4, 2024

That's odd, GHSA-qw6h-vgh9-j6wx says < 4.20, and we just upgraded express to 4.21.
For the path-to-regexp vuln I've made #198 to deal with it.

@AdrienFromToulouse
Author

AdrienFromToulouse commented Oct 4, 2024

CVE-2024-43796

Agreed it is strange, however it still appears on their repo too, so I guess there might be something missing on their end: GHSA-qw6h-vgh9-j6wx

this issue is patched in express 4.20.0

We run the latest docker image though... Will triple check on my end.

@AdrienFromToulouse
Author

AdrienFromToulouse commented Oct 4, 2024

That's very strange, the image looks indeed all good according to docker scout (docker scout cves unleashorg/unleash-proxy:v1.4.7), however google cloud vulnerability detectors still detect express as not being patched... Forget about it; I guess Express is just fine, and GCP may "wrongly" detect the express version based on the /security/advisories/ of their repo that is not closed.

## Overview

                    │                                    Analyzed Image                                      
────────────────────┼────────────────────────────────────────────────────────────────────────────────────────
  Target            │  unleashorg/unleash-proxy:v1.4.7                                                       
    digest          │  6854aad248e0                                                                          
    platform        │ linux/arm64                                                                            
    provenance      │ https://github.com/Unleash/unleash-proxy.git#bee96e0cca64406c469d691225db8db11f260bf9  
                    │  https://github.com/Unleash/unleash-proxy/blob/bee96e0cca64406c469d691225db8db11f260bf9                                              
    vulnerabilities │    0C     1H     0M     0L                                                             
    size            │ 67 MB                                                                                  
    packages        │ 228                                                                                    
                    │                                                                                        
  Base image        │  node:20-alpine                                                                        
                    │  2d07db07a2df                                                                          


## Packages and Vulnerabilities

   0C     1H     0M     0L  path-to-regexp 0.1.7
pkg:npm/path-to-regexp@0.1.7

https://github.com/Unleash/unleash-proxy/blob/bee96e0cca64406c469d691225db8db11f260bf9/Dockerfile#L33-L33
RUN chown -R node:node /unleash-proxy

    ✗ HIGH CVE-2024-45296 [Inefficient Regular Expression Complexity]
      https://scout.docker.com/v/CVE-2024-45296?s=github&n=path-to-regexp&t=npm&vr=%3C0.1.10
      Affected range : <0.1.10                                       
      Fixed version  : 0.1.10                                        
      CVSS Score     : 7.5                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  
    


1 vulnerability found in 1 package
  LOW       0  
  MEDIUM    0  
  HIGH      1  
  CRITICAL  0  
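As an added example (not part of the issue thread or the Unleash project), a small Python parser for the text report that `docker scout cves` prints, as pasted above, with a severity gate and a numeric version comparison so that a build can fail on HIGH/CRITICAL findings that have a fix available. The sample report is constructed from the output shown in this thread, and the regexes assume the column layout seen there.

```python
import re

# Constructed sample in the layout of the `docker scout cves` report pasted in the issue.
SAMPLE_REPORT = """\
   0C     1H     0M     0L  path-to-regexp 0.1.7
pkg:npm/path-to-regexp@0.1.7

    ✗ HIGH CVE-2024-45296 [Inefficient Regular Expression Complexity]
      Affected range : <0.1.10
      Fixed version  : 0.1.10
      CVSS Score     : 7.5

1 vulnerability found in 1 package
"""

# Regexes assume the layout seen above: "<n>C <n>H <n>M <n>L <name> <version>" headers.
PKG_RE = re.compile(r"^\s*\d+C\s+\d+H\s+\d+M\s+\d+L\s+(\S+)\s+(\S+)\s*$")
VULN_RE = re.compile(r"^\s*✗\s+(CRITICAL|HIGH|MEDIUM|LOW|UNSPECIFIED)\s+(\S+)")
FIELD_RE = re.compile(r"^\s*(Affected range|Fixed version|CVSS Score)\s*:\s*(.*?)\s*$")
FIELDS = {"Affected range": "affected", "Fixed version": "fixed", "CVSS Score": "cvss"}
SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]

def parse_scout_report(text):
    """Return one dict per ✗ line, attached to the package header above it."""
    findings, package, version, current = [], None, None, None
    for line in text.splitlines():
        if m := PKG_RE.match(line):
            package, version = m.groups()
        elif (m := VULN_RE.match(line)) and package:
            current = {"package": package, "version": version,
                       "id": m.group(2), "severity": m.group(1), "fixed": ""}
            findings.append(current)
        elif (m := FIELD_RE.match(line)) and current:
            key, value = m.groups()
            current[FIELDS[key]] = float(value) if key == "CVSS Score" else value
    return findings

def version_tuple(v):
    # Numeric dotted versions only; pre-release suffixes are not handled.
    return tuple(int(p) for p in re.findall(r"\d+", v))

def needs_upgrade(finding):
    # Numeric compare: as strings "0.1.7" > "0.1.10", which would wrongly read as already fixed.
    return bool(finding["fixed"]) and version_tuple(finding["version"]) < version_tuple(finding["fixed"])

def failing_findings(findings, threshold="HIGH"):
    """Findings at or above the threshold severity; a non-empty list means fail the build."""
    floor = SEVERITY_ORDER.index(threshold)
    return [f for f in findings if f["severity"] in SEVERITY_ORDER
            and SEVERITY_ORDER.index(f["severity"]) >= floor]
```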

@AdrienFromToulouse
Author

@chriswk sorry we may have to add that new one into the mix too:
GHSA-pxg6-pf52-xh8x

It is a low severity one.

@chriswk
Member

chriswk commented Oct 10, 2024

Hi @AdrienFromToulouse #199 is made to set up a resolution to the just released 1.0.0 of cookie. I'll get it merged and a new version released.

@AdrienFromToulouse
Author

> Hi @AdrienFromToulouse #199 is made to set up a resolution to the just released 1.0.0 of cookie. I'll get it merged and a new version released.

Awesome 🚀 , if one day I stop by Oslo, I will offer you a coffee per release version you did on that issue.

@chriswk
Member

chriswk commented Oct 10, 2024

Hehe. No need. This is in our interest as well. If you're in Oslo I'll buy you an alcoholic/non-alcoholic drink of your choice for your patience and complete bug reports. :)

@chriswk
Member

chriswk commented Oct 10, 2024

1.4.8 is released and getting pushed as we speak. I've made Unleash/helm-charts#169 to make sure our helm chart is also up to date. Closing this issue now. Feel free to create new issues if you start having problems again.

@chriswk chriswk closed this as completed Oct 10, 2024
@github-project-automation github-project-automation bot moved this from Investigating to Done in Issues and PRs Oct 10, 2024