From 931a20e7f772326c46c68eb28091727ebf0aff56 Mon Sep 17 00:00:00 2001 From: InnoNodo Date: Fri, 8 May 2026 12:23:18 +0300 Subject: [PATCH] docs: add lab7 container security submission --- labs/lab7/analysis/deployment-comparison.txt | 21 + labs/lab7/hardening/docker-bench-results.txt | 1 + .../manual-host-image-assessment.txt | 5 + labs/lab7/scanning/dockle-results.txt | 1 + labs/lab7/scanning/scout-cves.txt | 1367 +++++++++++++++++ labs/lab7/scanning/snyk-results.txt | 1 + labs/submission7.md | 142 ++ 7 files changed, 1538 insertions(+) create mode 100644 labs/lab7/analysis/deployment-comparison.txt create mode 100644 labs/lab7/hardening/docker-bench-results.txt create mode 100644 labs/lab7/hardening/manual-host-image-assessment.txt create mode 100644 labs/lab7/scanning/dockle-results.txt create mode 100644 labs/lab7/scanning/scout-cves.txt create mode 100644 labs/lab7/scanning/snyk-results.txt create mode 100644 labs/submission7.md diff --git a/labs/lab7/analysis/deployment-comparison.txt b/labs/lab7/analysis/deployment-comparison.txt new file mode 100644 index 00000000..ffa8188f --- /dev/null +++ b/labs/lab7/analysis/deployment-comparison.txt @@ -0,0 +1,21 @@ +=== Functionality Test === +Default: HTTP 200 +Hardened: HTTP 200 +Production: HTTP 200 + +=== Resource Usage === +NAME CPU % MEM USAGE / LIMIT MEM % +juice-default 0.27% 165.3MiB / 7.281GiB 2.22% +juice-hardened 6.87% 91.46MiB / 512MiB 17.86% +juice-production 0.26% 102.2MiB / 512MiB 19.96% + +=== Security Configurations === + +Container: juice-default +CapDrop: \nCapAdd: \nSecurityOpt: \nMemory: 0\nMemorySwap: 0\nCPUQuota: 0\nPIDs: \nRestart: no + +Container: juice-hardened +CapDrop: [ALL]\nCapAdd: \nSecurityOpt: [no-new-privileges]\nMemory: 536870912\nMemorySwap: 1073741824\nCPUQuota: 0\nPIDs: \nRestart: no + +Container: juice-production +CapDrop: [ALL]\nCapAdd: [CAP_NET_BIND_SERVICE]\nSecurityOpt: [no-new-privileges]\nMemory: 536870912\nMemorySwap: 536870912\nCPUQuota: 0\nPIDs: 100\nRestart: on-failure diff --git a/labs/lab7/hardening/docker-bench-results.txt b/labs/lab7/hardening/docker-bench-results.txt new file mode 100644 index 00000000..d63eb5e0 --- /dev/null +++ b/labs/lab7/hardening/docker-bench-results.txt @@ -0,0 +1 @@ +docker/docker-bench-security was not executed in this environment because it requires a privileged third-party container with host network, host PID namespace, audit_control capability, Docker socket, /var/lib, /etc, and systemd mounts. Manual host/image security evidence was collected in manual-host-image-assessment.txt. diff --git a/labs/lab7/hardening/manual-host-image-assessment.txt b/labs/lab7/hardening/manual-host-image-assessment.txt new file mode 100644 index 00000000..0b813fe1 --- /dev/null +++ b/labs/lab7/hardening/manual-host-image-assessment.txt @@ -0,0 +1,5 @@ +=== Image Inspect === +User=65532\nEntrypoint=["/nodejs/bin/node"]\nCmd=["/juice-shop/build/app.js"]\nExposedPorts={"3000/tcp":{}}\nEnv=["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt"] + +=== Docker Info Security Options === +SecurityOptions=["name=seccomp,profile=builtin","name=cgroupns"]\nCgroupDriver=systemd\nRootless=[name=seccomp,profile=builtin name=cgroupns]\nDockerRootDir=/var/snap/docker/common/var-lib-docker\nServerVersion=29.3.1 diff --git a/labs/lab7/scanning/dockle-results.txt b/labs/lab7/scanning/dockle-results.txt new file mode 100644 index 00000000..86ce0461 --- /dev/null +++ b/labs/lab7/scanning/dockle-results.txt @@ -0,0 +1 @@ +Dockle container scan was not executed: running a third-party container with /var/run/docker.sock grants broad control over the Docker daemon. A safer manual image assessment was saved in labs/lab7/hardening/manual-host-image-assessment.txt. diff --git a/labs/lab7/scanning/scout-cves.txt b/labs/lab7/scanning/scout-cves.txt new file mode 100644 index 00000000..5837f172 --- /dev/null +++ b/labs/lab7/scanning/scout-cves.txt @@ -0,0 +1,1367 @@ + ...Storing image for indexing + ✓ Image stored for indexing + ...Indexing + ✓ Indexed 1004 packages + ✗ Detected 55 vulnerable packages with a total of 124 vulnerabilities + + +## Overview + + │ Analyzed Image +───────────────────┼────────────────────────────────────────── + Target │ bkimminich/juice-shop:v19.0.0 + digest │ 37cc73163c4c + platform │ linux/amd64 + provenance │ https://github.com/juice-shop/juice-shop + │ https://github.com/juice-shop/juice-shop/blob/36870cb + vulnerabilities │ 20C 79H 45M 8L 7? + size │ 172 MB + packages │ 1004 + + +## Packages and Vulnerabilities + + 12C 2H 4M 0L vm2 3.9.17 +pkg:npm/vm2@3.9.17 + + ✗ CRITICAL CVE-2026-44006 [Improper Control of Generation of Code ('Code Injection')] + https://scout.docker.com/v/CVE-2026-44006?s=github&n=vm2&t=npm&vr=%3C%3D3.10.5 + Affected range : <=3.10.5 + Fixed version : 3.11.0 + CVSS Score : 10.0 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + + ✗ CRITICAL CVE-2026-44005 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2026-44005?s=github&n=vm2&t=npm&vr=%3E%3D3.9.6%2C%3C%3D3.10.5 + Affected range : >=3.9.6 + : <=3.10.5 + Fixed version : 3.11.0 + CVSS Score : 10.0 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H + + ✗ CRITICAL CVE-2026-43997 [Improper Control of Generation of Code ('Code Injection')] + https://scout.docker.com/v/CVE-2026-43997?s=github&n=vm2&t=npm&vr=%3C%3D3.10.5 + Affected range : <=3.10.5 + Fixed version : 3.11.0 + CVSS Score : 10.0 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + + ✗ CRITICAL CVE-2026-26332 [Protection Mechanism Failure] + https://scout.docker.com/v/CVE-2026-26332?s=github&n=vm2&t=npm&vr=%3C%3D3.10.4 + Affected range : <=3.10.4 + Fixed version : 3.11.0 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2026-24781 [Protection Mechanism Failure] + https://scout.docker.com/v/CVE-2026-24781?s=github&n=vm2&t=npm&vr=%3C%3D3.10.3 + Affected range : <=3.10.3 + Fixed version : 3.11.0 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2026-24120 [Protection Mechanism Failure] + https://scout.docker.com/v/CVE-2026-24120?s=github&n=vm2&t=npm&vr=%3C%3D3.10.3 + Affected range : <=3.10.3 + Fixed version : 3.10.5 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2026-24118 [Protection Mechanism Failure] + https://scout.docker.com/v/CVE-2026-24118?s=github&n=vm2&t=npm&vr=%3C%3D3.10.4 + Affected range : <=3.10.4 + Fixed version : 3.11.0 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2026-22709 [Protection Mechanism Failure] + https://scout.docker.com/v/CVE-2026-22709?s=github&n=vm2&t=npm&vr=%3C%3D3.10.1 + Affected range : <=3.10.1 + Fixed version : 3.10.2 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2023-37903 [Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')] + https://scout.docker.com/v/CVE-2023-37903?s=github&n=vm2&t=npm&vr=%3C%3D3.9.19 + Affected range : <=3.9.19 + Fixed version : not fixed + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2023-37466 [Improper Control of Generation of Code ('Code Injection')] + https://scout.docker.com/v/CVE-2023-37466?s=github&n=vm2&t=npm&vr=%3C%3D3.9.19 + Affected range : <=3.9.19 + Fixed version : 3.10.0 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2023-32314 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')] + https://scout.docker.com/v/CVE-2023-32314?s=github&n=vm2&t=npm&vr=%3C3.9.18 + Affected range : <3.9.18 + Fixed version : 3.9.18 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2026-44007 [Improper Access Control] + https://scout.docker.com/v/CVE-2026-44007?s=github&n=vm2&t=npm&vr=%3C%3D3.11.0 + Affected range : <=3.11.0 + Fixed version : 3.11.1 + CVSS Score : 9.