Skip to content

Vulnerabilitiies in code-server #2964

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
PatrickDerichs opened this issue Mar 25, 2021 · 2 comments · Fixed by #3041
Closed

Vulnerabilitiies in code-server #2964

PatrickDerichs opened this issue Mar 25, 2021 · 2 comments · Fixed by #3041
Assignees
@jsjoeio
Labels
dependencies Pull requests that update a dependency file
Milestone
v3.9.3

Comments

@PatrickDerichs
Copy link

OS/Web Information

  • Web Browser: Chrome
  • Local OS: Ubuntu 20.04
  • Remote OS: Ubuntu 20.04
  • Remote Architecture: 64-bit
  • code-server --version:

Steps to Reproduce

  1. Build an image with the latest code-server
  2. Run Trivy with said image

Expected

No vulnerabilities found

Actual

Trivy finds the following vulnerabilities:

 usr/lib/code-server/lib/vscode/yarn.lock
 ========================================
 Total: 3 (HIGH: 3, CRITICAL: 0)
 +---------+------------------+----------+-------------------+---------------+---------------------------------------+
 | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
 +---------+------------------+----------+-------------------+---------------+---------------------------------------+
 | is-svg  | CVE-2021-28092   | HIGH     | 3.0.0             | 4.2.2         | nodejs-is-svg: ReDoS                  |
 |         |                  |          |                   |               | via malicious string                  |
 |         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-28092 |
 +---------+------------------+          +-------------------+---------------+---------------------------------------+
 | ssri    | CVE-2021-27290   |          | 6.0.1             | 8.0.1         | nodejs-ssri: Regular                  |
 |         |                  |          |                   |               | expression DoS when parsing           |
 |         |                  |          |                   |               | malicious SRI in strict mode          |
 |         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-27290 |
 +         +                  +          +-------------------+               +                                       +
 |         |                  |          | 8.0.0             |               |                                       |
 |         |                  |          |                   |               |                                       |
 |         |                  |          |                   |               |                                       |
 |         |                  |          |                   |               |                                       |
 +---------+------------------+----------+-------------------+---------------+---------------------------------------+
 usr/lib/code-server/yarn.lock
 =============================
 Total: 1 (HIGH: 1, CRITICAL: 0)
 +---------+------------------+----------+-------------------+---------------+---------------------------------------+
 | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
 +---------+------------------+----------+-------------------+---------------+---------------------------------------+
 | is-svg  | CVE-2021-28092   | HIGH     | 3.0.0             | 4.2.2         | nodejs-is-svg: ReDoS                  |
 |         |                  |          |                   |               | via malicious string                  |
 |         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-28092 |
 +---------+------------------+----------+-------------------+---------------+---------------------------------------+

Notes

This issue can be reproduced in VS Code: No
@jsjoeio jsjoeio added the dependencies Pull requests that update a dependency file label Mar 25, 2021
@jsjoeio jsjoeio modified the milestones: On Deck, v3.9.3 Mar 25, 2021
@jsjoeio
Copy link
Contributor

jsjoeio commented Mar 25, 2021

Thanks for opening this issue @PatrickDerichs and for providing repro steps! We'll fix these vulnerabilities!

@jsjoeio jsjoeio self-assigned this Apr 5, 2021
@jsjoeio jsjoeio mentioned this issue Apr 5, 2021
Merged
2 tasks
@jsjoeio
Copy link
Contributor

jsjoeio commented Apr 5, 2021

Note: I didn't fix the vulnerabilities in lib/vscode. Those would be upstream. Hopefully as we update VS Code with each release, those get fixed upstream.

@jsjoeio jsjoeio mentioned this issue Apr 5, 2021
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jsjoeio jsjoeio

Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
v3.9.3
Development

Successfully merging a pull request may close this issue.

fix(deps): update and fix vulnerabilities coder/code-server
2 participants
@PatrickDerichs @jsjoeio