Security Vulnerabilities

[macmillernz]

The docker image is full of high severity vulnerabilities. I like Zoraxy and where it's headed but it IS NOT safe for the internet.
Is there any plan to fix this?

[tobychui]

You mean the docker base image or the Zoraxy project itself?

[PassiveLemon]

According to Docker Scout, Zoraxy (and/or it's dependencies) introduced these CVEs:
GHSA-m425-mq94-257g
CVE-2023-44487
GMS-2023-3788
CVE-2024-24786

As far as whats recorded for these, they introduce DOS attack vectors. While obviously not desirable, aren't exactly major vulnerability concerns.

There are some more introduced by the Alpine base image but those can be resolved by updating package versions in the image.

@macmillernz What did you use to discover these vulnerabilities?

[macmillernz]

I've used trivy and anchore which both show several critical and high vulnerabilities.
And most recently Snyk, where I scanned zoraxydocker/zoraxy and passivelemon/zoraxy-docker.

[PassiveLemon]

passivelemon/zoraxy-docker is deprecated. That's where I originally published before I became an official maintainer for the Docker image.

[macmillernz]

Good to know. The Unraid template still points to the passivelemon image fyi.

[AzAel76]

The unraid template was published by IBRACORP and hasn't been updated since last year.
I had to modify it to get the 3.xx versions working, I've spoken to those guys before, maybe I can poke them to update the template.