
CVE-2021-43803 in lts-alpine3.15 #1641

@amudh

Description


Environment

  • Platform: Docker
  • Docker Version:
  • Node.js Version: 16.4.0 (also applicable to 16.13.2)
  • Image Tag: lts-alpine3.15 (lts-alpine and more)

Expected Behavior

No CVE-2021-43803 reported on the LTS images

Current Behavior

CVE-2021-43803 is being reported by Prisma Cloud Compute Edition (formerly Twistlock) which uses NVD.

Possible Solution

Not sure

Steps to Reproduce

docker pull lts-alpine3.15

Additional Information

This issue is reported by Twistlock, which scans docker images as part of our docker build pipeline. For reference, this is the Dockerfile:

# Use the official node image
FROM node:lts-alpine3.15
WORKDIR /usr/src/app
USER node
# other contents removed for simplification

I am not clear on why a next.js vulnerability is reported in a node.js docker image. I assumed it was probably brought in as part of yarn or npm. I tried to list globally installed packages through yarn global list --depth=4 and npm -g list --depth=4 respectively, and found that next.js is not used. Any pointers appreciated.

Here is the CVE --> https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2021-43803

Note: This is my first time opening a defect. Please point out/correct if I have not reported it correctly. I reviewed the security policy, which mentions opening an issue with nodejs directly. But I am not sure if this is a nodejs issue or an image issue. Please advise!
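The global package listings above only show what npm and yarn consider installed; image scanners generally match package.json manifests wherever they sit on disk (bundled dependencies, test fixtures, vendored copies), so a finding can come from a manifest that never appears in `npm -g list`. The script below is an added example, not code from this issue or the docker-node project: it walks an exported image root filesystem and prints every package.json whose top-level "name" is the package you are looking for, with its version and path, so the matched file can be located. The `rootfs` directory, the `tmp` container name and the sample manifests are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the issue or the docker-node project).
# Usage against a real image (assumed names):
#   docker create --name tmp node:lts-alpine3.15
#   mkdir rootfs && docker export tmp | tar -x -C rootfs
#   sh find_package.sh rootfs next
#
# Output: one tab-separated line per match: name, version, path.

# find_package ROOT NAME
# Lists every package.json under ROOT whose first "name" key equals NAME.
# The parsing is deliberately dependency-free (sed only, no node or jq),
# which works for npm-published manifests where "name" is the first key;
# a manifest with a nested "name" (e.g. inside "author") appearing before
# the top-level one would be misread, so treat hits as leads to inspect.
find_package() {
    root=$1
    pkg=$2
    find "$root" -type f -name package.json 2>/dev/null | while read -r f; do
        name=$(sed -n 's/^[[:space:]]*"name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$f" | head -n1)
        [ "$name" = "$pkg" ] || continue
        version=$(sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$f" | head -n1)
        printf '%s\t%s\t%s\n' "$name" "${version:-unknown}" "$f"
    done
}

# Run only when invoked with a root directory and a package name.
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    find_package "$1" "$2"
fi
```

Each reported path tells you which layer and which parent package carried the manifest (for example a copy under /usr/local/lib/node_modules/npm/... points at npm's bundled tree, one under an application directory at your own dependencies), which is the information a scanner finding usually omits.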
