Node20 Externals Version needs upgrade [CVE-2024-21892, CVE-2024-21896, CVE-2024-22017, CVE-2024-22019]
Describe the bug
Security scanning of the default installation method results in CVE-2024-21892, CVE-2024-21896, CVE-2024-22017, CVE-2024-22019 being tripped based on the current version of Node JS 20 set in externals.

To Reproduce
Steps to reproduce the behavior:
1. Take latest installation from releases including runtimes and externals. Example: actions-runner-linux-x64-2.309.0.tar.gz
2. Uncompress
3. Run security scan (e.g. Wiz)

Expected behavior
Clean security report

Runner Version and Platform
v2.316.0

OS of the machine running the runner?
Linux

What's not working?
CPE vulnerabilities:
Name: cpe:2.3:a:nodejs:node.js, Version: 20.8.1, Path: /home/runner/externals/node20/bin/node
CVE-2024-21892, Severity: HIGH, Source: https://nvd.nist.gov/vuln/detail/CVE-2024-21892 Fixed version: 20.11.1
CVE-2024-21896, Severity: HIGH, Source: https://nvd.nist.gov/vuln/detail/CVE-2024-21896 Fixed version: 20.11.1
CVE-2024-22017, Severity: HIGH, Source: https://nvd.nist.gov/vuln/detail/CVE-2024-22017 Fixed version: 20.11.1
CVE-2024-22019, Severity: HIGH, Source: https://nvd.nist.gov/vuln/detail/CVE-2024-22019 Fixed version: 20.11.1
CVE-2023-46809, Severity: MEDIUM, Source: Fixed version: 20.11.1
CVE-2024-21890, Severity: MEDIUM, Source: https://nvd.nist.gov/vuln/detail/CVE-2024-21890 Fixed version: 20.11.1
CVE-2024-21891, Severity: MEDIUM, Source: https://nvd.nist.gov/vuln/detail/CVE-2024-21891 Fixed version: 20.11.1
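The scan output above reports the bundled Node by its path and version, so the same check can be scripted against an unpacked runner before the scanner runs. The following POSIX shell script is an added example, not part of the actions/runner project or of the report: it reads the version of the binary under externals/node20/bin/node in a runner directory you pass in (the directory argument and the RUNNER_DIR variable are assumptions) and compares it against 20.11.1, the fixed version quoted in the scan output. The version comparison is done component by component so it does not depend on GNU sort -V.

```shell
#!/usr/bin/env sh
# Added example (not from actions/runner): flag a runner whose bundled Node 20
# is older than the fixed version quoted in the scan report.

FIXED_VERSION="20.11.1"   # fixed version listed in the scan output

# node --version prints e.g. "v20.8.1"; drop the leading "v" so the
# components can be compared numerically
normalize_version() {
    printf '%s\n' "$1" | sed 's/^v//'
}

# version_lt A B: exit 0 if A is lower than B, 1 otherwise.
# Compares dotted numeric components left to right; missing components
# count as 0, so "20.11" sorts below "20.11.1".
version_lt() {
    a=$(normalize_version "$1")
    b=$(normalize_version "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a= || a=${a#*.}
        [ "$b" = "$y" ] && b= || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# classify_node_version VERSION: print "VULNERABLE <ver>" when the version is
# below FIXED_VERSION, otherwise "OK <ver>"
classify_node_version() {
    v=$(normalize_version "$1")
    if version_lt "$v" "$FIXED_VERSION"; then
        printf 'VULNERABLE %s\n' "$v"
    else
        printf 'OK %s\n' "$v"
    fi
}

# check_runner_externals DIR: locate the node20 binary the scanner reported
# (DIR/externals/node20/bin/node), query its version and classify it.
# Exit status 2 means the binary was not found at that path.
check_runner_externals() {
    runner_dir="${1:-.}"
    node_bin="$runner_dir/externals/node20/bin/node"
    if [ ! -x "$node_bin" ]; then
        printf 'MISSING %s\n' "$node_bin"
        return 2
    fi
    classify_node_version "$("$node_bin" --version)"
}

# Run against a real installation only when RUNNER_DIR is set, e.g.
#   RUNNER_DIR=/home/runner sh check-node20.sh
if [ -n "${RUNNER_DIR:-}" ]; then
    check_runner_externals "$RUNNER_DIR"
fi
```

Exit status 0 with an "OK" line means the bundled Node is at or above the fixed version; a "VULNERABLE" line matches what the scanner in the report flagged for 20.8.1.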
Is there a schedule for cutting new releases?
Same question here. Our internal vulnerability scans are lighting up about this one and I see that it was merged 3 days ago but the latest version of ghcr.io/actions/actions-runner:latest is 15 days old. Would really like to get this one remediated so any guidance would be appreciated!
Is there any update on this?
Looks like a new release was published late last week! 🎉
Hope this can be merged soon!