Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency coder/code-server to v4.90.3 #5476

Merged
merged 1 commit into from
Jun 22, 2024

Conversation

uniget-bot
Copy link

This PR contains the following updates:

Package Update Change
coder/code-server patch 4.90.2 -> 4.90.3

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

coder/code-server (coder/code-server)

v4.90.3

Compare Source

Changed
  • Updated to Code 1.90.2.
Fixed
  • When the log gets rotated it will no longer incorrectly be moved to a new
    directory created in the current working directory named with a date.
    Instead, the file itself is prepended with the date and kept in the same
    directory, as originally intended.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

Copy link

@nicholasdille-bot nicholasdille-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto-approved because label type/renovate is present.

Copy link

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/code-server:4.90.3

📦 Image Reference ghcr.io/uniget-org/tools/code-server:4.90.3
digestsha256:457c94d97d4a239797cdf15c4cc7fd72a6eaf4e23631c2d77b25af878756f1d2
vulnerabilitiescritical: 3 high: 22 medium: 4 low: 2 unspecified: 8
platformlinux/amd64
size97 MB
packages385
critical: 3 high: 5 medium: 1 low: 0 unspecified: 5handlebars 1.0.0 (npm)

pkg:npm/[email protected]

critical 9.8: CVE--2021--23383 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Affected range<4.7.7
Fixed version4.7.7
CVSS Score9.8
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description

The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

critical 9.8: CVE--2021--23369 Improper Control of Generation of Code ('Code Injection')

Affected range<4.7.7
Fixed version4.7.7
CVSS Score9.8
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

critical 9.8: CVE--2019--19919 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Affected range<3.0.8
Fixed version4.3.0
CVSS Score9.8
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description

Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Recommendation

Upgrade to version 3.0.8, 4.3.0 or later.

high 8.1: CVE--2019--20920 Improper Control of Generation of Code ('Code Injection')

Affected range<3.0.8
Fixed version3.0.8
CVSS Score8.1
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
Description

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

high 7.3: GHSA--q42p--pg8m--cqh6 Modification of Assumed-Immutable Data (MAID)

Affected range<3.0.7
Fixed version3.0.7
CVSS Score7.3
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description

Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Objects' prototype, thus allowing an attacker to execute arbitrary code on the server.

Recommendation

For handlebars 4.1.x upgrade to 4.1.2 or later.
For handlebars 4.0.x upgrade to 4.0.14 or later.

high 7.3: GHSA--2cf5--4w76--r9qv Improper Control of Generation of Code ('Code Injection')

Affected range<3.0.8
Fixed version3.0.8
CVSS Score7.3
CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L
Description

Versions of handlebars prior to 3.0.8 or 4.5.2 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).

The following template can be used to demonstrate the vulnerability:

	{{#with split as |a|}}
		{{pop (push "alert('Vulnerable Handlebars JS');")}}
		{{#with (concat (lookup join (slice 0 1)))}}
			{{#each (slice 2 3)}}
				{{#with (apply 0 a)}}
					{{.}}
				{{/with}}
			{{/each}}
		{{/with}}
	{{/with}}
{{/with}}```


## Recommendation

Upgrade to version 3.0.8, 4.5.2 or later.

</blockquote>
</details>

<a href="https://scout.docker.com/v/GHSA-q2c6-c6pm-g3gh?s=github&n=handlebars&t=npm&vr=%3C3.0.8"><img alt="high : GHSA--q2c6--c6pm--g3gh" src="https://img.shields.io/badge/GHSA--q2c6--c6pm--g3gh-lightgrey?label=high%20&labelColor=e25d68"/></a> 

<table>
<tr><td>Affected range</td><td><code><3.0.8</code></td></tr>
<tr><td>Fixed version</td><td><code>3.0.8</code></td></tr></table>

<details><summary>Description</summary>
<blockquote>

Versions of `handlebars` prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for a [previous issue](https://www.npmjs.com/advisories/1316). This vulnerability can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).


## Recommendation

Upgrade to version 3.0.8, 4.5.3 or later.