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H + + ✗ HIGH CVE-2026-44001 [Uncaught Exception] + https://scout.docker.com/v/CVE-2026-44001?s=github&n=vm2&t=npm&vr=%3C%3D3.10.5 + Affected range : <=3.10.5 + Fixed version : 3.11.0 + CVSS Score : 8.6 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H + + ✗ HIGH CVE-2026-44004 [Allocation of Resources Without Limits or Throttling] + https://scout.docker.com/v/CVE-2026-44004?s=github&n=vm2&t=npm&vr=%3C%3D3.10.5 + Affected range : <=3.10.5 + Fixed version : 3.11.0 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ MEDIUM CVE-2026-44000 [Exposure of Resource to Wrong Sphere] + https://scout.docker.com/v/CVE-2026-44000?s=github&n=vm2&t=npm&vr=%3C%3D3.10.5 + Affected range : <=3.10.5 + Fixed version : 3.11.0 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N + + ✗ MEDIUM CVE-2026-44002 [Generation of Error Message Containing Sensitive Information] + https://scout.docker.com/v/CVE-2026-44002?s=github&n=vm2&t=npm&vr=%3C%3D3.10.5 + Affected range : <=3.10.5 + Fixed version : 3.11.0 + CVSS Score : 5.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N + + ✗ MEDIUM CVE-2026-44003 [Protection Mechanism Failure] + https://scout.docker.com/v/CVE-2026-44003?s=github&n=vm2&t=npm&vr=%3C%3D3.10.5 + Affected range : <=3.10.5 + Fixed version : 3.11.0 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + + ✗ MEDIUM CVE-2023-32313 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')] + https://scout.docker.com/v/CVE-2023-32313?s=github&n=vm2&t=npm&vr=%3C3.9.18 + Affected range : <3.9.18 + Fixed version : 3.9.18 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 1C 5H 4M 2L node 22.18.0 +pkg:generic/node@22.18.0 + + ✗ CRITICAL CVE-2025-55130 + https://scout.docker.com/v/CVE-2025-55130?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ HIGH CVE-2026-21710 + https://scout.docker.com/v/CVE-2026-21710?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.2 + Affected range : >=22.0.0 + : <22.22.2 + Fixed version : 22.22.2 + + ✗ HIGH CVE-2026-21637 + https://scout.docker.com/v/CVE-2026-21637?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ HIGH CVE-2025-59466 + https://scout.docker.com/v/CVE-2025-59466?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ HIGH CVE-2025-59465 + https://scout.docker.com/v/CVE-2025-59465?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ HIGH CVE-2025-55131 + https://scout.docker.com/v/CVE-2025-55131?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ MEDIUM CVE-2026-21717 + https://scout.docker.com/v/CVE-2026-21717?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.2 + Affected range : >=22.0.0 + : <22.22.2 + Fixed version : 22.22.2 + + ✗ MEDIUM CVE-2026-21713 + https://scout.docker.com/v/CVE-2026-21713?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.2 + Affected range : >=22.0.0 + : <22.22.2 + Fixed version : 22.22.2 + + ✗ MEDIUM CVE-2026-21714 + https://scout.docker.com/v/CVE-2026-21714?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.2 + Affected range : >=22.0.0 + : <22.22.2 + Fixed version : 22.22.2 + + ✗ MEDIUM CVE-2025-55132 + https://scout.docker.com/v/CVE-2025-55132?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ LOW CVE-2026-21716 + https://scout.docker.com/v/CVE-2026-21716?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.2 + Affected range : >=22.0.0 + : <22.22.2 + Fixed version : 22.22.2 + + ✗ LOW CVE-2026-21715 + https://scout.docker.com/v/CVE-2026-21715?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.2 + Affected range : >=22.0.0 + : <22.22.2 + Fixed version : 22.22.2 + + + 1C 4H 2M 1L handlebars 4.7.7 +pkg:npm/handlebars@4.7.7 + + ✗ CRITICAL CVE-2026-33937 [Access of Resource Using Incompatible Type ('Type Confusion')] + https://scout.docker.com/v/CVE-2026-33937?s=github&n=handlebars&t=npm&vr=%3E%3D4.0.0%2C%3C%3D4.7.8 + Affected range : >=4.0.0 + : <=4.7.8 + Fixed version : 4.7.9 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ HIGH CVE-2026-33941 [Improper Encoding or Escaping of Output] + https://scout.docker.com/v/CVE-2026-33941?s=github&n=handlebars&t=npm&vr=%3E%3D4.0.0%2C%3C%3D4.7.8 + Affected range : >=4.0.0 + : <=4.7.8 + Fixed version : 4.7.9 + CVSS Score : 8.2 + CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H + + ✗ HIGH CVE-2026-33940 [Access of Resource Using Incompatible Type ('Type Confusion')] + https://scout.docker.com/v/CVE-2026-33940?s=github&n=handlebars&t=npm&vr=%3E%3D4.0.0%2C%3C%3D4.7.8 + Affected range : >=4.0.0 + : <=4.7.8 + Fixed version : 4.7.9 + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ HIGH CVE-2026-33938 [Access of Resource Using Incompatible Type ('Type Confusion')] + https://scout.docker.com/v/CVE-2026-33938?s=github&n=handlebars&t=npm&vr=%3E%3D4.0.0%2C%3C%3D4.7.8 + Affected range : >=4.0.0 + : <=4.7.8 + Fixed version : 4.7.9 + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ HIGH CVE-2026-33939 [Improper Check for Unusual or Exceptional Conditions] + https://scout.docker.com/v/CVE-2026-33939?s=github&n=handlebars&t=npm&vr=%3E%3D4.0.0%2C%3C%3D4.7.8 + Affected range : >=4.0.0 + : <=4.7.8 + Fixed version : 4.7.9 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ MEDIUM GHSA-7rx3-28cr-v5wh [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/GHSA-7rx3-28cr-v5wh?s=github&n=handlebars&t=npm&vr=%3E%3D4.6.0%2C%3C%3D4.7.8 + Affected range : >=4.6.0 + : <=4.7.8 + Fixed version : 4.7.9 + CVSS Score : 4.8 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N + + ✗ MEDIUM CVE-2026-33916 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2026-33916?s=github&n=handlebars&t=npm&vr=%3E%3D4.0.0%2C%3C4.7.9 + Affected range : >=4.0.0 + : <4.7.9 + Fixed version : 4.7.9 + CVSS Score : 4.