
Update IP package in Node to 2.0.1 (CVE-2023-42282)

Open hiwit opened this issue 1 year ago • 3 comments

The provided Node package (externals/nodeXX) contains the node-ip version <2.0.1 which might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic. (https://nvd.nist.gov/vuln/detail/CVE-2023-42282)

When action-runner is deployed as an ECS task, this is reported as a finding/vulnerability.

Runner Version and Platform

3.15.0 Linux (probably all other platforms as well)

hiwit avatar Apr 16 '24 09:04 hiwit
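To make the failure mode in this report concrete, here is an added example (my own code, not part of actions/runner or the node-ip package) that canonicalizes inet_aton-style IPv4 strings before classifying them. A string-prefix check of the kind the CVE describes does not see "0x7f.1" as loopback, while the OS resolver turns it into 127.0.0.1; normalizing first closes that gap. The function names, the range table and the sample inputs other than "0x7f.1" are constructed for this illustration, and the example covers IPv4 forms only.

```javascript
// Added example (not code from actions/runner or node-ip): canonicalize
// inet_aton-compatible IPv4 spellings before deciding whether an address is
// globally routable, so that "0x7f.1", "127.1", "0177.0.0.1" and "2130706433"
// are all classified as 127.0.0.1.

// Parse one dotted component in the forms inet_aton accepts:
// decimal, leading-0 octal, or 0x hex. Returns null on anything else.
function parsePart(part) {
  if (/^0[xX][0-9a-fA-F]+$/.test(part)) return parseInt(part.slice(2), 16);
  if (/^0[0-7]+$/.test(part)) return parseInt(part.slice(1), 8);
  if (/^(0|[1-9][0-9]*)$/.test(part)) return parseInt(part, 10);
  return null;
}

// Convert any inet_aton-compatible string to canonical dotted-quad form.
// Forms: a, a.b, a.b.c, a.b.c.d; the last part fills the remaining bytes.
// Returns null if the string is not a valid IPv4 address.
function canonicalizeIPv4(str) {
  const parts = String(str).split('.');
  if (parts.length < 1 || parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some(n => n === null)) return null;
  const last = nums[nums.length - 1];
  const remainingBytes = 4 - (nums.length - 1);
  if (last >= 2 ** (8 * remainingBytes)) return null;
  for (let i = 0; i < nums.length - 1; i++) {
    if (nums[i] > 255) return null;
  }
  // Assemble the 32-bit value with arithmetic (not bitwise ops) to avoid
  // JavaScript's signed 32-bit integer wraparound.
  let value = 0;
  for (let i = 0; i < nums.length - 1; i++) value = value * 256 + nums[i];
  value = value * 2 ** (8 * remainingBytes) + last;
  return [
    Math.floor(value / 2 ** 24) % 256,
    Math.floor(value / 2 ** 16) % 256,
    Math.floor(value / 2 ** 8) % 256,
    value % 256,
  ].join('.');
}

// Non-globally-routable IPv4 ranges that a server-side fetch should refuse:
// loopback, RFC 1918, link-local (including cloud metadata endpoints), etc.
const NON_PUBLIC_RANGES = [
  ['0.0.0.0', 8],        // "this" network
  ['10.0.0.0', 8],       // RFC 1918
  ['100.64.0.0', 10],    // shared address space (CGNAT)
  ['127.0.0.0', 8],      // loopback
  ['169.254.0.0', 16],   // link-local
  ['172.16.0.0', 12],    // RFC 1918
  ['192.168.0.0', 16],   // RFC 1918
  ['224.0.0.0', 4],      // multicast
  ['240.0.0.0', 4],      // reserved and limited broadcast
];

// Canonical dotted quad -> unsigned 32-bit integer.
function toInt(dotted) {
  return dotted.split('.').reduce((acc, o) => acc * 256 + Number(o), 0);
}

// True if the canonical address falls inside base/bits.
function inCidr(dotted, base, bits) {
  const shift = 2 ** (32 - bits);
  return Math.floor(toInt(dotted) / shift) === Math.floor(toInt(base) / shift);
}

// Naive check of the kind the CVE describes: a prefix test on the raw
// string. "0x7f.1" does not start with "127." so it is wrongly called public.
function naiveIsPublic(str) {
  return !/^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|169\.254\.|0\.)/.test(str);
}

// Hardened check: canonicalize first, then compare against the range table.
// Anything that does not parse is treated as not public (fail closed).
function isPublicIPv4(str) {
  const canonical = canonicalizeIPv4(str);
  if (canonical === null) return false;
  return !NON_PUBLIC_RANGES.some(([base, bits]) => inCidr(canonical, base, bits));
}

// Constructed sample inputs; only "0x7f.1" comes from the issue text.
const SAMPLES = ['0x7f.1', '127.1', '2130706433', '0177.0.0.1',
                 '0xa9.0xfe.0xa9.0xfe', '8.8.8.8', 'not-an-ip'];
for (const s of SAMPLES) {
  console.log(s.padEnd(20), 'canonical:', String(canonicalizeIPv4(s)).padEnd(16),
              'naive public:', naiveIsPublic(s), ' hardened public:', isPublicIPv4(s));
}
```

Running the block prints one line per sample; the first four spellings all canonicalize to 127.0.0.1 and are rejected by the hardened check, while the naive prefix test accepts "0x7f.1" and "2130706433". The same canonicalize-then-classify pattern applies wherever a service resolves a user-supplied host before fetching it: classify the address the resolver will actually connect to, not the string the user typed.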

It seems that both the action-runner images (v2.314.1 and possibly v2.315.0, if details haven't changed) are still facing the CVE-2023-42282 vulnerability associated with the 'ip' package. The 'ip' package version remains below 2.0.1, making it vulnerable. Could you help us address this issue?

SajeedAnsari avatar Apr 22 '24 07:04 SajeedAnsari

Yes, I too found this issue. Waiting for a response.

Mano-3 avatar Aug 07 '24 10:08 Mano-3

The latest release 2.319.0 still has the issue: node16 has ip 2.0.0 with the CVE.

philthethrill99 avatar Aug 09 '24 00:08 philthethrill99