
code-server 3.9.1 uses nodejs packages with vulnerabilities #2860

Closed
PatrickDerichs opened this issue Mar 11, 2021 · 3 comments · Fixed by #2861
@PatrickDerichs

We use code-server in docker images with reverse proxy and when you scan the image afterwards with trivy, we get a couple of hits in vulnerabilities:

+---------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+---------+------------------+----------+-------------------+---------------+---------------------------------------+
| tar     | CVE-2018-20834   | HIGH     | 2.2.1             | 4.4.2, 2.2.2  | nodejs-tar: Arbitrary file            |
|         |                  |          |                   |               | overwrites when extracting            |
|         |                  |          |                   |               | tarballs containing a hard-link       |
|         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-20834 |
+---------+------------------+----------+-------------------+---------------+---------------------------------------+

usr/lib/code-server/yarn.lock
=============================
Total: 2 (HIGH: 2, CRITICAL: 0)

+------------+------------------+----------+-------------------+---------------+--------------------------------------+
|  LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+------------+------------------+----------+-------------------+---------------+--------------------------------------+
| ini        | CVE-2020-7788    | HIGH     | 1.3.5             | 1.3.6         | nodejs-ini: prototype pollution      |
|            |                  |          |                   |               | via malicious INI file               |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-7788 |
+------------+------------------+          +-------------------+---------------+--------------------------------------+
| node-forge | CVE-2020-7720    |          | 0.7.6             | 0.10.0        | nodejs-node-forge:                   |
|            |                  |          |                   |               | prototype pollution via              |
|            |                  |          |                   |               | the util.setPath function            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-7720 |
+------------+------------------+----------+-------------------+---------------+--------------------------------------+

These seem to be part of the yarn.locks/package.jsons from the code-server base. I have tried to patch said packages by using resolutions in the package.jsons, but updating these packages seems to break code-server as it won't load vscode properly anymore.

  • Web Browser: Chrome
  • Local OS: Ubuntu
  • Remote OS: Ubuntu
  • Remote Architecture: Docker image
  • code-server --version: 3.9.1 e0203f2

@oxy

oxy commented Mar 11, 2021

Hey, so for each of those packages, looking at yarn.lock

I think I can update tar in the vscode yarn.lock, and ini in the code-server one, but node-forge is pulled in by parcel-bundler, which hasn't seen an update in over a year.

I'll see what I can do in the next hour.
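A lockfile check for the findings above, added here as an example and not code from code-server, trivy or this issue's author: it parses a yarn.lock v1 file, compares the three packages from the trivy output against the fixed versions trivy listed, and derives the package.json `resolutions` pins that the reporter's attempt needs (for tar it picks the 2.2.2 backport on the installed major line rather than 4.4.2). Run it once per lockfile, since the comment above notes that tar and ini live in different lockfiles than node-forge; the lockfile excerpt below is constructed.

```javascript
// Added example, not code from code-server or trivy. Assumes yarn.lock v1 syntax;
// the CVE ids and fixed versions are the ones trivy listed in this issue.
const ADVISORIES = [
  { pkg: 'tar',        cve: 'CVE-2018-20834', fixed: ['2.2.2', '4.4.2'] },
  { pkg: 'ini',        cve: 'CVE-2020-7788',  fixed: ['1.3.6'] },
  { pkg: 'node-forge', cve: 'CVE-2020-7720',  fixed: ['0.10.0'] },
];
// yarn.lock v1 entries are blank-line separated: a header `tar@^2.0.0, tar@~2.2.1:`
// followed by an indented `version "2.2.1"` line. Returns {name, version} per entry.
function parseYarnLock(text) {
  const entries = [];
  for (const block of text.split(/\n\s*\n/)) {
    const [header, ...body] = block.trim().split('\n');
    if (!header || header.startsWith('#') || !header.endsWith(':')) continue;
    const sel = header.slice(0, -1).split(',')[0].trim().replace(/^"|"$/g, '');
    const ver = body.map(l => l.match(/^\s*version "([^"]+)"/)).find(Boolean);
    entries.push({ name: sel.slice(0, sel.lastIndexOf('@')), version: ver ? ver[1] : null });
  }
  return entries;
}
// Zero-pad each numeric component so plain string comparison orders versions.
const key = v => v.split('.').map(n => n.padStart(5, '0')).join('.');
// Fix to pin via `resolutions`: lowest fixed release on the installed major line
// (tar 2.2.1 -> 2.2.2, not 4.4.2), else the lowest fix above it; null if already patched.
function fixFor(installed, fixed) {
  const sorted = [...fixed].sort((a, b) => (key(a) < key(b) ? -1 : 1));
  const major = sorted.filter(f => f.split('.')[0] === installed.split('.')[0]);
  const cands = (major.length ? major : sorted).filter(f => key(installed) < key(f));
  return cands.length ? cands[0] : null;
}
// Scan lockfile text: returns the findings plus a package.json `resolutions` map.
function scanLock(text, advisories = ADVISORIES) {
  const findings = [], resolutions = {};
  for (const { name, version } of parseYarnLock(text)) {
    const adv = advisories.find(a => a.pkg === name);
    const fix = adv && version ? fixFor(version, adv.fixed) : null;
    if (fix) { findings.push({ pkg: name, version, cve: adv.cve, fix }); resolutions[name] = fix; }
  }
  return { findings, resolutions };
}

// Constructed yarn.lock excerpt with the installed versions trivy reported above.
const SAMPLE_LOCK = [
  '# yarn lockfile v1',
  'ini@^1.3.4:\n  version "1.3.5"',
  'node-forge@^0.7.1:\n  version "0.7.6"',
  'tar@^2.0.0, tar@~2.2.1:\n  version "2.2.1"',
].join('\n\n');
console.log(JSON.stringify(scanLock(SAMPLE_LOCK)));
```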

@oxy

oxy commented Mar 11, 2021

Hey, so I meant to open a PR and everything but I fricked up and ended up committing directly to main...

da65b8e
Oops.

@oxy oxy added the security Security related label Mar 11, 2021
@jsjoeio jsjoeio added this to the v3.9.2 milestone Mar 11, 2021
@PatrickDerichs

Thanks for solving it so quickly though!