</blockquote>
</details>

<a href="https://scout.docker.com/v/GHSA-g9r4-xpmj-mj65?s=github&n=handlebars&t=npm&vr=%3C3.0.8"><img alt="high : GHSA--g9r4--xpmj--mj65" src="https://img.shields.io/badge/GHSA--g9r4--xpmj--mj65-lightgrey?label=high%20&labelColor=e25d68"/></a> <i>Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')</i>

<table>
<tr><td>Affected range</td><td><code><3.0.8</code></td></tr>
<tr><td>Fixed version</td><td><code>3.0.8</code></td></tr></table>

<details><summary>Description</summary>
<blockquote>

Versions of `handlebars` prior to 3.0.8 or 4.5.3 are vulnerable to prototype pollution. It is possible to add or modify properties to the Object prototype through a malicious template. This may allow attackers to crash the application or execute Arbitrary Code in specific conditions.


## Recommendation

Upgrade to version 3.0.8, 4.5.3 or later.

</blockquote>
</details>

<a href="https://scout.docker.com/v/CVE-2015-8861?s=github&n=handlebars&t=npm&vr=%3C4.0.0"><img alt="medium 6.1: CVE--2015--8861" src="https://img.shields.io/badge/CVE--2015--8861-lightgrey?label=medium%206.1&labelColor=fbb552"/></a> <i>Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</i>

<table>
<tr><td>Affected range</td><td><code><4.0.0</code></td></tr>
<tr><td>Fixed version</td><td><code>4.0.0</code></td></tr>
<tr><td>CVSS Score</td><td><code>6.1</code></td></tr>
<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N</code></td></tr>
</table>

<details><summary>Description</summary>
<blockquote>

Versions of `handlebars` prior to 4.0.0 are affected by a cross-site scripting vulnerability when attributes in handlebar templates are not quoted.


## Proof of Concept
Template:
```<a href={{foo}}/>```

Input:
```{ 'foo' : 'test.com onload=alert(1)'}```

Rendered result:
```<a href=test.com onload=alert(1)/>```


## Recommendation

Update to version 4.0.0 or later.
Alternatively, ensure that all attributes in handlebars templates are encapsulated with quotes.

</blockquote>
</details>

<a href="https://scout.docker.com/v/GMS-2020-730?s=gitlab&n=handlebars&t=npm&vr=%3C3.0.8"><img alt="unspecified : GMS--2020--730" src="https://img.shields.io/badge/GMS--2020--730-lightgrey?label=unspecified%20&labelColor=lightgrey"/></a> <i>OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities</i>

<table>
<tr><td>Affected range</td><td><code><3.0.8</code></td></tr>
<tr><td>Fixed version</td><td><code>3.0.8, 4.5.3</code></td></tr></table>

<details><summary>Description</summary>
<blockquote>

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.

</blockquote>
</details>

<a href="https://scout.docker.com/v/GMS-2020-729?s=gitlab&n=handlebars&t=npm&vr=%3C3.0.8"><img alt="unspecified : GMS--2020--729" src="https://img.shields.io/badge/GMS--2020--729-lightgrey?label=unspecified%20&labelColor=lightgrey"/></a> <i>OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities</i>

<table>
<tr><td>Affected range</td><td><code><3.0.8</code></td></tr>
<tr><td>Fixed version</td><td><code>3.0.8, 4.5.3</code></td></tr></table>

<details><summary>Description</summary>
<blockquote>

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.

</blockquote>
</details>

<a href="https://scout.docker.com/v/GMS-2020-727?s=gitlab&n=handlebars&t=npm&vr=%3C3.0.8"><img alt="unspecified : GMS--2020--727" src="https://img.shields.io/badge/GMS--2020--727-lightgrey?label=unspecified%20&labelColor=lightgrey"/></a> <i>OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities</i>

<table>
<tr><td>Affected range</td><td><code><3.0.8</code></td></tr>
<tr><td>Fixed version</td><td><code>3.0.8, 4.5.2</code></td></tr></table>

<details><summary>Description</summary>
<blockquote>

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.

</blockquote>
</details>

<a href="https://scout.docker.com/v/GMS-2019-126?s=gitlab&n=handlebars&t=npm&vr=%3C3.0.7"><img alt="unspecified : GMS--2019--126" src="https://img.shields.io/badge/GMS--2019--126-lightgrey?label=unspecified%20&labelColor=lightgrey"/></a> <i>OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities</i>

<table>
<tr><td>Affected range</td><td><code><3.0.7</code></td></tr>
<tr><td>Fixed version</td><td><code>3.0.7, 4.0.14, 4.1.2</code></td></tr></table>

<details><summary>Description</summary>
<blockquote>

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.

</blockquote>
</details>

<a href="https://scout.docker.com/v/GMS-2015-33?s=gitlab&n=handlebars&t=npm&vr=%3C4.0.0"><img alt="unspecified : GMS--2015--33" src="https://img.shields.io/badge/GMS--2015--33-lightgrey?label=unspecified%20&labelColor=lightgrey"/></a> <i>OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities</i>

<table>
<tr><td>Affected range</td><td><code><4.0.0</code></td></tr>
<tr><td>Fixed version</td><td><code>4.0.0</code></td></tr></table>

<details><summary>Description</summary>
<blockquote>

The library does not properly escape attribute values making XSS exploits possible.

</blockquote>
</details>
</details></td></tr>

<tr><td valign="top">
<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 5" src="https://img.shields.io/badge/H-5-e25d68"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 1" src="https://img.shields.io/badge/L-1-fce1a9"/> <img alt="unspecified: 1" src="https://img.shields.io/badge/U-1-lightgrey"/><strong>npm</strong> <code>1.0.1</code> (npm)</summary>

<small><code>pkg:npm/[email protected]</code></small><br/>
<a href="https://scout.docker.com/v/CVE-2018-7408?s=github&n=npm&t=npm&vr=%3C5.7.1"><img alt="high 7.8: CVE--2018--7408" src="https://img.shields.io/badge/CVE--2018--7408-lightgrey?label=high%207.8&labelColor=e25d68"/></a> <i>Incorrect Permission Assignment for Critical Resource</i>

<table>
<tr><td>Affected range</td><td><code><5.7.1</code></td></tr>
<tr><td>Fixed version</td><td><code>5.7.1</code></td></tr>
<tr><td>CVSS Score</td><td><code>7.8</code></td></tr>
<tr><td>CVSS Vector</td><td><code>CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</code></td></tr>
</table>

<details><summary>Description</summary>
<blockquote>

An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's blog without mention of pre-release status). It might allow local users to bypass intended filesystem access restrictions because ownerships of /etc and /usr directories are being changed unexpectedly, related to a "correctMkdir" issue.

</blockquote>
</details>

<a href="https://scout.docker.com/v/CVE-2019-16777?s=github&n=npm&t=npm&vr=%3C6.13.4"><img alt="high 7.7: CVE--2019--16777" src="https://img.shields.io/badge/CVE--2019--16777-lightgrey?label=high%207.7&labelColor=e25d68"/></a> <i>Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')</i>

<table>
<tr><td>Affected range</td><td><code><6.13.4</code></td></tr>
<tr><td>Fixed version</td><td><code>6.13.4</code></td></tr>
<tr><td>CVSS Score</td><td><code>7.7</code></td></tr>
<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N</code></td></tr>