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N + + ✗ LOW GHSA-442j-39wm-28r2 [Time-of-check Time-of-use (TOCTOU) Race Condition] + https://scout.docker.com/v/GHSA-442j-39wm-28r2?s=github&n=handlebars&t=npm&vr=%3E%3D4.0.0%2C%3C%3D4.7.8 + Affected range : >=4.0.0 + : <=4.7.8 + Fixed version : 4.7.9 + CVSS Score : 3.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N + + + 1C 3H 2M 0L 1? lodash 2.4.2 +pkg:npm/lodash@2.4.2 + + ✗ CRITICAL CVE-2019-10744 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2019-10744?s=github&n=lodash&t=npm&vr=%3C4.17.12 + Affected range : <4.17.12 + Fixed version : 4.17.12 + CVSS Score : 9.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H + + ✗ HIGH CVE-2020-8203 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2020-8203?s=gitlab&n=lodash&t=npm&vr=%3C4.17.20 + Affected range : <4.17.20 + Fixed version : 4.17.20 + CVSS Score : 7.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H + + ✗ HIGH CVE-2021-23337 [Improper Neutralization of Special Elements used in a Command ('Command Injection')] + https://scout.docker.com/v/CVE-2021-23337?s=github&n=lodash&t=npm&vr=%3C4.17.21 + Affected range : <4.17.21 + Fixed version : 4.17.21 + CVSS Score : 7.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + + ✗ HIGH CVE-2018-16487 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2018-16487?s=github&n=lodash&t=npm&vr=%3C4.17.11 + Affected range : <4.17.11 + Fixed version : 4.17.11 + + ✗ MEDIUM CVE-2026-2950 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2026-2950?s=github&n=lodash&t=npm&vr=%3C%3D4.17.23 + Affected range : <=4.17.23 + Fixed version : 4.18.0 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L + + ✗ MEDIUM CVE-2018-3721 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2018-3721?s=github&n=lodash&t=npm&vr=%3C4.17.5 + Affected range : <4.17.5 + Fixed version : 4.17.5 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N + + ✗ UNSPECIFIED GMS-2018-10 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2018-10?s=gitlab&n=lodash&t=npm&vr=%3C4.17.5 + Affected range : <4.17.5 + Fixed version : 4.17.5 + + + 1C 1H 2M 0L 1? jsonwebtoken 0.1.0 +pkg:npm/jsonwebtoken@0.1.0 + + ✗ CRITICAL CVE-2015-9235 [Improper Input Validation] + https://scout.docker.com/v/CVE-2015-9235?s=github&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + ✗ HIGH CVE-2022-23539 [Use of a Broken or Risky Cryptographic Algorithm] + https://scout.docker.com/v/CVE-2022-23539?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N + + ✗ MEDIUM CVE-2022-23540 [Improper Authentication] + https://scout.docker.com/v/CVE-2022-23540?s=github&n=jsonwebtoken&t=npm&vr=%3C9.0.0 + Affected range : <9.0.0 + Fixed version : 9.0.0 + CVSS Score : 6.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L + + ✗ MEDIUM CVE-2022-23541 [Improper Restriction of Security Token Assignment] + https://scout.docker.com/v/CVE-2022-23541?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 5.0 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L + + ✗ UNSPECIFIED GMS-2015-4 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2015-4?s=gitlab&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + + 1C 1H 2M 0L 1? jsonwebtoken 0.4.0 +pkg:npm/jsonwebtoken@0.4.0 + + ✗ CRITICAL CVE-2015-9235 [Improper Input Validation] + https://scout.docker.com/v/CVE-2015-9235?s=github&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + ✗ HIGH CVE-2022-23539 [Use of a Broken or Risky Cryptographic Algorithm] + https://scout.docker.com/v/CVE-2022-23539?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N + + ✗ MEDIUM CVE-2022-23540 [Improper Authentication] + https://scout.docker.com/v/CVE-2022-23540?s=github&n=jsonwebtoken&t=npm&vr=%3C9.0.0 + Affected range : <9.0.0 + Fixed version : 9.0.0 + CVSS Score : 6.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L + + ✗ MEDIUM CVE-2022-23541 [Improper Restriction of Security Token Assignment] + https://scout.docker.com/v/CVE-2022-23541?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 5.0 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L + + ✗ UNSPECIFIED GMS-2015-4 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2015-4?s=gitlab&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + + 1C 1H 0M 0L crypto-js 3.3.0 +pkg:npm/crypto-js@3.3.0 + + ✗ CRITICAL CVE-2023-46233 [Use of a Broken or Risky Cryptographic Algorithm] + https://scout.docker.com/v/CVE-2023-46233?s=github&n=crypto-js&t=npm&vr=%3C4.2.0 + Affected range : <4.2.0 + Fixed version : 4.2.0 + CVSS Score : 9.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N + + ✗ HIGH GMS-2020-4 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2020-4?s=gitlab&n=crypto-js&t=npm&vr=%3E%3D3.3.0%2C%3C4.0.0 + Affected range : >=3.3.0 + : <4.0.0 + Fixed version : 3.2.1, 4.0.0 + CVSS Score : 7.5 + CVSS Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P + + + 1C 0H 1M 0L minimist 0.2.4 +pkg:npm/minimist@0.2.4 + + ✗ CRITICAL CVE-2021-44906 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2021-44906?s=gitlab&n=minimist&t=npm&vr=%3C1.2.6 + Affected range : <1.2.6 + Fixed version : 1.2.6 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ MEDIUM CVE-2020-7598 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2020-7598?s=gitlab&n=minimist&t=npm&vr=%3C1.2.2 + Affected range : <1.2.2 + Fixed version : 1.2.2 + CVSS Score : 5.6 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L + + + 1C 0H 0M 0L marsdb 0.6.11 +pkg:npm/marsdb@0.6.11 + + ✗ CRITICAL GHSA-5mrr-rgp6-x4gr [Improper Neutralization of Special Elements used in a Command ('Command Injection')] + https://scout.docker.com/v/GHSA-5mrr-rgp6-x4gr?s=github&n=marsdb&t=npm&vr=%3E%3D0.0.0 + Affected range : >=0.0.0 + Fixed version : not fixed + + + 0C 7H 0M 0L multer 1.4.5-lts.2 +pkg:npm/multer@1.4.5-lts.2 + + ✗ HIGH CVE-2026-3520 [Uncontrolled Recursion] + https://scout.docker.com/v/CVE-2026-3520?s=github&n=multer&t=npm&vr=%3C2.1.1 + Affected range : <2.1.1 + Fixed version : 2.1.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-3304 [Incomplete Cleanup] + https://scout.docker.com/v/CVE-2026-3304?s=github&n=multer&t=npm&vr=%3C2.1.0 + Affected range : <2.1.0 + Fixed version : 2.1.0 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-2359 [Missing Release of Resource after Effective Lifetime] + https://scout.docker.com/v/CVE-2026-2359?s=github&n=multer&t=npm&vr=%3C2.1.0 + Affected range : <2.1.0 + Fixed version : 2.1.0 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2025-48997 [Uncaught Exception] + https://scout.docker.com/v/CVE-2025-48997?s=github&n=multer&t=npm&vr=%3E%3D1.4.4-lts.1%2C%3C2.0.1 + Affected range : >=1.4.4-lts.1 + : <2.0.1 + Fixed version : 2.0.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2025-7338 [Uncaught Exception] + https://scout.docker.com/v/CVE-2025-7338?s=github&n=multer&t=npm&vr=%3E%3D1.4.4-lts.1%2C%3C2.0.2 + Affected range : >=1.4.4-lts.1 + : <2.0.2 + Fixed version : 2.0.2 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2025-47944 [Uncaught Exception] + https://scout.docker.com/v/CVE-2025-47944?s=github&n=multer&t=npm&vr=%3E%3D1.4.4-lts.1%2C%3C2.0.0 + Affected range : >=1.4.4-lts.1 + : <2.0.0 + Fixed version : 2.0.0 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2025-47935 [Missing Release of Memory after Effective Lifetime] + https://scout.docker.com/v/CVE-2025-47935?s=github&n=multer&t=npm&vr=%3C2.0.0 + Affected range : <2.0.0 + Fixed version : 2.0.0 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 6H 1M 0L tar 4.4.19 +pkg:npm/tar@4.4.19 + + ✗ HIGH CVE-2026-23950 [Improper Handling of Unicode Encoding] + https://scout.docker.com/v/CVE-2026-23950?s=github&n=tar&t=npm&vr=%3C%3D7.5.3 + Affected range : <=7.5.3 + Fixed version : 7.5.4 + CVSS Score : 8.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L + + ✗ HIGH CVE-2026-31802 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-31802?s=github&n=tar&t=npm&vr=%3C%3D7.5.10 + Affected range : <=7.5.10 + Fixed version : 7.5.11 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N + + ✗ HIGH CVE-2026-29786 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-29786?s=github&n=tar&t=npm&vr=%3C%3D7.5.9 + Affected range : <=7.5.9 + Fixed version : 7.5.10 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L + + ✗ HIGH CVE-2026-24842 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-24842?s=github&n=tar&t=npm&vr=%3C7.5.7 + Affected range : <7.5.7 + Fixed version : 7.5.7 + CVSS Score : 8.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N + + ✗ HIGH CVE-2026-23745 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-23745?s=github&n=tar&t=npm&vr=%3C%3D7.5.2 + Affected range : <=7.5.2 + Fixed version : 7.5.3 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N + + ✗ HIGH CVE-2026-26960 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-26960?s=github&n=tar&t=npm&vr=%3C7.5.8 + Affected range : <7.5.8 + Fixed version : 7.5.8 + CVSS Score : 7.1 + CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N + + ✗ MEDIUM CVE-2024-28863 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2024-28863?s=github&n=tar&t=npm&vr=%3C6.2.1 + Affected range : <6.2.1 + Fixed version : 6.2.1 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + + + 0C 6H 0M 0L tar 7.4.3 +pkg:npm/tar@7.4.3 + + ✗ HIGH CVE-2026-23950 [Improper Handling of Unicode Encoding] + https://scout.docker.com/v/CVE-2026-23950?s=github&n=tar&t=npm&vr=%3C%3D7.5.3 + Affected range : <=7.5.3 + Fixed version : 7.5.4 + CVSS Score : 8.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L + + ✗ HIGH CVE-2026-31802 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-31802?s=github&n=tar&t=npm&vr=%3C%3D7.5.10 + Affected range : <=7.5.10 + Fixed version : 7.5.11 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N + + ✗ HIGH CVE-2026-29786 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-29786?s=github&n=tar&t=npm&vr=%3C%3D7.5.9 + Affected range : <=7.5.9 + Fixed version : 7.5.10 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L + + ✗ HIGH CVE-2026-24842 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-24842?s=github&n=tar&t=npm&vr=%3C7.5.7 + Affected range : <7.5.7 + Fixed version : 7.5.7 + CVSS Score : 8.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N + + ✗ HIGH CVE-2026-23745 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-23745?s=github&n=tar&t=npm&vr=%3C%3D7.5.2 + Affected range : <=7.5.2 + Fixed version : 7.5.3 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N + + ✗ HIGH CVE-2026-26960 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-26960?s=github&n=tar&t=npm&vr=%3C7.5.8 + Affected range : <7.5.8 + Fixed version : 7.5.8 + CVSS Score : 7.1 + CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N + + + 0C 6H 0M 0L tar 6.2.1 +pkg:npm/tar@6.2.1 + + ✗ HIGH CVE-2026-23950 [Improper Handling of Unicode Encoding] + https://scout.docker.com/v/CVE-2026-23950?s=github&n=tar&t=npm&vr=%3C%3D7.5.3 + Affected range : <=7.5.3 + Fixed version : 7.5.4 + CVSS Score : 8.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L + + ✗ HIGH CVE-2026-31802 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-31802?s=github&n=tar&t=npm&vr=%3C%3D7.5.10 + Affected range : <=7.5.10 + Fixed version : 7.5.11 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N + + ✗ HIGH CVE-2026-29786 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-29786?s=github&n=tar&t=npm&vr=%3C%3D7.5.9 + Affected range : <=7.5.9 + Fixed version : 7.5.10 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L + + ✗ HIGH CVE-2026-24842 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-24842?s=github&n=tar&t=npm&vr=%3C7.5.7 + Affected range : <7.5.7 + Fixed version : 7.5.7 + CVSS Score : 8.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N + + ✗ HIGH CVE-2026-23745 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-23745?s=github&n=tar&t=npm&vr=%3C%3D7.5.2 + Affected range : <=7.5.2 + Fixed version : 7.5.3 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N + + ✗ HIGH CVE-2026-26960 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-26960?s=github&n=tar&t=npm&vr=%3C7.5.8 + Affected range : <7.5.8 + Fixed version : 7.5.8 + CVSS Score : 7.1 + CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N + + + 0C 3H 0M 0L minimatch 3.0.5 +pkg:npm/minimatch@3.0.5 + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3C3.1.4 + Affected range : <3.1.4 + Fixed version : 3.1.4 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 3.1.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 3.1.2 +pkg:npm/minimatch@3.1.2 + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3C3.1.4 + Affected range : <3.1.4 + Fixed version : 3.1.4 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 3.1.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 3.0.8 +pkg:npm/minimatch@3.0.8 + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3C3.1.4 + Affected range : <3.1.4 + Fixed version : 3.1.4 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 3.1.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 9.0.5 +pkg:npm/minimatch@9.0.5 + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3E%3D9.0.0%2C%3C9.0.6 + Affected range : >=9.0.0 + : <9.0.6 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3E%3D9.0.0%2C%3C9.0.7 + Affected range : >=9.0.0 + : <9.0.7 + Fixed version : 9.0.7 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3E%3D9.0.0%2C%3C9.0.7 + Affected range : >=9.0.0 + : <9.0.7 + Fixed version : 9.0.7 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 5.1.6 +pkg:npm/minimatch@5.1.6 + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3E%3D5.0.0%2C%3C5.1.7 + Affected range : >=5.0.0 + : <5.1.7 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3E%3D5.0.0%2C%3C5.1.8 + Affected range : >=5.0.0 + : <5.1.8 + Fixed version : 5.1.8 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3E%3D5.0.0%2C%3C5.1.8 + Affected range : >=5.0.0 + : <5.1.8 + Fixed version : 5.1.8 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 2H 1M 0L 1? moment 2.0.0 +pkg:npm/moment@2.0.0 + + ✗ HIGH CVE-2022-24785 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2022-24785?s=github&n=moment&t=npm&vr=%3C2.29.2 + Affected range : <2.29.2 + Fixed version : 2.29.2 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + + ✗ HIGH CVE-2017-18214 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2017-18214?s=github&n=moment&t=npm&vr=%3C2.19.3 + Affected range : <2.19.3 + Fixed version : 2.19.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ MEDIUM CVE-2016-4055 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2016-4055?s=github&n=moment&t=npm&vr=%3C2.11.2 + Affected range : <2.11.2 + Fixed version : 2.11.2 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + + ✗ UNSPECIFIED GMS-2017-332 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2017-332?s=gitlab&n=moment&t=npm&vr=%3C2.19.3 + Affected range : <2.19.3 + Fixed version : 2.19.3 + + + 0C 2H 0M 0L 1? jws 0.2.6 +pkg:npm/jws@0.2.6 + + ✗ HIGH CVE-2016-1000223 + https://scout.docker.com/v/CVE-2016-1000223?s=github&n=jws&t=npm&vr=%3C3.0.0 + Affected range : <3.0.0 + Fixed version : 3.0.0 + CVSS Score : 8.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N + + ✗ HIGH CVE-2025-65945 [Improper Verification of Cryptographic Signature] + https://scout.docker.com/v/CVE-2025-65945?s=github&n=jws&t=npm&vr=%3C3.2.3 + Affected range : <3.2.3 + Fixed version : 3.2.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + + ✗ UNSPECIFIED GMS-2016-54 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2016-54?s=gitlab&n=jws&t=npm&vr=%3C3.0.0 + Affected range : <3.0.0 + Fixed version : 3.0.0 + + + 0C 1H 6M 0L 2? sanitize-html 1.4.2 +pkg:npm/sanitize-html@1.4.2 + + ✗ HIGH CVE-2022-25887 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2022-25887?s=github&n=sanitize-html&t=npm&vr=%3C2.7.1 + Affected range : <2.7.1 + Fixed version : 2.7.1 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ MEDIUM CVE-2019-25225 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2019-25225?s=github&n=sanitize-html&t=npm&vr=%3C2.0.0-beta + Affected range : <2.0.0-beta + Fixed version : 2.0.0-beta + CVSS Score : 6.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + + ✗ MEDIUM CVE-2016-1000237 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2016-1000237?s=github&n=sanitize-html&t=npm&vr=%3C1.4.3 + Affected range : <1.4.3 + Fixed version : 1.4.3 + CVSS Score : 6.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + + ✗ MEDIUM CVE-2024-21501 [Exposure of Sensitive Information to an Unauthorized Actor] + https://scout.docker.com/v/CVE-2024-21501?s=github&n=sanitize-html&t=npm&vr=%3C2.12.1 + Affected range : <2.12.1 + Fixed version : 2.12.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + + ✗ MEDIUM CVE-2021-26540 [Improper Input Validation] + https://scout.docker.com/v/CVE-2021-26540?s=github&n=sanitize-html&t=npm&vr=%3C2.3.2 + Affected range : <2.3.2 + Fixed version : 2.3.2 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + ✗ MEDIUM CVE-2021-26539 [Improper Input Validation] + https://scout.docker.com/v/CVE-2021-26539?s=github&n=sanitize-html&t=npm&vr=%3C2.3.1 + Affected range : <2.3.1 + Fixed version : 2.3.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + ✗ MEDIUM CVE-2017-16016 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2017-16016?s=github&n=sanitize-html&t=npm&vr=%3C%3D1.11.1 + Affected range : <=1.11.1 + Fixed version : 1.11.4 + + ✗ UNSPECIFIED GMS-2016-57 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2016-57?s=gitlab&n=sanitize-html&t=npm&vr=%3C%3D1.4.2 + Affected range : <=1.4.2 + Fixed version : 1.4.3 + + ✗ UNSPECIFIED GMS-2016-17 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2016-17?s=gitlab&n=sanitize-html&t=npm&vr=%3C1.11.4 + Affected range : <1.11.4 + Fixed version : 1.11.4 + + + 0C 1H 2M 0L lodash 4.17.21 +pkg:npm/lodash@4.17.21 + + ✗ HIGH CVE-2026-4800 [Improper Control of Generation of Code ('Code Injection')] + https://scout.docker.com/v/CVE-2026-4800?s=github&n=lodash&t=npm&vr=%3E%3D4.0.0%2C%3C%3D4.17.23 + Affected range : >=4.0.0 + : <=4.17.23 + Fixed version : 4.18.0 + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ MEDIUM CVE-2025-13465 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2025-13465?s=github&n=lodash&t=npm&vr=%3E%3D4.0.0%2C%3C%3D4.17.22 + Affected range : >=4.0.0 + : <=4.17.22 + Fixed version : 4.17.23 + CVSS Score : 6.9 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P + + ✗ MEDIUM CVE-2026-2950 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2026-2950?s=github&n=lodash&t=npm&vr=%3C%3D4.17.23 + Affected range : <=4.17.23 + Fixed version : 4.18.0 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L + + + 0C 1H 1M 0L picomatch 4.0.3 +pkg:npm/picomatch@4.0.3 + + ✗ HIGH CVE-2026-33671 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-33671?s=github&n=picomatch&t=npm&vr=%3E%3D4.0.0%2C%3C4.0.4 + Affected range : >=4.0.0 + : <4.0.4 + Fixed version : 4.0.4 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ MEDIUM CVE-2026-33672 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2026-33672?s=github&n=picomatch&t=npm&vr=%3E%3D4.0.0%2C%3C4.0.4 + Affected range : >=4.0.0 + : <4.0.4 + Fixed version : 4.0.4 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 0C 1H 1M 0L socket.io 3.1.2 +pkg:npm/socket.io@3.1.2 + + ✗ HIGH GHSA-25hc-qcg6-38wj [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GHSA-25hc-qcg6-38wj?s=gitlab&n=socket.io&t=npm&vr=%3E%3D3.0.0%2C%3C4.6.2 + Affected range : >=3.0.0 + : <4.6.2 + Fixed version : 2.5.1, 4.6.2 + CVSS Score : 7.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L + + ✗ MEDIUM CVE-2024-38355 [Improper Input Validation] + https://scout.docker.com/v/CVE-2024-38355?s=github&n=socket.io&t=npm&vr=%3E%3D3.0.0%2C%3C4.6.2 + Affected range : >=3.0.0 + : <4.6.2 + Fixed version : 4.6.2 + CVSS Score : 6.9 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N + + + 0C 1H 1M 0L picomatch 2.3.1 +pkg:npm/picomatch@2.3.1 + + ✗ HIGH CVE-2026-33671 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-33671?s=github&n=picomatch&t=npm&vr=%3C2.3.2 + Affected range : <2.3.2 + Fixed version : 2.3.2 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ MEDIUM CVE-2026-33672 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2026-33672?s=github&n=picomatch&t=npm&vr=%3C2.3.2 + Affected range : <2.3.2 + Fixed version : 2.3.2 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 0C 1H 1M 0L validator 13.15.15 +pkg:npm/validator@13.15.15 + + ✗ HIGH CVE-2025-12758 [Encoding Error] + https://scout.docker.com/v/CVE-2025-12758?s=github&n=validator&t=npm&vr=%3C13.15.22 + Affected range : <13.15.22 + Fixed version : 13.15.22 + CVSS Score : 7.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P + + ✗ MEDIUM CVE-2025-56200 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2025-56200?s=github&n=validator&t=npm&vr=%3C13.15.20 + Affected range : <13.15.20 + Fixed version : 13.15.20 + CVSS Score : 6.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + + + 0C 1H 1M 0L socket.io-parser 4.0.5 +pkg:npm/socket.io-parser@4.0.5 + + ✗ HIGH CVE-2026-33151 [Improper Check for Unusual or Exceptional Conditions] + https://scout.docker.com/v/CVE-2026-33151?s=github&n=socket.io-parser&t=npm&vr=%3E%3D4.0.0%2C%3C4.2.6 + Affected range : >=4.0.0 + : <4.2.6 + Fixed version : 4.2.6 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ MEDIUM CVE-2023-32695 [Improper Input Validation] + https://scout.docker.com/v/CVE-2023-32695?s=github&n=socket.io-parser&t=npm&vr=%3E%3D4.0.4%2C%3C4.2.3 + Affected range : >=4.0.4 + : <4.2.3 + Fixed version : 4.2.3 + CVSS Score : 6.9 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N + + + 0C 1H 0M 0L lodash.set 4.3.2 +pkg:npm/lodash.set@4.3.2 + + ✗ HIGH CVE-2020-8203 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2020-8203?s=github&n=lodash.set&t=npm&vr=%3E%3D3.7.0%2C%3C%3D4.3.2 + Affected range : >=3.7.0 + : <=4.3.2 + Fixed version : not fixed + CVSS Score : 7.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H + + + 0C 1H 0M 0L sequelize 6.37.7 +pkg:npm/sequelize@6.37.7 + + ✗ HIGH CVE-2026-30951 [Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')] + https://scout.docker.com/v/CVE-2026-30951?s=github&n=sequelize&t=npm&vr=%3E%3D6.0.0-beta.1%2C%3C%3D6.37.7 + Affected range : >=6.0.0-beta.1 + : <=6.37.7 + Fixed version : 6.37.8 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + + + 0C 1H 0M 0L path-to-regexp 0.1.12 +pkg:npm/path-to-regexp@0.1.12 + + ✗ HIGH CVE-2026-4867 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-4867?s=github&n=path-to-regexp&t=npm&vr=%3C0.1.13 + Affected range : <0.1.13 + Fixed version : 0.1.13 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 1H 0M 0L express-jwt 0.1.3 +pkg:npm/express-jwt@0.1.3 + + ✗ HIGH CVE-2020-15084 [Improper Authorization] + https://scout.docker.com/v/CVE-2020-15084?s=github&n=express-jwt&t=npm&vr=%3C%3D5.3.3 + Affected range : <=5.3.3 + Fixed version : 6.0.0 + CVSS Score : 7.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N + + + 0C 1H 0M 0L tar-fs 2.1.3 +pkg:npm/tar-fs@2.1.3 + + ✗ HIGH CVE-2025-59343 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2025-59343?s=github&n=tar-fs&t=npm&vr=%3E%3D2.0.0%2C%3C2.1.4 + Affected range : >=2.0.0 + : <2.1.4 + Fixed version : 2.1.4 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N + + + 0C 1H 0M 0L ip 2.0.1 +pkg:npm/ip@2.0.1 + + ✗ HIGH CVE-2024-29415 [Server-Side Request Forgery (SSRF)] + https://scout.docker.com/v/CVE-2024-29415?s=github&n=ip&t=npm&vr=%3C%3D2.0.1 + Affected range : <=2.0.1 + Fixed version : not fixed + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + + + 0C 1H 0M 0L ws 7.4.6 +pkg:npm/ws@7.4.6 + + ✗ HIGH CVE-2024-37890 [NULL Pointer Dereference] + https://scout.docker.com/v/CVE-2024-37890?s=github&n=ws&t=npm&vr=%3E%3D7.0.0%2C%3C7.5.10 + Affected range : >=7.0.0 + : <7.5.10 + Fixed version : 7.5.10 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + + 0C 1H 0M 0L braces 2.3.2 +pkg:npm/braces@2.3.2 + + ✗ HIGH CVE-2024-4068 [Excessive Platform Resource Consumption within a Loop] + https://scout.docker.com/v/CVE-2024-4068?s=github&n=braces&t=npm&vr=%3C3.0.3 + Affected range : <3.0.3 + Fixed version : 3.0.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 1H 0M 0L mout 1.2.4 +pkg:npm/mout@1.2.4 + + ✗ HIGH CVE-2020-7792 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2020-7792?s=gitlab&n=mout&t=npm&vr=%3E%3D0 + Affected range : >=0 + Fixed version : not fixed + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 1H 0M 0L glob 10.4.5 +pkg:npm/glob@10.4.5 + + ✗ HIGH CVE-2025-64756 [Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')] + https://scout.docker.com/v/CVE-2025-64756?s=github&n=glob&t=npm&vr=%3E%3D10.2.0%2C%3C10.5.0 + Affected range : >=10.2.0 + : <10.5.0 + Fixed version : 11.1.0 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H + + + 0C 1H 0M 0L http-cache-semantics 3.8.1 +pkg:npm/http-cache-semantics@3.8.1 + + ✗ HIGH CVE-2022-25881 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2022-25881?s=github&n=http-cache-semantics&t=npm&vr=%3C4.1.1 + Affected range : <4.1.1 + Fixed version : 4.1.1 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 0H 1M 1L qs 6.13.0 +pkg:npm/qs@6.13.0 + + ✗ MEDIUM CVE-2025-15284 [Improper Input Validation] + https://scout.docker.com/v/CVE-2025-15284?s=github&n=qs&t=npm&vr=%3C6.14.1 + Affected range : <6.14.1 + Fixed version : 6.14.1 + CVSS Score : 6.3 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L + + ✗ LOW CVE-2026-2391 [Improper Input Validation] + https://scout.docker.com/v/CVE-2026-2391?s=github&n=qs&t=npm&vr=%3E%3D6.7.0%2C%3C%3D6.14.1 + Affected range : >=6.7.0 + : <=6.14.1 + Fixed version : 6.14.2 + CVSS Score : 3.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L + + + 0C 0H 1M 0L micromatch 3.1.10 +pkg:npm/micromatch@3.1.10 + + ✗ MEDIUM CVE-2024-4067 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2024-4067?s=github&n=micromatch&t=npm&vr=%3C4.0.8 + Affected range : <4.0.8 + Fixed version : 4.0.8 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + + + 0C 0H 1M 0L notevil 1.3.3 +pkg:npm/notevil@1.3.3 + + ✗ MEDIUM CVE-2021-23771 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2021-23771?s=github&n=notevil&t=npm&vr=%3C%3D1.3.3 + Affected range : <=1.3.3 + Fixed version : not fixed + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N + + + 0C 0H 1M 0L brace-expansion 1.1.12 +pkg:npm/brace-expansion@1.1.12 + + ✗ MEDIUM CVE-2026-33750 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2026-33750?s=github&n=brace-expansion&t=npm&vr=%3C1.1.13 + Affected range : <1.1.13 + Fixed version : 5.0.5 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + + + 0C 0H 1M 0L engine.io 4.1.2 +pkg:npm/engine.io@4.1.2 + + ✗ MEDIUM CVE-2022-41940 [Uncaught Exception] + https://scout.docker.com/v/CVE-2022-41940?s=github&n=engine.io&t=npm&vr=%3E%3D4.0.0%2C%3C6.2.1 + Affected range : >=4.0.0 + : <6.2.1 + Fixed version : 6.2.1 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + + + 0C 0H 1M 0L dottie 2.0.6 +pkg:npm/dottie@2.0.6 + + ✗ MEDIUM CVE-2026-27837 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2026-27837?s=github&n=dottie&t=npm&vr=%3E%3D2.0.4%2C%3C%3D2.0.6 + Affected range : >=2.0.4 + : <=2.0.6 + Fixed version : 2.0.7 + CVSS Score : 6.