Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Latest Docker image still contains serious security vulnerability #812

Closed
joonas-fi opened this issue Sep 10, 2019 · 4 comments
Closed

Latest Docker image still contains serious security vulnerability #812

joonas-fi opened this issue Sep 10, 2019 · 4 comments

Comments

@joonas-fi
Copy link

@joonas-fi joonas-fi commented Sep 10, 2019

Docker-based distribution is endorsed as a first-class citizen in README.

Docker images haven't been updated in a year. Therefore, all Gun's Docker users have this critical vulnerability: GHSA-886v-mm6p-4m66

This vulnerability is serious and could easily lead to compromise of user's server and/or any related API keys like AWS credentials. The vulnerability allows malicious users to read any files from the filesystem.

What makes this worse is that I'm seeing "docker build: automated", "master" and "latest" terms tossed around in README / DockerHub which could trick some users into thinking the user gets up-to-date software (which is clearly not the case).

Docker-using users have been vulnerable 150+ days since this vulnerability was disclosed to the project maintainer.

Please take your users' security seriously and either update the "latest", "master" DockerHub tags or delete them to protect the users.

image

image

@amark

This comment has been minimized.

Copy link
Owner

@amark amark commented Sep 10, 2019

@joonas-fi thanks.

I don't know how to do any Docker stuff :/ gonna try tagging some people in the community:

@hillct

@mhelander (do you know how? sorry to burden you with so much)

@rm-rf-etc you mentioned docker the other day right?

@joonas-fi what timeline do you suggest it get fixed within, or else I'll need to delete it from the README by?

@amark

This comment has been minimized.

Copy link
Owner

@amark amark commented Sep 10, 2019

yay @rm-rf-etc taking this! You're my hero!!! 🎉 🎉

@amark

This comment has been minimized.

Copy link
Owner

@amark amark commented Sep 10, 2019

@hillct do you have the login for Docker Hub?

@amark

This comment has been minimized.

Copy link
Owner

@amark amark commented Sep 10, 2019

Ok, Docker Hub now says it was updated 3 hours ago, confirmed one of the latest, thanks @hillct @rm-rf-etc ! So this is fixed now. Thanks again @joonas-fi . :)

@amark amark closed this Sep 10, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.