Node.js 1.1.9 vulnerability in elastic docker agent image CVE-2023-4228

miksonx · March 18, 2024, 1:03pm

This issue is related to docker image elastic-agent-complete (8.12.1, 8.12.2)

According the CVE-2023-4228 the Node.js 1.1.9 version is vulnerable.

Description

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Base Score: 9.8 CRITICAL

Please remediate the vulnerability and provide latest image without vulnerability.

georgii · March 18, 2024, 1:39pm

Hi @miksonx, thank you for letting us know. Elastic accepts reports / information about security vulnerabilities in Elastic products via security@elastic.co. Could you please send an email to this address? This would kick off the process of addressing this issue.

system · April 15, 2024, 1:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Vulnerabilities in docker image elasticsearch/elasticsearch:7.17.8 Elasticsearch docker	6	797	February 15, 2023
Fix for CVE-2021-27568 in 8.1.2 Elastic Cloud on Kubernetes (ECK) docker	2	430	May 3, 2022
CVE-2022-1471 Still Applicable in latest 7.* and 8. *, not listed on Security Issues Page Endpoint Security elastic-stack-security	4	876	October 12, 2023
Docker image vulnerabilies Elasticsearch docker	6	1443	July 4, 2019
Elastic image 8.5.3 Vulnerabilities Elasticsearch docker	2	340	February 27, 2023

Node.js 1.1.9 vulnerability in elastic docker agent image CVE-2023-4228

Description

Related topics