Assessment of vulnerabilities in latest ShinyProxy docker image (v3.1.0)

Docker scout finds 45 vulnerabilities in the latest shinyproxy (v3.1.0) docker image. Examples are shown at the bottom of my post.

My questions are:

• Are these vulnerabilities exploitable when using the image only for running ShinyProxy?
  • If not: Do you have tips on how I can improve my own assessment of these vulnerabilities in the future?
• Is it possible to solve these myself by building shinyproxy from source within my own docker image, and updating the system dependencies during the process? Or would you not advise to do that in a production environment?

Many thanks in advance!

Critical vulnerability:

• https://scout.docker.com/vCVE-2024-1597

High risk vulnerabilities

• https://scout.docker.com/v/CVE-2024-22259
• https://scout.docker.com/v/CVE-2024-22243
• https://scout.docker.com/v/CVE-2024-22262
• https://scout.docker.com/v/CVE-2024-22257
• https://scout.docker.com/v/CVE-2024-22234
• https://scout.docker.com/v/CVE-2023-5379
• https://scout.docker.com/v/CVE-2023-5685

Hi

All these CVEs are related to Java, so simply re-building the Docker image will not fix it.
When we release a new version of ShinyProxy, we always make sure to update the Java dependencies. The last release was only a month ago and unfortunately there are already many new CVEs found in the libraries we use. We will soon release a bug fix release in which we will update the dependencies again. Note that we monitor for critical vulnerabilities in the libraries we use, and when needed release a new version of ShinyProxy (e.g. https://shinyproxy.io/downloads/#261 and https://github.com/openanalytics/shinyproxy-operator/releases/tag/v1.0.1 )

I checked the CVEs you listed and I don’t believe there is an immediate risk to ShinyProxy. You can find more info below:

CVE-2024-1597

ShinyProxy is not impacted since we don’t specify preferQueryMode=simple.

CVE-2024-22259 , CVE-2024-22243 , CVE-2024-22262 ,

These are related. In principle ShinyProxy is affected, but I don’t think we use this code path, will be fixed in the next release.

CVE-2024-22257 , CVE-2024-22234

In principle ShinyProxy is affected, but I don’t think we use this code path, will be fixed in the next release.

CVE-2023-5379

Not sure if ShinyProxy is affected since it seems to be only exploitable when using JBoss. Will be fixed in the next release anyway.

CVE-2023-5685

This does not seem exploitable in ShinyProxy. Will be fixed in the next release anyway.