Vulnerabilities Without a CVE Not Impacting Pipelines

JFrog Release Information


The following is a list of vulnerabilities that do not have a CVE and that do not impact Pipelines.

| Description | Severity | Pipelines Fix Version | Reason |
| --- | --- | --- | --- |
| Eliminating the security risk of a container escape to a node, which can lead to cluster takeover and expose sensitive data to attackers. | Medium | 1.55 | Restricted the container so that it does not run as a privileged container. |
| Preventing remove-markdown ReDoS (regular expression denial of service). | Medium | 1.23.2 | The ReDoS-vulnerable code now runs with a timeout. |
| Prototype pollution flaw in clean-css 4.2.4 | High | 1.20.2 | Does not affect Pipelines, since clean-css@4.2.4 is a submodule of mjml and Pipelines does not call the vulnerable template function. |
| Prototype pollution flaw in node-forge 0.10.0 | Critical | N/A | Does not affect Pipelines, since neither Pipelines nor win-ca calls the vulnerable debug function. |