We found that there is a security vulnerability in the Dockerfile we are using.
The security vulnerability scan detected the following:
| CVE-2024-5535 | critical | 0.00 | openssl | 3.0.13-1~deb12u1 | openssl: SSL_select_next_proto buffer overread |
Here is the Dockerfile I am using:

```dockerfile
FROM node:22.1.0
# Update system packages
RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get install -y libexpat1 imagemagick git python3.11 sqlite3 libncurses5-dev libncursesw5-dev && \
    apt-get remove --purge --auto-remove -y openssh-client:amd64
# Remove vulnerable packages
RUN apt-get remove --purge --auto-remove -y libexpat1 imagemagick git python3.11 sqlite3 wget
# Additional cleanup
RUN apt-get autoremove -y && apt-get clean
# Install npm dependencies and build the application
RUN npm config set registry https://******/artifactory/api/npm/npm-virtual
RUN npm update -g
RUN npm install && npm run build
# Set the entry point
ENTRYPOINT [ "npm" , "run", "start" ]
```
Please suggest if there is a fix for CVE-2024-5535 specifically for node:22.1.0.

I tried changing

```
apt-get install -y libexpat1 imagemagick git python3.11 sqlite3 libncurses5-dev libncursesw5-dev
```

to

```
apt-get install -y libexpat1 imagemagick git python3.11 sqlite3 libncurses5-dev libncursesw5-dev bash ssh curl &&
```

But it didn’t work.