Latest Docker image still contains serious security vulnerability #812
Docker-based distribution is endorsed as a first-class citizen in README.
Docker images haven't been updated in a year. Therefore, all Gun's Docker users have this critical vulnerability: GHSA-886v-mm6p-4m66
This vulnerability is serious and could easily lead to compromise of the user's server and/or any related API keys, like AWS credentials. The vulnerability allows malicious users to read any file from the filesystem.
What makes this worse is that I'm seeing the terms "docker build: automated", "master" and "latest" tossed around in the README / DockerHub, which could trick some users into thinking they are getting up-to-date software (which is clearly not the case).
Docker-using users have been vulnerable for 150+ days since this vulnerability was disclosed to the project maintainer.
Please take your users' security seriously and either update the "latest", "master" DockerHub tags or delete them to protect the users.
I don't know how to do any Docker stuff :/ gonna try tagging some people in the community:
@mhelander (do you know how? sorry to burden you with so much)
@rm-rf-etc you mentioned docker the other day right?
@joonas-fi what timeline do you suggest it get fixed within, or else by when will I need to delete it from the README?