From aed4260c77803618fbd27072cb967304f0a5fcb0 Mon Sep 17 00:00:00 2001
From: Ivan Smirnov
Date: Mon, 9 Feb 2026 09:52:42 +0300
Subject: [PATCH 1/4] docs: added PR template

---
 .github/pull_request_template.md | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 .github/pull_request_template.md

diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 00000000..b65a6540
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,9 @@
+# Goal
+Submitting my homework for lab#
+
+# Changes
+- Added submissionXX.md
+
+# Checklist
+- [x] Task 1 done
+- [x] Task 2 done
\ No newline at end of file

From abd24ce589867b4d1ea8d09d7493a229bc3f2d68 Mon Sep 17 00:00:00 2001
From: Ivan Smirnov
Date: Tue, 12 May 2026 17:44:30 +0300
Subject: [PATCH 2/4] docs: pull sync for updated lab materials

---
 labs/lab5/sqlmap/localhost/log | 8 ++++++++
 labs/lab5/sqlmap/localhost/session.sqlite | Bin 0 -> 8192 bytes
 labs/lab5/sqlmap/localhost/target.txt | 3 +++
 3 files changed, 11 insertions(+)
 create mode 100644 labs/lab5/sqlmap/localhost/log
 create mode 100644 labs/lab5/sqlmap/localhost/session.sqlite
 create mode 100644 labs/lab5/sqlmap/localhost/target.txt

diff --git a/labs/lab5/sqlmap/localhost/log b/labs/lab5/sqlmap/localhost/log
new file mode 100644
index 00000000..4cabc56c
--- /dev/null
+++ b/labs/lab5/sqlmap/localhost/log
@@ -0,0 +1,8 @@
+sqlmap identified the following injection point(s) with a total of 41 HTTP(s) requests:
+---
+Parameter: #1* (URI)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: http://localhost:3000/rest/products/search?q=') AND 6254=6254 AND ('jcto' LIKE 'jcto
+---
+back-end DBMS: SQLite
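Review bot: Raw sqlmap artifacts are being committed wholesale here — this hunk adds the tool's `log`, and the same patch adds `session.sqlite` and `target.txt` under `labs/lab5/sqlmap/localhost/`. The session database keeps the request history and whatever data sqlmap retrieved from the target, so it can disclose far more than the finding it documents and should not be versioned; the binary blob in the `session.sqlite` hunk is also truncated in this copy, so its contents cannot even be reviewed. Add `labs/lab5/sqlmap/` to `.gitignore` and record only the sanitized result (parameter, injection type, back-end DBMS) in the lab submission. The subject `docs: pull sync for updated lab materials` also does not say that tool output is being added, which is how artifacts like this slip into a repository unnoticed.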
diff --git a/labs/lab5/sqlmap/localhost/session.sqlite b/labs/lab5/sqlmap/localhost/session.sqlite new file mode 100644 index 0000000000000000000000000000000000000000..bc78069a77adf47c841020d13805f64f6cfb4884 GIT binary patch literal 8192 zcmeHLU5p!774{~fc2u!OLQqhIWbsl!hLerlG1d*zABcUp!oIC3Y z0+qrWFEiTR*?aE!e9!s5@62dds#n{CR%UB&yKfFM`NRhjQ&WlCGMPjov2OAWxA2;R zpBpB>;~QT8w`*PEGt%eZ4_Q;`!wL9`ub6?DftZ1qftZ1qftZ1qftZ1qftZ1qftZ1q zf%j%Wn!4_WO`E2^Fff~5Yi`inZaUFzT}ecwj50DwRZ(WLm-$57&TxW^7$j!4h+K^n z^-KlnpU#X-Z`jJnNRvN_|2E&0ypY(qn!YaezT|4UKYcX4JAE?!k?CjB2d7V`k56CT zxRkylbxZ2Q>2uSsrEW}KNPj9_OMfo?+4NuDyWn^?W*}xDW*}xDW*}zZ|HQz?Cr`X{ za{s<_kN<3a;-gad-~QxRe{yo=;=Q-uYphRvNZvkdCGY&!*|!g!d3K450*9_F{`$}h z$NzY661e_}eRtn=`HL?+ciZ~J#~hNktvWfpWANCir}jSm`}_Bu+K^cEAw1h;ymr+W zMwZ_g8VsG)HL+kZjY?e;vzG6*MaG-8$$mhVe9Ee$o=SE|lB7C@8uXj0mo+p#AU%hH zAlYJg-_98`R$b7kIs{k&K9A2@b#bz$1JmaNtFGu22EcwZPX(0c(0FO7{hZmQ1B!4; zcn!4#CE6*6ds-iGUi7*1x+-{9y|0t=u*=djmWHY-sl$TmG;_fmoEwy{VFkbvYgop0 zt(?2nsuv>cHo$JNH6lPIS1;kZfd`xA`+8S_{*Wkp4u@+nb4o$axt^XI1gPigVbgSx zvRQF#sys4PA*&I^e$)4|rb^G5n&25MlH07(t~$5gdegxlo!Ec)@w+bnd3~aV$%o{& zt$K4d;|(?9=8Bb5vZXE}H4Ra&hDwbtDr4Y|?3ccF=7-1beC+BkHYC1|p&%#qAGMRz z!ZrhHG1cPmntl@2j|2T0n4|e7L(f8QWtFVqwbJN#0Yy7J?$cuEv91!H%_w86RmgFv z7F4>3iSRb-%>$m5=0R%*KrA&jRHNTw5vP(NUEPX?_=zS9wrcpM<_0Ctaq$@(qBn~r zvd0qxsop4{1|dqCWH~bOs-i@8Rf4DFjwmZM?sc$s1|xv3$^x8Q1B!$Snxmw7w^~xc zPoZvw5!Ac@+5)Dy<}pTeZH5jIU`>@9>bc_BkP02}mK*j^@BfQ_K)+bgA-^+6nH1_f z8j>sYnm<9NY?Dy}ns%`3NL)9^@FVb>r>ipq-KQ4}weILX%!XfgsuHD1NRdQ|8d+_M zt1AXCcPvNG1+ER=utcak^e^SM)L^8mVnBN?7Kk)in7?vwRLwy=2VP=|3wF7;P%D%3 z)jaQ6`TEFW`H{gYvo>2BfpuKV7kXRrsK}2yPFP!69}9B5D9mz%P@;g(x>G6H+w{CR z;>T1?Y7A&@vbIEfGFx^JW*Ta9tE93v*R~I5FvYPYdU_ex8)`>2rAC1f6`qzm0u6eY zDrvzc_%cTf47HH8!~q^i@CLF}@@Bl3HB2;da4eL!*oQiGRA_pKu_+n=>{l4x6kOR8V0uH)7vr z0?-rnp{@wu0grEkb@+&}^7#2u=vor+iTS5R&|Y&5DpGY{q;GrGMkYN5kZv(~H0S%@5xB`Hj(=>VaJ+Uc0pN#Hk&V zKx+S&@7ulf`qjU|tLp~Z^yXTr@2FbuW2@)hJowbv#hnpo`O%jiSzg(B<;`m;-+OT9TW{}J z`qfXPl%+j8kA45#>4!fUrKEN}`N} Date: Tue, 12 May 2026 18:52:43 
+0300
Subject: [PATCH 3/4] docs: add lab7 submission - container security analysis

---
 labs/submission7.md | 72 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 labs/submission7.md

diff --git a/labs/submission7.md b/labs/submission7.md
new file mode 100644
index 00000000..a79c9e66
--- /dev/null
+++ b/labs/submission7.md
@@ -0,0 +1,72 @@
+# Task 1
+
+## Top 5 Critical/High Vulnerabilities
+|CVE ID| Affected package| Severity| Impact|
+|-|-|-|-|
+|CVE-2026-44006| vm2 3.9.17| Critical, CVSS 10.0| Code injection may allow severe sandbox compromise and arbitrary code execution|
+|CVE-2026-44005| vm2 3.9.17| Critical, CVSS 10.0| Prototype pollution can corrupt application state and enable follow-on exploitation|
+|CVE-2026-43997| vm2 3.9.17| Critical, CVSS 10.0| Code injection creates a high-risk path to full runtime compromise|
+|CVE-2026-44009| vm2 3.9.17| Critical, CVSS 9.8 |Resource exposure may break isolation boundaries and expose sensitive execution context|
+|CVE-2026-44008| vm2 3.9.17| Critical, CVSS 9.8 |Resource exposure can undermine containment and significantly increase compromise impact|
+
+## Dockle
+... didn't find any FATAL or WARN:
+```shell
+Status: Downloaded newer image for goodwithtech/dockle:latest
+SKIP - DKL-LI-0001: Avoid empty password
+ * failed to detect etc/shadow,etc/master.passwd
+INFO - CIS-DI-0005: Enable Content trust for Docker
+ * export DOCKER_CONTENT_TRUST=1 before docker pull/build
+INFO - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
+ * not found HEALTHCHECK statement
+INFO - DKL-LI-0003: Only put necessary files
+ * unnecessary file : juice-shop/node_modules/micromatch/lib/.DS_Store
+ * unnecessary file : juice-shop/node_modules/extglob/lib/.DS_Store
+```
+
+## Security Posture Assessment
+- Run as root? seemingly no, instead used some user 65532
+- Upgrade vm2 3.9.17 because it has multiple possibly patched CVEs
+- Update components
+
+# Task 2
+For some reason, provided command didn't work for my installation...
+```shell
+docker: invalid reference format
+```
+
+# Task 3
+
+## Configuration Comparison Table
+| Profile | Functionality | Capabilities | Security options | Memory | CPU | PIDs | Restart |
+|---|---:|---|---|---:|---:|---:|---|
+| Default | HTTP 200 | Docker default | Docker default | Unlimited | Unlimited | Unlimited | no |
+| Hardened | HTTP 200 | Drop ALL | no-new-privileges | 512 MiB | 1 CPU | Unlimited | no |
+| Production | HTTP 200 | Drop ALL, add NET_BIND_SERVICE | no-new-privileges | 512 MiB | 1 CPU | 100 | on-failure |
+
+## Security Measure Analysis
+
+### `--cap-drop=ALL` and `--cap-add=NET_BIND_SERVICE`
+Linux capabilities are small privilege blocks; dropping them limits what a compromised container can do.
+``NET_BIND_SERVICE`` adds back only permission to bind low ports, so security stays tighter than Docker defaults.
+
+### ``--security-opt=no-new-privileges``
+Prevents processes from gaining extra privileges after startup.
+
+### ``--memory=512m`` and ``--cpus=1.0``
+Limits memory usage to 512M and CPU usage to 1
+
+### ``--pids-limit=100``
+Anti-fork-bomb limit to only 100 subprocesses
+
+### ``--restart=on-failure:3``
+Restart the container on crash, but only up to 3 times
+
+
+## 3. Critical Thinking Questions
+
+- Development: Use the Default profile because it is easiest for debugging and has fewer restrictions.
+- Production: Use the Production profile because it applies least privilege, resource limits, PID limits, and controlled restart behavior.
+- Resource limits: They prevent one container from exhausting host resources and degrading other services.
+- Default vs Production: Production blocks extra Linux capabilities, privilege escalation, excessive memory use, excessive process creation, and unlimited restart loops.
+- Additional hardening: Add a read-only root filesystem, explicit non-root user validation, image signing, dependency patching, and stricter network exposure.
From 3587ca58e7f1786b1f2f3f8d1000c7adbd88579f Mon Sep 17 00:00:00 2001
From: Ivan Smirnov
Date: Tue, 12 May 2026 18:54:36 +0300
Subject: [PATCH 4/4] docs: add lab7 submission - container security analysis

---
 labs/lab7/analysis/deployment-comparison.txt | 36 +
 labs/lab7/hardening/docker-bench-results.txt | 1 +
 labs/lab7/scanning/dockle-results.txt | 9 +
 labs/lab7/scanning/scout-cves.txt | 1546 ++++++++++++++++++
 labs/lab7/scanning/snyk-results.txt | 362 ++++
 5 files changed, 1954 insertions(+)
 create mode 100644 labs/lab7/analysis/deployment-comparison.txt
 create mode 100644 labs/lab7/hardening/docker-bench-results.txt
 create mode 100644 labs/lab7/scanning/dockle-results.txt
 create mode 100644 labs/lab7/scanning/scout-cves.txt
 create mode 100644 labs/lab7/scanning/snyk-results.txt

diff --git a/labs/lab7/analysis/deployment-comparison.txt b/labs/lab7/analysis/deployment-comparison.txt
new file mode 100644
index 00000000..fa838b92
--- /dev/null
+++ b/labs/lab7/analysis/deployment-comparison.txt
@@ -0,0 +1,36 @@
+=== Functionality Test ===
+Default: HTTP 200
+Hardened: HTTP 200
+Production: HTTP 200
+
+=== Resource Usage ===
+NAME CPU % MEM USAGE / LIMIT MEM %
+juice-default 0.15% 101.5MiB / 31.21GiB 0.32%
+juice-hardened 0.15% 92.14MiB / 512MiB 18.00%
+juice-production 0.13% 93.31MiB / 512MiB 18.23%
+
+=== Security Configurations ===
+
+Container: juice-default
+CapDrop:
+SecurityOpt:
+Memory: 0
+CPU: 0
+PIDs:
+Restart: no
+
+Container: juice-hardened
+CapDrop: [ALL]
+SecurityOpt: [no-new-privileges]
+Memory: 536870912
+CPU: 0
+PIDs:
+Restart: no
+
+Container: juice-production
+CapDrop: [ALL]
+SecurityOpt: [no-new-privileges]
+Memory: 536870912
+CPU: 0
+PIDs: 100
+Restart: on-failure
diff --git a/labs/lab7/hardening/docker-bench-results.txt b/labs/lab7/hardening/docker-bench-results.txt
new file mode 100644
index 00000000..15b48611
--- /dev/null
+++ b/labs/lab7/hardening/docker-bench-results.txt
@@ -0,0 +1 @@
+Error connecting to docker daemon (does docker ps work?)
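Review bot: `CPU: 0` is recorded for juice-hardened and juice-production in the === Security Configurations === block, which contradicts the 1-CPU limit those two profiles are supposed to carry (the comparison table in the patch 3 submission lists `1 CPU` for both, and the text documents `--cpus=1.0`). `--cpus` is stored in `HostConfig.NanoCpus`; if the capture read a different field (such as `CpuShares` or `CpuQuota`) the limit would show as 0 even when applied, and if the flag was never passed the hardened profiles are weaker than the write-up claims. Re-capture the value from the field that `--cpus` sets and name the source field on each row, e.g. `CPU (HostConfig.NanoCpus): <captured value>`, so the artifact can be checked against the run commands. The blank `PIDs:` rows would be clearer as an explicit `unlimited` for the same reason.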
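Review bot: `docker-bench-results.txt` captures a failed run (`Error connecting to docker daemon (does docker ps work?)`), not benchmark output, so the hardening section of this lab currently has no evidence behind it. Docker Bench has to reach the Docker daemon — when run as a container it needs the host's Docker socket made available to it, or it can be run directly on the host — so the check should be re-run and the real findings committed. If it genuinely could not be executed in this environment, state that in the submission and leave the results file out rather than letting the error message stand in for a result.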
diff --git a/labs/lab7/scanning/dockle-results.txt b/labs/lab7/scanning/dockle-results.txt
new file mode 100644
index 00000000..0da4e22e
--- /dev/null
+++ b/labs/lab7/scanning/dockle-results.txt
@@ -0,0 +1,9 @@
+SKIP - DKL-LI-0001: Avoid empty password
+ * failed to detect etc/shadow,etc/master.passwd
+INFO - CIS-DI-0005: Enable Content trust for Docker
+ * export DOCKER_CONTENT_TRUST=1 before docker pull/build
+INFO - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
+ * not found HEALTHCHECK statement
+INFO - DKL-LI-0003: Only put necessary files
+ * unnecessary file : juice-shop/node_modules/micromatch/lib/.DS_Store
+ * unnecessary file : juice-shop/node_modules/extglob/lib/.DS_Store
diff --git a/labs/lab7/scanning/scout-cves.txt b/labs/lab7/scanning/scout-cves.txt
new file mode 100644
index 00000000..ab1ff0e5
--- /dev/null
+++ b/labs/lab7/scanning/scout-cves.txt
@@ -0,0 +1,1546 @@ + + +## Overview + + │ Analyzed Image +───────────────────┼────────────────────────────────────────────── + Target │ bkimminich/juice-shop:v19.0.0 + digest │ 2765a26de764 + platform │ linux/amd64 + provenance │ https://github.com/juice-shop/juice-shop + │ https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7 + vulnerabilities │ 22C 79H 46M 8L 7? + size │ 158 MB + packages │ 1004 + │ + Base image │ gcr.io/distroless/nodejs22-debian12:latest + │ c82186149af6 + + +## Packages and Vulnerabilities + + 14C 2H 5M 0L vm2 3.9.17 +pkg:npm/vm2@3.9.17 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ CRITICAL CVE-2026-44006 [Improper Control of Generation of Code ('Code Injection')] + https://scout.docker.com/v/CVE-2026-44006?s=github&n=vm2&t=npm&vr=%3C%3D3.10.5 + Affected range : <=3.10.5 + Fixed version : 3.11.0 + CVSS Score : 10.0 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + + ✗ CRITICAL CVE-2026-44005 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2026-44005?s=github&n=vm2&t=npm&vr=%3E%3D3.9.6%2C%3C%3D3.10.5 + Affected range : >=3.9.6 + : <=3.10.5 + Fixed version : 3.11.0 + CVSS Score : 10.0 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H + + ✗ CRITICAL CVE-2026-43997 [Improper Control of Generation of Code ('Code Injection')] + https://scout.docker.com/v/CVE-2026-43997?s=github&n=vm2&t=npm&vr=%3C%3D3.10.5 + Affected range : <=3.10.5 + Fixed version : 3.11.0 + CVSS Score : 10.0 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + + ✗ CRITICAL CVE-2026-44009 [Exposure of Resource to Wrong Sphere] + https://scout.docker.com/v/CVE-2026-44009?s=github&n=vm2&t=npm&vr=%3C3.11.2 + Affected range : <3.11.2 + Fixed version : 3.11.2 + CVSS Score : 9.8 + CVSS Vector : 
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2026-44008 [Exposure of Resource to Wrong Sphere] + https://scout.docker.com/v/CVE-2026-44008?s=github&n=vm2&t=npm&vr=%3C%3D3.11.1 + Affected range : <=3.11.1 + Fixed version : 3.11.2 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2026-26332 [Protection Mechanism Failure] + https://scout.docker.com/v/CVE-2026-26332?s=github&n=vm2&t=npm&vr=%3C%3D3.10.4 + Affected range : <=3.10.4 + Fixed version : 3.11.0 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2026-24781 [Protection Mechanism Failure] + https://scout.docker.com/v/CVE-2026-24781?s=github&n=vm2&t=npm&vr=%3C%3D3.10.3 + Affected range : <=3.10.3 + Fixed version : 3.11.0 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2026-24120 [Protection Mechanism Failure] + https://scout.docker.com/v/CVE-2026-24120?s=github&n=vm2&t=npm&vr=%3C%3D3.10.3 + Affected range : <=3.10.3 + Fixed version : 3.10.5 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2026-24118 [Protection Mechanism Failure] + https://scout.docker.com/v/CVE-2026-24118?s=github&n=vm2&t=npm&vr=%3C%3D3.10.4 + Affected range : <=3.10.4 + Fixed version : 3.11.0 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2026-22709 [Protection Mechanism Failure] + https://scout.docker.com/v/CVE-2026-22709?s=github&n=vm2&t=npm&vr=%3C%3D3.10.1 + Affected range : <=3.10.1 + Fixed version : 3.10.2 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2023-37903 [Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')] + https://scout.docker.com/v/CVE-2023-37903?s=github&n=vm2&t=npm&vr=%3C%3D3.9.19 + Affected range : <=3.9.19 + Fixed version : not fixed + CVSS Score : 9.8 + CVSS Vector : 
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2023-37466 [Improper Control of Generation of Code ('Code Injection')] + https://scout.docker.com/v/CVE-2023-37466?s=github&n=vm2&t=npm&vr=%3C%3D3.9.19 + Affected range : <=3.9.19 + Fixed version : 3.10.0 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2023-32314 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')] + https://scout.docker.com/v/CVE-2023-32314?s=github&n=vm2&t=npm&vr=%3C3.9.18 + Affected range : <3.9.18 + Fixed version : 3.9.18 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2026-44007 [Improper Access Control] + https://scout.docker.com/v/CVE-2026-44007?s=github&n=vm2&t=npm&vr=%3C%3D3.11.0 + Affected range : <=3.11.0 + Fixed version : 3.11.1 + CVSS Score : 9.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H + + ✗ HIGH CVE-2026-44001 [Uncaught Exception] + https://scout.docker.com/v/CVE-2026-44001?s=github&n=vm2&t=npm&vr=%3C%3D3.10.5 + Affected range : <=3.10.5 + Fixed version : 3.11.0 + CVSS Score : 8.6 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H + + ✗ HIGH CVE-2026-44004 [Allocation of Resources Without Limits or Throttling] + https://scout.docker.com/v/CVE-2026-44004?s=github&n=vm2&t=npm&vr=%3C%3D3.10.5 + Affected range : <=3.10.5 + Fixed version : 3.11.0 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ MEDIUM CVE-2026-44000 [Exposure of Resource to Wrong Sphere] + https://scout.docker.com/v/CVE-2026-44000?s=github&n=vm2&t=npm&vr=%3C%3D3.10.5 + Affected range : <=3.10.5 + Fixed version : 3.11.0 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N + + ✗ MEDIUM CVE-2026-44002 [Generation of Error Message Containing Sensitive Information] + https://scout.docker.com/v/CVE-2026-44002?s=github&n=vm2&t=npm&vr=%3C%3D3.10.5 + Affected range : <=3.10.5 + 
Fixed version : 3.11.0 + CVSS Score : 5.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N + + ✗ MEDIUM GHSA-2cm2-m3w5-gp2f [Protection Mechanism Failure] + https://scout.docker.com/v/GHSA-2cm2-m3w5-gp2f?s=github&n=vm2&t=npm&vr=%3C3.11.2 + Affected range : <3.11.2 + Fixed version : 3.11.2 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + + ✗ MEDIUM CVE-2026-44003 [Protection Mechanism Failure] + https://scout.docker.com/v/CVE-2026-44003?s=github&n=vm2&t=npm&vr=%3C%3D3.10.5 + Affected range : <=3.10.5 + Fixed version : 3.11.0 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + + ✗ MEDIUM CVE-2023-32313 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')] + https://scout.docker.com/v/CVE-2023-32313?s=github&n=vm2&t=npm&vr=%3C3.9.18 + Affected range : <3.9.18 + Fixed version : 3.9.18 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 1C 5H 4M 2L node 22.18.0 +pkg:generic/node@22.18.0 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L22-L22 +FROM gcr.io/distroless/nodejs22-debian12 + + ✗ CRITICAL CVE-2025-55130 + https://scout.docker.com/v/CVE-2025-55130?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ HIGH CVE-2026-21710 + https://scout.docker.com/v/CVE-2026-21710?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.2 + Affected range : >=22.0.0 + : <22.22.2 + Fixed version : 22.22.2 + + ✗ HIGH CVE-2026-21637 + https://scout.docker.com/v/CVE-2026-21637?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ HIGH CVE-2025-59466 + https://scout.docker.com/v/CVE-2025-59466?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ HIGH CVE-2025-59465 
+ https://scout.docker.com/v/CVE-2025-59465?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ HIGH CVE-2025-55131 + https://scout.docker.com/v/CVE-2025-55131?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ MEDIUM CVE-2026-21717 + https://scout.docker.com/v/CVE-2026-21717?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.2 + Affected range : >=22.0.0 + : <22.22.2 + Fixed version : 22.22.2 + + ✗ MEDIUM CVE-2026-21713 + https://scout.docker.com/v/CVE-2026-21713?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.2 + Affected range : >=22.0.0 + : <22.22.2 + Fixed version : 22.22.2 + + ✗ MEDIUM CVE-2026-21714 + https://scout.docker.com/v/CVE-2026-21714?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.2 + Affected range : >=22.0.0 + : <22.22.2 + Fixed version : 22.22.2 + + ✗ MEDIUM CVE-2025-55132 + https://scout.docker.com/v/CVE-2025-55132?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ LOW CVE-2026-21716 + https://scout.docker.com/v/CVE-2026-21716?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.2 + Affected range : >=22.0.0 + : <22.22.2 + Fixed version : 22.22.2 + + ✗ LOW CVE-2026-21715 + https://scout.docker.com/v/CVE-2026-21715?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.2 + Affected range : >=22.0.0 + : <22.22.2 + Fixed version : 22.22.2 + + + 1C 4H 2M 1L handlebars 4.7.7 +pkg:npm/handlebars@4.7.7 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . 
+ + ✗ CRITICAL CVE-2026-33937 [Access of Resource Using Incompatible Type ('Type Confusion')] + https://scout.docker.com/v/CVE-2026-33937?s=github&n=handlebars&t=npm&vr=%3E%3D4.0.0%2C%3C%3D4.7.8 + Affected range : >=4.0.0 + : <=4.7.8 + Fixed version : 4.7.9 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ HIGH CVE-2026-33941 [Improper Encoding or Escaping of Output] + https://scout.docker.com/v/CVE-2026-33941?s=github&n=handlebars&t=npm&vr=%3E%3D4.0.0%2C%3C%3D4.7.8 + Affected range : >=4.0.0 + : <=4.7.8 + Fixed version : 4.7.9 + CVSS Score : 8.2 + CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H + + ✗ HIGH CVE-2026-33940 [Access of Resource Using Incompatible Type ('Type Confusion')] + https://scout.docker.com/v/CVE-2026-33940?s=github&n=handlebars&t=npm&vr=%3E%3D4.0.0%2C%3C%3D4.7.8 + Affected range : >=4.0.0 + : <=4.7.8 + Fixed version : 4.7.9 + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ HIGH CVE-2026-33938 [Access of Resource Using Incompatible Type ('Type Confusion')] + https://scout.docker.com/v/CVE-2026-33938?s=github&n=handlebars&t=npm&vr=%3E%3D4.0.0%2C%3C%3D4.7.8 + Affected range : >=4.0.0 + : <=4.7.8 + Fixed version : 4.7.9 + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ HIGH CVE-2026-33939 [Improper Check for Unusual or Exceptional Conditions] + https://scout.docker.com/v/CVE-2026-33939?s=github&n=handlebars&t=npm&vr=%3E%3D4.0.0%2C%3C%3D4.7.8 + Affected range : >=4.0.0 + : <=4.7.8 + Fixed version : 4.7.9 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ MEDIUM GHSA-7rx3-28cr-v5wh [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/GHSA-7rx3-28cr-v5wh?s=github&n=handlebars&t=npm&vr=%3E%3D4.6.0%2C%3C%3D4.7.8 + Affected range : >=4.6.0 + : <=4.7.8 + Fixed version : 4.7.9 + CVSS Score : 4.8 + CVSS Vector : 
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N + + ✗ MEDIUM CVE-2026-33916 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2026-33916?s=github&n=handlebars&t=npm&vr=%3E%3D4.0.0%2C%3C4.7.9 + Affected range : >=4.0.0 + : <4.7.9 + Fixed version : 4.7.9 + CVSS Score : 4.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N + + ✗ LOW GHSA-442j-39wm-28r2 [Time-of-check Time-of-use (TOCTOU) Race Condition] + https://scout.docker.com/v/GHSA-442j-39wm-28r2?s=github&n=handlebars&t=npm&vr=%3E%3D4.0.0%2C%3C%3D4.7.8 + Affected range : >=4.0.0 + : <=4.7.8 + Fixed version : 4.7.9 + CVSS Score : 3.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N + + + 1C 3H 2M 0L 1? lodash 2.4.2 +pkg:npm/lodash@2.4.2 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ CRITICAL CVE-2019-10744 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2019-10744?s=github&n=lodash&t=npm&vr=%3C4.17.12 + Affected range : <4.17.12 + Fixed version : 4.17.12 + CVSS Score : 9.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H + + ✗ HIGH CVE-2020-8203 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2020-8203?s=gitlab&n=lodash&t=npm&vr=%3C4.17.20 + Affected range : <4.17.20 + Fixed version : 4.17.20 + CVSS Score : 7.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H + + ✗ HIGH CVE-2021-23337 [Improper Neutralization of Special Elements used in a Command ('Command Injection')] + https://scout.docker.com/v/CVE-2021-23337?s=github&n=lodash&t=npm&vr=%3C4.17.21 + Affected range : <4.17.21 + Fixed version : 4.17.21 + CVSS Score : 7.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + + ✗ HIGH CVE-2018-16487 [Uncontrolled Resource 
Consumption] + https://scout.docker.com/v/CVE-2018-16487?s=github&n=lodash&t=npm&vr=%3C4.17.11 + Affected range : <4.17.11 + Fixed version : 4.17.11 + + ✗ MEDIUM CVE-2026-2950 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2026-2950?s=github&n=lodash&t=npm&vr=%3C%3D4.17.23 + Affected range : <=4.17.23 + Fixed version : 4.18.0 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L + + ✗ MEDIUM CVE-2018-3721 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2018-3721?s=github&n=lodash&t=npm&vr=%3C4.17.5 + Affected range : <4.17.5 + Fixed version : 4.17.5 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N + + ✗ UNSPECIFIED GMS-2018-10 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2018-10?s=gitlab&n=lodash&t=npm&vr=%3C4.17.5 + Affected range : <4.17.5 + Fixed version : 4.17.5 + + + 1C 1H 2M 0L 1? jsonwebtoken 0.1.0 +pkg:npm/jsonwebtoken@0.1.0 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . 
+ + ✗ CRITICAL CVE-2015-9235 [Improper Input Validation] + https://scout.docker.com/v/CVE-2015-9235?s=github&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + ✗ HIGH CVE-2022-23539 [Use of a Broken or Risky Cryptographic Algorithm] + https://scout.docker.com/v/CVE-2022-23539?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N + + ✗ MEDIUM CVE-2022-23540 [Improper Authentication] + https://scout.docker.com/v/CVE-2022-23540?s=github&n=jsonwebtoken&t=npm&vr=%3C9.0.0 + Affected range : <9.0.0 + Fixed version : 9.0.0 + CVSS Score : 6.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L + + ✗ MEDIUM CVE-2022-23541 [Improper Restriction of Security Token Assignment] + https://scout.docker.com/v/CVE-2022-23541?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 5.0 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L + + ✗ UNSPECIFIED GMS-2015-4 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2015-4?s=gitlab&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + + 1C 1H 2M 0L 1? jsonwebtoken 0.4.0 +pkg:npm/jsonwebtoken@0.4.0 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . 
+ + ✗ CRITICAL CVE-2015-9235 [Improper Input Validation] + https://scout.docker.com/v/CVE-2015-9235?s=github&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + ✗ HIGH CVE-2022-23539 [Use of a Broken or Risky Cryptographic Algorithm] + https://scout.docker.com/v/CVE-2022-23539?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N + + ✗ MEDIUM CVE-2022-23540 [Improper Authentication] + https://scout.docker.com/v/CVE-2022-23540?s=github&n=jsonwebtoken&t=npm&vr=%3C9.0.0 + Affected range : <9.0.0 + Fixed version : 9.0.0 + CVSS Score : 6.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L + + ✗ MEDIUM CVE-2022-23541 [Improper Restriction of Security Token Assignment] + https://scout.docker.com/v/CVE-2022-23541?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 5.0 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L + + ✗ UNSPECIFIED GMS-2015-4 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2015-4?s=gitlab&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + + 1C 1H 0M 0L crypto-js 3.3.0 +pkg:npm/crypto-js@3.3.0 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . 
+ + ✗ CRITICAL CVE-2023-46233 [Use of a Broken or Risky Cryptographic Algorithm] + https://scout.docker.com/v/CVE-2023-46233?s=github&n=crypto-js&t=npm&vr=%3C4.2.0 + Affected range : <4.2.0 + Fixed version : 4.2.0 + CVSS Score : 9.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N + + ✗ HIGH GMS-2020-4 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2020-4?s=gitlab&n=crypto-js&t=npm&vr=%3E%3D3.3.0%2C%3C4.0.0 + Affected range : >=3.3.0 + : <4.0.0 + Fixed version : 3.2.1, 4.0.0 + CVSS Score : 7.5 + CVSS Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P + + + 1C 0H 1M 0L minimist 0.2.4 +pkg:npm/minimist@0.2.4 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ CRITICAL CVE-2021-44906 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2021-44906?s=gitlab&n=minimist&t=npm&vr=%3C1.2.6 + Affected range : <1.2.6 + Fixed version : 1.2.6 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ MEDIUM CVE-2020-7598 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2020-7598?s=gitlab&n=minimist&t=npm&vr=%3C1.2.2 + Affected range : <1.2.2 + Fixed version : 1.2.2 + CVSS Score : 5.6 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L + + + 1C 0H 0M 0L marsdb 0.6.11 +pkg:npm/marsdb@0.6.11 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . 
+ + ✗ CRITICAL GHSA-5mrr-rgp6-x4gr [Improper Neutralization of Special Elements used in a Command ('Command Injection')] + https://scout.docker.com/v/GHSA-5mrr-rgp6-x4gr?s=github&n=marsdb&t=npm&vr=%3E%3D0.0.0 + Affected range : >=0.0.0 + Fixed version : not fixed + + + 0C 7H 0M 0L multer 1.4.5-lts.2 +pkg:npm/multer@1.4.5-lts.2 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ HIGH CVE-2026-3520 [Uncontrolled Recursion] + https://scout.docker.com/v/CVE-2026-3520?s=github&n=multer&t=npm&vr=%3C2.1.1 + Affected range : <2.1.1 + Fixed version : 2.1.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-3304 [Incomplete Cleanup] + https://scout.docker.com/v/CVE-2026-3304?s=github&n=multer&t=npm&vr=%3C2.1.0 + Affected range : <2.1.0 + Fixed version : 2.1.0 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-2359 [Missing Release of Resource after Effective Lifetime] + https://scout.docker.com/v/CVE-2026-2359?s=github&n=multer&t=npm&vr=%3C2.1.0 + Affected range : <2.1.0 + Fixed version : 2.1.0 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2025-48997 [Uncaught Exception] + https://scout.docker.com/v/CVE-2025-48997?s=github&n=multer&t=npm&vr=%3E%3D1.4.4-lts.1%2C%3C2.0.1 + Affected range : >=1.4.4-lts.1 + : <2.0.1 + Fixed version : 2.0.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2025-7338 [Uncaught Exception] + https://scout.docker.com/v/CVE-2025-7338?s=github&n=multer&t=npm&vr=%3E%3D1.4.4-lts.1%2C%3C2.0.2 + Affected range : >=1.4.4-lts.1 + : <2.0.2 + Fixed version : 2.0.2 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2025-47944 [Uncaught 
Exception] + https://scout.docker.com/v/CVE-2025-47944?s=github&n=multer&t=npm&vr=%3E%3D1.4.4-lts.1%2C%3C2.0.0 + Affected range : >=1.4.4-lts.1 + : <2.0.0 + Fixed version : 2.0.0 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2025-47935 [Missing Release of Memory after Effective Lifetime] + https://scout.docker.com/v/CVE-2025-47935?s=github&n=multer&t=npm&vr=%3C2.0.0 + Affected range : <2.0.0 + Fixed version : 2.0.0 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 6H 1M 0L tar 4.4.19 +pkg:npm/tar@4.4.19 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ HIGH CVE-2026-23950 [Improper Handling of Unicode Encoding] + https://scout.docker.com/v/CVE-2026-23950?s=github&n=tar&t=npm&vr=%3C%3D7.5.3 + Affected range : <=7.5.3 + Fixed version : 7.5.4 + CVSS Score : 8.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L + + ✗ HIGH CVE-2026-31802 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-31802?s=github&n=tar&t=npm&vr=%3C%3D7.5.10 + Affected range : <=7.5.10 + Fixed version : 7.5.11 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N + + ✗ HIGH CVE-2026-29786 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-29786?s=github&n=tar&t=npm&vr=%3C%3D7.5.9 + Affected range : <=7.5.9 + Fixed version : 7.5.10 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L + + ✗ HIGH CVE-2026-24842 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-24842?s=github&n=tar&t=npm&vr=%3C7.5.7 + Affected range : <7.5.7 + Fixed version : 7.5.7 + CVSS Score : 8.2 + CVSS Vector : 
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N + + ✗ HIGH CVE-2026-23745 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-23745?s=github&n=tar&t=npm&vr=%3C%3D7.5.2 + Affected range : <=7.5.2 + Fixed version : 7.5.3 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N + + ✗ HIGH CVE-2026-26960 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-26960?s=github&n=tar&t=npm&vr=%3C7.5.8 + Affected range : <7.5.8 + Fixed version : 7.5.8 + CVSS Score : 7.1 + CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N + + ✗ MEDIUM CVE-2024-28863 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2024-28863?s=github&n=tar&t=npm&vr=%3C6.2.1 + Affected range : <6.2.1 + Fixed version : 6.2.1 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + + + 0C 6H 0M 0L tar 6.2.1 +pkg:npm/tar@6.2.1 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . 
+ + ✗ HIGH CVE-2026-23950 [Improper Handling of Unicode Encoding] + https://scout.docker.com/v/CVE-2026-23950?s=github&n=tar&t=npm&vr=%3C%3D7.5.3 + Affected range : <=7.5.3 + Fixed version : 7.5.4 + CVSS Score : 8.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L + + ✗ HIGH CVE-2026-31802 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-31802?s=github&n=tar&t=npm&vr=%3C%3D7.5.10 + Affected range : <=7.5.10 + Fixed version : 7.5.11 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N + + ✗ HIGH CVE-2026-29786 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-29786?s=github&n=tar&t=npm&vr=%3C%3D7.5.9 + Affected range : <=7.5.9 + Fixed version : 7.5.10 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L + + ✗ HIGH CVE-2026-24842 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-24842?s=github&n=tar&t=npm&vr=%3C7.5.7 + Affected range : <7.5.7 + Fixed version : 7.5.7 + CVSS Score : 8.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N + + ✗ HIGH CVE-2026-23745 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-23745?s=github&n=tar&t=npm&vr=%3C%3D7.5.2 + Affected range : <=7.5.2 + Fixed version : 7.5.3 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N + + ✗ HIGH CVE-2026-26960 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-26960?s=github&n=tar&t=npm&vr=%3C7.5.8 + Affected range : <7.5.8 + Fixed version : 7.5.8 + CVSS Score : 7.1 + CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N + + + 0C 6H 0M 0L tar 7.4.3 +pkg:npm/tar@7.4.3 + 
+https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ HIGH CVE-2026-23950 [Improper Handling of Unicode Encoding] + https://scout.docker.com/v/CVE-2026-23950?s=github&n=tar&t=npm&vr=%3C%3D7.5.3 + Affected range : <=7.5.3 + Fixed version : 7.5.4 + CVSS Score : 8.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L + + ✗ HIGH CVE-2026-31802 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-31802?s=github&n=tar&t=npm&vr=%3C%3D7.5.10 + Affected range : <=7.5.10 + Fixed version : 7.5.11 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N + + ✗ HIGH CVE-2026-29786 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-29786?s=github&n=tar&t=npm&vr=%3C%3D7.5.9 + Affected range : <=7.5.9 + Fixed version : 7.5.10 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L + + ✗ HIGH CVE-2026-24842 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-24842?s=github&n=tar&t=npm&vr=%3C7.5.7 + Affected range : <7.5.7 + Fixed version : 7.5.7 + CVSS Score : 8.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N + + ✗ HIGH CVE-2026-23745 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-23745?s=github&n=tar&t=npm&vr=%3C%3D7.5.2 + Affected range : <=7.5.2 + Fixed version : 7.5.3 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N + + ✗ HIGH CVE-2026-26960 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-26960?s=github&n=tar&t=npm&vr=%3C7.5.8 + Affected range : <7.5.8 + Fixed version : 7.5.8 
+ CVSS Score : 7.1 + CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N + + + 0C 3H 0M 0L minimatch 3.0.8 +pkg:npm/minimatch@3.0.8 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3C3.1.4 + Affected range : <3.1.4 + Fixed version : 3.1.4 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 3.1.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 3.0.5 +pkg:npm/minimatch@3.0.5 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . 
+ + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3C3.1.4 + Affected range : <3.1.4 + Fixed version : 3.1.4 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 3.1.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 3.1.2 +pkg:npm/minimatch@3.1.2 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . 
+ + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3C3.1.4 + Affected range : <3.1.4 + Fixed version : 3.1.4 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 3.1.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 9.0.5 +pkg:npm/minimatch@9.0.5 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . 
+ + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3E%3D9.0.0%2C%3C9.0.6 + Affected range : >=9.0.0 + : <9.0.6 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3E%3D9.0.0%2C%3C9.0.7 + Affected range : >=9.0.0 + : <9.0.7 + Fixed version : 9.0.7 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3E%3D9.0.0%2C%3C9.0.7 + Affected range : >=9.0.0 + : <9.0.7 + Fixed version : 9.0.7 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 5.1.6 +pkg:npm/minimatch@5.1.6 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . 
+ + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3E%3D5.0.0%2C%3C5.1.7 + Affected range : >=5.0.0 + : <5.1.7 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3E%3D5.0.0%2C%3C5.1.8 + Affected range : >=5.0.0 + : <5.1.8 + Fixed version : 5.1.8 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3E%3D5.0.0%2C%3C5.1.8 + Affected range : >=5.0.0 + : <5.1.8 + Fixed version : 5.1.8 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 2H 1M 0L 1? moment 2.0.0 +pkg:npm/moment@2.0.0 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . 
+ + ✗ HIGH CVE-2022-24785 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2022-24785?s=github&n=moment&t=npm&vr=%3C2.29.2 + Affected range : <2.29.2 + Fixed version : 2.29.2 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + + ✗ HIGH CVE-2017-18214 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2017-18214?s=github&n=moment&t=npm&vr=%3C2.19.3 + Affected range : <2.19.3 + Fixed version : 2.19.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ MEDIUM CVE-2016-4055 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2016-4055?s=github&n=moment&t=npm&vr=%3C2.11.2 + Affected range : <2.11.2 + Fixed version : 2.11.2 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + + ✗ UNSPECIFIED GMS-2017-332 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2017-332?s=gitlab&n=moment&t=npm&vr=%3C2.19.3 + Affected range : <2.19.3 + Fixed version : 2.19.3 + + + 0C 2H 0M 0L 1? jws 0.2.6 +pkg:npm/jws@0.2.6 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . 
+ + ✗ HIGH CVE-2016-1000223 + https://scout.docker.com/v/CVE-2016-1000223?s=github&n=jws&t=npm&vr=%3C3.0.0 + Affected range : <3.0.0 + Fixed version : 3.0.0 + CVSS Score : 8.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N + + ✗ HIGH CVE-2025-65945 [Improper Verification of Cryptographic Signature] + https://scout.docker.com/v/CVE-2025-65945?s=github&n=jws&t=npm&vr=%3C3.2.3 + Affected range : <3.2.3 + Fixed version : 3.2.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + + ✗ UNSPECIFIED GMS-2016-54 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2016-54?s=gitlab&n=jws&t=npm&vr=%3C3.0.0 + Affected range : <3.0.0 + Fixed version : 3.0.0 + + + 0C 1H 6M 0L 2? sanitize-html 1.4.2 +pkg:npm/sanitize-html@1.4.2 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ HIGH CVE-2022-25887 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2022-25887?s=github&n=sanitize-html&t=npm&vr=%3C2.7.1 + Affected range : <2.7.1 + Fixed version : 2.7.1 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ MEDIUM CVE-2019-25225 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2019-25225?s=github&n=sanitize-html&t=npm&vr=%3C2.0.0-beta + Affected range : <2.0.0-beta + Fixed version : 2.0.0-beta + CVSS Score : 6.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + + ✗ MEDIUM CVE-2016-1000237 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2016-1000237?s=github&n=sanitize-html&t=npm&vr=%3C1.4.3 + Affected range : <1.4.3 + Fixed version : 1.4.3 + CVSS Score : 6.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + + ✗ MEDIUM CVE-2024-21501 [Exposure of 
Sensitive Information to an Unauthorized Actor] + https://scout.docker.com/v/CVE-2024-21501?s=github&n=sanitize-html&t=npm&vr=%3C2.12.1 + Affected range : <2.12.1 + Fixed version : 2.12.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + + ✗ MEDIUM CVE-2021-26540 [Improper Input Validation] + https://scout.docker.com/v/CVE-2021-26540?s=github&n=sanitize-html&t=npm&vr=%3C2.3.2 + Affected range : <2.3.2 + Fixed version : 2.3.2 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + ✗ MEDIUM CVE-2021-26539 [Improper Input Validation] + https://scout.docker.com/v/CVE-2021-26539?s=github&n=sanitize-html&t=npm&vr=%3C2.3.1 + Affected range : <2.3.1 + Fixed version : 2.3.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + ✗ MEDIUM CVE-2017-16016 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2017-16016?s=github&n=sanitize-html&t=npm&vr=%3C%3D1.11.1 + Affected range : <=1.11.1 + Fixed version : 1.11.4 + + ✗ UNSPECIFIED GMS-2016-57 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2016-57?s=gitlab&n=sanitize-html&t=npm&vr=%3C%3D1.4.2 + Affected range : <=1.4.2 + Fixed version : 1.4.3 + + ✗ UNSPECIFIED GMS-2016-17 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2016-17?s=gitlab&n=sanitize-html&t=npm&vr=%3C1.11.4 + Affected range : <1.11.4 + Fixed version : 1.11.4 + + + 0C 1H 2M 0L lodash 4.17.21 +pkg:npm/lodash@4.17.21 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . 
+ + ✗ HIGH CVE-2026-4800 [Improper Control of Generation of Code ('Code Injection')] + https://scout.docker.com/v/CVE-2026-4800?s=github&n=lodash&t=npm&vr=%3E%3D4.0.0%2C%3C%3D4.17.23 + Affected range : >=4.0.0 + : <=4.17.23 + Fixed version : 4.18.0 + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ MEDIUM CVE-2025-13465 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2025-13465?s=github&n=lodash&t=npm&vr=%3E%3D4.0.0%2C%3C%3D4.17.22 + Affected range : >=4.0.0 + : <=4.17.22 + Fixed version : 4.17.23 + CVSS Score : 6.9 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P + + ✗ MEDIUM CVE-2026-2950 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2026-2950?s=github&n=lodash&t=npm&vr=%3C%3D4.17.23 + Affected range : <=4.17.23 + Fixed version : 4.18.0 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L + + + 0C 1H 1M 0L validator 13.15.15 +pkg:npm/validator@13.15.15 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . 
+ + ✗ HIGH CVE-2025-12758 [Encoding Error] + https://scout.docker.com/v/CVE-2025-12758?s=github&n=validator&t=npm&vr=%3C13.15.22 + Affected range : <13.15.22 + Fixed version : 13.15.22 + CVSS Score : 7.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P + + ✗ MEDIUM CVE-2025-56200 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2025-56200?s=github&n=validator&t=npm&vr=%3C13.15.20 + Affected range : <13.15.20 + Fixed version : 13.15.20 + CVSS Score : 6.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + + + 0C 1H 1M 0L picomatch 4.0.3 +pkg:npm/picomatch@4.0.3 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ HIGH CVE-2026-33671 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-33671?s=github&n=picomatch&t=npm&vr=%3E%3D4.0.0%2C%3C4.0.4 + Affected range : >=4.0.0 + : <4.0.4 + Fixed version : 4.0.4 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ MEDIUM CVE-2026-33672 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2026-33672?s=github&n=picomatch&t=npm&vr=%3E%3D4.0.0%2C%3C4.0.4 + Affected range : >=4.0.0 + : <4.0.4 + Fixed version : 4.0.4 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 0C 1H 1M 0L socket.io-parser 4.0.5 +pkg:npm/socket.io-parser@4.0.5 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . 
+ + ✗ HIGH CVE-2026-33151 [Improper Check for Unusual or Exceptional Conditions] + https://scout.docker.com/v/CVE-2026-33151?s=github&n=socket.io-parser&t=npm&vr=%3E%3D4.0.0%2C%3C4.2.6 + Affected range : >=4.0.0 + : <4.2.6 + Fixed version : 4.2.6 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ MEDIUM CVE-2023-32695 [Improper Input Validation] + https://scout.docker.com/v/CVE-2023-32695?s=github&n=socket.io-parser&t=npm&vr=%3E%3D4.0.4%2C%3C4.2.3 + Affected range : >=4.0.4 + : <4.2.3 + Fixed version : 4.2.3 + CVSS Score : 6.9 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N + + + 0C 1H 1M 0L picomatch 2.3.1 +pkg:npm/picomatch@2.3.1 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ HIGH CVE-2026-33671 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-33671?s=github&n=picomatch&t=npm&vr=%3C2.3.2 + Affected range : <2.3.2 + Fixed version : 2.3.2 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ MEDIUM CVE-2026-33672 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2026-33672?s=github&n=picomatch&t=npm&vr=%3C2.3.2 + Affected range : <2.3.2 + Fixed version : 2.3.2 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 0C 1H 1M 0L socket.io 3.1.2 +pkg:npm/socket.io@3.1.2 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . 
+ + ✗ HIGH GHSA-25hc-qcg6-38wj [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GHSA-25hc-qcg6-38wj?s=gitlab&n=socket.io&t=npm&vr=%3E%3D3.0.0%2C%3C4.6.2 + Affected range : >=3.0.0 + : <4.6.2 + Fixed version : 2.5.1, 4.6.2 + CVSS Score : 7.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L + + ✗ MEDIUM CVE-2024-38355 [Improper Input Validation] + https://scout.docker.com/v/CVE-2024-38355?s=github&n=socket.io&t=npm&vr=%3E%3D3.0.0%2C%3C4.6.2 + Affected range : >=3.0.0 + : <4.6.2 + Fixed version : 4.6.2 + CVSS Score : 6.9 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N + + + 0C 1H 0M 0L mout 1.2.4 +pkg:npm/mout@1.2.4 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ HIGH CVE-2020-7792 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2020-7792?s=gitlab&n=mout&t=npm&vr=%3E%3D0 + Affected range : >=0 + Fixed version : not fixed + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 1H 0M 0L express-jwt 0.1.3 +pkg:npm/express-jwt@0.1.3 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ HIGH CVE-2020-15084 [Improper Authorization] + https://scout.docker.com/v/CVE-2020-15084?s=github&n=express-jwt&t=npm&vr=%3C%3D5.3.3 + Affected range : <=5.3.3 + Fixed version : 6.0.0 + CVSS Score : 7.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N + + + 0C 1H 0M 0L braces 2.3.2 +pkg:npm/braces@2.3.2 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . 
+ + ✗ HIGH CVE-2024-4068 [Excessive Platform Resource Consumption within a Loop] + https://scout.docker.com/v/CVE-2024-4068?s=github&n=braces&t=npm&vr=%3C3.0.3 + Affected range : <3.0.3 + Fixed version : 3.0.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 1H 0M 0L sequelize 6.37.7 +pkg:npm/sequelize@6.37.7 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ HIGH CVE-2026-30951 [Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')] + https://scout.docker.com/v/CVE-2026-30951?s=github&n=sequelize&t=npm&vr=%3E%3D6.0.0-beta.1%2C%3C%3D6.37.7 + Affected range : >=6.0.0-beta.1 + : <=6.37.7 + Fixed version : 6.37.8 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + + + 0C 1H 0M 0L http-cache-semantics 3.8.1 +pkg:npm/http-cache-semantics@3.8.1 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ HIGH CVE-2022-25881 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2022-25881?s=github&n=http-cache-semantics&t=npm&vr=%3C4.1.1 + Affected range : <4.1.1 + Fixed version : 4.1.1 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 1H 0M 0L tar-fs 2.1.3 +pkg:npm/tar-fs@2.1.3 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . 
+ + ✗ HIGH CVE-2025-59343 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2025-59343?s=github&n=tar-fs&t=npm&vr=%3E%3D2.0.0%2C%3C2.1.4 + Affected range : >=2.0.0 + : <2.1.4 + Fixed version : 2.1.4 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N + + + 0C 1H 0M 0L ip 2.0.1 +pkg:npm/ip@2.0.1 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ HIGH CVE-2024-29415 [Server-Side Request Forgery (SSRF)] + https://scout.docker.com/v/CVE-2024-29415?s=github&n=ip&t=npm&vr=%3C%3D2.0.1 + Affected range : <=2.0.1 + Fixed version : not fixed + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + + + 0C 1H 0M 0L path-to-regexp 0.1.12 +pkg:npm/path-to-regexp@0.1.12 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ HIGH CVE-2026-4867 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-4867?s=github&n=path-to-regexp&t=npm&vr=%3C0.1.13 + Affected range : <0.1.13 + Fixed version : 0.1.13 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 1H 0M 0L ws 7.4.6 +pkg:npm/ws@7.4.6 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . 
+ + ✗ HIGH CVE-2024-37890 [NULL Pointer Dereference] + https://scout.docker.com/v/CVE-2024-37890?s=github&n=ws&t=npm&vr=%3E%3D7.0.0%2C%3C7.5.10 + Affected range : >=7.0.0 + : <7.5.10 + Fixed version : 7.5.10 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + + 0C 1H 0M 0L glob 10.4.5 +pkg:npm/glob@10.4.5 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ HIGH CVE-2025-64756 [Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')] + https://scout.docker.com/v/CVE-2025-64756?s=github&n=glob&t=npm&vr=%3E%3D10.2.0%2C%3C10.5.0 + Affected range : >=10.2.0 + : <10.5.0 + Fixed version : 11.1.0 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H + + + 0C 1H 0M 0L lodash.set 4.3.2 +pkg:npm/lodash.set@4.3.2 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ HIGH CVE-2020-8203 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2020-8203?s=github&n=lodash.set&t=npm&vr=%3E%3D3.7.0%2C%3C%3D4.3.2 + Affected range : >=3.7.0 + : <=4.3.2 + Fixed version : not fixed + CVSS Score : 7.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H + + + 0C 0H 1M 1L qs 6.13.0 +pkg:npm/qs@6.13.0 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . 
+ + ✗ MEDIUM CVE-2025-15284 [Improper Input Validation] + https://scout.docker.com/v/CVE-2025-15284?s=github&n=qs&t=npm&vr=%3C6.14.1 + Affected range : <6.14.1 + Fixed version : 6.14.1 + CVSS Score : 6.3 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L + + ✗ LOW CVE-2026-2391 [Improper Input Validation] + https://scout.docker.com/v/CVE-2026-2391?s=github&n=qs&t=npm&vr=%3E%3D6.7.0%2C%3C%3D6.14.1 + Affected range : >=6.7.0 + : <=6.14.1 + Fixed version : 6.14.2 + CVSS Score : 3.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L + + + 0C 0H 1M 0L brace-expansion 1.1.12 +pkg:npm/brace-expansion@1.1.12 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ MEDIUM CVE-2026-33750 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2026-33750?s=github&n=brace-expansion&t=npm&vr=%3C1.1.13 + Affected range : <1.1.13 + Fixed version : 5.0.5 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + + + 0C 0H 1M 0L file-type 16.5.4 +pkg:npm/file-type@16.5.4 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ MEDIUM CVE-2026-31808 [Loop with Unreachable Exit Condition ('Infinite Loop')] + https://scout.docker.com/v/CVE-2026-31808?s=github&n=file-type&t=npm&vr=%3E%3D13.0.0%2C%3C21.3.1 + Affected range : >=13.0.0 + : <21.3.1 + Fixed version : 21.3.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + + + 0C 0H 1M 0L hbs 4.2.0 +pkg:npm/hbs@4.2.0 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . 
+ + ✗ MEDIUM CVE-2021-32822 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2021-32822?s=gitlab&n=hbs&t=npm&vr=%3E%3D0 + Affected range : >=0 + Fixed version : not fixed + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + + + 0C 0H 1M 0L dottie 2.0.6 +pkg:npm/dottie@2.0.6 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ MEDIUM CVE-2026-27837 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2026-27837?s=github&n=dottie&t=npm&vr=%3E%3D2.0.4%2C%3C%3D2.0.6 + Affected range : >=2.0.4 + : <=2.0.6 + Fixed version : 2.0.7 + CVSS Score : 6.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L + + + 0C 0H 1M 0L base64url 0.0.6 +pkg:npm/base64url@0.0.6 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ MEDIUM GHSA-rvg8-pwq2-xj7q [Out-of-bounds Read] + https://scout.docker.com/v/GHSA-rvg8-pwq2-xj7q?s=github&n=base64url&t=npm&vr=%3C3.0.0 + Affected range : <3.0.0 + Fixed version : 3.0.0 + + + 0C 0H 1M 0L brace-expansion 2.0.2 +pkg:npm/brace-expansion@2.0.2 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . 
+ + ✗ MEDIUM CVE-2026-33750 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2026-33750?s=github&n=brace-expansion&t=npm&vr=%3E%3D2.0.0%2C%3C2.0.3 + Affected range : >=2.0.0 + : <2.0.3 + Fixed version : 5.0.5 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + + + 0C 0H 1M 0L micromatch 3.1.10 +pkg:npm/micromatch@3.1.10 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ MEDIUM CVE-2024-4067 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2024-4067?s=github&n=micromatch&t=npm&vr=%3C4.0.8 + Affected range : <4.0.8 + Fixed version : 4.0.8 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + + + 0C 0H 1M 0L notevil 1.3.3 +pkg:npm/notevil@1.3.3 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ MEDIUM CVE-2021-23771 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2021-23771?s=github&n=notevil&t=npm&vr=%3C%3D1.3.3 + Affected range : <=1.3.3 + Fixed version : not fixed + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N + + + 0C 0H 1M 0L got 8.3.2 +pkg:npm/got@8.3.2 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . 
+ + ✗ MEDIUM CVE-2022-33987 + https://scout.docker.com/v/CVE-2022-33987?s=github&n=got&t=npm&vr=%3C11.8.5 + Affected range : <11.8.5 + Fixed version : 11.8.5 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 0C 0H 1M 0L ip-address 10.0.1 +pkg:npm/ip-address@10.0.1 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ MEDIUM CVE-2026-42338 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2026-42338?s=github&n=ip-address&t=npm&vr=%3C%3D10.1.0 + Affected range : <=10.1.0 + Fixed version : 10.1.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N + + + 0C 0H 1M 0L js-yaml 3.14.1 +pkg:npm/js-yaml@3.14.1 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ MEDIUM CVE-2025-64718 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2025-64718?s=github&n=js-yaml&t=npm&vr=%3C3.14.2 + Affected range : <3.14.2 + Fixed version : 4.1.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 0C 0H 1M 0L engine.io 4.1.2 +pkg:npm/engine.io@4.1.2 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . 
+ + ✗ MEDIUM CVE-2022-41940 [Uncaught Exception] + https://scout.docker.com/v/CVE-2022-41940?s=github&n=engine.io&t=npm&vr=%3E%3D4.0.0%2C%3C6.2.1 + Affected range : >=4.0.0 + : <6.2.1 + Fixed version : 6.2.1 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + + + 0C 0H 0M 1L cookie 0.4.2 +pkg:npm/cookie@0.4.2 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ LOW CVE-2024-47764 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')] + https://scout.docker.com/v/CVE-2024-47764?s=github&n=cookie&t=npm&vr=%3C0.7.0 + Affected range : <0.7.0 + Fixed version : 0.7.0 + + + 0C 0H 0M 1L @tootallnate/once 2.0.0 +pkg:npm/%40tootallnate/once@2.0.0 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ LOW CVE-2026-3449 [Incorrect Control Flow Scoping] + https://scout.docker.com/v/CVE-2026-3449?s=github&n=once&ns=%40tootallnate&t=npm&vr=%3C3.0.1 + Affected range : <3.0.1 + Fixed version : 3.0.1 + CVSS Score : 1.9 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P + + + 0C 0H 0M 1L diff 4.0.2 +pkg:npm/diff@4.0.2 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . 
+ + ✗ LOW CVE-2026-24001 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-24001?s=github&n=diff&t=npm&vr=%3E%3D4.0.0%2C%3C4.0.4 + Affected range : >=4.0.0 + : <4.0.4 + Fixed version : 4.0.4 + CVSS Score : 2.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U + + + 0C 0H 0M 1L @tootallnate/once 1.1.2 +pkg:npm/%40tootallnate/once@1.1.2 + +https://github.com/juice-shop/juice-shop/blob/36870cbbdfe7864698e1adf644c7bf772f67ebb7/Dockerfile#L38-L38 +COPY --from=installer --chown=65532:0 /juice-shop . + + ✗ LOW CVE-2026-3449 [Incorrect Control Flow Scoping] + https://scout.docker.com/v/CVE-2026-3449?s=github&n=once&ns=%40tootallnate&t=npm&vr=%3C3.0.1 + Affected range : <3.0.1 + Fixed version : 3.0.1 + CVSS Score : 1.9 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P + + + +162 vulnerabilities found in 55 packages + CRITICAL 22 + HIGH 79 + MEDIUM 46 + LOW 8 + UNSPECIFIED 7 + diff --git a/labs/lab7/scanning/snyk-results.txt b/labs/lab7/scanning/snyk-results.txt new file mode 100644 index 00000000..bf16f11f --- /dev/null +++ b/labs/lab7/scanning/snyk-results.txt @@ -0,0 +1,362 @@ + +Testing bkimminich/juice-shop:v19.0.0... + +✗ High severity vulnerability found in openssl/libssl3 + Description: CVE-2025-69421 + Info: https://security.snyk.io/vuln/SNYK-DEBIAN12-OPENSSL-15123192 + Introduced through: openssl/libssl3@3.0.17-1~deb12u2 + From: openssl/libssl3@3.0.17-1~deb12u2 + Fixed in: 3.0.18-1~deb12u2 + +✗ High severity vulnerability found in openssl/libssl3 + Description: CVE-2026-28388 + Info: https://security.snyk.io/vuln/SNYK-DEBIAN12-OPENSSL-15969313 + Introduced through: openssl/libssl3@3.0.17-1~deb12u2 + 
From: openssl/libssl3@3.0.17-1~deb12u2 + Fixed in: 3.0.19-1~deb12u2 + +✗ High severity vulnerability found in openssl/libssl3 + Description: CVE-2026-28390 + Info: https://security.snyk.io/vuln/SNYK-DEBIAN12-OPENSSL-15969319 + Introduced through: openssl/libssl3@3.0.17-1~deb12u2 + From: openssl/libssl3@3.0.17-1~deb12u2 + Fixed in: 3.0.19-1~deb12u2 + +✗ High severity vulnerability found in openssl/libssl3 + Description: CVE-2026-28387 + Info: https://security.snyk.io/vuln/SNYK-DEBIAN12-OPENSSL-15969321 + Introduced through: openssl/libssl3@3.0.17-1~deb12u2 + From: openssl/libssl3@3.0.17-1~deb12u2 + Fixed in: 3.0.19-1~deb12u2 + +✗ High severity vulnerability found in openssl/libssl3 + Description: CVE-2026-28389 + Info: https://security.snyk.io/vuln/SNYK-DEBIAN12-OPENSSL-15969324 + Introduced through: openssl/libssl3@3.0.17-1~deb12u2 + From: openssl/libssl3@3.0.17-1~deb12u2 + Fixed in: 3.0.19-1~deb12u2 + +✗ Critical severity vulnerability found in openssl/libssl3 + Description: CVE-2026-31789 + Info: https://security.snyk.io/vuln/SNYK-DEBIAN12-OPENSSL-15969314 + Introduced through: openssl/libssl3@3.0.17-1~deb12u2 + From: openssl/libssl3@3.0.17-1~deb12u2 + Fixed in: 3.0.19-1~deb12u2 + +------------ Detected 7 vulnerabilities for node@22.18.0 ------------ + + +✗ High severity vulnerability found in node + Description: UNIX Symbolic Link (Symlink) Following + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14928586 + Introduced through: node@22.18.0 + From: node@22.18.0 + Fixed in: 22.22.0 + +✗ High severity vulnerability found in node + Description: Uncaught Exception + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14929624 + Introduced through: node@22.18.0 + From: node@22.18.0 + Fixed in: 22.22.0 + +✗ High severity vulnerability found in node + Description: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14975915 + Introduced through: node@22.18.0 + 
From: node@22.18.0 + Fixed in: 22.22.0 + +✗ High severity vulnerability found in node + Description: Uncaught Exception + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14982196 + Introduced through: node@22.18.0 + From: node@22.18.0 + Fixed in: 22.22.0 + +✗ High severity vulnerability found in node + Description: Uncaught Exception + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-15763402 + Introduced through: node@22.18.0 + From: node@22.18.0 + Fixed in: 22.22.2 + +✗ High severity vulnerability found in node + Description: Uncaught Exception + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-15763406 + Introduced through: node@22.18.0 + From: node@22.18.0 + Fixed in: 22.22.2 + +✗ Critical severity vulnerability found in node + Description: Race Condition + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14928492 + Introduced through: node@22.18.0 + 
From: node@22.18.0 + Fixed in: 22.22.0 + +Organization: rightrat42 +Package manager: deb +Project name: docker-image|bkimminich/juice-shop +Docker image: bkimminich/juice-shop:v19.0.0 +Platform: linux/amd64 +Target OS: Distroless +Licenses: enabled + +Tested 10 dependencies for known issues, found 13 issues. + +------------------------------------------------------- + +Testing bkimminich/juice-shop:v19.0.0... + +Tested 975 dependencies for known issues, found 68 issues. + + +Issues to fix by upgrading: + + Upgrade body-parser@1.20.3 to body-parser@1.20.4 to fix + ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-14724253] in qs@6.13.0 + introduced by body-parser@1.20.3 > qs@6.13.0 and 2 other path(s) + ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-15268416] in qs@6.13.0 + introduced by body-parser@1.20.3 > qs@6.13.0 and 2 other path(s) + + Upgrade check-dependencies@1.1.1 to check-dependencies@2.0.0 to fix + ✗ Excessive Platform Resource Consumption within a Loop [High Severity][https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727] in braces@2.3.2 + introduced by check-dependencies@1.1.1 > findup-sync@2.0.0 > micromatch@3.1.10 > braces@2.3.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660] in unset-value@1.0.0 + introduced by check-dependencies@1.1.1 > findup-sync@2.0.0 > micromatch@3.1.10 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > unset-value@1.0.0 and 4 other path(s) + + Upgrade express@4.21.2 to express@4.22.0 to fix + ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-14724253] in qs@6.13.0 + introduced by body-parser@1.20.3 > qs@6.13.0 and 2 other path(s) + ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-15268416] in qs@6.13.0 + introduced by 
body-parser@1.20.3 > qs@6.13.0 and 2 other path(s) + + Upgrade express-ipfilter@1.3.2 to express-ipfilter@1.4.0 to fix + ✗ Server-side Request Forgery (SSRF) [High Severity][https://security.snyk.io/vuln/SNYK-JS-IP-12704893] in ip@2.0.1 + introduced by express-ipfilter@1.3.2 > ip@2.0.1 + ✗ Server-side Request Forgery (SSRF) [High Severity][https://security.snyk.io/vuln/SNYK-JS-IP-12761655] in ip@2.0.1 + introduced by express-ipfilter@1.3.2 > ip@2.0.1 + + Upgrade express-jwt@0.1.3 to express-jwt@6.0.0 to fix + ✗ Authorization Bypass [High Severity][https://security.snyk.io/vuln/SNYK-JS-EXPRESSJWT-575022] in express-jwt@0.1.3 + introduced by express-jwt@0.1.3 + ✗ Improper Verification of Cryptographic Signature [High Severity][https://security.snyk.io/vuln/SNYK-JS-JWS-14188253] in jws@0.2.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s) + ✗ Forgeable Public/Private Tokens [High Severity][https://security.snyk.io/vuln/npm:jws:20160726] in jws@0.2.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s) + ✗ Directory Traversal [High Severity][https://security.snyk.io/vuln/SNYK-JS-MOMENT-2440688] in moment@2.0.0 + introduced by express-jwt@0.1.3 > jsonwebtoken@0.1.0 > moment@2.0.0 + ✗ Uninitialized Memory Exposure [High Severity][https://security.snyk.io/vuln/npm:base64url:20180511] in base64url@0.0.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 > base64url@0.0.6 and 3 other path(s) + ✗ Authentication Bypass [High Severity][https://security.snyk.io/vuln/npm:jsonwebtoken:20150331] in jsonwebtoken@0.1.0 + introduced by express-jwt@0.1.3 > jsonwebtoken@0.1.0 and 1 other path(s) + + Upgrade glob@10.4.5 to glob@12.0.0 to fix + ✗ Infinite loop [High Severity][https://security.snyk.io/vuln/SNYK-JS-BRACEEXPANSION-15789759] in brace-expansion@1.1.12 + introduced by grunt@1.6.1 > minimatch@3.0.8 > brace-expansion@1.1.12 and 18 other path(s) + ✗ Command Injection [High Severity][https://security.snyk.io/vuln/SNYK-JS-GLOB-14040952] in glob@10.4.5 + 
introduced by glob@10.4.5 and 1 other path(s) + ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353387] in minimatch@9.0.5 + introduced by glob@10.4.5 > minimatch@9.0.5 and 1 other path(s) + ✗ Inefficient Algorithmic Complexity [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353389] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + + Upgrade grunt@1.6.1 to grunt@1.6.2 to fix + ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + ✗ Inefficient Algorithmic Complexity [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353389] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + + Upgrade grunt-contrib-compress@1.6.0 to grunt-contrib-compress@2.0.0 to fix + ✗ Infinite loop [High Severity][https://security.snyk.io/vuln/SNYK-JS-BRACEEXPANSION-15789759] in brace-expansion@1.1.12 + introduced by grunt@1.6.1 > minimatch@3.0.8 > brace-expansion@1.1.12 and 18 other path(s) + ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + ✗ Inefficient Algorithmic Complexity [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353389] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > 
filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + + Upgrade hbs@4.2.0 to hbs@4.2.1 to fix + ✗ Improper Encoding or Escaping of Output [High Severity][https://security.snyk.io/vuln/SNYK-JS-HANDLEBARS-15807040] in handlebars@4.7.7 + introduced by hbs@4.2.0 > handlebars@4.7.7 + ✗ Improper Check for Unusual or Exceptional Conditions [High Severity][https://security.snyk.io/vuln/SNYK-JS-HANDLEBARS-15807042] in handlebars@4.7.7 + introduced by hbs@4.2.0 > handlebars@4.7.7 + ✗ Access of Resource Using Incompatible Type ('Type Confusion') [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-HANDLEBARS-15803082] in handlebars@4.7.7 + introduced by hbs@4.2.0 > handlebars@4.7.7 + ✗ Access of Resource Using Incompatible Type ('Type Confusion') [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-HANDLEBARS-15803084] in handlebars@4.7.7 + introduced by hbs@4.2.0 > handlebars@4.7.7 + ✗ Access of Resource Using Incompatible Type ('Type Confusion') [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-HANDLEBARS-15803086] in handlebars@4.7.7 + introduced by hbs@4.2.0 > handlebars@4.7.7 + + Upgrade jsonwebtoken@0.4.0 to jsonwebtoken@5.0.0 to fix + ✗ Improper Verification of Cryptographic Signature [High Severity][https://security.snyk.io/vuln/SNYK-JS-JWS-14188253] in jws@0.2.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s) + ✗ Forgeable Public/Private Tokens [High Severity][https://security.snyk.io/vuln/npm:jws:20160726] in jws@0.2.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s) + ✗ Uninitialized Memory Exposure [High Severity][https://security.snyk.io/vuln/npm:base64url:20180511] in base64url@0.0.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 > base64url@0.0.6 and 3 other path(s) + ✗ Authentication Bypass [High Severity][https://security.snyk.io/vuln/npm:jsonwebtoken:20150331] in jsonwebtoken@0.1.0 + introduced by express-jwt@0.1.3 > jsonwebtoken@0.1.0 and 1 other path(s) + + Upgrade 
multer@1.4.5-lts.2 to multer@2.1.1 to fix + ✗ Uncontrolled Recursion [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-15417528] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Missing Release of Resource after Effective Lifetime [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-15365916] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Incomplete Cleanup [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-15365918] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Uncaught Exception [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10773732] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Uncaught Exception [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10185673] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Missing Release of Memory after Effective Lifetime [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10185675] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Uncaught Exception [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10299078] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + + Upgrade node-pre-gyp@0.15.0 to node-pre-gyp@0.17.0 to fix + ✗ Infinite loop [High Severity][https://security.snyk.io/vuln/SNYK-JS-BRACEEXPANSION-15789759] in brace-expansion@1.1.12 + introduced by grunt@1.6.1 > minimatch@3.0.8 > brace-expansion@1.1.12 and 18 other path(s) + ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + ✗ Inefficient Algorithmic Complexity [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353389] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + + Upgrade pdfkit@0.11.0 to pdfkit@0.12.2 to fix + ✗ Use 
of Weak Hash [High Severity][https://security.snyk.io/vuln/SNYK-JS-CRYPTOJS-6028119] in crypto-js@3.3.0 + introduced by pdfkit@0.11.0 > crypto-js@3.3.0 + + Upgrade sanitize-html@1.4.2 to sanitize-html@1.7.1 to fix + ✗ Code Injection [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-1040724] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + ✗ Arbitrary Code Injection [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-15869625] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 and 15 other path(s) + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-450202] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-608086] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-6139239] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-73638] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + + Upgrade sequelize@6.37.7 to sequelize@6.37.8 to fix + ✗ SQL Injection [High Severity][https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-15456219] in sequelize@6.37.7 + introduced by sequelize@6.37.7 + + Upgrade socket.io@3.1.2 to socket.io@4.7.0 to fix + ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-WS-7266574] in ws@7.4.6 + introduced by socket.io@3.1.2 > engine.io@4.1.2 > ws@7.4.6 + ✗ Uncaught Exception [High Severity][https://security.snyk.io/vuln/SNYK-JS-SOCKETIO-7278048] in socket.io@3.1.2 + introduced by socket.io@3.1.2 + ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-15680278] in socket.io-parser@4.0.5 + introduced by socket.io@3.1.2 > socket.io-parser@4.0.5 + ✗ Denial of 
Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-5596892] in socket.io-parser@4.0.5 + introduced by socket.io@3.1.2 > socket.io-parser@4.0.5 + ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-ENGINEIO-3136336] in engine.io@4.1.2 + introduced by socket.io@3.1.2 > engine.io@4.1.2 + + Upgrade sqlite3@5.1.7 to sqlite3@6.0.1 to fix + ✗ Directory Traversal [High Severity][https://security.snyk.io/vuln/SNYK-JS-TAR-15307072] in tar@7.4.3 + introduced by libxmljs2@0.37.0 > node-gyp@11.4.2 > tar@7.4.3 and 5 other path(s) + ✗ Symlink Attack [High Severity][https://security.snyk.io/vuln/SNYK-JS-TAR-15416075] in tar@7.4.3 + introduced by libxmljs2@0.37.0 > node-gyp@11.4.2 > tar@7.4.3 and 5 other path(s) + ✗ Symlink Attack [High Severity][https://security.snyk.io/vuln/SNYK-JS-TAR-15456201] in tar@7.4.3 + introduced by libxmljs2@0.37.0 > node-gyp@11.4.2 > tar@7.4.3 and 5 other path(s) + + Upgrade unzipper@0.9.15 to unzipper@0.12.1 to fix + ✗ Infinite loop [High Severity][https://security.snyk.io/vuln/SNYK-JS-BRACEEXPANSION-15789759] in brace-expansion@1.1.12 + introduced by grunt@1.6.1 > minimatch@3.0.8 > brace-expansion@1.1.12 and 18 other path(s) + ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + ✗ Inefficient Algorithmic Complexity [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353389] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + + +Issues with no direct upgrade or patch: + ✗ Type Confusion [High Severity][https://security.snyk.io/vuln/SNYK-JS-LIBXMLJS2-6808810] in libxmljs2@0.37.0 + introduced by libxmljs2@0.37.0 + No upgrade or patch available + ✗ Type Confusion [High 
Severity][https://security.snyk.io/vuln/SNYK-JS-LIBXMLJS2-6808816] in libxmljs2@0.37.0 + introduced by libxmljs2@0.37.0 + No upgrade or patch available + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASHSET-1320032] in lodash.set@4.3.2 + introduced by grunt-replace-json@0.1.0 > lodash.set@4.3.2 + No upgrade or patch available + ✗ Arbitrary Code Injection [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-MARSDB-480405] in marsdb@0.6.11 + introduced by marsdb@0.6.11 + No upgrade or patch available + ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-PICOMATCH-15765511] in picomatch@4.0.3 + introduced by grunt@1.6.1 > findup-sync@5.0.0 > micromatch@4.0.8 > picomatch@2.3.1 and 4 other path(s) + This issue was fixed in versions: 2.3.2, 3.0.2, 4.0.4 + ✗ Improper Validation of Specified Index, Position, or Offset in Input [High Severity][https://security.snyk.io/vuln/SNYK-JS-UUID-16133035] in uuid@8.3.2 + introduced by sequelize@6.37.7 > uuid@8.3.2 + This issue was fixed in versions: 11.1.1, 14.0.0 + ✗ Incomplete Filtering of One or More Instances of Special Elements [High Severity][https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476] in validator@13.15.15 + introduced by sequelize@6.37.7 > validator@13.15.15 + This issue was fixed in versions: 13.15.22 + ✗ Improper Control of Dynamically-Managed Code Resources [High Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-15116160] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.10.2 + ✗ Arbitrary Code Injection [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-16419418] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.11.0 + ✗ Arbitrary Code Injection [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-16419531] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in 
versions: 3.10.5 + ✗ Arbitrary Code Injection [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-16419533] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.11.0 + ✗ Arbitrary Code Injection [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-16419539] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.11.0 + ✗ Arbitrary Code Injection [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-16438371] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.11.0 + ✗ Arbitrary Code Injection [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-16438924] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.11.0 + ✗ Arbitrary Code Injection [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-16438932] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.11.0 + ✗ Uncaught Exception [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-16438945] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.11.0 + ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-16438976] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.11.0 + ✗ Improper Isolation or Compartmentalization [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-16439011] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.11.0 + ✗ Symlink Attack [High Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-16439013] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.11.0 + ✗ Arbitrary Code Injection [Critical 
Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-16624524] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.11.2 + ✗ Sandbox Bypass [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-5537100] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.9.18 + ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-5772823] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.10.0 + ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-5772825] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.10.0 + + + +Organization: rightrat42 +Package manager: npm +Target file: /juice-shop/package.json +Project name: juice-shop +Docker image: bkimminich/juice-shop:v19.0.0 +Licenses: enabled + + +Tested 2 projects, 2 contained vulnerable paths. + + +