borsear/resultui
Region: us-east-1
Scan Summary
Critical vulnerabilities: 12
Malicious files: 1
Last scan: 1 year, 10 months ago
Type of scan: Prevasio CSPM
Scan duration: 1 minute and 8 seconds
Image Details
Image URI: 531239714189.dkr.ecr.us-east-2.amazonaws.com/borsear/resultui
Image tags: resulttag
Digest: sha256:fec4f927dbdda0490fa8885d9f4d5954803f190366594805f8ecfeec5e1b96c1
Created: 5 years ago
Compressed size: 26.39 MB
Uncompressed size: 73.13 MB
OS/architecture: linux/amd64
OS distribution: alpine 3.6.2 (reached end of life)
Working directory: app
ENTRYPOINT: —
CMD: node server.js
User: —
Ports: 80/tcp
Volumes: —
Environment variables:
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
NODE_VERSION=8.9.4
YARN_VERSION=1.3.2
PORT=80
Filename | File Size | SHA 256 | Threat Name | Report |
---|---|---|---|---|
/usr/local/lib/node_modules/nodemon/node_modules/flatmap-stream/index.min.js | 1.33 kB | 4949ba537ee2fccb79b99760ee48d10a7a59be51d449c9f4fec4351d16c7f366 | Js.Coinminer.Agent-7049519-0 | VirusTotal |
Overview
Critical: 12
High: 39
Medium: 19
Low: 13
Informational: 0
Vulnerabilities (83)
Severity | Name | Package | Version | Fixed in | Description | Package:version |
---|---|---|---|---|---|---|
Critical | CVE-2018-1000620 | cryptiles | 3.1.2 | >=4.1.2 | nodejs-cryptiles: Insecure randomness causes the randomDigits() function returns a pseudo-random data string biased to certain digits | cryptiles:3.1.2 |
Critical | CVE-2018-3750 | deep-extend | 0.4.2 | 0.5.1 | nodejs-deep-extend: Prototype pollution can allow attackers to modify object properties | deep-extend:0.4.2 |
Critical | GHSA-mh6f-8j2x-4483 | event-stream | 3.3.6 | 4.0.0 | Critical severity vulnerability that affects event-stream and flatmap-stream | event-stream:3.3.6 |
Critical | CVE-2018-3739 | https-proxy-agent | 2.1.0 | 2.2.0 | nodejs-https-proxy-agent: Unsanitized options passed to Buffer() allow for denial of service | https-proxy-agent:2.1.0 |
Critical | CVE-2021-3918 | json-schema | 0.2.3 | 0.4.0 | nodejs-json-schema: Prototype pollution vulnerability | json-schema:0.2.3 |
Critical | CVE-2019-10744 | lodash | 3.10.1 | 4.17.12 | nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties | lodash:3.10.1 |
Critical | CVE-2021-44906 | minimist | 0.0.8 | 1.2.6 | minimist: prototype pollution | minimist:0.0.8 |
Critical | CVE-2021-44906 | minimist | 1.2.0 | 1.2.6 | minimist: prototype pollution | minimist:1.2.0 |
Critical | CVE-2019-10746 | mixin-deep | 1.3.1 | 2.0.1, 1.3.2 | nodejs-mixin-deep: prototype pollution in function mixin-deep | mixin-deep:1.3.1 |
Critical | CVE-2019-10747 | set-value | 0.4.3 | 3.0.1, 2.0.1 | nodejs-set-value: prototype pollution in function set-value | set-value:0.4.3 |
Critical | CVE-2019-10747 | set-value | 2.0.0 | 3.0.1, 2.0.1 | nodejs-set-value: prototype pollution in function set-value | set-value:2.0.0 |
Critical | CVE-2021-31597 | xmlhttprequest-ssl | 1.5.3 | 1.6.1 | xmlhttprequest-ssl: SSL certificate validation disabled by default | xmlhttprequest-ssl:1.5.3 |
High | CVE-2021-3807 | ansi-regex | 3.0.0 | 3.0.1, 4.1.1, 5.0.1, 6.0.1 | nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes | ansi-regex:3.0.0 |
High | CVE-2020-8116 | dot-prop | 4.2.0 | 5.1.1, 4.2.1 | nodejs-dot-prop: prototype pollution | dot-prop:4.2.0 |
High | CVE-2020-36048 | engine.io | 1.8.5 | 4.0.0 | yarnpkg-socket.io/engine.io: allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport | engine.io:1.8.5 |
High | CVE-2019-13173 | fstream | 1.0.11 | 1.0.12 | nodejs-fstream: File overwrite in fstream.DirWriter() function | fstream:1.0.11 |
High | CVE-2020-28469 | glob-parent | 3.1.0 | 5.1.2 | nodejs-glob-parent: Regular expression denial of service | glob-parent:3.1.0 |
High | CVE-2022-29167 | hawk | 6.0.2 | 9.0.1 | hawk: REDoS in hawk.utils.parseHost() when parsing Host header | hawk:6.0.2 |
High | GHSA-8w57-jfpm-945m | http-proxy-agent | 2.0.0 | 2.1.0 | Denial of Service in http-proxy-agent | http-proxy-agent:2.0.0 |
High | NSWG-ECO-402 | http-proxy-agent | 2.0.0 | >=2.1.0 | Denial of Service | http-proxy-agent:2.0.0 |
High | NSWG-ECO-388 | https-proxy-agent | 2.1.0 | >=2.2.0 | Denial of Service | https-proxy-agent:2.1.0 |
High | CVE-2020-7788 | ini | 1.3.4 | 1.3.6 | nodejs-ini: Prototype pollution via malicious INI file | ini:1.3.4 |
High | CVE-2020-7788 | ini | 1.3.5 | 1.3.6 | nodejs-ini: Prototype pollution via malicious INI file | ini:1.3.5 |
High | CVE-2019-20149 | kind-of | 6.0.2 | 6.0.3 | nodejs-kind-of: ctorName in index.js allows external user input to overwrite certain internal attributes | kind-of:6.0.2 |
High | CVE-2018-16487 | lodash | 3.10.1 | >=4.17.11 | lodash: Prototype pollution in utilities function | lodash:3.10.1 |
High | CVE-2020-8203 | lodash | 3.10.1 | 4.17.20 | nodejs-lodash: prototype pollution in zipObjectDeep function | lodash:3.10.1 |
High | CVE-2021-23337 | lodash | 3.10.1 | 4.17.21 | nodejs-lodash: command injection via template | lodash:3.10.1 |
High | CVE-2019-16775 | npm | 5.6.0 | 6.13.3 | npm: Symlink reference outside of node_modules folder through the bin field upon installation | npm:5.6.0 |
High | CVE-2020-7754 | npm-user-validate | 1.0.0 | 1.0.1 | nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS | npm-user-validate:1.0.0 |
High | CVE-2021-23440 | set-value | 0.4.3 | 2.0.1, 4.0.1 | nodejs-set-value: type confusion allows bypass of CVE-2019-10747 | set-value:0.4.3 |
High | CVE-2021-23440 | set-value | 2.0.0 | 2.0.1, 4.0.1 | nodejs-set-value: type confusion allows bypass of CVE-2019-10747 | set-value:2.0.0 |
High | CVE-2020-36049 | socket.io-parser | 2.3.1 | 3.4.1, 3.3.2 | yarnpkg-socket.io-parser: a denial of service (memory consumption) via a large packet because a concatenation approach is used | socket.io-parser:2.3.1 |
High | CVE-2018-3737 | sshpk | 1.13.1 | 1.13.2 | nodejs-sshpk: ReDoS when parsing crafted invalid public keys in lib/formats/ssh.js | sshpk:1.13.1 |
High | NSWG-ECO-401 | sshpk | 1.13.1 | >=1.13.2 | Denial of Service | sshpk:1.13.1 |
High | CVE-2018-20834 | tar | 2.2.1 | 4.4.2, 2.2.2 | nodejs-tar: Arbitrary file overwrites when extracting tarballs containing a hard-link | tar:2.2.1 |
High | CVE-2021-32803 | tar | 2.2.1 | 6.1.2, 5.0.7, 4.4.15, 3.2.3 | nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite | tar:2.2.1 |
High | CVE-2021-32804 | tar | 2.2.1 | 6.1.1, 5.0.6, 4.4.14, 3.2.2 | nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite | tar:2.2.1 |
High | CVE-2021-37701 | tar | 2.2.1 | 6.1.7, 5.0.8, 4.4.16 | nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite | tar:2.2.1 |
High | CVE-2021-37712 | tar | 2.2.1 | 6.1.9, 5.0.10, 4.4.18 | nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite | tar:2.2.1 |
High | CVE-2021-37713 | tar | 2.2.1 | 6.1.9, 5.0.10, 4.4.18 | nodejs-tar: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization | tar:2.2.1 |
High | CVE-2018-20834 | tar | 4.0.2 | 4.4.2, 2.2.2 | nodejs-tar: Arbitrary file overwrites when extracting tarballs containing a hard-link | tar:4.0.2 |
High | CVE-2021-32803 | tar | 4.0.2 | 6.1.2, 5.0.7, 4.4.15, 3.2.3 | nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite | tar:4.0.2 |
High | CVE-2021-32804 | tar | 4.0.2 | 6.1.1, 5.0.6, 4.4.14, 3.2.2 | nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite | tar:4.0.2 |
High | CVE-2021-37701 | tar | 4.0.2 | 6.1.7, 5.0.8, 4.4.16 | nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite | tar:4.0.2 |
High | CVE-2021-37712 | tar | 4.0.2 | 6.1.9, 5.0.10, 4.4.18 | nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite | tar:4.0.2 |
High | CVE-2021-37713 | tar | 4.0.2 | 6.1.9, 5.0.10, 4.4.18 | nodejs-tar: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization | tar:4.0.2 |
High | CVE-2020-28502 | xmlhttprequest-ssl | 1.5.3 | 1.6.2 | nodejs-xmlhttprequest: Code injection through user input to xhr.send | xmlhttprequest-ssl:1.5.3 |
High | CVE-2020-7774 | y18n | 3.2.1 | 5.0.5, 4.0.1, 3.2.2 | nodejs-y18n: prototype pollution vulnerability | y18n:3.2.1 |
High | CVE-2019-10773 | yarn | 1.3.2 | 1.22.0 | nodejs-yarn: Install functionality can be abused to generate arbitrary symlinks | yarn:1.3.2 |
High | CVE-2019-5448 | yarn | 1.3.2 | 1.17.3 | Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Da ... | yarn:1.3.2 |
High | CVE-2020-8131 | yarn | 1.3.2 | 1.22.0 | yarn: Arbitrary filesystem write via tar expansion | yarn:1.3.2 |
Medium | CVE-2020-15366 | ajv | 5.2.3 | 6.12.3 | nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function | ajv:5.2.3 |
Medium | CVE-2018-16492 | extend | 3.0.1 | 2.0.2, 3.0.2 | nodejs-extend: Prototype pollution can allow attackers to modify object properties | extend:3.0.1 |
Medium | CVE-2021-23362 | hosted-git-info | 2.5.0 | 2.8.9, 3.0.8 | nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() | hosted-git-info:2.5.0 |
Medium | CVE-2019-10196 | http-proxy-agent | 2.0.0 | 2.1.0 | nodejs-http-proxy-agent: Denial of Service and data leak due to improper buffer sanitization | http-proxy-agent:2.0.0 |
Medium | GHSA-pc5p-h8pf-mvwp | https-proxy-agent | 2.1.0 | 2.2.3 | Machine-In-The-Middle in https-proxy-agent | https-proxy-agent:2.1.0 |
Medium | NSWG-ECO-505 | https-proxy-agent | 2.1.0 | >=2.2.3 | Man-in-the-Middle | https-proxy-agent:2.1.0 |
Medium | CVE-2019-1010266 | lodash | 3.10.1 | 4.17.11 | lodash: uncontrolled resource consumption in Data handler causing denial of service | lodash:3.10.1 |
Medium | CVE-2020-28500 | lodash | 3.10.1 | 4.17.21 | nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions | lodash:3.10.1 |
Medium | GHSA-4xcv-9jjx-gfj3 | mem | 1.1.0 | 4.0.0 | Denial of Service in mem | mem:1.1.0 |
Medium | CVE-2020-7598 | minimist | 0.0.8 | 1.2.3, 0.2.1 | nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload | minimist:0.0.8 |
Medium | CVE-2020-7598 | minimist | 1.2.0 | 1.2.3, 0.2.1 | nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload | minimist:1.2.0 |
Medium | CVE-2020-28481 | socket.io | 1.7.4 | 2.4.0 | Insecure defaults due to CORS misconfiguration in socket.io | socket.io:1.7.4 |
Medium | CVE-2018-7651 | ssri | 4.1.6 | 5.2.2 | index.js in the ssri module before 5.2.2 for Node.js is prone to a reg ... | ssri:4.1.6 |
Medium | CVE-2018-7651 | ssri | 5.0.0 | 5.2.2 | index.js in the ssri module before 5.2.2 for Node.js is prone to a reg ... | ssri:5.0.0 |
Medium | CVE-2018-21270 | stringstream | 0.0.5 | 0.0.6 | nodejs-stringstream: out-of-bounds read leading to uninitialized memory exposure | stringstream:0.0.5 |
Medium | NSWG-ECO-422 | stringstream | 0.0.5 | >=0.0.6 | Out-of-bounds Read | stringstream:0.0.5 |
Medium | CVE-2019-10795 | undefsafe | 2.0.2 | 2.0.3 | Prototype Pollution in undefsafe | undefsafe:2.0.2 |
Medium | CVE-2020-7608 | yargs-parser | 7.0.0 | 5.0.1, 13.1.2, 18.1.2, 15.0.1 | nodejs-yargs-parser: prototype pollution vulnerability | yargs-parser:7.0.0 |
Medium | CVE-2019-15608 | yarn | 1.3.2 | 1.19.0 | yarn: TOCTOU vulnerability leads to cache pollution | yarn:1.3.2 |
Low | GHSA-2mj8-pj3j-h362 | bin-links | 1.1.0 | 1.1.5 | Symlink reference outside of node_modules in bin-links | bin-links:1.1.0 |
Low | GHSA-gqf6-75v8-vr26 | bin-links | 1.1.0 | 1.1.5 | Arbitrary File Write in bin-links | bin-links:1.1.0 |
Low | GHSA-v45m-2wcp-gg98 | bin-links | 1.1.0 | 1.1.6 | Global node_modules Binary Overwrite in bin-links | bin-links:1.1.0 |
Low | CVE-2017-18869 | chownr | 1.0.1 | 1.1.0 | nodejs-chownr: TOCTOU vulnerability in `chownr` function in chownr.js | chownr:1.0.1 |
Low | CVE-2017-16137 | debug | 2.2.0 | 3.1.0, 2.6.9 | nodejs-debug: Regular expression Denial of Service | debug:2.2.0 |
Low | CVE-2017-16137 | debug | 2.3.3 | 3.1.0, 2.6.9 | nodejs-debug: Regular expression Denial of Service | debug:2.3.3 |
Low | NSWG-ECO-408 | deep-extend | 0.4.2 | >=0.5.1 | deep-extend prototype pollution | deep-extend:0.4.2 |
Low | CVE-2018-3728 | hoek | 4.2.0 | >=5.0.3 >=4.2.1 | hoek: Prototype pollution in utilities function | hoek:4.2.0 |
Low | CVE-2018-3721 | lodash | 3.10.1 | >=4.17.5 | lodash: Prototype pollution in utilities function | lodash:3.10.1 |
Low | CVE-2019-16776 | npm | 5.6.0 | 6.13.3 | npm: Arbitrary file write via constructed entry in the package.json bin field | npm:5.6.0 |
Low | CVE-2019-16777 | npm | 5.6.0 | 6.13.4 | npm: Global node_modules Binary Overwrite | npm:5.6.0 |
Low | CVE-2020-15095 | npm | 5.6.0 | 6.14.6 | npm: sensitive information exposure through logs | npm:5.6.0 |
Low | GHSA-xgh6-85xh-479p | npm-user-validate | 1.0.0 | 1.0.1 | Regular Expression Denial of Service in npm-user-validate | npm-user-validate:1.0.0 |
Command
ADD file:6edc55fb54ec9fc3658c8f5176a70e792103a516154442f94fed8e0290e4960e in /
Command
CMD ["/bin/sh"]
Command
ENV NODE_VERSION=8.9.4
Command
RUN addgroup -g 1000 node &&
adduser -u 1000 -G node -s /bin/sh -D node &&
apk add --no-cache libstdc++ &&
apk add --no-cache --virtual .build-deps binutils-gold curl g++ gcc gnupg libgcc linux-headers make python &&
for key in 94AE36675C464D64BAFA68DD7434390BDBE9B9C5 FD3A5288F042B6850C66B31F09FE44734EB7990E 71DCFD284A79C3B38668286BC97EC7A07EDE3FC1 DD8F2338BAE7501E3DD5AC78C273792F7D83545D C4F0DFFF4E8C1A8236409D08E... &&
curl -SLO "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz" &&
curl -SLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" &&
gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc &&
grep " node-v$NODE_VERSION.tar.xz\$" SHASUMS256.txt | sha256sum -c - &&
tar -xf "node-v$NODE_VERSION.tar.xz" &&
cd "node-v$NODE_VERSION" &&
./configure &&
make -j$(getconf _NPROCESSORS_ONLN) &&
make install &&
apk del .build-deps &&
cd .. &&
rm -Rf "node-v$NODE_VERSION" &&
rm "node-v$NODE_VERSION.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt
Vulnerable packages, installed in this layer 6 years ago
Command
ENV YARN_VERSION=1.3.2
Command
RUN apk add --no-cache --virtual .build-deps-yarn curl gnupg tar &&
for key in 6A010C5166006599AA17F08146C2130DFD2497F5 ; do gpg --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys "$key" || gpg --keyserver hkp://ipv4.pool.sks-keyservers.net --recv-keys "$key... &&
curl -fSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz" &&
curl -fSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz.asc" &&
gpg --batch --verify yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz &&
mkdir -p /opt/yarn &&
tar -xzf yarn-v$YARN_VERSION.tar.gz -C /opt/yarn --strip-components=1 &&
ln -s /opt/yarn/bin/yarn /usr/local/bin/yarn &&
ln -s /opt/yarn/bin/yarn /usr/local/bin/yarnpkg &&
rm yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz &&
apk del .build-deps-yarn
Vulnerable package, installed in this layer 6 years ago
Command
CMD ["node"]
Command
RUN mkdir -p /app
Command
WORKDIR /app
Command
RUN npm install -g nodemon
Vulnerable packages, installed in this layer 5 years ago
Command
RUN npm config set registry https://registry.npmjs.org
Command
COPY file:43e0a041ade3bcdeffbeb035ca3a8a040d2919c9b519dc1add9d227cd412f7f1 in /app/package.json
Command
RUN npm install &&
npm ls &&
npm cache clean --force &&
mv /app/node_modules /node_modules
Vulnerable packages, installed in this layer 5 years ago
Command
COPY dir:622a35577483011dcf0c468e19d3b60481cfbc910e178f641e4314d9f7954f1a in /app
Command
ENV PORT=80
Command
EXPOSE 80
Command
CMD ["node" "server.js"]
Default executable script of the image: app/server.js
// Module wiring for the vote-results server: the Express app, the HTTP
// server it runs on, a socket.io instance sharing that listener, and the
// Postgres driver. All of these are module-scoped and used by the handlers
// further down in this file.
var express = require('express');
var async = require('async');
var pg = require("pg");
var path = require("path");
var cookieParser = require('cookie-parser');
var bodyParser = require('body-parser');
var methodOverride = require('method-override');

var app = express();
// socket.io is attached to the same http.Server, so it shares the port below.
var server = require('http').Server(app);
// NOTE(review): the image scan lists the installed socket.io (1.7.4) under
// CVE-2020-28481 (insecure CORS default); the header middleware below only
// covers Express routes, not the socket.io endpoint.
var io = require('socket.io')(server);

// Only the polling transport is enabled for socket.io.
io.set('transports', ['polling']);

// PORT is read from the environment (the image sets PORT=80); 4000 is the
// fallback. `||` also treats an empty PORT string as unset.
var port = process.env.PORT || 4000;
// Per-connection socket handler: greet the client, then let it join a room
// of its choosing. `data.channel` is client-controlled and used verbatim;
// a `subscribe` message without a `data` object throws inside the handler.
io.sockets.on('connection', function (socket) {
  var greeting = { text : 'Welcome!' };

  function joinChannel(data) {
    socket.join(data.channel);
  }

  socket.emit('message', greeting);
  socket.on('subscribe', joinChannel);
});
// Wait for Postgres to accept connections: retry up to 1000 times, one
// second apart, and only then start the vote polling loop.
// NOTE(review): the connection string is hard-coded and carries no password
// for the `postgres` role; it should come from the environment or a secret
// store rather than source. The pooled client's `done` callback is never
// invoked, so the client stays checked out for the life of the poll loop.
async.retry(
  {times: 1000, interval: 1000},
  function (retryDone) {
    var connString = 'postgres://postgres@db/postgres';
    pg.connect(connString, function (err, dbClient, done) {
      if (err) {
        console.error("Waiting for db");
      }
      // Passing the error back makes async.retry try again.
      retryDone(err, dbClient);
    });
  },
  function (err, dbClient) {
    if (err) {
      return console.error("Giving up");
    }
    console.log("Connected to db");
    getVotes(dbClient);
  }
);
/**
 * Poll the vote tallies once per second and broadcast them to every
 * connected socket as a JSON string on the "scores" event.
 * The SQL is a fixed literal with no interpolation, so there is no injection
 * surface here. A query error is logged and the next poll is still
 * scheduled; the loop never stops on its own.
 * @param {object} client - a connected pg client (kept for the whole loop)
 */
function getVotes(client) {
  var sql = 'SELECT vote, COUNT(id) AS count FROM votes GROUP BY vote';
  client.query(sql, [], function (err, queryResult) {
    if (!err) {
      var tallies = collectVotesFromResult(queryResult);
      io.sockets.emit("scores", JSON.stringify(tallies));
    } else {
      console.error("Error performing query: " + err);
    }
    // Re-armed from inside the callback, so polls never overlap.
    setTimeout(getVotes, 1000, client);
  });
}
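/**
 * Fold a `SELECT vote, COUNT(id) AS count ... GROUP BY vote` result into a
 * `{ vote: count }` map, pre-seeded with 0 for the two known options.
 * Vote values other than "a"/"b" are kept as extra keys, exactly as they
 * come back from the database.
 * @param {{rows?: Array<{vote: string, count: (string|number)}>}} result -
 *   pg query result; a missing `rows` array is treated as no rows.
 * @returns {Object<string, number>} tally per vote value
 */
function collectVotesFromResult(result) {
  var votes = {a: 0, b: 0};
  // Tolerate a result without a rows array instead of throwing.
  var rows = (result && result.rows) || [];
  for (var i = 0; i < rows.length; i++) {
    var row = rows[i];
    // COUNT() typically arrives as a string from pg; always pass the radix.
    votes[row.vote] = parseInt(row.count, 10);
  }
  return votes;
}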
// Express middleware stack, in registration order.
// NOTE(review): `bodyParser()` with no arguments is the deprecated
// parse-everything form, and nothing in this file reads `req.body`; consider
// dropping it or using explicit `.json()` / `.urlencoded()` parsers with a
// size limit so untrusted request bodies are not parsed for nothing.
app.use(cookieParser());
app.use(bodyParser());
// Lets clients tunnel other verbs through POST via the override header.
app.use(methodOverride('X-HTTP-Method-Override'));

// Wildcard CORS: any origin may read responses. No
// Access-Control-Allow-Credentials header is set, so cookies are not exposed
// cross-origin, but the advertised methods are broader than the routes this
// file actually defines (GET / plus static files).
function allowAnyOrigin(req, res, next) {
  var corsHeaders = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Headers": "Origin, X-Requested-With, Content-Type, Accept",
    "Access-Control-Allow-Methods": "PUT, GET, POST, DELETE, OPTIONS"
  };
  Object.keys(corsHeaders).forEach(function (name) {
    res.header(name, corsHeaders[name]);
  });
  next();
}
app.use(allowAnyOrigin);

// Static assets from ./views, then the index page for the root path.
var viewsDir = __dirname + '/views';
app.use(express.static(viewsDir));
app.get('/', function (req, res) {
  res.sendFile(path.resolve(viewsDir + '/index.html'));
});
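// Start listening on the configured port. The callback reads the port back
// from the bound address, which only differs from `port` when an ephemeral
// port (0) was requested.
server.listen(port, function () {
  // Named differently from the module-level `port` so it no longer shadows it.
  var boundPort = server.address().port;
  console.log('App running on port ' + boundPort);
});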
Dynamic Analysis Results
The following graph outlines the most important system events generated by the container:
The container starts a service that renders the following contents over port 80:
The container produces the following text output: