mcr.microsoft.com/cbl-mariner/base/nodejs:18 contains FedRAMP vulnerability on npm dependency - ip v2.0.0 #8750
Labels
bug
Something isn't working
Comments
|
It was backported via PR: #8095 and first introduced in |
|
Fixed |
|
This issue still persists node-ip: Incomplete fix for CVE-2023-42282 │ https://avd.aquasec.com/nvd/cve-2024-29415 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The latest version of mcr.microsoft.com/cbl-mariner/base/nodejs:18 contains Fedramp vulnerability in npm dependencies on package 'ip' version 2.0.0 (CVE-2023-42282).
'ip' fixed the vulnerability with their 2.0.1 release.
npm team handled that here: npm/cli#7216
npm fixed the vulnerability here: npm/cli#7238
npm released the fixes in npm version 10.5.0 and 9.9.3.
mcr.microsoft.com/cbl-mariner/base/nodejs 18 still contains this vulnerability:
~ docker images | grep nodejs
mcr.microsoft.com/cbl-mariner/base/nodejs 18 ce7a4d78cb69 5 days ago 128MB
~ docker run -it ce7a4d78cb69 npm -v
9.8.1
Expected behavior
updated npm package with no Fedramp vulnerabilities.
The text was updated successfully, but these errors were encountered: