Security scanner flagging jar file for upgrade. #554

Open
kramerrs opened this issue Mar 7, 2025 · 3 comments

@kramerrs
kramerrs commented Mar 7, 2025

I am pulling the shinyproxy image:

FROM openanalytics/shinyproxy:3.1.1

In a routine security scan, the scanner printed the following about the shinyproxy.jar file. I am not sure what it means. The versions clearly don't align with anything about ShinyProxy releases. Is it something in the jar file or about the way it was built?

/opt/docker/overlay2/2941cc1d079118aedff759fc1910234ffb1fe3f70fb236c2df574451eb7d0390/merged/opt/shinyproxy/shinyproxy.jar
Installed version : 6.2.4
Fixed version : 6.2.7

@LEDfan
Member

LEDfan commented Mar 21, 2025

Hi, looking at the version number, I expect this flag is about the Spring framework.
We closely follow the Spring security advisories (https://spring.io/security). None of the recent vulnerabilities are related to ShinyProxy. If you have a specific CVE I can provide an explanation.

Nevertheless, we are working on a new release of ShinyProxy that will update all dependencies.

@damianslee

damianslee commented Apr 4, 2025

I'm just trying rshinyproxy for the first time. I use the Trivy vulnerability scanner in my Docker build pipeline. These are the CVEs:

Java (jar)
==========
Total: 12 (HIGH: 11, CRITICAL: 1)
┌─────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│                       Library                       │ Vulnerability  │ Severity │ Status │ Installed Version │                    Fixed Version                     │                            Title                             │
├─────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ com.nimbusds:nimbus-jose-jwt (shinyproxy.jar)       │ CVE-2023-52428 │ HIGH     │ fixed  │ 9.24.4            │ 9.37.2                                               │ nimbus-jose-jwt: large JWE p2c header value causes Denial of │
│                                                     │                │          │        │                   │                                                      │ Service                                                      │
│                                                     │                │          │        │                   │                                                      │ https://avd.aquasec.com/nvd/cve-2023-52428                   │
├─────────────────────────────────────────────────────┼────────────────┤          │        ├───────────────────┼──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ commons-io:commons-io (shinyproxy.jar)              │ CVE-2024-47554 │          │        │ 2.8.0             │ 2.14.0                                               │ apache-commons-io: Possible denial of service attack on      │
│                                                     │                │          │        │                   │                                                      │ untrusted input to XmlStreamReader                           │
│                                                     │                │          │        │                   │                                                      │ https://avd.aquasec.com/nvd/cve-2024-47                      │
├─────────────────────────────────────────────────────┼────────────────┤          │        ├───────────────────┼──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ io.netty:netty-handler (shinyproxy.jar)             │ CVE-2025-24970 │          │        │ 4.1.110.Final     │ 4.1.118.Final                                        │ io.netty:netty-handler: SslHandler doesn't correctly         │
│                                                     │                │          │        │                   │                                                      │ validate packets which can lead to native crash...           │
│                                                     │                │          │        │                   │                                                      │ https://avd.aquasec.com/nvd/cve-2025-24970                   │
├─────────────────────────────────────────────────────┼────────────────┤          │        ├───────────────────┼──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ io.undertow:undertow-core (shinyproxy.jar)          │ CVE-2024-5971  │          │        │ 2.3.13.Final      │ 2.3.15.Final, 2.2.34.Final                           │ undertow: response write hangs in case of Java 17 TLSv1.3    │
│                                                     │                │          │        │                   │                                                      │ NewSessionTicket                                             │
│                                                     │                │          │        │                   │                                                      │ https://avd.aquasec.com/nvd/cve-2024-5971                    │
│                                                     ├────────────────┤          │        │                   ├──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                     │ CVE-2024-6162  │          │        │                   │ 2.3.14.Final, 2.2.33.Final                           │ undertow: url-encoded request path information can be broken │
│                                                     │                │          │        │                   │                                                      │ on ajp-listener                                              │
│                                                     │                │          │        │                   │                                                      │ https://avd.aquasec.com/nvd/cve-2024-6162                    │
│                                                     ├────────────────┤          │        │                   ├──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                     │ CVE-2024-7885  │          │        │                   │ 2.2.36.Final, 2.3.17.Final                           │ undertow: Improper State Management in Proxy Protocol        │
│                                                     │                │          │        │                   │                                                      │ parsing causes information leakage                           │
│                                                     │                │          │        │                   │                                                      │ https://avd.aquasec.com/nvd/cve-2024-7885                    │
├─────────────────────────────────────────────────────┼────────────────┤          │        ├───────────────────┼──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ net.minidev:json-smart (shinyproxy.jar)             │ CVE-2024-57699 │          │        │ 2.5.1             │ 2.5.2                                                │ json-smart: Potential DoS via stack exhaustion (incomplete   │
│                                                     │                │          │        │                   │                                                      │ fix for CVE-2023-1370)                                       │
│                                                     │                │          │        │                   │                                                      │ https://avd.aquasec.com/nvd/cve-2024-57699                   │
├─────────────────────────────────────────────────────┼────────────────┤          │        ├───────────────────┼──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.jboss.xnio:xnio-api (shinyproxy.jar)            │ CVE-2023-5685  │          │        │ 3.8.8.Final       │ 3.8.14.Final                                         │ xnio: StackOverflowException when the chain of notifier      │
│                                                     │                │          │        │                   │                                                      │ states becomes problematically big                           │
│                                                     │                │          │        │                   │                                                      │ https://avd.aquasec.com/nvd/cve-2023-5685                    │
├─────────────────────────────────────────────────────┼────────────────┤          │        ├───────────────────┼──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework.security:spring-security-crypto │ CVE-2025-22228 │          │        │ 6.2.4             │ 6.3.8, 6.4.4, 6.2.10, 6.1.14, 6.0.16, 5.8.18, 5.7.16 │ spring-security-core: Spring Security BCryptPasswordEncoder  │
│ (shinyproxy.jar)                                    │                │          │        │                   │                                                      │ does not enforce maximum password length                     │
│                                                     │                │          │        │                   │                                                      │ https://avd.aquasec.com/nvd/cve-2025-22228                   │
├─────────────────────────────────────────────────────┼────────────────┼──────────┤        │                   ├──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework.security:spring-security-web    │ CVE-2024-38821 │ CRITICAL │        │                   │ 5.7.13, 5.8.15, 6.2.7, 6.0.13, 6.1.11, 6.3.4         │ Spring-WebFlux: Authorization Bypass of Static Resources in  │
│ (shinyproxy.jar)                                    │                │          │        │                   │                                                      │ WebFlux Applications                                         │
│                                                     │                │          │        │                   │                                                      │ https://avd.aquasec.com/nvd/cve-2024-38821                   │
├─────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-webmvc (shinyproxy.jar)  │ CVE-2024-38816 │ HIGH     │        │ 6.1.8             │ 6.1.13                                               │ spring-webmvc: Path Traversal Vulnerability in Spring        │
│                                                     │                │          │        │                   │                                                      │ Applications Using RouterFunctions and FileSystemResource    │
│                                                     │                │          │        │                   │                                                      │ https://avd.aquasec.com/nvd/cve-2024-38816                   │
│                                                     ├────────────────┤          │        │                   ├──────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                     │ CVE-2024-38819 │          │        │                   │ 6.1.14                                               │ org.springframework:spring-webmvc: Path traversal            │
│                                                     │                │          │        │                   │                                                      │ vulnerability in functional web frameworks                   │
│                                                     │                │          │        │                   │                                                      │ https://avd.aquasec.com/nvd/cve-2024-38819                   │
└─────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────────┘
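The scanner output above attributes each finding to a library nested inside shinyproxy.jar, which is why the first post saw a version (6.2.4) that belongs to no ShinyProxy release. The following added example, not code from the ShinyProxy project, shows how to map such a reported version back to the bundled artifact yourself: it walks the nested jars of a Spring Boot fat jar (assumed layout: dependencies under BOOT-INF/lib/) and reads each one's Maven pom.properties. The sample fat jar it inspects is constructed inline and is not the real image's jar.

```python
import io
import zipfile

def pom_coordinates(jar_bytes):
    """Return (groupId, artifactId, version) from every META-INF/maven/**/pom.properties in a jar."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.lstrip().startswith("#"):  # skip the Maven comment header
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"} <= set(props):
                found.append((props["groupId"], props["artifactId"], props["version"]))
    return found

def bundled_dependencies(fat_jar_bytes):
    """Map 'groupId:artifactId' -> version for each nested BOOT-INF/lib/*.jar (assumed Spring Boot layout)."""
    deps = {}
    with zipfile.ZipFile(io.BytesIO(fat_jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("BOOT-INF/lib/") and name.endswith(".jar"):
                for group, artifact, version in pom_coordinates(zf.read(name)):
                    deps[f"{group}:{artifact}"] = version
    return deps

def explain_finding(deps, reported_version):
    """Which bundled artifacts carry the version a scanner reported against the outer jar?"""
    return sorted(k for k, v in deps.items() if v == reported_version)

def make_jar(entries):
    """Build an in-memory jar from {path: bytes-or-str}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()

# Constructed sample fat jar, not the real shinyproxy.jar: two nested dependency jars
SAMPLE_FAT_JAR = make_jar({
    "BOOT-INF/lib/spring-security-crypto-6.2.4.jar": make_jar({
        "META-INF/maven/org.springframework.security/spring-security-crypto/pom.properties":
            "#Generated by Maven\nversion=6.2.4\ngroupId=org.springframework.security\nartifactId=spring-security-crypto\n"}),
    "BOOT-INF/lib/commons-io-2.8.0.jar": make_jar({
        "META-INF/maven/commons-io/commons-io/pom.properties":
            "groupId=commons-io\nartifactId=commons-io\nversion=2.8.0\n"}),
})
```

To check a real image, run bundled_dependencies on the bytes of the extracted shinyproxy.jar and pass the scanner's "Installed version" to explain_finding.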

@damianslee

Most organizations have a remediation policy of 10 days for Critical and 30 days for High, regardless of whether it could never happen.
I know this is open source, so I have lower expectations. When time permits.
The Critical one is 4+ months old.
