Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
opensearch:2.16.0 and opensearch-dashboards:2.16.0
Describe the issue:
In the latest version of opensearch:2.16.0 & opensearch-dashboards:2.16.0 we found compliance issues and vulnerabilities due to which scans are failing. Find the report below in the log section.
Configuration:
Relevant Logs or Screenshots:
opensearch:2.16.0 Compliance Report

```
+----------+------------------------------------------------------------------------------+-------------------+
| SEVERITY | DESCRIPTION                                                                  | TRIGGERED FAILURE |
+----------+------------------------------------------------------------------------------+-------------------+
| medium   | (CIS_Docker_v1.5.0 - 4.6) Add HEALTHCHECK instruction to the container image | No                |
+----------+------------------------------------------------------------------------------+-------------------+
| medium   | (CIS_Docker_v1.5.0 - 4.8) Remove setuid and setgid permissions in images     | No                |
+----------+------------------------------------------------------------------------------+-------------------+
Compliance found for image opensearch:2.16.0: total - 2, critical - 0, high - 0, medium - 2, low - 0
```
opensearch-dashboards:2.16.0 Vulnerabilities Report

```
+----------------+----------+------+----------------+---------+----------------------------------+------------+------------+----------------------------------------------------+
| CVE            | SEVERITY | CVSS | PACKAGE        | VERSION | STATUS                           | PUBLISHED  | DISCOVERED | DESCRIPTION                                        |
+----------------+----------+------+----------------+---------+----------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-45296 | high     | 7.50 | path-to-regexp | 1.8.0   | fixed in 8.0.0, 6.3.0, 3.3.0,…   | 13 days    | < 1 hour   | path-to-regexp turns path strings into a regular   |
|                |          |      |                |         | 13 days ago                      |            |            | expressions. In certain cases, path-to-regexp will |
|                |          |      |                |         |                                  |            |            | output a regular expression that can be exploited  |
|                |          |      |                |         |                                  |            |            | …                                                  |
+----------------+----------+------+----------------+---------+----------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-45801 | high     | 7.00 | dompurify      | 3.1.2   | fixed in 3.1.3, 2.5.4            | 6 days     | < 1 hour   | A flaw was found in DOMPurify. This issue may      |
|                |          |      |                |         | 6 days ago                       |            |            | allow an attacker to use specially-crafted HTML    |
|                |          |      |                |         |                                  |            |            | to bypass the depth checking or use Prototype      |
|                |          |      |                |         |                                  |            |            | Pollution …                                        |
+----------------+----------+------+----------------+---------+----------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-45801 | high     | 7.00 | dompurify      | 2.4.7   | fixed in 3.1.3, 2.5.4            | 6 days     | < 1 hour   | A flaw was found in DOMPurify. This issue may      |
|                |          |      |                |         | 6 days ago                       |            |            | allow an attacker to use specially-crafted HTML    |
|                |          |      |                |         |                                  |            |            | to bypass the depth checking or use Prototype      |
|                |          |      |                |         |                                  |            |            | Pollution …                                        |
+----------------+----------+------+----------------+---------+----------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-4067  | medium   | 5.30 | micromatch     | 4.0.7   | fixed in 4.0.8                   | > 4 months | < 1 hour   | The NPM package micromatch prior to 4.0.8          |
|                |          |      |                |         | 30 days ago                      |            |            | is vulnerable to Regular Expression Denial of      |
|                |          |      |                |         |                                  |            |            | Service (ReDoS). The vulnerability occurs in       |
|                |          |      |                |         |                                  |            |            | `micromatch.bra…                                   |
+----------------+----------+------+----------------+---------+----------------------------------+------------+------------+----------------------------------------------------+
Vulnerabilities found for image opensearch-dashboards:2.16.0: total - 4, critical - 0, high - 3, medium - 1, low - 0
```
opensearch-dashboards:2.16.0 Compliance Report

```
+----------+------------------------------------------------------------------------------+-------------------+
| SEVERITY | DESCRIPTION                                                                  | TRIGGERED FAILURE |
+----------+------------------------------------------------------------------------------+-------------------+
| high     | Private keys stored in image                                                 | Yes               |
+----------+------------------------------------------------------------------------------+-------------------+
| medium   | (CIS_Docker_v1.5.0 - 4.6) Add HEALTHCHECK instruction to the container image | No                |
+----------+------------------------------------------------------------------------------+-------------------+
| medium   | (CIS_Docker_v1.5.0 - 4.8) Remove setuid and setgid permissions in images     | No                |
+----------+------------------------------------------------------------------------------+-------------------+
Compliance found for image opensearch-dashboards:2.16.0: total - 3, critical - 0, high - 1, medium - 2, low - 0
```