borsear/resultui

Region: us-east-1

Scan Summary
Critical vulnerabilities: 12
Malicious files: 1
Last scan: 1 year, 10 months ago
Type of scan: Prevasio CSPM
Scan duration: 1 minute and 8 seconds
Image Details
Image URI: 531239714189.dkr.ecr.us-east-2.amazonaws.com/borsear/resultui
Image tags: resulttag
Digest: sha256:fec4f927dbdda0490fa8885d9f4d5954803f190366594805f8ecfeec5e1b96c1
Created: 5 years ago
Compressed size: 26.39 MB
Uncompressed size: 73.13 MB
OS/architecture: linux/amd64
OS distribution: alpine 3.6.2 (reached end of life)
Working directory: app
ENTRYPOINT: (none)
CMD: node server.js
User: (none)
Ports: 80/tcp
Volumes: (none)
Environment variables:
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
NODE_VERSION=8.9.4
YARN_VERSION=1.3.2
PORT=80
Filename | File Size | SHA 256 | Threat Name | Report
/usr/local/lib/node_modules/nodemon/node_modules/flatmap-stream/index.min.js | 1.33 kB | 4949ba537ee2fccb79b99760ee48d10a7a59be51d449c9f4fec4351d16c7f366 | Js.Coinminer.Agent-7049519-0 | VirusTotal
Overview
Critical: 12
High: 39
Medium: 19
Low: 13
Informational: 0
Vulnerabilities (83)
Severity | Name | Package | Version | Fixed in | Description | Package:version
Critical | CVE-2018-1000620 | cryptiles | 3.1.2 | >=4.1.2 | nodejs-cryptiles: Insecure randomness causes the randomDigits() function to return a pseudo-random data string biased to certain digits | cryptiles:3.1.2
Critical | CVE-2018-3750 | deep-extend | 0.4.2 | 0.5.1 | nodejs-deep-extend: Prototype pollution can allow attackers to modify object properties | deep-extend:0.4.2
Critical | GHSA-mh6f-8j2x-4483 | event-stream | 3.3.6 | 4.0.0 | Critical severity vulnerability that affects event-stream and flatmap-stream | event-stream:3.3.6
Critical | CVE-2018-3739 | https-proxy-agent | 2.1.0 | 2.2.0 | nodejs-https-proxy-agent: Unsanitized options passed to Buffer() allow for denial of service | https-proxy-agent:2.1.0
Critical | CVE-2021-3918 | json-schema | 0.2.3 | 0.4.0 | nodejs-json-schema: Prototype pollution vulnerability | json-schema:0.2.3
Critical | CVE-2019-10744 | lodash | 3.10.1 | 4.17.12 | nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties | lodash:3.10.1
Critical | CVE-2021-44906 | minimist | 0.0.8 | 1.2.6 | minimist: prototype pollution | minimist:0.0.8
Critical | CVE-2021-44906 | minimist | 1.2.0 | 1.2.6 | minimist: prototype pollution | minimist:1.2.0
Critical | CVE-2019-10746 | mixin-deep | 1.3.1 | 2.0.1, 1.3.2 | nodejs-mixin-deep: prototype pollution in function mixin-deep | mixin-deep:1.3.1
Critical | CVE-2019-10747 | set-value | 0.4.3 | 3.0.1, 2.0.1 | nodejs-set-value: prototype pollution in function set-value | set-value:0.4.3
Critical | CVE-2019-10747 | set-value | 2.0.0 | 3.0.1, 2.0.1 | nodejs-set-value: prototype pollution in function set-value | set-value:2.0.0
Critical | CVE-2021-31597 | xmlhttprequest-ssl | 1.5.3 | 1.6.1 | xmlhttprequest-ssl: SSL certificate validation disabled by default | xmlhttprequest-ssl:1.5.3
High | CVE-2021-3807 | ansi-regex | 3.0.0 | 3.0.1, 4.1.1, 5.0.1, 6.0.1 | nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes | ansi-regex:3.0.0
High | CVE-2020-8116 | dot-prop | 4.2.0 | 5.1.1, 4.2.1 | nodejs-dot-prop: prototype pollution | dot-prop:4.2.0
High | CVE-2020-36048 | engine.io | 1.8.5 | 4.0.0 | yarnpkg-socket.io/engine.io: allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport | engine.io:1.8.5
High | CVE-2019-13173 | fstream | 1.0.11 | 1.0.12 | nodejs-fstream: File overwrite in fstream.DirWriter() function | fstream:1.0.11
High | CVE-2020-28469 | glob-parent | 3.1.0 | 5.1.2 | nodejs-glob-parent: Regular expression denial of service | glob-parent:3.1.0
High | CVE-2022-29167 | hawk | 6.0.2 | 9.0.1 | hawk: REDoS in hawk.utils.parseHost() when parsing Host header | hawk:6.0.2
High | GHSA-8w57-jfpm-945m | http-proxy-agent | 2.0.0 | 2.1.0 | Denial of Service in http-proxy-agent | http-proxy-agent:2.0.0
High | NSWG-ECO-402 | http-proxy-agent | 2.0.0 | >=2.1.0 | Denial of Service | http-proxy-agent:2.0.0
High | NSWG-ECO-388 | https-proxy-agent | 2.1.0 | >=2.2.0 | Denial of Service | https-proxy-agent:2.1.0
High | CVE-2020-7788 | ini | 1.3.4 | 1.3.6 | nodejs-ini: Prototype pollution via malicious INI file | ini:1.3.4
High | CVE-2020-7788 | ini | 1.3.5 | 1.3.6 | nodejs-ini: Prototype pollution via malicious INI file | ini:1.3.5
High | CVE-2019-20149 | kind-of | 6.0.2 | 6.0.3 | nodejs-kind-of: ctorName in index.js allows external user input to overwrite certain internal attributes | kind-of:6.0.2
High | CVE-2018-16487 | lodash | 3.10.1 | >=4.17.11 | lodash: Prototype pollution in utilities function | lodash:3.10.1
High | CVE-2020-8203 | lodash | 3.10.1 | 4.17.20 | nodejs-lodash: prototype pollution in zipObjectDeep function | lodash:3.10.1
High | CVE-2021-23337 | lodash | 3.10.1 | 4.17.21 | nodejs-lodash: command injection via template | lodash:3.10.1
High | CVE-2019-16775 | npm | 5.6.0 | 6.13.3 | npm: Symlink reference outside of node_modules folder through the bin field upon installation | npm:5.6.0
High | CVE-2020-7754 | npm-user-validate | 1.0.0 | 1.0.1 | nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS | npm-user-validate:1.0.0
High | CVE-2021-23440 | set-value | 0.4.3 | 2.0.1, 4.0.1 | nodejs-set-value: type confusion allows bypass of CVE-2019-10747 | set-value:0.4.3
High | CVE-2021-23440 | set-value | 2.0.0 | 2.0.1, 4.0.1 | nodejs-set-value: type confusion allows bypass of CVE-2019-10747 | set-value:2.0.0
High | CVE-2020-36049 | socket.io-parser | 2.3.1 | 3.4.1, 3.3.2 | yarnpkg-socket.io-parser: a denial of service (memory consumption) via a large packet because a concatenation approach is used | socket.io-parser:2.3.1
High | CVE-2018-3737 | sshpk | 1.13.1 | 1.13.2 | nodejs-sshpk: ReDoS when parsing crafted invalid public keys in lib/formats/ssh.js | sshpk:1.13.1
High | NSWG-ECO-401 | sshpk | 1.13.1 | >=1.13.2 | Denial of Service | sshpk:1.13.1
High | CVE-2018-20834 | tar | 2.2.1 | 4.4.2, 2.2.2 | nodejs-tar: Arbitrary file overwrites when extracting tarballs containing a hard-link | tar:2.2.1
High | CVE-2021-32803 | tar | 2.2.1 | 6.1.2, 5.0.7, 4.4.15, 3.2.3 | nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite | tar:2.2.1
