Update IP package in Node to 2.0.1 (CVE-2023-42282) #3245
Labels
bug
Something isn't working
Comments
|
It seems that both the action-runner images (v2.314.1 and possibly v2.315.0, if details haven't changed) are still facing the CVE-2023-42282 vulnerability associated with the 'ip' package. The 'ip' package version remains below 2.0.1, making it vulnerable. Could you help us address this issue? |
|
Yes, I too found this issue. Waiting for response |
|
The latest release 2.319.0 still has the issue on node16 has the ip 2.0.0 with the cve |
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
The provided Node package (externals/nodeXX) contains the node-ip version
<2.0.1which might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic. (https://nvd.nist.gov/vuln/detail/CVE-2023-42282)When action-runner is deployed as ECS task this is reported as a finding/vulnerability
Runner Version and Platform
3.15.0 Linux (probably all other platforms as well)
The text was updated successfully, but these errors were encountered: