Security scanner flagging jar file for upgrade.
I am pulling the shinyproxy image:
FROM openanalytics/shinyproxy:3.1.1
In a routine security scan, the scanner printed the following about the shinyproxy.jar file. I am not sure what it means. The versions clearly don't align with any ShinyProxy release. Is it something in the jar file or about the way it was built?
/opt/docker/overlay2/2941cc1d079118aedff759fc1910234ffb1fe3f70fb236c2df574451eb7d0390/merged/opt/shinyproxy/shinyproxy.jar Installed version : 6.2.4 Fixed version : 6.2.7
Hi, looking at the version number, I expect this flag is about the Spring framework. We closely follow the Spring security advisories (https://spring.io/security). None of the recent vulnerabilities are related to ShinyProxy. If you have a specific CVE, I can provide an explanation.
Nevertheless, we are working on a new release of ShinyProxy that will update all dependencies.
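A way to answer the original question ("is the 6.2.4 something in the jar file?") is to look at the Maven coordinates that scanners such as Trivy read from `META-INF/maven/<groupId>/<artifactId>/pom.properties` inside the jar and inside the library jars nested in it. The script below is an added example, not ShinyProxy project code: it constructs a small Spring Boot style fat jar in memory (libraries under `BOOT-INF/lib/`, which assumes shinyproxy.jar uses that layout) with a few of the artifact versions listed later in this thread, then reports which artifacts carry a given version string. Point `list_artifacts` at the bytes of a real shinyproxy.jar to do the same check on the actual image.

```python
"""Locate which Maven artifact inside a (possibly nested) jar carries a given
version string, e.g. the "6.2.4" a scanner reported against shinyproxy.jar.

Added example, not ShinyProxy project code. The sample jar is constructed
in memory so the script runs offline; the coordinates it embeds are taken
from the Trivy output quoted in this thread.
"""
import io
import zipfile


def _pom_properties(group_id, artifact_id, version):
    # Same three keys Maven writes into pom.properties.
    return f"groupId={group_id}\nartifactId={artifact_id}\nversion={version}\n"


def build_sample_jar():
    """Constructed fat jar: the outer jar carries nested library jars under
    BOOT-INF/lib/ (assumed Spring Boot layout), each with its pom.properties."""
    libs = [
        ("org.springframework.security", "spring-security-web", "6.2.4"),
        ("org.springframework.security", "spring-security-crypto", "6.2.4"),
        ("org.springframework", "spring-webmvc", "6.1.8"),
        ("com.nimbusds", "nimbus-jose-jwt", "9.24.4"),
    ]
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as fat:
        for g, a, v in libs:
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w") as lib:
                lib.writestr(f"META-INF/maven/{g}/{a}/pom.properties",
                             _pom_properties(g, a, v))
            fat.writestr(f"BOOT-INF/lib/{a}-{v}.jar", inner.getvalue())
        fat.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return outer.getvalue()


def parse_pom_properties(text):
    """Parse the key=value lines of a pom.properties file into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def list_artifacts(jar_bytes, path="", depth=0, max_depth=3):
    """Return (location, groupId, artifactId, version) for every pom.properties
    found in the jar or in jars nested inside it (recursion bounded by max_depth)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                if {"groupId", "artifactId", "version"} <= props.keys():
                    found.append((path or "<root>", props["groupId"],
                                  props["artifactId"], props["version"]))
            elif name.endswith(".jar") and depth < max_depth:
                nested_path = f"{path}/{name}" if path else name
                found.extend(list_artifacts(zf.read(name), nested_path,
                                            depth + 1, max_depth))
    return found


def find_version(jar_bytes, version):
    """Sorted 'groupId:artifactId' of every artifact at exactly this version."""
    return sorted(f"{g}:{a}" for _, g, a, v in list_artifacts(jar_bytes)
                  if v == version)


if __name__ == "__main__":
    jar = build_sample_jar()  # replace with open("shinyproxy.jar", "rb").read()
    for loc, g, a, v in list_artifacts(jar):
        print(f"{loc}: {g}:{a}:{v}")
    print("artifacts at 6.2.4:", find_version(jar, "6.2.4"))
```

On the constructed jar the 6.2.4 resolves to the two Spring Security artifacts, which is consistent with the first scanner's "Installed 6.2.4, Fixed 6.2.7" line and with the spring-security-web row in the Trivy table below. Scanners that fall back to file names or hashes when pom.properties is missing may report slightly different results, so treat this as a way to confirm what a flag refers to, not as a replacement for the scanner.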
I'm just trying ShinyProxy for the first time. I use the Trivy vulnerability scanner in my Docker build pipeline. These are the CVEs:
Java (jar)
==========
Total: 12 (HIGH: 11, CRITICAL: 1)
┌─────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ com.nimbusds:nimbus-jose-jwt (shinyproxy.jar) │ CVE-2023-52428 │ HIGH │ fixed │ 9.24.4 │ 9.37.2 │ nimbus-jose-jwt: large JWE p2c header value causes Denial of │
│ │ │ │ │ │ │ Service │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-52428 │
├─────────────────────────────────────────────────────┼────────────────┤ │ ├───────────────────┼──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ commons-io:commons-io (shinyproxy.jar) │ CVE-2024-47554 │ │ │ 2.8.0 │ 2.14.0 │ apache-commons-io: Possible denial of service attack on │
│ │ │ │ │ │ │ untrusted input to XmlStreamReader │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-47 │
├─────────────────────────────────────────────────────┼────────────────┤ │ ├───────────────────┼──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ io.netty:netty-handler (shinyproxy.jar) │ CVE-2025-24970 │ │ │ 4.1.110.Final │ 4.1.118.Final │ io.netty:netty-handler: SslHandler doesn't correctly │
│ │ │ │ │ │ │ validate packets which can lead to native crash... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-24970 │
├─────────────────────────────────────────────────────┼────────────────┤ │ ├───────────────────┼──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ io.undertow:undertow-core (shinyproxy.jar) │ CVE-2024-5971 │ │ │ 2.3.13.Final │ 2.3.15.Final, 2.2.34.Final │ undertow: response write hangs in case of Java 17 TLSv1.3 │
│ │ │ │ │ │ │ NewSessionTicket │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-5971 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-6162 │ │ │ │ 2.3.14.Final, 2.2.33.Final │ undertow: url-encoded request path information can be broken │
│ │ │ │ │ │ │ on ajp-listener │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-6162 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-7885 │ │ │ │ 2.2.36.Final, 2.3.17.Final │ undertow: Improper State Management in Proxy Protocol │
│ │ │ │ │ │ │ parsing causes information leakage │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-7885 │
├─────────────────────────────────────────────────────┼────────────────┤ │ ├───────────────────┼──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ net.minidev:json-smart (shinyproxy.jar) │ CVE-2024-57699 │ │ │ 2.5.1 │ 2.5.2 │ json-smart: Potential DoS via stack exhaustion (incomplete │
│ │ │ │ │ │ │ fix for CVE-2023-1370) │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-57699 │
├─────────────────────────────────────────────────────┼────────────────┤ │ ├───────────────────┼──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.jboss.xnio:xnio-api (shinyproxy.jar) │ CVE-2023-5685 │ │ │ 3.8.8.Final │ 3.8.14.Final │ xnio: StackOverflowException when the chain of notifier │
│ │ │ │ │ │ │ states becomes problematically big │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-5685 │
├─────────────────────────────────────────────────────┼────────────────┤ │ ├───────────────────┼──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework.security:spring-security-crypto │ CVE-2025-22228 │ │ │ 6.2.4 │ 6.3.8, 6.4.4, 6.2.10, 6.1.14, 6.0.16, 5.8.18, 5.7.16 │ spring-security-core: Spring Security BCryptPasswordEncoder │
│ (shinyproxy.jar) │ │ │ │ │ │ does not enforce maximum password length │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22228 │
├─────────────────────────────────────────────────────┼────────────────┼──────────┤ │ ├──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework.security:spring-security-web │ CVE-2024-38821 │ CRITICAL │ │ │ 5.7.13, 5.8.15, 6.2.7, 6.0.13, 6.1.11, 6.3.4 │ Spring-WebFlux: Authorization Bypass of Static Resources in │
│ (shinyproxy.jar) │ │ │ │ │ │ WebFlux Applications │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-38821 │
├─────────────────────────────────────────────────────┼────────────────┼──────────┤ ├───────────────────┼──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-webmvc (shinyproxy.jar) │ CVE-2024-38816 │ HIGH │ │ 6.1.8 │ 6.1.13 │ spring-webmvc: Path Traversal Vulnerability in Spring │
│ │ │ │ │ │ │ Applications Using RouterFunctions and FileSystemResource │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-38816 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-38819 │ │ │ │ 6.1.14 │ org.springframework:spring-webmvc: Path traversal │
│ │ │ │ │ │ │ vulnerability in functional web frameworks │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-38819 │
└─────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────────┘
Most organizations have a remediation policy of 10 days for Critical and 30 days for High, regardless of whether it could ever happen. I know this is open source, so I have lower expectations: when time permits. The Critical one is 4+ months old.
Hi
We just released ShinyProxy 3.2.0 in which all dependencies are upgraded!
See the blog or release notes
Thank you for the suggestion!