High | CVE-2021-32804 | tar | 2.2.1 | 6.1.1, 5.0.6, 4.4.14, 3.2.2 | nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite | tar:2.2.1
High | CVE-2021-37701 | tar | 2.2.1 | 6.1.7, 5.0.8, 4.4.16 | nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite | tar:2.2.1
High | CVE-2021-37712 | tar | 2.2.1 | 6.1.9, 5.0.10, 4.4.18 | nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite | tar:2.2.1
High | CVE-2021-37713 | tar | 2.2.1 | 6.1.9, 5.0.10, 4.4.18 | nodejs-tar: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization | tar:2.2.1
High | CVE-2018-20834 | tar | 4.0.2 | 4.4.2, 2.2.2 | nodejs-tar: Arbitrary file overwrites when extracting tarballs containing a hard-link | tar:4.0.2
High | CVE-2021-32803 | tar | 4.0.2 | 6.1.2, 5.0.7, 4.4.15, 3.2.3 | nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite | tar:4.0.2
High | CVE-2021-32804 | tar | 4.0.2 | 6.1.1, 5.0.6, 4.4.14, 3.2.2 | nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite | tar:4.0.2
High | CVE-2021-37701 | tar | 4.0.2 | 6.1.7, 5.0.8, 4.4.16 | nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite | tar:4.0.2
High | CVE-2021-37712 | tar | 4.0.2 | 6.1.9, 5.0.10, 4.4.18 | nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite | tar:4.0.2
High | CVE-2021-37713 | tar | 4.0.2 | 6.1.9, 5.0.10, 4.4.18 | nodejs-tar: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization | tar:4.0.2
High | CVE-2020-28502 | xmlhttprequest-ssl | 1.5.3 | 1.6.2 | nodejs-xmlhttprequest: Code injection through user input to xhr.send | xmlhttprequest-ssl:1.5.3
High | CVE-2020-7774 | y18n | 3.2.1 | 5.0.5, 4.0.1, 3.2.2 | nodejs-y18n: prototype pollution vulnerability | y18n:3.2.1
High | CVE-2019-10773 | yarn | 1.3.2 | 1.22.0 | nodejs-yarn: Install functionality can be abused to generate arbitrary symlinks | yarn:1.3.2
High | CVE-2019-5448 | yarn | 1.3.2 | 1.17.3 | Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Da ... | yarn:1.3.2
High | CVE-2020-8131 | yarn | 1.3.2 | 1.22.0 | yarn: Arbitrary filesystem write via tar expansion | yarn:1.3.2
Medium | CVE-2020-15366 | ajv | 5.2.3 | 6.12.3 | nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function | ajv:5.2.3
Medium | CVE-2018-16492 | extend | 3.0.1 | 2.0.2, 3.0.2 | nodejs-extend: Prototype pollution can allow attackers to modify object properties | extend:3.0.1
Medium | CVE-2021-23362 | hosted-git-info | 2.5.0 | 2.8.9, 3.0.8 | nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() | hosted-git-info:2.5.0
Medium | CVE-2019-10196 | http-proxy-agent | 2.0.0 | 2.1.0 | nodejs-http-proxy-agent: Denial of Service and data leak due to improper buffer sanitization | http-proxy-agent:2.0.0
Medium | GHSA-pc5p-h8pf-mvwp | https-proxy-agent | 2.1.0 | 2.2.3 | Machine-In-The-Middle in https-proxy-agent | https-proxy-agent:2.1.0
Medium | NSWG-ECO-505 | https-proxy-agent | 2.1.0 | >=2.2.3 | Man-in-the-Middle | https-proxy-agent:2.1.0
Medium | CVE-2019-1010266 | lodash | 3.10.1 | 4.17.11 | lodash: uncontrolled resource consumption in Data handler causing denial of service | lodash:3.10.1
Medium | CVE-2020-28500 | lodash | 3.10.1 | 4.17.21 | nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions | lodash:3.10.1
Medium | GHSA-4xcv-9jjx-gfj3 | mem | 1.1.0 | 4.0.0 | Denial of Service in mem | mem:1.1.0
Medium | CVE-2020-7598 | minimist | 0.0.8 | 1.2.3, 0.2.1 | nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload | minimist:0.0.8
Medium | CVE-2020-7598 | minimist | 1.2.0 | 1.2.3, 0.2.1 | nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload | minimist:1.2.0
Medium | CVE-2020-28481 | socket.io | 1.7.4 | 2.4.0 | Insecure defaults due to CORS misconfiguration in socket.io | socket.io:1.7.4
Medium | CVE-2018-7651 | ssri | 4.1.6 | 5.2.2 | index.js in the ssri module before 5.2.2 for Node.js is prone to a reg ... | ssri:4.1.6
Medium | CVE-2018-7651 | ssri | 5.0.0 | 5.2.2 | index.js in the ssri module before 5.2.2 for Node.js is prone to a reg ... | ssri:5.0.0
Medium | CVE-2018-21270 | stringstream | 0.0.5 | 0.0.6 | nodejs-stringstream: out-of-bounds read leading to uninitialized memory exposure | stringstream:0.0.5
Medium | NSWG-ECO-422 | stringstream | 0.0.5 | >=0.0.6 | Out-of-bounds Read | stringstream:0.0.5
Medium | CVE-2019-10795 | undefsafe | 2.0.2 | 2.0.3 | Prototype Pollution in undefsafe | undefsafe:2.0.2
Medium | CVE-2020-7608 | yargs-parser | 7.0.0 | 5.0.1, 13.1.2, 18.1.2, 15.0.1 | nodejs-yargs-parser: prototype pollution vulnerability | yargs-parser:7.0.0
Medium | CVE-2019-15608 | yarn | 1.3.2 | 1.19.0 | yarn: TOCTOU vulnerability leads to cache pollution | yarn:1.3.2
Low | GHSA-2mj8-pj3j-h362 | bin-links | 1.1.0 | 1.1.5 | Symlink reference outside of node_modules in bin-links | bin-links:1.1.0
Low | GHSA-gqf6-75v8-vr26 | bin-links | 1.1.0 | 1.1.5 | Arbitrary File Write in bin-links | bin-links:1.1.0
Low | GHSA-v45m-2wcp-gg98 | bin-links | 1.1.0 | 1.1.6 | Global node_modules Binary Overwrite in bin-links | bin-links:1.1.0
Low | CVE-2017-18869 | chownr | 1.0.1 | 1.1.0 | nodejs-chownr: TOCTOU vulnerability in `chownr` function in chownr.js | chownr:1.0.1
Low | CVE-2017-16137 | debug | 2.2.0 | 3.1.0, 2.6.9 | nodejs-debug: Regular expression Denial of Service | debug:2.2.0
Low | CVE-2017-16137 | debug | 2.3.3 | 3.1.0, 2.6.9 | nodejs-debug: Regular expression Denial of Service | debug:2.3.3
Low | NSWG-ECO-408 | deep-extend | 0.4.2 | >=0.5.1 | deep-extend prototype pollution | deep-extend:0.4.2
Low | CVE-2018-3728 | hoek | 4.2.0 | >=5.0.3, >=4.2.1 | hoek: Prototype pollution in utilities function | hoek:4.2.0
Low | CVE-2018-3721 | lodash | 3.10.1 | >=4.17.5 | lodash: Prototype pollution in utilities function | lodash:3.10.1
Low | CVE-2019-16776 | npm | 5.6.0 | 6.13.3 | npm: Arbitrary file write via constructed entry in the package.json bin field | npm:5.6.0
Low | CVE-2019-16777 | npm | 5.6.0 | 6.13.4 | npm: Global node_modules Binary Overwrite | npm:5.6.0
Low | CVE-2020-15095 | npm | 5.6.0 | 6.14.6 | npm: sensitive information exposure through logs | npm:5.6.0
Low | GHSA-xgh6-85xh-479p | npm-user-validate | 1.0.0 | 1.0.1 | Regular Expression Denial of Service in npm-user-validate | npm-user-validate:1.0.0

Command

ADD file:6edc55fb54ec9fc3658c8f5176a70e792103a516154442f94fed8e0290e4960e in /

Command

CMD ["/bin/sh"]

Command

ENV NODE_VERSION=8.9.4

Command

RUN addgroup -g 1000 node &&
    adduser -u 1000 -G node -s /bin/sh -D node &&
    apk add --no-cache libstdc++ &&
    apk add --no-cache --virtual .build-deps binutils-gold curl g++ gcc gnupg libgcc linux-headers make python &&
    for key in 94AE36675C464D64BAFA68DD7434390BDBE9B9C5 FD3A5288F042B6850C66B31F09FE44734EB7990E 71DCFD284A79C3B38668286BC97EC7A07EDE3FC1 DD8F2338BAE7501E3DD5AC78C273792F7D83545D C4F0DFFF4E8C1A8236409D08E... &&
    curl -SLO "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz" &&
    curl -SLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" &&
    gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc &&
    grep " node-v$NODE_VERSION.tar.xz\$" SHASUMS256.txt | sha256sum -c - &&
    tar -xf "node-v$NODE_VERSION.tar.xz" &&
    cd "node-v$NODE_VERSION" &&
    ./configure &&
    make -j$(getconf _NPROCESSORS_ONLN) &&
    make install &&
    apk del .build-deps &&
    cd .. &&
    rm -Rf "node-v$NODE_VERSION" &&
    rm "node-v$NODE_VERSION.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt
Vulnerable packages, installed in this layer 6 years ago:
cryptiles 3.1.2, deep-extend 0.4.2, https-proxy-agent 2.1.0, json-schema 0.2.3, lodash 3.10.1, minimist 0.0.8, minimist 1.2.0, ansi-regex 3.0.0, dot-prop 4.2.0, fstream 1.0.11, hawk 6.0.2, http-proxy-agent 2.0.0, ini 1.3.4, npm 5.6.0, npm-user-validate 1.0.0, sshpk 1.13.1, tar 2.2.1, tar 4.0.2, y18n 3.2.1, ajv 5.2.3

Command

ENV YARN_VERSION=1.3.2

Command

RUN apk add --no-cache --virtual .build-deps-yarn curl gnupg tar &&
    for key in 6A010C5166006599AA17F08146C2130DFD2497F5 ; do gpg --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys "$key" || gpg --keyserver hkp://ipv4.pool.sks-keyservers.net --recv-keys "$key... &&
    curl -fSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz" &&
    curl -fSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz.asc" &&
    gpg --batch --verify yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz &&
    mkdir -p /opt/yarn &&
    tar -xzf yarn-v$YARN_VERSION.tar.gz -C /opt/yarn --strip-components=1 &&
    ln -s /opt/yarn/bin/yarn /usr/local/bin/yarn &&
    ln -s /opt/yarn/bin/yarn /usr/local/bin/yarnpkg &&
    rm yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz &&
    apk del .build-deps-yarn
Vulnerable package, installed in this layer 6 years ago:
yarn 1.3.2

Command

CMD ["node"]

Command

RUN mkdir -p /app

Command

WORKDIR /app

Command

RUN npm install -g nodemon
Vulnerable packages, installed in this layer 5 years ago:
event-stream 3.3.6, mixin-deep 1.3.1, set-value 0.4.3, set-value 2.0.0, glob-parent 3.1.0, ini 1.3.5, kind-of 6.0.2, undefsafe 2.0.2

Command

RUN npm config set registry https://registry.npmjs.org

Command

COPY file:43e0a041ade3bcdeffbeb035ca3a8a040d2919c9b519dc1add9d227cd412f7f1 in /app/package.json

Command

RUN npm install &&
    npm ls &&
    npm cache clean --force &&
    mv /app/node_modules /node_modules
Vulnerable packages, installed in this layer 5 years ago:
xmlhttprequest-ssl 1.5.3, engine.io 1.8.5, socket.io-parser 2.3.1, socket.io 1.7.4, debug 2.2.0, debug 2.3.3

Command

COPY dir:622a35577483011dcf0c468e19d3b60481cfbc910e178f641e4314d9f7954f1a in /app

Command

ENV PORT=80

Command

EXPOSE 80

Command

CMD ["node" "server.js"]
Default executable script of the image: app/server.js

// Dependencies: express for HTTP, socket.io for pushing live results to
// browsers, pg for the Postgres connection, async.retry for waiting on the
// database to come up.
var express = require('express'),
    async = require('async'),
    pg = require("pg"),
    path = require("path"),
    cookieParser = require('cookie-parser'),
    bodyParser = require('body-parser'),
    methodOverride = require('method-override'),
    app = express(),
    server = require('http').Server(app),
    io = require('socket.io')(server);
// Restrict socket.io to HTTP long polling (no WebSocket upgrade).
io.set('transports', ['polling']);
// PORT=80 is set in the image environment; 4000 is only the fallback.
var port = process.env.PORT || 4000;
io.sockets.on('connection', function (socket) {
  socket.emit('message', { text : 'Welcome!' });
  // Clients may join whatever channel name they send; no validation is done.
  socket.on('subscribe', function (data) {
    socket.join(data.channel);
  });
});
// Retry the database connection up to 1000 times, one second apart, then
// start the polling loop. The connection string carries the credentials:
// user "postgres" on host "db", with no password.
async.retry(
  {times: 1000, interval: 1000},
  function(callback) {
    pg.connect('postgres://postgres@db/postgres', function(err, client, done) {
      if (err) {
        console.error("Waiting for db");
      }
      callback(err, client);
    });
  },
  function(err, client) {
    if (err) {
      return console.error("Giving up");
    }
    console.log("Connected to db");
    getVotes(client);
  }
);
// Poll the vote counts once a second and broadcast them to every connected socket.
function getVotes(client) {
  client.query('SELECT vote, COUNT(id) AS count FROM votes GROUP BY vote', [], function(err, result) {
    if (err) {
      console.error("Error performing query: " + err);
    } else {
      var votes = collectVotesFromResult(result);
      io.sockets.emit("scores", JSON.stringify(votes));
    }
    setTimeout(function() {getVotes(client) }, 1000);
  });
}
// Fold the GROUP BY rows into {a: n, b: m}; any other vote value present in
// the table becomes an extra key in the object.
function collectVotesFromResult(result) {
  var votes = {a: 0, b: 0};
  result.rows.forEach(function (row) {
    votes[row.vote] = parseInt(row.count);
  });
  return votes;
}
app.use(cookieParser());
app.use(bodyParser());
app.use(methodOverride('X-HTTP-Method-Override'));
// Permissive CORS: any origin may call this service with the listed methods.
app.use(function(req, res, next) {
  res.header("Access-Control-Allow-Origin", "*");
  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
  res.header("Access-Control-Allow-Methods", "PUT, GET, POST, DELETE, OPTIONS");
  next();
});
// Static front-end is served from ./views; "/" returns index.html.
app.use(express.static(__dirname + '/views'));
app.get('/', function (req, res) {
  res.sendFile(path.resolve(__dirname + '/views/index.html'));
});
server.listen(port, function () {
  var port = server.address().port;
  console.log('App running on port ' + port);
});
Dynamic Analysis Results
The following graph outlines the most important system events generated by the container:
The container starts a service that renders the following contents over port 80:
The container produces the following text output: