
Security Vulnerabilities in Latest version of ArangoDB

Open · gaurang-srivastava09 opened this issue 2 years ago · 1 comment

My Environment

  • ArangoDB Version: 3.11.5

Problem: ArangoDB is using the [github.com/docker/docker] [24.0.2] package, which has the following indirect critical vulnerabilities:

CVE-2023-39323, CVE-2023-39320

And the following high vulnerabilities:

CVE-2023-44487, CVE-2023-39325, CVE-2023-39322, CVE-2023-39321

Also, [nodejs] [16.20.2-r0] with the following vulnerabilities: CVE-2023-39332, CVE-2023-39331

Please let us know the impact of these vulnerabilities on the normal operation of ArangoDB and the estimated time when these vulnerabilities will be fixed.

gaurang-srivastava09, Nov 21 '23 17:11

  • Regarding the nodejs issues: while ArangoDB implements a similar JavaScript interface, the C++ implementation below it differs quite a bit. --javascript.files-allowlist and other parameters can be utilized to harden the server; see https://docs.arangodb.com/3.11/operations/security/security-options/ for a detailed explanation.
  • The docker library is used in the ArangoDB starter; we're currently working on its next release with upgraded dependencies. If you use e.g. Kubernetes to control your ArangoDB installation, this binary is not used.

dothebart, Nov 22 '23 11:11
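The hardening options the maintainer points to are easiest to reason about side by side. The following is an added example written for this thread, not code from ArangoDB or from either participant: it embeds a constructed, permissive `arangod.conf` next to a hardened one that uses the options from the linked 3.11 security-options page (`--server.harden`, `--javascript.harden`, `--javascript.allow-admin-execute`, the JS allow/deny lists, `--foxx.api`, `--foxx.store`), and audits each. The concrete paths, the endpoint regex and the "value assumed when absent" defaults are assumptions of the example; confirm them against the docs for your version.

```python
import configparser

# Constructed sample: a permissive arangod.conf, written for this thread as an illustration.
# It is not a file shipped by ArangoDB.
WEAK_CONF = """
[server]
endpoint = tcp://0.0.0.0:8529
authentication = true

[javascript]
allow-admin-execute = true
"""

# Hardened counterpart using the options documented under
# https://docs.arangodb.com/3.11/operations/security/security-options/ ;
# the allowlisted path and the endpoint regex are assumptions for the example.
HARDENED_CONF = """
[server]
endpoint = tcp://127.0.0.1:8529
authentication = true
harden = true

[javascript]
harden = true
allow-admin-execute = false
allow-port-testing = false
allow-external-process-control = false
files-allowlist = ^/etc/arangodb3/
endpoints-allowlist = ^tcp://127\\.0\\.0\\.1:8529$
startup-options-denylist = .*
environment-variables-denylist = .*

[foxx]
api = false
store = false
"""

# Boolean options to pin: (section, key, wanted value, value assumed when the key is absent).
# The last column is what this example takes the 3.11 default to be (an assumption).
PINNED = [
    ("server", "authentication", "true", "true"),
    ("server", "harden", "true", "false"),
    ("javascript", "harden", "true", "false"),
    ("javascript", "allow-admin-execute", "false", "false"),
    ("javascript", "allow-port-testing", "false", "false"),
    ("javascript", "allow-external-process-control", "false", "false"),
    ("foxx", "api", "false", "true"),
    ("foxx", "store", "false", "true"),
]

# Resource categories that should carry either an allowlist or a denylist.
LISTS = [
    ("javascript", "files-allowlist", "files-denylist"),
    ("javascript", "endpoints-allowlist", "endpoints-denylist"),
    ("javascript", "startup-options-allowlist", "startup-options-denylist"),
    ("javascript", "environment-variables-allowlist", "environment-variables-denylist"),
]


def parse_conf(text):
    """Parse arangod.conf syntax ([section] + key = value); no interpolation so regexes survive."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cp = parse_conf(text)
    findings = []
    for section, key, want, default in PINNED:
        have = cp.get(section, key, fallback=default).strip().lower()
        if have != want:
            findings.append(f"{section}.{key} = {have} (want {want})")
    for section, allow, deny in LISTS:
        if not (cp.has_option(section, allow) or cp.has_option(section, deny)):
            findings.append(f"{section}.{allow} / {deny}: neither set, JS access unrestricted")
    endpoint = cp.get("server", "endpoint", fallback="")
    if endpoint.startswith(("tcp://0.0.0.0", "tcp://[::]")):
        findings.append(f"server.endpoint = {endpoint}: plain TCP on all interfaces")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit(conf)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run it against your own `arangod.conf` by passing the file contents to `audit()`; the same option names apply on the `arangod` command line as `--section.key`, so the output maps directly onto a startup flag to change.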

@dothebart please confirm if the issue with Docker is fixed now

gaurang-srivastava09, Jul 01 '24 14:07

ArangoDB 3.11.9 comes with the ArangoDB Starter v0.18.5, which has upgraded dependencies. ArangoDB 3.11.10 will come in the next few days and contain the Starter v0.18.6 with more updates.

dothebart, Jul 01 '24 14:07
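A practitioner will want to confirm, rather than take on trust, that the Starter binary they deploy actually embeds the upgraded dependencies. A Go binary records its build toolchain and module list, readable with `go version -m <binary>`; note that the CVE identifiers in the report are Go toolchain and standard-library advisories (cmd/go, crypto/tls, net/http), so the Go version the Starter was built with matters alongside the docker module version. The following is an added example, not code from ArangoDB or from anyone in this thread: it parses a constructed `go version -m` listing and compares the toolchain and module versions against minimums. The sample listing, the module hashes and the `EXAMPLE_MINIMUMS` thresholds are placeholders for the demo, not verified fixed versions.

```python
import re

# Constructed sample of `go version -m <starter binary>` output, written for this thread to
# resemble a build that still embeds docker 24.0.2. It is not output captured from any release.
SAMPLE_GO_VERSION_M = """\
arangodb: go1.20.5
\tpath\tgithub.com/arangodb-helper/arangodb
\tmod\tgithub.com/arangodb-helper/arangodb\t(devel)
\tdep\tgithub.com/docker/docker\tv24.0.2+incompatible\th1:abc=
\tdep\tgolang.org/x/net\tv0.10.0\th1:def=
\tdep\tgithub.com/example/old\tv1.0.0\th1:ghi=
\t=>\tgithub.com/example/fork\tv1.2.0\th1:jkl=
\tbuild\t-buildmode=exe
"""

# Example thresholds. These values are placeholders for the demo (an assumption), not verified
# fixed versions; take the real ones from the advisories you track, e.g. pkg.go.dev/vuln.
EXAMPLE_MINIMUMS = {
    "go": "1.21.3",
    "github.com/docker/docker": "24.0.7",
    "golang.org/x/net": "0.17.0",
}


def parse_version(s):
    """'go1.21.5', 'v24.0.2+incompatible', 'v0.17.0-rc1' -> comparable tuple of ints."""
    core = re.sub(r"^(go|v)", "", s).split("+")[0].split("-")[0]
    return tuple(int(p) for p in core.split("."))


def parse_go_version_m(text):
    """Return (toolchain version, {module path: version}) from `go version -m` output."""
    lines = text.splitlines()
    toolchain = lines[0].split(":", 1)[1].strip()
    deps = {}
    last = None
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) < 4:          # path/build lines carry no version
            continue
        kind, mod, ver = fields[1], fields[2], fields[3]
        if kind in ("mod", "dep"):
            deps[mod] = ver
            last = mod
        elif kind == "=>" and last:  # replace directive overrides the previous module's version
            deps[last] = ver
    return toolchain, deps


def check(text, minimums):
    """Return [(component, have, want)] for every component below its minimum version."""
    toolchain, deps = parse_go_version_m(text)
    have = {"go": toolchain, **deps}
    findings = []
    for component, want in minimums.items():
        got = have.get(component)
        if got is None or got == "(devel)":   # absent or unversioned main module: nothing to compare
            continue
        if parse_version(got) < parse_version(want):
            findings.append((component, got, want))
    return findings


if __name__ == "__main__":
    for component, got, want in check(SAMPLE_GO_VERSION_M, EXAMPLE_MINIMUMS):
        print(f"{component}: have {got}, want >= {want}")
```

To use it on a real deployment, capture `go version -m /path/to/arangodb` (the Starter binary) and feed the text to `check()` with the minimums from the advisories you are tracking; a Starter launched by the Kubernetes operator is not in play, as the maintainer notes above, so there the binary to inspect is whatever the operator actually runs.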

closing as solved.

dothebart, Jul 02 '24 15:07