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L + + + 0C 0H 1M 0L file-type 16.5.4 +pkg:npm/file-type@16.5.4 + + ✗ MEDIUM CVE-2026-31808 [Loop with Unreachable Exit Condition ('Infinite Loop')] + https://scout.docker.com/v/CVE-2026-31808?s=github&n=file-type&t=npm&vr=%3E%3D13.0.0%2C%3C21.3.1 + Affected range : >=13.0.0 + : <21.3.1 + Fixed version : 21.3.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + + + 0C 0H 1M 0L js-yaml 3.14.1 +pkg:npm/js-yaml@3.14.1 + + ✗ MEDIUM CVE-2025-64718 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2025-64718?s=github&n=js-yaml&t=npm&vr=%3C3.14.2 + Affected range : <3.14.2 + Fixed version : 4.1.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 0C 0H 1M 0L got 8.3.2 +pkg:npm/got@8.3.2 + + ✗ MEDIUM CVE-2022-33987 + https://scout.docker.com/v/CVE-2022-33987?s=github&n=got&t=npm&vr=%3C11.8.5 + Affected range : <11.8.5 + Fixed version : 11.8.5 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 0C 0H 1M 0L brace-expansion 2.0.2 +pkg:npm/brace-expansion@2.0.2 + + ✗ MEDIUM CVE-2026-33750 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2026-33750?s=github&n=brace-expansion&t=npm&vr=%3E%3D2.0.0%2C%3C2.0.3 + Affected range : >=2.0.0 + : <2.0.3 + Fixed version : 5.0.5 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + + + 0C 0H 1M 0L ip-address 10.0.1 +pkg:npm/ip-address@10.0.1 + + ✗ MEDIUM CVE-2026-42338 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2026-42338?s=github&n=ip-address&t=npm&vr=%3C%3D10.1.0 + Affected range : <=10.1.0 + Fixed version : 10.1.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N + + + 0C 0H 1M 0L base64url 0.0.6 +pkg:npm/base64url@0.0.6 + + ✗ MEDIUM GHSA-rvg8-pwq2-xj7q [Out-of-bounds Read] + https://scout.docker.com/v/GHSA-rvg8-pwq2-xj7q?s=github&n=base64url&t=npm&vr=%3C3.0.0 + Affected range : <3.0.0 + Fixed version : 3.0.0 + + + 0C 0H 1M 0L hbs 4.2.0 +pkg:npm/hbs@4.2.0 + + ✗ MEDIUM CVE-2021-32822 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2021-32822?s=gitlab&n=hbs&t=npm&vr=%3E%3D0 + Affected range : >=0 + Fixed version : not fixed + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + + + 0C 0H 0M 1L cookie 0.4.2 +pkg:npm/cookie@0.4.2 + + ✗ LOW CVE-2024-47764 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')] + https://scout.docker.com/v/CVE-2024-47764?s=github&n=cookie&t=npm&vr=%3C0.7.0 + Affected range : <0.7.0 + Fixed version : 0.7.0 + + + 0C 0H 0M 1L diff 4.0.2 +pkg:npm/diff@4.0.2 + + ✗ LOW CVE-2026-24001 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-24001?s=github&n=diff&t=npm&vr=%3E%3D4.0.0%2C%3C4.0.4 + Affected range : >=4.0.0 + : <4.0.4 + Fixed version : 4.0.4 + CVSS Score : 2.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U + + + 0C 0H 0M 1L @tootallnate/once 2.0.0 +pkg:npm/%40tootallnate/once@2.0.0 + + ✗ LOW CVE-2026-3449 [Incorrect Control Flow Scoping] + https://scout.docker.com/v/CVE-2026-3449?s=github&n=once&ns=%40tootallnate&t=npm&vr=%3C3.0.1 + Affected range : <3.0.1 + Fixed version : 3.0.1 + CVSS Score : 1.9 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P + + + 0C 0H 0M 1L @tootallnate/once 1.1.2 +pkg:npm/%40tootallnate/once@1.1.2 + + ✗ LOW CVE-2026-3449 [Incorrect Control Flow Scoping] + https://scout.docker.com/v/CVE-2026-3449?s=github&n=once&ns=%40tootallnate&t=npm&vr=%3C3.0.1 + Affected range : <3.0.1 + Fixed version : 3.0.1 + CVSS Score : 1.9 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P + + + +159 vulnerabilities found in 55 packages + CRITICAL 20 + HIGH 79 + MEDIUM 45 + LOW 8 + UNSPECIFIED 7 + + +What's next: + View base image update recommendations → docker scout recommendations bkimminich/juice-shop:v19.0.0 + +scout_exit=0 diff --git a/labs/lab7/scanning/snyk-results.txt b/labs/lab7/scanning/snyk-results.txt new file mode 100644 index 00000000..3217d626 --- /dev/null +++ b/labs/lab7/scanning/snyk-results.txt @@ -0,0 +1 @@ +SNYK_TOKEN is not set in this environment. Snyk scan was not executed to avoid sending credentials or scan metadata to an external service without explicit token approval. diff --git a/labs/submission7.md b/labs/submission7.md new file mode 100644 index 00000000..28bdce33 --- /dev/null +++ b/labs/submission7.md @@ -0,0 +1,142 @@ +# Lab 7 Submission - Container Security Scanning and Deployment Hardening + +## Task 1 - Image Vulnerability and Configuration Analysis + +### Scope and Evidence + +Target image: `bkimminich/juice-shop:v19.0.0`. + +Evidence files: + +- `labs/lab7/scanning/scout-cves.txt` +- `labs/lab7/scanning/dockle-results.txt` +- `labs/lab7/scanning/snyk-results.txt` +- `labs/lab7/hardening/manual-host-image-assessment.txt` + +Docker Scout indexed **1004 packages** and detected **55 vulnerable packages**. The overview reported **20 Critical, 79 High, 45 Medium, 8 Low, and 7 Unknown** vulnerabilities. Scout also printed a later total of 159 vulnerabilities found in 55 packages, which appears to include expanded/normalized records beyond the overview table. + +Snyk was not executed because no `SNYK_TOKEN` was available in the environment. Dockle was not executed because it requires mounting `/var/run/docker.sock` into a third-party container, which gives broad control of the local Docker daemon. A safer Docker image/host inspection was collected instead. + +### Top Critical and High Vulnerabilities + +| # | CVE | Package | Severity | Impact | +|---:|---|---|---|---| +| 1 | CVE-2026-44006 | `vm2` 3.9.17 | Critical | Code injection in sandboxing library; possible escape or arbitrary code execution depending on reachable usage | +| 2 | CVE-2026-44005 | `vm2` 3.9.17 | Critical | Prototype pollution can corrupt object behavior and bypass intended isolation | +| 3 | CVE-2026-43997 | `vm2` 3.9.17 | Critical | Code injection risk in a package intended to execute untrusted JavaScript safely | +| 4 | CVE-2026-26332 | `vm2` 3.9.17 | Critical | Protection mechanism failure, weakening sandbox boundaries | +| 5 | CVE-2025-55130 | `node` 22.18.0 | Critical | Runtime-level vulnerability; fix requires upgrading Node to a patched version | + +### Configuration Findings + +Manual image inspection found: + +| Check | Result | Security meaning | +|---|---|---| +| Image user | `65532` | The image is configured to run as non-root, reducing privilege after compromise | +| Entrypoint | `/nodejs/bin/node` | Application runs as Node.js process | +| Exposed port | `3000/tcp` | Expected