
Critical CVEs found when scanning latest image

Open MalteHei opened this issue 1 month ago • 8 comments

When scanning the latest version of the code-server image, our scanner found two critical CVEs:

  • Image: ghcr.io/coder/code-server:4.105.1 (digest: sha256:2d48970bd2084aa34a522d772b6a437981ea80407465b3bf7958553985c570e1)
  • Scanner: Trivy v0.58.2
  • Critical CVEs:
    • CVE-2023-45853 in version 1:1.2.13.dfsg-1 of package zlib1g
    • CVE-2024-24790 in version v1.20.7 of package stdlib (fixed in versions 1.21.11, 1.22.4)

CVE-2024-24790 seems to be contained in every image flavour, not just debian.

Due to our security policy, these CVEs block us from deploying code-server in our environment. Is there any chance of updating these dependencies? (Or are they false-positives?)

MalteHei avatar Oct 24 '25 14:10 MalteHei

Hm these are system packages installed in the image? I will redeploy the Docker builds which should update everything.

Not sure why our nightly Trivy scan did not pick up anything 😢

code-asher avatar Oct 24 '25 23:10 code-asher

Oh wait CVE-2024-24790 did come up but it said it was for fixuid, and fixuid makes no network requests. I do not believe there is a new version of fixuid in any case.

CVE-2023-45853 does not seem to have come up before in our scans, but I checked debian:12 and the latest still seems to be zlib1g 1.2.13 so nothing we can update there either. Have not checked the other images yet.

code-asher avatar Oct 24 '25 23:10 code-asher

Thanks for the quick response! I did some more scanning and came to the following conclusion:

  • CVE-2024-24790 is a false-positive because while the affected gobinary, usr/local/bin/fixuid, uses a vulnerable version of go, it does not use any of the vulnerable methods.
  • CVE-2023-45853 is an actual vulnerability, but it only applies to the debian flavour of code-server and can be bypassed by using another flavour like ubuntu.

Can you confirm?

MalteHei avatar Oct 28 '25 07:10 MalteHei

> CVE-2024-24790 is a false-positive because while the affected gobinary, usr/local/bin/fixuid, uses a vulnerable version of go, it does not use any of the vulnerable methods.

Yup, exactly.

> CVE-2023-45853 is an actual vulnerability, but it only applies to the debian flavour of code-server and can be bypassed by using another flavour like ubuntu.

No, looks like most flavors are affected. I went through them all and these have versions <= 1.3:

  • debian:12 (zlib1g 1.2.13)
  • ubuntu:focal (zlib1g 1.2.11)
  • ubuntu:noble (zlib1g 1.3)
  • fedora:39 (zlib 1.2.13)

The opensuse image does not appear to have zlib installed at all, so I suppose it is unaffected? I am not familiar with opensuse though, maybe I am using the package tool incorrectly.

code-asher avatar Oct 29 '25 01:10 code-asher

> No, looks like most flavors are affected.

My scans do not confirm this. Using a newer version of Trivy (0.67.2), I can only find false-positives (#6332) ...

code-server:4.105.1-focal

Command:

$ podman run -it aquasec/trivy:0.67.2 image ghcr.io/coder/code-server:4.105.1-focal -s CRITICAL --scanners=vuln --table-mode=detailed -q

Output:

Node.js (node-pkg)

Total: 4 (CRITICAL: 4)

┌────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                           │
├────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ code-server (package.json) │ CVE-2023-26114 │ CRITICAL │ fixed  │ 1.105.1           │ 4.10.1        │ code-server vulnerable to Missing Origin Validation in   │
│                            │                │          │        │                   │               │ WebSockets                                               │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-26114               │
├────────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ handlebars (package.json)  │ CVE-2019-19919 │          │        │ 1.0.0             │ 4.3.0, 3.0.8  │ nodejs-handlebars: prototype pollution leading to remote │
│                            │                │          │        │                   │               │ code execution via crafted payloads                      │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-19919               │
│                            ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────┤
│                            │ CVE-2021-23369 │          │        │                   │ 4.7.7         │ nodejs-handlebars: Remote code execution when compiling  │
│                            │                │          │        │                   │               │ untrusted compile templates with strict:true option...   │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2021-23369               │
│                            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────┤
│                            │ CVE-2021-23383 │          │        │                   │               │ nodejs-handlebars: Remote code execution when compiling  │
│                            │                │          │        │                   │               │ untrusted compile templates with compat:true option...   │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2021-23383               │
└────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

usr/local/bin/fixuid (gobinary)

Total: 1 (CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ v1.20.7           │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘

code-server:4.105.1-noble

Command:

$ podman run -it aquasec/trivy:0.67.2 image ghcr.io/coder/code-server:4.105.1-noble -s CRITICAL --scanners=vuln --table-mode=detailed -q

Output:

Node.js (node-pkg)

Total: 4 (CRITICAL: 4)

┌────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                           │
├────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ code-server (package.json) │ CVE-2023-26114 │ CRITICAL │ fixed  │ 1.105.1           │ 4.10.1        │ code-server vulnerable to Missing Origin Validation in   │
│                            │                │          │        │                   │               │ WebSockets                                               │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-26114               │
├────────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ handlebars (package.json)  │ CVE-2019-19919 │          │        │ 1.0.0             │ 4.3.0, 3.0.8  │ nodejs-handlebars: prototype pollution leading to remote │
│                            │                │          │        │                   │               │ code execution via crafted payloads                      │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-19919               │
│                            ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────┤
│                            │ CVE-2021-23369 │          │        │                   │ 4.7.7         │ nodejs-handlebars: Remote code execution when compiling  │
│                            │                │          │        │                   │               │ untrusted compile templates with strict:true option...   │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2021-23369               │
│                            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────┤
│                            │ CVE-2021-23383 │          │        │                   │               │ nodejs-handlebars: Remote code execution when compiling  │
│                            │                │          │        │                   │               │ untrusted compile templates with compat:true option...   │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2021-23383               │
└────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

usr/local/bin/fixuid (gobinary)

Total: 1 (CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ v1.20.7           │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘

code-server:4.105.1-fedora

Command:

$ podman run -it aquasec/trivy:0.67.2 image ghcr.io/coder/code-server:4.105.1-fedora -s CRITICAL --scanners=vuln --table-mode=detailed -q

Output:

Node.js (node-pkg)

Total: 4 (CRITICAL: 4)

┌────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                           │
├────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ code-server (package.json) │ CVE-2023-26114 │ CRITICAL │ fixed  │ 1.105.1           │ 4.10.1        │ code-server vulnerable to Missing Origin Validation in   │
│                            │                │          │        │                   │               │ WebSockets                                               │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-26114               │
├────────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ handlebars (package.json)  │ CVE-2019-19919 │          │        │ 1.0.0             │ 4.3.0, 3.0.8  │ nodejs-handlebars: prototype pollution leading to remote │
│                            │                │          │        │                   │               │ code execution via crafted payloads                      │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-19919               │
│                            ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────┤
│                            │ CVE-2021-23369 │          │        │                   │ 4.7.7         │ nodejs-handlebars: Remote code execution when compiling  │
│                            │                │          │        │                   │               │ untrusted compile templates with strict:true option...   │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2021-23369               │
│                            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────┤
│                            │ CVE-2021-23383 │          │        │                   │               │ nodejs-handlebars: Remote code execution when compiling  │
│                            │                │          │        │                   │               │ untrusted compile templates with compat:true option...   │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2021-23383               │
└────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

usr/local/bin/fixuid (gobinary)

Total: 1 (CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ v1.20.7           │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘

Am I missing something?

MalteHei avatar Oct 29 '25 08:10 MalteHei

Hmm I am not sure, all I did was run the container and check the package manager for what was installed. One example:

$ docker run --rm -it --entrypoint bash codercom/code-server:4.105.1-focal
$ apt show zlib1g
Package: zlib1g
Version: 1:1.2.11.dfsg-2ubuntu1.5
Status: install ok installed
Priority: required
Section: libs
Source: zlib
Maintainer: Ubuntu Developers <[email protected]>
Original-Maintainer: Mark Brown <[email protected]>
Installed-Size: 168 kB
Provides: libz1
Depends: libc6 (>= 2.14)
Conflicts: zlib1 (<= 1:1.0.4-7)
Breaks: libxml2 (<< 2.7.6.dfsg-2), texlive-binaries (<< 2009-12)
Homepage: http://zlib.net/
Download-Size: unknown
APT-Manual-Installed: yes
APT-Sources: /var/lib/dpkg/status
Description: compression library - runtime
 zlib is a library implementing the deflate compression method found
 in gzip and PKZIP.  This package includes the shared library.

code-asher avatar Oct 30 '25 18:10 code-asher

Actually, looking at the CVE more closely, it says MiniZip in zlib, and MiniZip is not a supported part of the zlib product, so maybe this is something only Debian is including or something. If Trivy says everything is fine, that is probably true.

code-asher avatar Oct 30 '25 18:10 code-asher

Looking through https://github.com/madler/zlib/pull/843#issuecomment-2130408505 it seems like zlib being vulnerable in Debian is actually a false positive too.

The source code of that particular version of zlib has a vulnerability, but the vulnerable part isn't in the Debian package. The Debian binary for zlib doesn't contain the vulnerable code.

code-asher avatar Oct 30 '25 18:10 code-asher
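The thread ends with both critical findings judged not applicable (fixuid does not call the affected net/netip methods; the Debian zlib1g binary does not contain the MiniZip code). The block below is an added example, not code from the code-server project or either participant: it records those two conclusions as auditable not-affected rules and applies them to a Trivy JSON report, so only findings without a reviewed justification remain blocking. The report is a constructed sample mirroring the findings discussed above in the layout of Trivy's `--format json` output; the third finding is a placeholder added only to show one that stays blocking.

```python
"""Triage Trivy JSON findings against reviewed not-affected rules (added example)."""
import json

# Constructed sample in Trivy's JSON layout, reduced to the fields used here.
TRIVY_JSON = json.dumps({"Results": [
    {"Target": "usr/local/bin/fixuid", "Type": "gobinary", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2024-24790", "PkgName": "stdlib",
         "InstalledVersion": "v1.20.7", "FixedVersion": "1.21.11, 1.22.4",
         "Severity": "CRITICAL"}]},
    {"Target": "ghcr.io/coder/code-server:4.105.1 (debian 12)", "Type": "debian",
     "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2023-45853", "PkgName": "zlib1g",
         "InstalledVersion": "1:1.2.13.dfsg-1", "FixedVersion": "",
         "Severity": "CRITICAL"},
        # Placeholder finding (not from the issue) that has no rule and must stay blocking.
        {"VulnerabilityID": "CVE-0000-0000", "PkgName": "libexample",
         "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"}]},
]})

# Conclusions reached in this thread, keyed by (CVE, target substring, package).
# Each entry carries the reason, so the suppression can be reviewed later.
NOT_AFFECTED = {
    ("CVE-2024-24790", "fixuid", "stdlib"):
        "fixuid does not call the affected net/netip Is* methods",
    ("CVE-2023-45853", "debian", "zlib1g"):
        "MiniZip code is not built into the Debian zlib1g binary",
}

def triage(report_json, rules=NOT_AFFECTED, severities=("CRITICAL",)):
    """Return (blocking, suppressed). Blocking findings still need action;
    suppressed ones carry the recorded justification."""
    blocking, suppressed = [], []
    for result in json.loads(report_json).get("Results", []):
        target = result.get("Target", "")
        for v in result.get("Vulnerabilities") or []:
            if v["Severity"] not in severities:
                continue
            cve, pkg = v["VulnerabilityID"], v["PkgName"]
            reason = next((why for (r_cve, r_tgt, r_pkg), why in rules.items()
                           if r_cve == cve and r_tgt in target.lower() and r_pkg == pkg),
                          None)
            (suppressed if reason else blocking).append(
                {"id": cve, "target": target, "pkg": pkg, "reason": reason})
    return blocking, suppressed

if __name__ == "__main__":
    block, skip = triage(TRIVY_JSON)
    for f in skip:
        print(f"not affected: {f['id']} in {f['target']} ({f['reason']})")
    for f in block:
        print(f"BLOCKING:     {f['id']} in {f['target']} package {f['pkg']}")
```

The same decisions can be fed to Trivy itself through a `.trivyignore` file or a VEX document so the nightly scan reports them as not affected.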