Docker-nginx: Security vulnerabilities in nginx:1.19.9

Created on 8 Apr 2021  路  3Comments  路  Source: nginxinc/docker-nginx

There are a few security vulnerabilities in the Debian based image.
These can be solved by updating curl/libcurl4 to the latest version.

Most helpful comment

Thanks to great folk over at docker-library, nginx:1.19.9 now ships with an updated libcurl/curl, so this can be closed:

$ docker run -ti --rm nginx:1.19.9 dpkg -l curl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version          Architecture Description
+++-==============-================-============-=======================================================
ii  curl           7.64.0-4+deb10u2 amd64        command line tool for transferring data with URL syntax

All 3 comments

nginx:1.19.9 (debian 10.9)
==========================
Total: 16 (UNKNOWN: 0, LOW: 4, MEDIUM: 2, HIGH: 10, CRITICAL: 0)

+----------+------------------+----------+-------------------+------------------+---------------------------------------+
| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |  FIXED VERSION   |                 TITLE                 |
+----------+------------------+----------+-------------------+------------------+---------------------------------------+
| curl     | CVE-2020-8169    | HIGH     | 7.64.0-4+deb10u1  | 7.64.0-4+deb10u2 | libcurl: partial password             |
|          |                  |          |                   |                  | leak over DNS on HTTP redirect        |
|          |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2020-8169  |
+          +------------------+          +                   +                  +---------------------------------------+
|          | CVE-2020-8177    |          |                   |                  | curl: Incorrect argument              |
|          |                  |          |                   |                  | check can allow remote servers        |
|          |                  |          |                   |                  | to overwrite local files...           |
|          |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2020-8177  |
+          +------------------+          +                   +                  +---------------------------------------+
|          | CVE-2020-8231    |          |                   |                  | curl: Expired pointer                 |
|          |                  |          |                   |                  | dereference via multi API with        |
|          |                  |          |                   |                  | `CURLOPT_CONNECT_ONLY` option set     |
|          |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2020-8231  |
+          +------------------+          +                   +                  +---------------------------------------+
|          | CVE-2020-8285    |          |                   |                  | curl: malicious FTP server can        |
|          |                  |          |                   |                  | trigger stack overflow when           |
|          |                  |          |                   |                  | CURLOPT_CHUNK_BGN_FUNCTION            |
|          |                  |          |                   |                  | is used...                            |
|          |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2020-8285  |
+          +------------------+          +                   +                  +---------------------------------------+
|          | CVE-2020-8286    |          |                   |                  | curl: inferior OCSP verification      |
|          |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2020-8286  |
+          +------------------+----------+                   +                  +---------------------------------------+
|          | CVE-2021-22876   | MEDIUM   |                   |                  | curl: Leak of authentication          |
|          |                  |          |                   |                  | credentials in URL                    |
|          |                  |          |                   |                  | via automatic Referer                 |
|          |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2021-22876 |
+          +------------------+----------+                   +                  +---------------------------------------+
|          | CVE-2020-8284    | LOW      |                   |                  | curl: dangerous nature                |
|          |                  |          |                   |                  | of PASV command could                 |
|          |                  |          |                   |                  | be used to make curl...               |
|          |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2020-8284  |
+          +------------------+          +                   +                  +---------------------------------------+
|          | CVE-2021-22890   |          |                   |                  | curl: TLS 1.3 session ticket          |
|          |                  |          |                   |                  | mix-up with HTTPS proxy host          |
|          |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2021-22890 |
+----------+------------------+----------+                   +                  +---------------------------------------+
| libcurl4 | CVE-2020-8169    | HIGH     |                   |                  | libcurl: partial password             |
|          |                  |          |                   |                  | leak over DNS on HTTP redirect        |
|          |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2020-8169  |
+          +------------------+          +                   +                  +---------------------------------------+
|          | CVE-2020-8177    |          |                   |                  | curl: Incorrect argument              |
|          |                  |          |                   |                  | check can allow remote servers        |
|          |                  |          |                   |                  | to overwrite local files...           |
|          |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2020-8177  |
+          +------------------+          +                   +                  +---------------------------------------+
|          | CVE-2020-8231    |          |                   |                  | curl: Expired pointer                 |
|          |                  |          |                   |                  | dereference via multi API with        |
|          |                  |          |                   |                  | `CURLOPT_CONNECT_ONLY` option set     |
|          |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2020-8231  |
+          +------------------+          +                   +                  +---------------------------------------+
|          | CVE-2020-8285    |          |                   |                  | curl: malicious FTP server can        |
|          |                  |          |                   |                  | trigger stack overflow when           |
|          |                  |          |                   |                  | CURLOPT_CHUNK_BGN_FUNCTION            |
|          |                  |          |                   |                  | is used...                            |
|          |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2020-8285  |
+          +------------------+          +                   +                  +---------------------------------------+
|          | CVE-2020-8286    |          |                   |                  | curl: inferior OCSP verification      |
|          |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2020-8286  |
+          +------------------+----------+                   +                  +---------------------------------------+
|          | CVE-2021-22876   | MEDIUM   |                   |                  | curl: Leak of authentication          |
|          |                  |          |                   |                  | credentials in URL                    |
|          |                  |          |                   |                  | via automatic Referer                 |
|          |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2021-22876 |
+          +------------------+----------+                   +                  +---------------------------------------+
|          | CVE-2020-8284    | LOW      |                   |                  | curl: dangerous nature                |
|          |                  |          |                   |                  | of PASV command could                 |
|          |                  |          |                   |                  | be used to make curl...               |
|          |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2020-8284  |
+          +------------------+          +                   +                  +---------------------------------------+
|          | CVE-2021-22890   |          |                   |                  | curl: TLS 1.3 session ticket          |
|          |                  |          |                   |                  | mix-up with HTTPS proxy host          |
|          |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2021-22890 |
+----------+------------------+----------+-------------------+------------------+---------------------------------------+

Thanks for the report @lucacome !

We don't have much control over the rebuilds at docker hub so I'm not sure about the timeline it can get fixed for 1.19.9.

However we're planning to release nginx 1.19.10 next Tuesday, so hopefully 1.19.10-based images will arrive around Wednesday 13th and they will have a fixed curl version installed.

Thanks to great folk over at docker-library, nginx:1.19.9 now ships with an updated libcurl/curl, so this can be closed:

$ docker run -ti --rm nginx:1.19.9 dpkg -l curl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version          Architecture Description
+++-==============-================-============-=======================================================
ii  curl           7.64.0-4+deb10u2 amd64        command line tool for transferring data with URL syntax
Was this page helpful?
0 / 5 - 0 ratings