</table>

<details><summary>Description</summary>
<blockquote>

Versions of  the npm CLI prior to 6.13.4 are vulnerable to a Global node_modules Binary Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. 

For example, if a package was installed globally and created a `serve` binary, any subsequent installs of packages that also create a `serve` binary would overwrite the first binary. This will not overwrite system binaries but only binaries put into the global node_modules directory.

This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.


## Recommendation

Upgrade to version 6.13.4 or later.

</blockquote>
</details>

<a href="https://scout.docker.com/v/CVE-2019-16776?s=github&n=npm&t=npm&vr=%3C6.13.3"><img alt="high 7.7: CVE--2019--16776" src="https://img.shields.io/badge/CVE--2019--16776-lightgrey?label=high%207.7&labelColor=e25d68"/></a> <i>Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')</i>

<table>
<tr><td>Affected range</td><td><code><6.13.3</code></td></tr>
<tr><td>Fixed version</td><td><code>6.13.3</code></td></tr>
<tr><td>CVSS Score</td><td><code>7.7</code></td></tr>
<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N</code></td></tr>
</table>

<details><summary>Description</summary>
<blockquote>

Versions of the npm CLI prior to 6.13.3 are vulnerable to a symlink reference outside of node_modules. It is possible for packages to create symlinks to files outside of the`node_modules` folder through the `bin` field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed. Only files accessible by the user running the `npm install` are affected.  

This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.


## Recommendation

Upgrade to version 6.13.3 or later.

</blockquote>
</details>

<a href="https://scout.docker.com/v/CVE-2019-16775?s=github&n=npm&t=npm&vr=%3C6.13.3"><img alt="high 7.7: CVE--2019--16775" src="https://img.shields.io/badge/CVE--2019--16775-lightgrey?label=high%207.7&labelColor=e25d68"/></a> <i>Improper Link Resolution Before File Access ('Link Following')</i>

<table>
<tr><td>Affected range</td><td><code><6.13.3</code></td></tr>
<tr><td>Fixed version</td><td><code>6.13.3</code></td></tr>
<tr><td>CVSS Score</td><td><code>7.7</code></td></tr>
<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N</code></td></tr>
</table>

<details><summary>Description</summary>
<blockquote>

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to create files on a user's system when the package is installed. It is only possible to affect files that the user running `npm install` has access to and it is not possible to over write files that already exist on disk.

This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.


## Recommendation

Upgrade to version 6.13.3 or later.

</blockquote>
</details>

<a href="https://scout.docker.com/v/CVE-2016-3956?s=github&n=npm&t=npm&vr=%3C%3D2.15.0"><img alt="high : CVE--2016--3956" src="https://img.shields.io/badge/CVE--2016--3956-lightgrey?label=high%20&labelColor=e25d68"/></a> <i>Exposure of Sensitive Information to an Unauthorized Actor</i>

<table>
<tr><td>Affected range</td><td><code><=2.15.0</code></td></tr>
<tr><td>Fixed version</td><td><code>2.15.1</code></td></tr></table>

<details><summary>Description</summary>
<blockquote>

Affected versions of the `npm` package include the bearer token of the logged in user in every request made by the CLI, even if the request is not directed towards the user's active registry. 

An attacker could create an HTTP server to collect tokens, and by various means including but not limited to install scripts, cause the npm CLI to make a request to that server, which would compromise the user's token.

This compromised token could be used to do anything that the user could do, including publishing new packages.




## Recommendation

1. Update npm with `npm install npm@latest -g`
2. [Revoke your Tokens](https://www.npmjs.com/settings/tokens)
3. Enable [Two-Factor Authentication](https://docs.npmjs.com/getting-started/using-two-factor-authentication)

</blockquote>
</details>

<a href="https://scout.docker.com/v/CVE-2020-15095?s=github&n=npm&t=npm&vr=%3C6.14.6"><img alt="medium 4.4: CVE--2020--15095" src="https://img.shields.io/badge/CVE--2020--15095-lightgrey?label=medium%204.4&labelColor=fbb552"/></a> <i>Insertion of Sensitive Information into Log File</i>

<table>
<tr><td>Affected range</td><td><code><6.14.6</code></td></tr>
<tr><td>Fixed version</td><td><code>6.14.6</code></td></tr>
<tr><td>CVSS Score</td><td><code>4.4</code></td></tr>
<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N</code></td></tr>
</table>

<details><summary>Description</summary>
<blockquote>

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like `<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>`. The password value is not redacted and is printed to stdout and also to any generated log files.

</blockquote>
</details>

<a href="https://scout.docker.com/v/CVE-2013-4116?s=github&n=npm&t=npm&vr=%3C1.3.3"><img alt="low : CVE--2013--4116" src="https://img.shields.io/badge/CVE--2013--4116-lightgrey?label=low%20&labelColor=fce1a9"/></a> <i>Improper Link Resolution Before File Access ('Link Following')</i>

<table>
<tr><td>Affected range</td><td><code><1.3.3</code></td></tr>
<tr><td>Fixed version</td><td><code>1.3.3</code></td></tr></table>

<details><summary>Description</summary>
<blockquote>

Affected versions of `npm` use predictable temporary file names during archive unpacking. If an attacker can create a symbolic link at the location of one of these temporary file names, the attacker can arbitrarily write to any file that the user which owns the `npm` process has permission to write to, potentially resulting in local privilege escalation.



## Recommendation

Update to version 1.3.3 or later.

</blockquote>
</details>

<a href="https://scout.docker.com/v/GMS-2016-23?s=gitlab&n=npm&t=npm&vr=%3C%3D%2C2.15.0"><img alt="unspecified : GMS--2016--23" src="https://img.shields.io/badge/GMS--2016--23-lightgrey?label=unspecified%20&labelColor=lightgrey"/></a> <i>OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities</i>

<table>
<tr><td>Affected range</td><td><code><=<br/>2.15.0</code></td></tr>
<tr><td>Fixed version</td><td><code>2.15.1, 3.8.3</code></td></tr></table>

<details><summary>Description</summary>
<blockquote>

The primary npm registry has, since late, used HTTP bearer tokens to authenticate requests from the npm command-line interface. Due to a design flaw in the CLI, these bearer tokens were sent with every request made by the CLI for logged-in users, regardless of the destination of the request. They should instead only be included for requests made against the registry or registries used for the current install. This flaw allows an attacker to set up an HTTP server that could collect authentication information they could use to impersonate the users whose tokens they collected. This impersonation would allow them to do anything the compromised users could do, including publishing new versions of packages.

</blockquote>
</details>
</details></td></tr>

<tr><td valign="top">
<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 2" src="https://img.shields.io/badge/H-2-e25d68"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>grunt</strong> <code>1.0.0</code> (npm)</summary>

<small><code>pkg:npm/[email protected]</code></small><br/>
<a href="https://scout.docker.com/v/CVE-2020-7729?s=github&n=grunt&t=npm&vr=%3C1.3.0"><img alt="high 7.1: CVE--2020--7729" src="https://img.shields.io/badge/CVE--2020--7729-lightgrey?label=high%207.1&labelColor=e25d68"/></a> <i>Initialization of a Resource with an Insecure Default</i>

<table>
<tr><td>Affected range</td><td><code><1.3.0</code></td></tr>
<tr><td>Fixed version</td><td><code>1.3.0</code></td></tr>
<tr><td>CVSS Score</td><td><code>7.1</code></td></tr>
<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H</code></td></tr>
</table>

<details><summary>Description</summary>
<blockquote>

The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.

</blockquote>
</details>

<a href="https://scout.docker.com/v/CVE-2022-1537?s=github&n=grunt&t=npm&vr=%3C1.5.3"><img alt="high 7.0: CVE--2022--1537" src="https://img.shields.io/badge/CVE--2022--1537-lightgrey?label=high%207.0&labelColor=e25d68"/></a> <i>Time-of-check Time-of-use (TOCTOU) Race Condition</i>

<table>
<tr><td>Affected range</td><td><code><1.5.3</code></td></tr>
<tr><td>Fixed version</td><td><code>1.5.3</code></td></tr>
<tr><td>CVSS Score</td><td><code>7</code></td></tr>
<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H</code></td></tr>
</table>

<details><summary>Description</summary>
<blockquote>

file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.

</blockquote>
</details>

<a href="https://scout.docker.com/v/CVE-2022-0436?s=github&n=grunt&t=npm&vr=%3C1.5.2"><img alt="medium 5.5: CVE--2022--0436" src="https://img.shields.io/badge/CVE--2022--0436-lightgrey?label=medium%205.5&labelColor=fbb552"/></a> <i>Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')</i>

<table>
<tr><td>Affected range</td><td><code><1.5.2</code></td></tr>
<tr><td>Fixed version</td><td><code>1.5.2</code></td></tr>
<tr><td>CVSS Score</td><td><code>5.5</code></td></tr>
<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code></td></tr>
</table>

<details><summary>Description</summary>
<blockquote>

Grunt prior to version 1.5.2 is vulnerable to path traversal.

</blockquote>
</details>
</details></td></tr>

<tr><td valign="top">
<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 2" src="https://img.shields.io/badge/H-2-e25d68"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>pug</strong> <code>1.0.0</code> (npm)</summary>

<small><code>pkg:npm/[email protected]</code></small><br/>
<a href="https://scout.docker.com/v/CVE-2024-36361?s=github&n=pug&t=npm&vr=%3C%3D3.0.2"><img alt="high 8.1: CVE--2024--36361" src="https://img.shields.io/badge/CVE--2024--36361-lightgrey?label=high%208.1&labelColor=e25d68"/></a> <i>Improper Control of Generation of Code ('Code Injection')</i>

<table>
<tr><td>Affected range</td><td><code><=3.0.2</code></td></tr>
<tr><td>Fixed version</td><td><code>3.0.3</code></td></tr>
<tr><td>CVSS Score</td><td><code>8.1</code></td></tr>
<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H</code></td></tr>
</table>

<details><summary>Description</summary>
<blockquote>

Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the `compileClient`, `compileFileClient`, or `compileClientWithDependenciesTracked` function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.

</blockquote>
</details>

<a href="https://scout.docker.com/v/CVE-2021-21353?s=github&n=pug&t=npm&vr=%3C3.0.1"><img alt="high 6.8: CVE--2021--21353" src="https://img.shields.io/badge/CVE--2021--21353-lightgrey?label=high%206.8&labelColor=e25d68"/></a> <i>Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')</i>

<table>
<tr><td>Affected range</td><td><code><3.0.1</code></td></tr>
<tr><td>Fixed version</td><td><code>3.0.1</code></td></tr>
<tr><td>CVSS Score</td><td><code>6.8</code></td></tr>
<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N</code></td></tr>
</table>

<details><summary>Description</summary>
<blockquote>

### Impact

If a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend.

### Patches

Upgrade to `[email protected]` or `[email protected]` or `[email protected]`, which correctly sanitise the parameter.

### Workarounds

If there is no way for un-trusted input to be passed to pug as the `pretty` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.

### References


Original report: https://github.com/pugjs/pug/issues/3312

### For more information

If you believe you have found other vulnerabilities, please **DO NOT** open an issue. Instead, you can follow the instructions in our [Security Policy](https://github.com/pugjs/pug/blob/master/SECURITY.md)

</blockquote>
</details>
</details></td></tr>

<tr><td valign="top">
<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 1" src="https://img.shields.io/badge/H-1-e25d68"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>node</strong> <code>20.11.1</code> (generic)</summary>

<small><code>pkg:generic/[email protected]</code></small><br/>
<a href="https://scout.docker.com/v/CVE-2024-27983?s=docker&n=node&t=generic&vr=%3E%3D20.0.0%2C%3C20.12.1"><img alt="high : CVE--2024--27983" src="https://img.shields.io/badge/CVE--2024--27983-lightgrey?label=high%20&labelColor=e25d68"/></a> 

<table>
<tr><td>Affected range</td><td><code>>=20.0.0<br/><20.12.1</code></td></tr>
<tr><td>Fixed version</td><td><code>20.12.1</code></td></tr></table>

<details><summary>Description</summary>
<blockquote>



</blockquote>
</details>

<a href="https://scout.docker.com/v/CVE-2024-27982?s=docker&n=node&t=generic&vr=%3E%3D20.0.0%2C%3C20.12.1"><img alt="medium : CVE--2024--27982" src="https://img.shields.io/badge/CVE--2024--27982-lightgrey?label=medium%20&labelColor=fbb552"/></a> 

<table>
<tr><td>Affected range</td><td><code>>=20.0.0<br/><20.12.1</code></td></tr>
<tr><td>Fixed version</td><td><code>20.12.1</code></td></tr></table>

<details><summary>Description</summary>
<blockquote>



</blockquote>
</details>
</details></td></tr>

<tr><td valign="top">
<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 1" src="https://img.shields.io/badge/H-1-e25d68"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <img alt="unspecified: 1" src="https://img.shields.io/badge/U-1-lightgrey"/><strong>diff</strong> <code>1.0.0</code> (npm)</summary>

<small><code>pkg:npm/[email protected]</code></small><br/>
<a href="https://scout.docker.com/v/GHSA-h6ch-v84p-w6p9?s=github&n=diff&t=npm&vr=%3C3.5.0"><img alt="high : GHSA--h6ch--v84p--w6p9" src="https://img.shields.io/badge/GHSA--h6ch--v84p--w6p9-lightgrey?label=high%20&labelColor=e25d68"/></a> <i>Uncontrolled Resource Consumption</i>

<table>
<tr><td>Affected range</td><td><code><3.5.0</code></td></tr>
<tr><td>Fixed version</td><td><code>3.5.0</code></td></tr></table>

<details><summary>Description</summary>
<blockquote>

A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

</blockquote>
</details>

<a href="https://scout.docker.com/v/GMS-2019-21?s=gitlab&n=diff&t=npm&vr=%3C3.5.0"><img alt="unspecified : GMS--2019--21" src="https://img.shields.io/badge/GMS--2019--21-lightgrey?label=unspecified%20&labelColor=lightgrey"/></a> <i>OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities</i>

<table>
<tr><td>Affected range</td><td><code><3.5.0</code></td></tr>
<tr><td>Fixed version</td><td><code>3.5.0</code></td></tr></table>

<details><summary>Description</summary>
<blockquote>

A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

</blockquote>
</details>
</details></td></tr>

<tr><td valign="top">
<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 1" src="https://img.shields.io/badge/H-1-e25d68"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>ws</strong> <code>8.17.0</code> (npm)</summary>

<small><code>pkg:npm/[email protected]</code></small><br/>
<a href="https://scout.docker.com/v/CVE-2024-37890?s=github&n=ws&t=npm&vr=%3E%3D8.0.0%2C%3C8.17.1"><img alt="high 7.5: CVE--2024--37890" src="https://img.shields.io/badge/CVE--2024--37890-lightgrey?label=high%207.5&labelColor=e25d68"/></a> <i>NULL Pointer Dereference</i>

<table>
<tr><td>Affected range</td><td><code>>=8.0.0<br/><8.17.1</code></td></tr>
<tr><td>Fixed version</td><td><code>8.17.1</code></td></tr>
<tr><td>CVSS Score</td><td><code>7.5</code></td></tr>
<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
</table>

<details><summary>Description</summary>
<blockquote>

### Impact

A request with a number of headers exceeding the[`server.maxHeadersCount`][] threshold could be used to crash a ws server.

### Proof of concept