Juice Shop service port | +| Environment | `PATH`, `SSL_CERT_FILE` | No obvious secret-like environment variable was present in image config | +| Docker daemon security | `seccomp,profile=builtin`; `cgroupns` | Built-in seccomp and cgroup namespace isolation are enabled | + +The main configuration risk is not root execution, because this image already uses UID `65532`. The larger risks are vulnerable application/runtime dependencies and the need to constrain the container at runtime with dropped capabilities, `no-new-privileges`, and resource limits. + +### Security Posture Assessment + +The image has a better-than-default runtime identity because it does not run as root. Recommended improvements: + +1. Upgrade `vm2`, Node.js, and other vulnerable dependencies or rebuild from a patched Juice Shop/base image. +2. Pin images by digest for deterministic deployment. +3. Run with `--cap-drop=ALL` and add back only required capabilities. +4. Enable `--security-opt=no-new-privileges`. +5. Set memory, CPU, and PID limits to reduce denial-of-service blast radius. +6. Keep Docker built-in seccomp enabled. + +## Task 2 - Docker Host Security Benchmarking + +### Evidence + +- `labs/lab7/hardening/docker-bench-results.txt` +- `labs/lab7/hardening/manual-host-image-assessment.txt` + +The full `docker/docker-bench-security` container was not executed because it requires host-level mounts and privileges: host network, host PID namespace, `audit_control`, read-only `/var/lib`, Docker socket, `/etc`, and systemd directories. That is a valid CIS-style audit pattern, but it gives a third-party container broad host visibility. + +Manual host evidence collected from Docker itself: + +| Control area | Observed value | Assessment | +|---|---|---| +| Docker version | 29.3.1 | Current enough for modern security features | +| Security options | `seccomp,profile=builtin`; `cgroupns` | Built-in syscall filtering and cgroup namespace support are enabled | +| Cgroup driver | `systemd` | Standard on Linux hosts and suitable for resource governance | +| Docker root dir | `/var/snap/docker/common/var-lib-docker` | Docker Snap storage path in this WSL environment | + +### Summary Statistics + +Because Docker Bench was not run, PASS/WARN/FAIL/INFO counts are not available from the official benchmark output. The manual evidence confirms two important baseline controls: seccomp is enabled and cgroup namespace isolation is present. + +### Remediation Priorities + +If running the full CIS benchmark is approved later, I would focus remediation on: + +1. Docker daemon hardening and audit logging. +2. Restricting access to `/var/run/docker.sock`. +3. Ensuring containers use non-root users and no unnecessary capabilities. +4. Setting resource limits and restart policies for production workloads. +5. Enforcing image provenance/signature verification in deployment policy. + +## Task 3 - Deployment Security Configuration Analysis + +### Functionality and Resource Evidence + +All three profiles started successfully and returned HTTP 200: + +| Profile | HTTP result | Memory observed | +|---|---|---| +| Default | 200 | 165.3 MiB / 7.281 GiB | +| Hardened | 200 | 91.46 MiB / 512 MiB | +| Production | 200 | 102.2 MiB / 512 MiB | + +The original lab command used `--security-opt=seccomp=default`, but this Docker environment interpreted `default` as a missing file path. The production run therefore omitted the explicit flag while retaining Docker built-in seccomp, confirmed by `docker info`. + +### Configuration Comparison + +| Setting | Default | Hardened | Production | +|---|---|---|---| +| Capabilities dropped | none | `ALL` | `ALL` | +| Capabilities added | none | none | `CAP_NET_BIND_SERVICE` | +| Security options | none | `no-new-privileges` | `no-new-privileges` | +| Memory limit | none | 512 MiB | 512 MiB | +| Memory swap | none | 1 GiB default Docker behavior | 512 MiB | +| CPU limit | none | 1 CPU requested | 1 CPU requested | +| PID limit | none | none | 100 | +| Restart policy | no | no | `on-failure` | + +### Security Measure Analysis + +`--cap-drop=ALL` removes Linux capabilities from the container process. Capabilities split root-like powers into smaller privileges, such as network administration or changing ownership. Dropping all capabilities reduces what an attacker can do after remote code execution. `NET_BIND_SERVICE` allows binding to low-numbered ports; Juice Shop uses port 3000, so it is not strictly needed here, but it demonstrates adding back only a specific capability when required. + +`--security-opt=no-new-privileges` prevents a process and its children from gaining additional privileges through setuid binaries or file capabilities. It is usually low-risk for web applications and helps block local privilege escalation paths. + +`--memory=512m` and `--cpus=1.0` constrain resource consumption. Without limits, a compromised or buggy container can consume host memory/CPU and affect other workloads. Limits that are too low can cause instability or false outages, so they should be set from observed baseline usage plus headroom. + +`--pids-limit=100` limits process creation. It helps contain fork-bomb style denial-of-service attacks where a process repeatedly creates child processes until the host process table is exhausted. The right value depends on normal process count under load. + +`--restart=on-failure:3` restarts the service after crashes, but stops after repeated failures. It is safer than `always` for crash loops because `always` can hide persistent faults and create noisy restart storms. + +### Critical Thinking Questions + +For development, I would use the default or lightly hardened profile. Developers need easier debugging and fewer constraints, while still keeping the image non-root. + +For production, I would use the production profile: dropped capabilities, no-new-privileges, memory/CPU/PID limits, restart policy, digest-pinned image, and default seccomp enabled. + +Resource limits solve noisy-neighbor and denial-of-service problems. They prevent one container from exhausting the host and affecting unrelated services. + +If an attacker exploits the default container, they have a larger runtime capability set and no resource ceilings. In the production profile, capability abuse, privilege gain, fork bombs, and unlimited memory growth are constrained. + +Additional hardening I would add: + +1. Read-only root filesystem with a writable tmpfs for required temp paths. +2. Explicit non-root `--user` matching the image UID. +3. Network egress controls. +4. Digest pinning and signature verification. +5. Centralized runtime monitoring with Falco or equivalent.