critical vulnerability "CVE-2020-8116" in all node images #1301
Labels
Comments
|
We don't update npm separately, we just include the one shipping with node. So npm needs to update, then be updated in the node repo |
|
For reference |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
A critical vulnerability lies in all docker node images. The vulnerability in question is with the
dot-prop@4.2.0package.This vulnerability was resolved in version 5.2.0 of dot-prop, but all node images are using the older version.
I've attached the complete vulnerability scan done for the node-14.5.0-buster-slim image. This scan was performed using anchore
{ "feed": "nvdv2", "feed_group": "nvdv2:cves", "fix": "None", "nvd_data": [ { "cvss_v2": { "base_score": 7.5, "exploitability_score": 10.0, "impact_score": 6.4 }, "cvss_v3": { "base_score": 9.8, "exploitability_score": 3.9, "impact_score": 5.9 }, "id": "CVE-2020-8116" } ], "package": "dot-prop-4.2.0", "package_cpe": "cpe:/a:-:dot-prop:4.2.0:-:~~~node.js~~", "package_cpe23": "cpe:2.3:a:-:dot-prop:4.2.0:-:-:-:-:-:-:~~~node.js~~", "package_name": "dot-prop", "package_path": "/usr/local/lib/node_modules/npm/node_modules/dot-prop/package.json", "package_type": "npm", "package_version": "4.2.0", "severity": "Critical", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8116", "vendor_data": [], "vuln": "CVE-2020-8116" }node_14.5.0-buster-slim-vuln.txt
The text was updated successfully, but these errors were encountered: