
CVE found in Apache Superset Release 1.3

Issue Description

We have been using Apache Superset on Kubernetes. We scan images with Trivy to identify any vulnerabilities in our container images.

In one of our routine Trivy scans against the last released Superset image tag, 1.3, we identified a few npm package vulnerabilities. We reached out to the ASF security mailing list, but per them these are dependencies that do not have context as to how they are used in the project and should be treated as a normal bug.

How to reproduce the bug

  • Install Trivy:
      curl -sL -o install.sh "https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh"
      chmod +x install.sh
      ./install.sh v0.19.2
  • Run Trivy against image 1.3:
      trivy image --vuln-type 'os,library' --ignore-unfixed --format 'table' docker.io/apache/superset:1.3.0

Expected results

No CVE issues which are HIGH or CRITICAL ideally.

Actual results

We are seeing a few CVE issues in the package-lock.json file.

Environment

  • browser type and version: N/A
  • superset version: superset version 1.3.0
  • python version: python --version 3.8.12
  • node.js version: node -v
  • any feature flags active:

Checklist

  • I have checked the superset logs for python stacktraces and included it here as text if there are any.
  • I have reproduced the issue with at least the latest released version of superset.
  • I have checked the issue tracker for the same issue and I haven’t found one similar.

Additional context

Below is the Trivy scan result:

➜ trivy image --vuln-type 'os,library' --ignore-unfixed --format 'table' docker.io/apache/superset:1.3.0

app/superset-frontend/package-lock.json (npm)
=============================================
Total: 17 (UNKNOWN: 0, LOW: 0, MEDIUM: 9, HIGH: 5, CRITICAL: 3)

+----------------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
|    LIBRARY     |  VULNERABILITY ID   | SEVERITY | INSTALLED VERSION |    FIXED VERSION    |                    TITLE                     |
+----------------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| datatables.net | CVE-2021-23445      | MEDIUM   | 1.10.24           | 1.11.3              | Cross site scripting                         |
|                |                     |          |                   |                     | in datatables.net                            |
|                |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2021-23445        |
+----------------+---------------------+          +-------------------+---------------------+----------------------------------------------+
| esm            | GHSA-qx4v-6gc5-f2vv |          | 3.0.84            | 3.1.0               | Regular Expression Denial of Service         |
|                |                     |          |                   |                     | -->github.com/advisories/GHSA-qx4v-6gc5-f2vv |
+----------------+---------------------+          +-------------------+---------------------+----------------------------------------------+
| highlight.js   | GHSA-7wwv-vh3v-89cq |          | 10.3.2            | 10.4.1              | ReDOS vulnerabities: multiple grammars       |
|                |                     |          |                   |                     | -->github.com/advisories/GHSA-7wwv-vh3v-89cq |
+----------------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| immer          | CVE-2021-23436      | CRITICAL | 8.0.1             | 9.0.6               | Prototype Pollution in immer                 |
|                |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2021-23436        |
+                +---------------------+          +                   +                     +----------------------------------------------+
|                | CVE-2021-3757       |          |                   |                     | nodejs-immer: prototype                      |
|                |                     |          |                   |                     | pollution may lead to DoS                    |
|                |                     |          |                   |                     | or remote code execution                     |
|                |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2021-3757         |
+----------------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| minimist       | CVE-2020-7598       | MEDIUM   | 0.0.5             | 1.2.3, 0.2.1        | nodejs-minimist: prototype                   |
|                |                     |          |                   |                     | pollution allows adding                      |
|                |                     |          |                   |                     | or modifying properties of                   |
|                |                     |          |                   |                     | Object.prototype using a...                  |
|                |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2020-7598         |
+                +                     +          +-------------------+                     +                                              +
|                |                     |          | 0.0.8             |                     |                                              |
|                |                     |          |                   |                     |                                              |
|                |                     |          |                   |                     |                                              |
|                |                     |          |                   |                     |                                              |
|                |                     |          |                   |                     |                                              |
+----------------+---------------------+          +-------------------+---------------------+----------------------------------------------+
| node-fetch     | CVE-2020-15168      |          | 1.7.3             | 3.0.0-beta.9, 2.6.1 | node-fetch: size of data after               |
|                |                     |          |                   |                     | fetch() JS thread leads to DoS               |
|                |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2020-15168        |
+----------------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| nth-check      | CVE-2021-3803       | HIGH     | 1.0.2             | 2.0.1               | nodejs-nth-check: inefficient                |
|                |                     |          |                   |                     | regular expression complexity                |
|                |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2021-3803         |
+----------------+---------------------+          +-------------------+---------------------+----------------------------------------------+
| path-parse     | CVE-2021-23343      |          | 1.0.6             | 1.0.7               | nodejs-path-parse:                           |
|                |                     |          |                   |                     | ReDoS via splitDeviceRe,                     |
|                |                     |          |                   |                     | splitTailRe and splitPathRe                  |
|                |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2021-23343        |
+----------------+---------------------+          +-------------------+---------------------+----------------------------------------------+
| prismjs        | CVE-2021-23341      |          | 1.22.0            | 1.23.0              | nodejs-prismjs: Regular                      |
|                |                     |          |                   |                     | expression denial of service                 |
|                |                     |          |                   |                     | via prism-asciidoc prism-rest                |
|                |                     |          |                   |                     | prism-tap and prism-eiffel...                |
|                |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2021-23341        |
+                +---------------------+----------+                   +---------------------+----------------------------------------------+
|                | CVE-2021-32723      | MEDIUM   |                   | 1.24.0              | npm-prismjs: a malicious                     |
|                |                     |          |                   |                     | (long) string will take a                    |
|                |                     |          |                   |                     | long time to highlight...                    |
|                |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2021-32723        |
+                +---------------------+          +                   +---------------------+----------------------------------------------+
|                | CVE-2021-3801       |          |                   | 1.25.0              | nodejs-prismjs: ReDoS vulnerability          |
|                |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2021-3801         |
+----------------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| trim           | CVE-2020-7753       | HIGH     | 0.0.1             | 0.0.3               | Regular Expression                           |
|                |                     |          |                   |                     | Denial of Service in trim                    |
|                |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2020-7753         |
+----------------+---------------------+          +-------------------+---------------------+----------------------------------------------+
| underscore     | CVE-2021-23358      |          | 1.12.0            | 1.12.1              | nodejs-underscore: Arbitrary code            |
|                |                     |          |                   |                     | execution via the template function          |
|                |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2021-23358        |
+----------------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| urijs          | CVE-2021-3647       | MEDIUM   | 1.19.6            | 1.19.7              | Hostname spoofing via                        |
|                |                     |          |                   |                     | backslashes in URL                           |
|                |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2021-3647         |
+----------------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| zrender        | CVE-2021-39227      | CRITICAL | 5.1.1             | 5.2.1               | Prototype Pollution in the                   |
|                |                     |          |                   |                     | merge and clone helper methods               |
|                |                     |          |                   |                     | -->avd.aquasec.com/nvd/cve-2021-39227        |
+----------------+---------------------+----------+-------------------+---------------------+----------------------------------------------+

This was generated with the following command:

trivy image --vuln-type 'os,library' --ignore-unfixed --format 'table' docker.io/apache/superset:1.3.0
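As an added example (not from the issue or the Superset project), the script below does the triage the reproduction steps imply over Trivy's machine-readable output: run the same scan with `--format json`, gate on anything HIGH or CRITICAL as the expected result asks, and group findings by package so one version bump is tracked per dependency. The report embedded here is constructed from four findings in the table above, with field names following Trivy's JSON output; it is not real scanner output.

```python
import json
from collections import defaultdict

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample modeled on Trivy's `--format json` output (SchemaVersion 2:
# a "Results" list of targets, each with a "Vulnerabilities" list), filled with
# four of the findings from the issue's table; not real scanner output.
SAMPLE_REPORT = json.dumps({"SchemaVersion": 2, "ArtifactName": "docker.io/apache/superset:1.3.0",
    "Results": [{"Target": "app/superset-frontend/package-lock.json", "Type": "npm",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-23436", "PkgName": "immer", "InstalledVersion": "8.0.1",
             "FixedVersion": "9.0.6", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2021-3757", "PkgName": "immer", "InstalledVersion": "8.0.1",
             "FixedVersion": "9.0.6", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2020-7598", "PkgName": "minimist", "InstalledVersion": "0.0.5",
             "FixedVersion": "1.2.3, 0.2.1", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2021-3803", "PkgName": "nth-check", "InstalledVersion": "1.0.2",
             "FixedVersion": "2.0.1", "Severity": "HIGH"}]}]})

def findings_at_or_above(report_json, threshold="HIGH"):
    """Findings at or above the severity floor: (pkg, installed, id, severity, fixed)."""
    report = json.loads(report_json)
    # Reports older than SchemaVersion 2 were a bare list of results; accept both shapes.
    results = report["Results"] if isinstance(report, dict) else report
    floor = SEVERITY_RANK[threshold]
    return [(v["PkgName"], v["InstalledVersion"], v["VulnerabilityID"], v["Severity"], v.get("FixedVersion", ""))
            for r in results for v in (r.get("Vulnerabilities") or [])
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) >= floor]

def upgrade_plan(findings):
    """Group by (package, installed version) so one version bump is tracked per package."""
    plan = defaultdict(lambda: {"ids": [], "fixed": set(), "worst": "UNKNOWN"})
    for pkg, ver, vid, sev, fixed in findings:
        entry = plan[(pkg, ver)]
        entry["ids"].append(vid)
        entry["fixed"].update(f.strip() for f in fixed.split(",") if f.strip())  # "1.2.3, 0.2.1" -> both
        if SEVERITY_RANK[sev] > SEVERITY_RANK[entry["worst"]]:
            entry["worst"] = sev
    return {k: {"ids": sorted(e["ids"]), "fixed": sorted(e["fixed"]), "worst": e["worst"]}
            for k, e in plan.items()}

def gate(report_json, threshold="HIGH"):
    """CI gate: True when nothing at or above the threshold remains (the issue's expected result)."""
    return not findings_at_or_above(report_json, threshold)

if __name__ == "__main__":
    for (pkg, ver), e in sorted(upgrade_plan(findings_at_or_above(SAMPLE_REPORT)).items()):
        print(f"{pkg}@{ver}: {e['worst']} {', '.join(e['ids'])} -> fixed in {' or '.join(e['fixed'])}")
    print("PASS" if gate(SAMPLE_REPORT) else "FAIL: HIGH/CRITICAL findings present")  # CI would exit non-zero
```

Trivy can apply the same pass/fail gate directly with `--severity HIGH,CRITICAL --exit-code 1`; parsing the JSON is what lets the result be triaged per package instead of a bare exit code.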

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 2
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

rusackas commented, Oct 13, 2021 (1 reaction)

suddjian commented, Oct 12, 2021 (1 reaction)

😄 oh okay no worries then, didn't mean to give you the runaround
