From 20da6c6aef1b47eed97b796fc77d80cfa7f5bfca Mon Sep 17 00:00:00 2001
From: subratadeypappu
Date: Mon, 15 Sep 2025 17:14:16 +0600
Subject: [PATCH] fix: CVE-2024-38821 (#41221)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Description

**Before:**

The appsmith-ce release image contains the CVE-2024-38821 critical vulnerability.

Screenshot 2025-09-12 at 1 41 00 PM

[cves_report_ce.json](https://github.com/user-attachments/files/22292789/cves_report_ce.json)

**After:**

The current DP image doesn't contain CVE-2024-38821 after removing the pg build from the server.

Screenshot 2025-09-12 at 1 40 36 PM

[cves_41221.txt](https://github.com/user-attachments/files/22292798/cves_41221.txt)

Fixes CVE-2024-38821

## Automation

/ok-to-test tags="@tag.Sanity"

### :mag: Cypress test results

> [!TIP]
> 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
> Workflow run:
> Commit: 959d97e926357bfcd1e0aec32a9127be5b8df403
> Cypress dashboard.
> Tags: `@tag.Sanity`
> Spec:
>
> Mon, 15 Sep 2025 08:39:53 UTC

## Communication

Should the DevRel and Marketing teams inform users about this change?

- [ ] Yes
- [x] No

## Summary by CodeRabbit

* **Chores**
  * Removed PostgreSQL support from build artifacts; only the MongoDB edition is produced going forward.
  * Updated Docker validation to require only the MongoDB server jar; error message reflects this change.
  * Simplified artifact preparation by removing PostgreSQL image extraction and related steps.
  * Maintains existing exit-on-failure behavior; successful MongoDB paths are unchanged.
  * No changes to runtime behavior for MongoDB users.

---
 Dockerfile                          |  4 ++--
 scripts/prepare_server_artifacts.sh | 16 +++++++---------
 2 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/Dockerfile b/Dockerfile index 3686f08599..e369088735 100644 --- a/Dockerfile +++ b/Dockerfile @@ -25,8 +25,8 @@ RUN <&2 + if ! [ -f server/mongo/server.jar ]; then + echo "Missing MongoDB server.jar file. Are you using the build script?" >&2 exit 1 fi END diff --git a/scripts/prepare_server_artifacts.sh b/scripts/prepare_server_artifacts.sh index d389508447..d60f906d02 100755 --- a/scripts/prepare_server_artifacts.sh +++ b/scripts/prepare_server_artifacts.sh
@@ -9,20 +9,18 @@ if [[ -z "${EDITION-}" ]]; then fi fi -PG_TAG="${PG_TAG-pg}" -echo "Will be copying pg server artifacts from appsmith-$EDITION:$PG_TAG" +echo "Building server artifacts for $EDITION edition (PostgreSQL support removed)" target="deploy/docker/fs/opt/appsmith/server" mkdir -p "$target" rm -rf "$target"/{pg,mongo} +# Build MongoDB server artifacts cp -r "app/server/dist" "$target/mongo" mv "$target/mongo"/server-*.jar "$target/mongo/server.jar" -# Grab PostgreSQL server artifacts from Docker image. -image="appsmith/appsmith-$EDITION:$PG_TAG" -docker run --name xx --detach --entrypoint sleep "$image" infinity -docker cp xx:/opt/appsmith/server/pg "$target/pg" -docker cp xx:/opt/appsmith/info.json "$target/pg/source-info.json" -docker rm --force xx -docker image rm "$image" \ No newline at end of file +# PostgreSQL support has been removed - no more vulnerable artifacts +# This eliminates CVE-2024-38821 from the Docker image +echo "✅ MongoDB artifacts prepared successfully" +echo "🗑️ PostgreSQL artifacts skipped (CVE-2024-38821 eliminated)" +echo "📁 Only MongoDB artifacts: $target/mongo/"
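Review bot: in the Dockerfile hunk, the new check only asserts that `server/mongo/server.jar` exists, while the whole point of this change is that the `server/pg` tree no longer ships in the image. Consider also failing the build when that directory is present, for example `if [ -e server/pg ]; then echo "Unexpected server/pg directory in image" >&2; exit 1; fi`, so a stale or re-added PostgreSQL artifact cannot pass validation silently and the CVE scan stays clean by construction rather than by luck. The message "Are you using the build script?" would also be more actionable if it named `scripts/prepare_server_artifacts.sh`.

Review bot: in the prepare_server_artifacts.sh hunk, the closing comment and echo lines hard-code a security claim into a build script ("PostgreSQL support has been removed - no more vulnerable artifacts", "🗑️ PostgreSQL artifacts skipped (CVE-2024-38821 eliminated)"); a line printed on every run cannot verify anything and will read as stale the next time a scanner flags the image. Suggest keeping the CVE reference in the commit message and reducing the script output to something like `echo "Server artifacts prepared in $target/mongo"`. Two smaller points: `rm -rf "$target"/{pg,mongo}` is rightly kept, since it clears any pg directory left by earlier builds, but a short comment saying so would stop the next reader from assuming the pg removal was left half-done; and because `PG_TAG` is no longer read, callers that still export it now get no warning, which is worth a note in the script header or the PR description.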