
code-server 3.9.3 vulnerabilities #3185

Closed
Jose-Matsuda opened this issue Apr 21, 2021 · 3 comments · Fixed by #3187
Labels
dependencies (Pull requests that update a dependency file), security (Security related)
Comments

@Jose-Matsuda

Hi there,

I think this is #2860 but for a different package.
My team uses code-server in Docker images, and before pushing an image to our repo we run a trivy scan, which gets the hit below.

trivy
Scanning for vulnerabilities...
╔══════════════════════╤═════════════════╤═════════════════╤════════════════════════════════════════════════════╤══════════════════════╗
║ VULNERABILITY ID     │ PACKAGE NAME    │ SEVERITY        │ DESCRIPTION                                        │ TARGET               ║
╟──────────────────────┼─────────────────┼─────────────────┼────────────────────────────────────────────────────┼──────────────────────╢
║ CVE-2021-28918       │ netmask         │ CRITICAL        │ Improper input validation of octal strings in      │ usr/lib/code-server/ ║
║                      │                 │                 │ netmask npm package v1.0.6 and below allows        │ lib/vscode/yarn.lock ║
║                      │                 │                 │ unauthenticated remote attackers to perform        │                      ║
║                      │                 │                 │ indeterminate SSRF, RFI, and LFI attacks on many   │                      ║
║                      │                 │                 │ of the dependent packages. A remote                │                      ║
║                      │                 │                 │ unauthenticated attacker can bypass packages       │                      ║
║                      │                 │                 │ relying on netmask to filter IPs and reach         │                      ║
║                      │                 │                 │ critical VPN or LAN hosts.                         │                      ║
╟──────────────────────┼─────────────────┼─────────────────┼────────────────────────────────────────────────────┼──────────────────────╢
║ CVE-2021-28918       │ netmask         │ CRITICAL        │ Improper input validation of octal strings in      │ usr/lib/code-server/ ║
║                      │                 │                 │ netmask npm package v1.0.6 and below allows        │ yarn.lock            ║
║                      │                 │                 │ unauthenticated remote attackers to perform        │                      ║
║                      │                 │                 │ indeterminate SSRF, RFI, and LFI attacks on many   │                      ║
║                      │                 │                 │ of the dependent packages. A remote                │                      ║
║                      │                 │                 │ unauthenticated attacker can bypass packages       │                      ║
║                      │                 │                 │ relying on netmask to filter IPs and reach         │                      ║
║                      │                 │                 │ critical VPN or LAN hosts.                         │                      ║
╚══════════════════════╧═════════════════╧═════════════════╧════════════════════════════════════════════════════╧══════════════════════╝

GHSA-4c7m-wxvm-r7gc

OS/Web Information

  • Web Browser: Chrome
  • Local OS: Ubuntu
  • Remote OS: Ubuntu
  • Remote Architecture: Docker image
  • code-server --version: 3.9.3

This issue can be reproduced in VS Code: No

Thanks
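The advisory text in the scan output describes improper validation of octal strings. The bug class behind that wording: an IP filter that reads every octet as decimal sees "0177.0.0.1" as 177.0.0.1 (public, allowed), while the socket layer, following inet_aton(3), reads the leading-zero octet as octal and connects to 127.0.0.1. The following is an added example and is not netmask's, pac-resolver's or code-server's code: a lenient parser that reproduces the bug class beside a parser that applies inet_aton octet rules, both driving the same deny-list of internal ranges. The deny list, the sample addresses and all function names are constructed for illustration.

```javascript
// Added example (not netmask's source). Demonstrates why an IP filter must
// parse addresses the same way the socket layer does.

// Lenient parser: every octet read as base-10, so "0177" becomes 177.
// This reproduces the bug class named in the advisory, not netmask's code.
function ip2longLenient(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error('expected dotted quad: ' + ip);
  let n = 0;
  for (const p of parts) {
    if (!/^\d+$/.test(p)) throw new Error('bad octet: ' + p);
    const v = parseInt(p, 10);
    if (v > 255) throw new Error('octet out of range: ' + p);
    n = n * 256 + v;
  }
  return n;
}

// Parser following inet_aton(3) octet rules for a four-part address:
// "0x" prefix is hex, leading "0" is octal, otherwise decimal.
// (inet_aton also accepts one- to three-part forms; this example assumes four.)
function ip2longStrict(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error('expected dotted quad: ' + ip);
  let n = 0;
  for (const p of parts) {
    let v;
    if (/^0[xX][0-9a-fA-F]+$/.test(p)) v = parseInt(p.slice(2), 16);
    else if (/^0[0-7]+$/.test(p)) v = parseInt(p.slice(1), 8);
    else if (/^(0|[1-9]\d*)$/.test(p)) v = parseInt(p, 10);
    else throw new Error('bad octet: ' + p);
    if (v > 255) throw new Error('octet out of range: ' + p);
    n = n * 256 + v;
  }
  return n;
}

// Canonical form: four decimal octets, no leading zeros. Rejecting anything
// else before filtering is the simplest hardening when you control the input.
function isCanonicalDottedQuad(ip) {
  const parts = ip.split('.');
  return parts.length === 4 &&
    parts.every(p => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

function long2ip(n) {
  return [24, 16, 8, 0].map(s => (n >>> s) & 255).join('.');
}

// Is `addr` inside `cidr` when both are read with `parse`?
function inCidr(parse, addr, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((parse(addr) & mask) >>> 0) === ((parse(base) & mask) >>> 0);
}

// Constructed deny list of internal ranges (typical SSRF guard).
const BLOCKED = ['10.0.0.0/8', '127.0.0.0/8', '169.254.0.0/16',
                 '172.16.0.0/12', '192.168.0.0/16'];

function isAllowedTarget(parse, addr) {
  return !BLOCKED.some(cidr => inCidr(parse, addr, cidr));
}

// Constructed attacker inputs: public under the lenient parser, internal
// under inet_aton rules.
const SAMPLES = ['0177.0.0.1', '012.0.0.1', '0254.020.0.1'];

// Show what the filter believes versus where the kernel would connect.
function compare(addr) {
  return {
    input: addr,
    filterSees: long2ip(ip2longLenient(addr)),
    allowedByFilter: isAllowedTarget(ip2longLenient, addr),
    kernelConnectsTo: long2ip(ip2longStrict(addr)),
    actuallyInternal: !isAllowedTarget(ip2longStrict, addr),
    rejectedAsNonCanonical: !isCanonicalDottedQuad(addr),
  };
}

for (const s of SAMPLES) console.log(compare(s));
```

Each sample is accepted by the lenient filter yet lands on a loopback, 10/8 or 172.16/12 host once the OS parses it; the canonical-form check rejects all three before any range comparison happens.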

@jsjoeio added the security (Security related) and dependencies (Pull requests that update a dependency file) labels Apr 21, 2021
@jsjoeio jsjoeio added this to the v3.9.4 milestone Apr 21, 2021
@jsjoeio

jsjoeio commented Apr 21, 2021

Thanks for opening this issue! @jawnsy just opened an issue to run these scans more periodically:

We'll take care of this before the next release

@oxy

oxy commented Apr 21, 2021

I had a quick look at why netmask is installed; chain is proxy-agent -> pac-proxy-agent -> pac-resolver -> netmask

netmask is only used by isInNet in pac-resolver, which isn't used elsewhere in pac-resolver or anywhere else in the dependency chain. We're updating it, but the current release does not pose any security risk, as netmask is just dead code.

Will still push a fix!
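The triage in the comment above starts by establishing how netmask reaches the tree (proxy-agent -> pac-proxy-agent -> pac-resolver -> netmask). With a yarn v1 lockfile, `yarn why netmask` answers that directly; the following added example (not code-server's tooling) shows the same walk done by hand, which is useful when only the lockfile flagged by the scanner is available. The lockfile text is constructed for illustration and its version ranges are hypothetical; only the package names in the chain come from the comment.

```javascript
// Added example: find every dependency path from a root spec to a package
// name in a yarn v1 lockfile. Not part of code-server; lockfile is constructed.

// Constructed yarn.lock v1 excerpt. Version ranges are hypothetical.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


netmask@^1.0.6:
  version "1.0.6"
  resolved "https://registry.yarnpkg.com/netmask/-/netmask-1.0.6.tgz"
  integrity sha512-constructed

pac-proxy-agent@^4.1.0:
  version "4.1.0"
  resolved "https://registry.yarnpkg.com/pac-proxy-agent/-/pac-proxy-agent-4.1.0.tgz"
  dependencies:
    pac-resolver "^4.1.0"

pac-resolver@^4.1.0:
  version "4.1.0"
  resolved "https://registry.yarnpkg.com/pac-resolver/-/pac-resolver-4.1.0.tgz"
  dependencies:
    netmask "^1.0.6"

proxy-agent@^4.0.1:
  version "4.0.1"
  resolved "https://registry.yarnpkg.com/proxy-agent/-/proxy-agent-4.0.1.tgz"
  dependencies:
    pac-proxy-agent "^4.1.0"
`;

// Parse a yarn v1 lockfile into Map<"name@range", {name, version, dependencies}>.
// Headers may list several comma-separated specs, optionally quoted; the body
// is indented two spaces, dependency lines four.
function parseYarnLock(text) {
  const entries = new Map();
  let current = null;
  let inDeps = false;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      const specs = line.replace(/:$/, '').split(',')
        .map(s => s.trim().replace(/^"|"$/g, ''));
      // Package name is everything before the last '@' (handles @scope/name).
      const name = specs[0].slice(0, specs[0].lastIndexOf('@'));
      current = { name, version: null, dependencies: [] };
      for (const s of specs) entries.set(s, current);
      inDeps = false;
      continue;
    }
    if (!current) continue;
    const indent = line.length - line.trimStart().length;
    const body = line.trim();
    if (indent === 2) {
      inDeps = body === 'dependencies:' || body === 'optionalDependencies:';
      const m = /^version "([^"]+)"$/.exec(body);
      if (m) current.version = m[1];
    } else if (indent === 4 && inDeps) {
      const m = /^("?)([^"\s]+)\1 "([^"]+)"$/.exec(body);
      if (m) current.dependencies.push(m[2] + '@' + m[3]);
    }
  }
  return entries;
}

// Depth-first search from rootSpec, returning every path of package names
// that ends at targetName. Cycles are cut by refusing to revisit a name.
function findPaths(entries, rootSpec, targetName) {
  const paths = [];
  const walk = (spec, trail) => {
    const entry = entries.get(spec);
    if (!entry || trail.includes(entry.name)) return;
    const next = trail.concat(entry.name);
    if (entry.name === targetName) { paths.push(next); return; }
    for (const dep of entry.dependencies) walk(dep, next);
  };
  walk(rootSpec, []);
  return paths;
}

const LOCK = parseYarnLock(SAMPLE_LOCK);
for (const p of findPaths(LOCK, 'proxy-agent@^4.0.1', 'netmask')) {
  console.log(p.join(' -> '));
}
```

Knowing the path tells you which package's code to read next (here, the isInNet call in pac-resolver) to decide whether the flagged function is reachable from your application or, as the comment concludes, dead code.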

@jsjoeio jsjoeio linked a pull request Apr 22, 2021 that will close this issue
@jsjoeio

jsjoeio commented Apr 22, 2021

Closing via #3187


3 participants