SYNK-3: Fix CVE-2023-38545 - Upgrade curl packages to resolve CVSS 9.8 critical vulnerability #19
Summary
This PR fixes a critical curl vulnerability (CVE-2023-38545, CVSS 9.8) in the nodejs-goof Docker container by explicitly upgrading curl packages in the Dockerfile. The fix adds a single RUN command after the base image declaration to upgrade curl from version 7.74.0-1.3+deb11u3 to 7.74.0-1.3+deb11u15, which resolves the out-of-bounds write vulnerability.

Changed packages:
- curl: 7.74.0-1.3+deb11u3 → 7.74.0-1.3+deb11u15
- libcurl3-gnutls: 7.74.0-1.3+deb11u3 → 7.74.0-1.3+deb11u15
- libcurl4: 7.74.0-1.3+deb11u3 → 7.74.0-1.3+deb11u15
- libcurl4-openssl-dev: 7.74.0-1.3+deb11u3 → 7.74.0-1.3+deb11u15

This is an infrastructure-level security fix that does not modify application code or affect the intentional educational vulnerabilities in nodejs-goof.
Review & Testing Checklist for Human
Please verify the following before merging:
- Test full application runtime - Run `docker-compose up` and verify the nodejs-goof application starts successfully and functions normally with MongoDB and MySQL databases connected (I only verified the Docker build succeeds and curl version is upgraded, but did not test full runtime)
- Verify curl version - Run `docker run --rm --entrypoint /bin/bash <image> -c "dpkg -l | grep curl"` to confirm all curl packages are version 7.74.0-1.3+deb11u10 or higher
- Check educational vulnerabilities - Verify that the intentional security demonstration features (NoSQL injection, XSS, etc.) still work as expected and can be exploited via the exploit scripts in the `exploits/` directory
- Review build time impact - The apt-get upgrade adds approximately 36 seconds to the Docker build. Confirm this is acceptable for your CI/CD pipeline
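One way to automate the "Verify curl version" step above, added here as an example and not code from this PR or the nodejs-goof project: it parses `dpkg -l` output (a constructed sample is embedded) and flags any installed curl package below a minimum Debian version. The minimum version, the `curl|libcurl*` package filter and the use of GNU `sort -V` in place of `dpkg --compare-versions` are assumptions.

```shell
#!/bin/sh
# Added example, not part of the PR: flag installed curl packages in
# `dpkg -l` output that are below a minimum Debian version.
# Assumed minimum: the version the PR upgrades to.
MIN_CURL_VERSION="7.74.0-1.3+deb11u15"

# Constructed sample of `dpkg -l | grep curl` from a patched image.
PATCHED_DPKG='ii  curl                  7.74.0-1.3+deb11u15  amd64  command line tool for transferring data
ii  libcurl3-gnutls:amd64 7.74.0-1.3+deb11u15  amd64  client-side URL transfer library (GnuTLS)
ii  libcurl4:amd64        7.74.0-1.3+deb11u15  amd64  client-side URL transfer library (OpenSSL)
ii  libcurl4-openssl-dev  7.74.0-1.3+deb11u15  amd64  development files for libcurl (OpenSSL)'

# Constructed sample where libcurl4 is still at the base-image version.
UNPATCHED_DPKG='ii  curl                  7.74.0-1.3+deb11u15  amd64  command line tool for transferring data
ii  libcurl4:amd64        7.74.0-1.3+deb11u3   amd64  client-side URL transfer library (OpenSSL)'

# version_ge A B: true when Debian version A is equal to or newer than B.
# Uses GNU `sort -V` (assumed available) instead of `dpkg --compare-versions`,
# which only exists inside the container; it orders "deb11u3" before "deb11u15".
version_ge() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# check_curl_versions DPKG_OUTPUT MIN_VERSION
# Prints one line per installed curl package below MIN_VERSION.
# Returns 0 when every curl package is at or above it, 1 otherwise.
check_curl_versions() {
    dpkg_out="$1"; min="$2"; bad=0
    # dpkg -l columns: status, package, version, arch, description.
    while read -r status pkg ver rest; do
        [ "$status" = "ii" ] || continue          # installed packages only
        case "$pkg" in
            curl|libcurl*) ;;                       # curl and libcurl* only
            *) continue ;;
        esac
        if ! version_ge "$ver" "$min"; then
            echo "VULNERABLE: $pkg $ver < $min"
            bad=1
        fi
    done <<EOF
$dpkg_out
EOF
    return $bad
}

check_curl_versions "$PATCHED_DPKG" "$MIN_CURL_VERSION" \
    && echo "all curl packages >= $MIN_CURL_VERSION"
```

Against a built image, feed it the output of the `docker run ... -c "dpkg -l | grep curl"` command from the checklist instead of the embedded sample.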
Notes
- `apt-get clean && rm -rf /var/lib/apt/lists/*` to minimize image size impact
- `node:18.13.0` base image for consistency with the current setup

Link to Devin run: https://app.devin.ai/sessions/70a625a1cfa24a0381a197ec8ad1e6d1
Requested by: Shawn Azman ([email protected]) / @ShawnAzman