Alpine: multiple miniflux packages: security update to 2.0.43-r0

high Tenable Self-Hosted Container Security Plugin ID 405587

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Miniflux is a feed reader. Prior to version 2.0.43, an unauthenticated user can retrieve Prometheus
metrics from a publicly reachable Miniflux instance where the `METRICS_COLLECTOR` configuration option is
enabled and `METRICS_ALLOWED_NETWORKS` is set to `127.0.0.1/8` (the default). A patch is available in
Miniflux 2.0.43. As a workaround, set `METRICS_COLLECTOR` to `false` (default) or run Miniflux behind a
trusted reverse-proxy. (CVE-2023-27591)

- Miniflux is a feed reader. Since v2.0.25, Miniflux will automatically proxy images served over HTTP to
prevent mixed content errors. When an outbound request made by the Go HTTP client fails, the
`html.ServerError` is returned unescaped without the expected Content Security Policy header added to
valid responses. By creating an RSS feed item with the inline description containing an `<img>` tag with a
`srcset` attribute pointing to an invalid URL like `http:a<script>alert(1)</script>`, we can coerce the
proxy handler into an error condition where the invalid URL is returned unescaped and in full. This
results in JavaScript execution on the Miniflux instance as soon as the user is convinced (e.g. by a
message in the alt text) to open the broken image. An attacker can execute arbitrary JavaScript in the
context of a victim Miniflux user when they open a broken image in a crafted RSS feed. This can be used to
perform actions on the Miniflux instance as that user and gain administrative access to the Miniflux
instance if it is reachable and the victim is an administrator. A patch is available in version 2.0.43. As
a workaround sisable image proxy; default value is `http-only`. (CVE-2023-27592)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-27591

https://security.alpinelinux.org/vuln/CVE-2023-27592

Plugin Details

Severity: High

ID: 405587

Version: Revision 1.33

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2023-27591

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 3/17/2023

Reference Information

CVE: CVE-2023-27591, CVE-2023-27592