Apply template

XML

Word

Printable

Details

Type: Work Item
Resolution: Done
Priority: Critical
Fix Version/s: 1.50.0
Affects Version/s: None
Component/s: remote-engine-customizer, starter, tsbi
Labels:
- CVE
- changelog
- cve

Epic Link:
Security update
GreenHopper Ranking:
0|i2jsjf:
GreenHopper Ranking (Obsolete):
9223372036854775807

Description

Remote Code Execution in Talend/component-runtime (master)

Issue Details

Vulnerability: Remote Code Execution
Severity: High
Project: Talend/component-runtime
Branch: master
Scan Date: Unknown

Issue Description

com.google.cloud.tools:jib-core is vulnerable to remote code execution. The executables are run without verifying whether the provided docker path is accurate, which allows a remote attacker to upload and execute malicious code via the vulnerable `isDockerInstalled` function.

View more details

We need to keep remote-engine-customizer using jib for the docker layers handling.

component-starter-server will move to TSBI (see linked issues).

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Screen Shot 2022-09-26 at 11.41.12.png
26/Sep/22 5:41 AM
803 kB
Wei Wang
Screen Shot 2022-09-26 at 11.42.53.png
26/Sep/22 5:43 AM
765 kB
Wei Wang

Issue Links

is related to

TCOMP-2274 Move component-starter-server to TSBI

Done

Activity

People

Assignee:: emmanuel gallois

Reporter:: Wei Wang

Fixed by:: emmanuel gallois, Yueyan Yin

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Due:: 24/Oct/2022

Created:: 26/Sep/22 5:40 AM

Updated:: 17/Oct/22 2:10 PM

Resolved:: 17/Oct/22 2:10 PM