High Severity Vulnerability: CVE-2024-21538 in hydrogen-alpine

[Appstute-Arati]

CVE ID: CVE-2024-21538
Severity: High
Affected Module: hydrogen-alpine
Description: The vulnerability allows an attacker to exploit an insecure configuration or flaw in the container to gain unauthorized access, escalate privileges, or execute arbitrary code remotely.

Recommendations:

1. Upgrade to the latest version of hydrogen-alpine where the issue has been fixed.
2. Patch the vulnerability by updating affected components in the container (e.g., dependencies).

References:

• CVE-2024-21538
• Related advisory or patch from the maintainers, if any.

[fossdd]

There is no hydrogen-alpine package in Alpine Linux. Which package do you mean?

[appstute]

this one - https://github.com/nodejs/docker-node/blob/e3a1285ed07039b9f6552ccec49a469a052fd0c6/18/alpine3.20/Dockerfile

[fossdd]

Thanks, the fix was in the pipeline since yesterday and is now merged and should be available by now on your mirror.

[Appstute-Arati]

Thanks, It is still showing 1 high vulnerability. Could it be taking some time to update? - https://hub.docker.com/layers/library/node/hydrogen-alpine/images/sha256-7000d2e73f938c4f62fdda6d398d7dffd50e6c129409ae2b1a36ccebf9289ffe?context=explore

[Appstute-Arati]

Any update on above?

[fossdd]

The people responsible for the docker image is the NodeJS team, please reach out to them.