Node-red image v3.1.6 has vulnerabilities (jQuery and jQuery UI)

[OlgasAcc]

The latest version includes dependencies of insecure versions:
jQuery current v3.4.1:
NVD URL :
https://nvd.nist.gov/vuln/detail/CVE-2020-11023,
https://nvd.nist.gov/vuln/detail/CVE-2020-23064,
https://nvd.nist.gov/vuln/detail/CVE-2020-11022
Fix Version : 3.5.0

jQuery UI current - v1.12.1:
NVD URL :
https://nvd.nist.gov/vuln/detail/CVE-2021-41182,
https://nvd.nist.gov/vuln/detail/CVE-2022-31160,
https://nvd.nist.gov/vuln/detail/CVE-2021-41184,
https://nvd.nist.gov/vuln/detail/CVE-2021-41183,
https://nvd.nist.gov/vuln/detail/CVE-2021-41182
Fix Version : 1.13.0

Please upgrade if possible.

[hardillb]

@dceejay can you transfer this to the node-red/node-red project where it belongs please

[knolleary]

@OlgasAcc Node-RED 3.1.x already includes jQuery 3.5.1 and jQuery UI 1.13.2

What leads you to think the older versions are included? You originally raised this issue in the docker repo - were you maybe running an older version? Looking at the history, I think 3.0 contained the vulnerable versions at one point.

[OlgasAcc]

@knolleary I've checked it this way:

• pull/build the Node-Red image locally: node-red:3.1.6-18-minimal (AFAIK the latest version)
• run docker container
• run docker exec
• check the JQuery js and JQuery UI versions:

These paths were mentioned by our Aqua Security scanner that detected the vulnerabilities.

[dceejay]

I think gridstack is part of the dashboard v1 node not the core of node-red.
But when I look at that - even that can pull in jQuery 3* so it should pull in 3.7 though indeed that is is in the dist package - so I don't think it is actually using it - so you can delete both of those jQuery files in that dist directory.

Maybe time to move to dashboard v2 ?

[knolleary]

I have just pulled nodered/node-red:3.1.6-18-minimal and examined the contents.

It does not contain /usr/src/node-red/node_modules/gridstack

As @dceejay says, this is likely because you have installed node-red-dashboard which includes gridstack.

[hardillb]

gridstack is not in the minimal container

[hardillb@razor-crest ~]$ docker pull nodered/node-red:3.1.6-18-minimal 
3.1.6-18-minimal: Pulling from nodered/node-red
4abcf2066143: Pull complete 
e7ced292c644: Pull complete 
b32c0114bba5: Pull complete 
f3748d9674b0: Pull complete 
1ce26d5df68b: Pull complete 
827eec612788: Pull complete 
aa9d689533b2: Pull complete 
4f4fb700ef54: Pull complete 
1171bcaae2d1: Pull complete 
b253f0b66d18: Pull complete 
8162d6d3d3d4: Pull complete 
3008212f1eb4: Pull complete 
65db916bc949: Pull complete 
c2252255935b: Pull complete 
da8dfa626859: Pull complete 
371ec4f12731: Pull complete 
4491820f8bd0: Pull complete 
Digest: sha256:f7d1a7b07aefab45c5600b8ae8319bcba091061b4b209225ed4e4be4761bbb4b
Status: Downloaded newer image for nodered/node-red:3.1.6-18-minimal
docker.io/nodered/node-red:3.1.6-18-minimal
[hardillb@razor-crest ~]$ docker run --rm -it --entrypoint /bin/sh nodered/node-red:3.1.6-18-minimal 
~ $ cd /usr/src/node-red/node_modules/
~/node_modules $ ls grid*
ls: grid*: No such file or directory
~/node_modules $ 

[OlgasAcc]

@knolleary, @dceejay yes, we install node-red-dashboard by running "npm install node-red-dashboard" in the Dockerfile, the current version is 3.6.2 (latest):

So you say the dashboard is not really using the JQuery js and UI versions mentioned in the files, right? But why these files are placed under /dist once the dashboard installed?

[dceejay]

they are included in the gridlock build - so just get dragged in automatically.
I have added a script to remove them in v3.6.3

[OlgasAcc]

@dceejay thanks, I've re-created node-red image using Dockerfile and re-installed node-red-dashboard by running "npm install node-red-dashboard@3.6.3".
The files /usr/src/node-red/node_modules/gridstack/dist/jquery.js
and
/usr/src/node-red/node_modules/gridstack/dist/jquery-ui.js, jquery-ui.min.js are still existing.

[dceejay]

Aargh - yes - deleted on packaging... not at install where it needs to be...

now refixed in v3.6.5

[OlgasAcc]

@dceejay thanks a lot, works good now!