
(Bug report) there are some CVEs in the images

Open · andyliuliming opened this issue 2 years ago · 1 comment

Trilium Version

0.51.2

What operating system are you using?

Windows

What is your setup?

Local (no sync)

Operating System Version

N/A

Description

If we use Trivy to scan the image, there are some CVEs in it.

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 0)

| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---|---|---|---|---|---|
| ansi-regex | CVE-2021-3807 | HIGH | 3.0.0 | 3.0.1, 4.1.1, 5.0.1, 6.0.1 | nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (avd.aquasec.com/nvd/cve-2021-3807) |
| ansi-regex | CVE-2021-3807 | HIGH | 5.0.0 | 3.0.1, 4.1.1, 5.0.1, 6.0.1 | nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (avd.aquasec.com/nvd/cve-2021-3807) |
| ejs | CVE-2022-29078 | HIGH | 3.1.6 | 3.1.7 | ejs: server-side template injection in outputFunctionName (avd.aquasec.com/nvd/cve-2022-29078) |

andyliuliming commented May 07 '22 15:05
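The report above is Trivy's table output. In CI it is more useful to consume the JSON output and decide mechanically which findings block a build, while recording triage decisions like the maintainer's reply as an explicit ignore list with a written reason. The script below is an added example for that workflow; it is not Trilium's code and not part of this issue. The image tag `zadam/trilium:0.51.2`, the `SAMPLE_REPORT` contents (constructed to mirror the three findings above) and the triage text are assumptions; the JSON field names are the ones `trivy image -f json` emits.

```python
"""Summarise a Trivy JSON image scan and apply a CI gate.

Added example, not Trilium's code and not part of the original issue.
A real report is produced with (image tag assumed):
    trivy image -f json -o report.json zadam/trilium:0.51.2
and consumed with gate(findings(open("report.json").read()), ...).
"""
import json
from collections import Counter

# Trivy's severity scale, low to high; unrecognised strings rank lowest.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

ANSI_TITLE = ("nodejs-ansi-regex: Regular expression denial of service "
              "(ReDoS) matching ANSI escape codes")

# Constructed report in the shape of `trivy image -f json` (schema v2),
# trimmed to the fields this script reads. Values mirror the issue's table.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "zadam/trilium:0.51.2",   # assumed image name
    "Results": [{
        "Target": "Node.js",
        "Type": "node-pkg",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-3807", "PkgName": "ansi-regex",
             "InstalledVersion": "3.0.0",
             "FixedVersion": "3.0.1, 4.1.1, 5.0.1, 6.0.1",
             "Severity": "HIGH", "Title": ANSI_TITLE},
            {"VulnerabilityID": "CVE-2021-3807", "PkgName": "ansi-regex",
             "InstalledVersion": "5.0.0",
             "FixedVersion": "3.0.1, 4.1.1, 5.0.1, 6.0.1",
             "Severity": "HIGH", "Title": ANSI_TITLE},
            {"VulnerabilityID": "CVE-2022-29078", "PkgName": "ejs",
             "InstalledVersion": "3.1.6", "FixedVersion": "3.1.7",
             "Severity": "HIGH",
             "Title": "ejs: server-side template injection in outputFunctionName"},
        ],
    }],
})


def findings(report_json):
    """Flatten Results[].Vulnerabilities[] into a list of plain dicts."""
    report = json.loads(report_json)
    out = []
    for result in report.get("Results", []):
        # Trivy emits "Vulnerabilities": null for targets with no findings.
        for v in result.get("Vulnerabilities") or []:
            out.append({
                "target": result.get("Target", ""),
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),
                "severity": v.get("Severity", "UNKNOWN").upper(),
            })
    return out


def summary(fs):
    """Counts per severity, the same shape as Trivy's 'Total:' line."""
    counts = Counter(f["severity"] for f in fs)
    return {s: counts.get(s, 0) for s in SEVERITY_RANK}


def gate(fs, min_severity="HIGH", ignore=None, require_fix=True):
    """Return the findings that should fail the build.

    ignore maps a CVE id to a written justification (the triage decision
    a maintainer records); require_fix skips findings with no upstream
    fix, since rebuilding cannot remove those anyway.
    """
    ignore = ignore or {}
    threshold = SEVERITY_RANK[min_severity]
    blocking = []
    for f in fs:
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue
        if f["id"] in ignore:
            continue
        if require_fix and not f["fixed"]:
            continue
        blocking.append(f)
    return blocking


if __name__ == "__main__":
    fs = findings(SAMPLE_REPORT)
    print("Total:", len(fs), summary(fs))
    # Hypothetical triage entry: the justification text is assumed, not quoted.
    triage = {"CVE-2021-3807": "accepted by maintainer triage; ejs bump still required"}
    blocked = gate(fs, ignore=triage)
    for f in blocked:
        print(f"BLOCK {f['id']} {f['pkg']} {f['installed']} -> fix {f['fixed']}")
    raise SystemExit(1 if blocked else 0)
```

With the ignore entry for CVE-2021-3807 only the ejs finding blocks, which is the outcome the thread converges on; without it all three HIGH findings block, and raising `min_severity` to CRITICAL lets everything through, so the threshold and the ignore list should both be reviewed, not just one of them.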

Hi, neither of these is really relevant to Trilium's security model.

ejs will be updated to 3.1.7 in 0.52 though.

zadam commented May 07 '22 20:05