```js
const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

Patches

The vulnerability was fixed in [email protected] (websockets/ws@e55e510) and backported to [email protected] (websockets/ws@22c2876), [email protected] (websockets/ws@eeb76d3), and [email protected] (websockets/ws@4abd8f6)

Workarounds

In vulnerable versions of ws, the issue can be mitigated in the following ways:

  1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
  2. Set server.maxHeadersCount to 0 so that no limit is applied.

Credits

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

References

critical: 0 high: 1 medium: 0 low: 0 json 1.0.0 (npm)

pkg:npm/[email protected]

high 7.2: CVE--2020--7712 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Affected range<10.0.0
Fixed version10.0.0
CVSS Score7.2
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Description

This affects the package json before 10.0.0. It is possible to inject arbritary commands using the parseLookup function.

critical: 0 high: 1 medium: 0 low: 0 ip 1.1.9 (npm)

pkg:npm/[email protected]

high : CVE--2024--29415 Server-Side Request Forgery (SSRF)

Affected range<=2.0.1
Fixed versionNot Fixed
Description

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.

critical: 0 high: 1 medium: 0 low: 0 ini 1.0.0 (npm)

pkg:npm/[email protected]

high 7.3: CVE--2020--7788 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Affected range<1.3.6
Fixed version1.3.6
CVSS Score7.3
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description

Overview

The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability.

If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Patches

This has been patched in 1.3.6.

Steps to reproduce

payload.ini

[__proto__]
polluted = "polluted"

poc.js:

var fs = require('fs')
var ini = require('ini')

var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)
> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted
critical: 0 high: 1 medium: 0 low: 0 ip 2.0.1 (npm)

pkg:npm/[email protected]

high : CVE--2024--29415 Server-Side Request Forgery (SSRF)

Affected range<=2.0.1
Fixed versionNot Fixed
Description

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.

critical: 0 high: 1 medium: 0 low: 0 braces 3.0.2 (npm)

pkg:npm/[email protected]

high 7.5: CVE--2024--4068 Excessive Platform Resource Consumption within a Loop

Affected range<3.0.3
Fixed version3.0.3
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

critical: 0 high: 0 medium: 0 low: 1 unspecified: 1markdown 1.0.0 (npm)

pkg:npm/[email protected]

low : GHSA--wx77--rp39--c6vg Uncontrolled Resource Consumption

Affected range>=0.0.0
Fixed versionNot Fixed
Description

All versions of markdown are vulnerable to Regular Expression Denial of Service (ReDoS). The markdown.toHTML() function has significantly degraded performance when parsing long strings containing underscores. This may lead to Denial of Service if the parser accepts user input.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

unspecified : GMS--2020--366 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range>=0
Fixed versionNot Fixed
Description

All versions of markdown are vulnerable to Regular Expression Denial of Service (ReDoS). The markdown.toHTML() function has significantly degraded performance when parsing long strings containing underscores. This may lead to Denial of Service if the parser accepts user input. No fix is currently available. Consider using an alternative package until a fix is made available.

Copy link

Copy link

@github-actions github-actions bot merged commit ea84f7f into main Jun 22, 2024
9 checks passed
@github-actions github-actions bot deleted the renovate/coder-code-server-4.90.x branch June 22, 2024 01:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants