PoC: GitHub security advisories and vulnerability database #90
Comments
- Create data model, entry as GitHubAdvisories.java
- Add associated data model classes
- Add helper query templates first_run_template and next_page_run_template
- Add a data provider VulnerabilitiesFromGitHubAdvisories.java

This fixes SAP#90
POC outcome

There are 33 vulnerabilities that are not associated with any CVE from the NVD database. This can be the delta between the Security Advisory Database and the NVD database. That means gathering vulnerabilities from the Security Advisory Database makes sense. The 33 vulnerabilities are listed below.

GhsaId : GHSA-7fhm-mqm4-2wp7

In order to provide accurate advisory information, new advisories were created:
GhsaId : GHSA-6chw-6frg-f759

GhsaId : GHSA-mr6r-mvw4-736g

Earlier today, we received a responsible disclosure of a potential issue from @montyly (security researcher at @trailofbits) for Vyper users who make assumptions about what values certain interface types can return.

Impact

We determined the issue to be mild and unlikely to be exploited, with an easy workaround while the correct resolution is in process. The issue stems from a number of things, which we will detail here.

(1) The ABI Specification is under-defined such that function return type is not always reflected in how you use it. This means that a function which returns

(2) Vyper doesn't have When Vyper was originally created, it only had one numeric type, but we added just enough types to be able to work with the majority of ERC interfaces that exist. Unfortunately, we never added

(3)
In summary, because of (1), it isn't necessary to have to cast the return value of a function that returns

Patches

We are currently refactoring our typing system so we can implement all ABI-compliant integer types, but no currently patched version is available that gives users access to the

Workarounds

There is an easy workaround where you should check that the value returned by an interface which specifies ...

```vyper
# returns uint8, but we implicitly cast to uint256 without checking
decimals: uint256 = ERC20(_token).decimal()
# FIX: Insert this line
assert decimals < 256
```

... Depending on how you use this value, it may not be necessary to insert this check.

References

For more information

If you have any questions or comments about this advisory:
GhsaId : GHSA-vg44-fw64-cpjx

Anybody using this library to sign with a BIP44 account other than the first account may be affected. If a user is signing with the first account (i.e. the account at index

The vulnerability impacts cases where the user signs a personal message or transaction without first adding the account. This includes cases where the user has already added the account in a previous session (i.e. they added the account, reset the application, then signed something). The serialization/deserialization process does restore a previously added account, but it doesn't restore the index instructing the keyring to use that account for signing. As a result, after serializing then deserializing the keyring state, the account at index

Patches

This has been patched (#14) in version >=0.2.1 of

Workarounds

To work around this problem without updating, you should remove then re-add the account before use. As long as the account was added during the lifetime of that process, signing with that account should work correctly.

For more information

If you have any questions or comments about this advisory:
GhsaId : GHSA-pcqq-5962-hvcw

Patches

Please update

For more information

Reported in

GhsaId : GHSA-p94w-42g3-f7h4

The verifier is impacted by this vulnerability.

Patches

Patch will be available in version 0.2.2.

Workarounds

In case you trust certain issuers for certain credentials as a verifier, trust the issuer's public key from the

References

For more information

If you have any questions or comments about this advisory:

GhsaId : GHSA-ff5x-w9wg-h275

The verifier is impacted by this vulnerability.

Patches

Patch will be available in version 0.2.2.

Workarounds

References

For more information

If you have any questions or comments about this advisory:
GhsaId : GHSA-9r27-994c-4xch

Patches

This has been patched in version 2.3.1

Workarounds

Escape the characters

References

brussell98/discord-markdown#13

GhsaId : GHSA-27gm-ghr9-4v95

Patches

This vulnerability has been patched in TinyMCE 4.9.7 and 5.1.4 by improved parser logic and HTML sanitization.

Workarounds

The workarounds available are:

Example: Manually sanitize content

```javascript
editor.on('BeforeSetContent', function(e) {
  var sanitizedContent = ...; // Manually sanitize content here
  e.content = sanitizedContent;
});
```

Acknowledgements

Tiny Technologies would like to thank Michal Bentkowski for discovering this vulnerability.

References

https://www.tiny.cloud/docs/release-notes/release-notes514/#securityfixes

For more information

If you have any questions or comments about this advisory:
GhsaId : GHSA-2r3v-q9x3-7g46

Description

The following scripts were not checking the URLs obtained via the HTTP request before displaying them as the target of links that the user may click on:

The issue allowed attackers to display links targeting a malicious website inside a trusted site running SimpleSAMLphp, due to the lack of security checks involving the

Affected versions

All SimpleSAMLphp versions prior to 1.14.4.

Impact

A remote attacker could craft a link pointing to a trusted website running SimpleSAMLphp, including a parameter pointing to a malicious website, and try to fool the victim into visiting that website by clicking on a link in the page presented by SimpleSAMLphp.

Resolution

Upgrade to the latest version.

Credit

This security issue was discovered and reported by John Page (hyp3rlinx).

GhsaId : GHSA-769f-539v-f5jg

We have identified that some gamification module ZIP archives have been built with phpunit dev dependencies. PHPUnit contains a php script that would allow, on a webserver, an attacker to perform a RCE. This vulnerability impacts
You can read PrestaShop official statement about this vulnerability here.

Patches

In the security patch, we look for the unwanted vendor/phpunit folder and remove it if we find it. This allows users to fix the security issue when upgrading.

Workarounds

Users can also simply remove the unwanted vendor/phpunit folder.

References

https://nvd.nist.gov/vuln/detail/CVE-2017-9841

For more information

If you have any questions or comments about this advisory, email us at [email protected]

GhsaId : GHSA-wqq8-mqj9-697f

We have identified that some autoupgrade module ZIP archives have been built with phpunit dev dependencies. PHPUnit contains a php script that would allow, on a webserver, an attacker to perform a RCE. This vulnerability impacts

You can read PrestaShop official statement about this vulnerability here.

Patches

In the security patch, we look for the unwanted vendor/phpunit folder and remove it if we find it. This allows users to fix the security issue when upgrading.

Workarounds

Users can also simply remove the unwanted vendor/phpunit folder.

References

https://nvd.nist.gov/vuln/detail/CVE-2017-9841

For more information

If you have any questions or comments about this advisory, email us at [email protected]

GhsaId : GHSA-f884-gm86-cg3q

We have identified that some ps_facetedsearch module ZIP archives have been built with phpunit dev dependencies. PHPUnit contains a php script that would allow, on a webserver, an attacker to perform a RCE. This vulnerability impacts

Patches

In the security patch, we look for the unwanted vendor/phpunit folder and remove it if we find it. This allows users to fix the security issue when upgrading.

Workarounds

Users can also simply remove the unwanted vendor/phpunit folder.

References

https://nvd.nist.gov/vuln/detail/CVE-2017-9841

For more information

If you have any questions or comments about this advisory, email us at [email protected]

GhsaId : GHSA-4ppp-gpcr-7qf6

Waitress would header fold a double So a request with:

would get transformed to:

Which would Waitress would then internally set to Waitress would then treat the request as having no body, thereby treating the body of the request as a new request in HTTP pipelining.

Patches

This issue is fixed in Waitress 1.4.0. This brings a range of changes to harden Waitress against potential HTTP request confusions, and may change the behaviour of Waitress behind non-conformist proxies. The Pylons Project recommends upgrading as soon as possible, while validating that the changes in Waitress don't cause any changes in behavior.

Workarounds

Various reverse proxies may have protections against sending potentially bad HTTP requests to the backend, and/or hardening against potential issues like this. If the reverse proxy doesn't use HTTP/1.1 for connecting to the backend, issues are also somewhat mitigated, as HTTP pipelining does not exist in HTTP/1.0 and Waitress will close the connection after every single request (unless the Keep-Alive header is explicitly sent... so this is not a foolproof security method).

Issues/more security issues:
GhsaId : GHSA-4j6x-w426-6rc6

Impact

All Cube.js deployments that use affected versions of

Patches

@cubejs-backend/[email protected]

Workarounds

Override default authentication express middleware: https://cube.dev/docs/@cubejs-backend-server-core#options-reference-check-auth-middleware

For more information

If you have any questions or comments about this advisory:

DatabaseId : 1767 GhsaId : GHSA-7cg8-pq9v-x98q

Impact

The realms-shim is intended to provide a "safe evaluator" which executes arbitrary strings of code with limited authority. This provides a "sandbox" which only has access to the specific objects and power that the caller chooses to expose. The

A bug was found in the transformation pipeline that exposed a primal-Realm object to one of the transform functions. The confined code could use this to escape the sandbox and compromise the Realm which created it. This generally leads to a full compromise of the application. All uses of the Realms shim that evaluate unaudited third-party code are vulnerable.

Patches

The bug is fixed in the 1.2.1 version of

Workarounds

The

References

For more information

If you have any questions or comments about this advisory:

DatabaseId : 1743 GhsaId : GHSA-v7x3-7hw7-pcjg

Impact

Temporary repository tokens were leaked into Pull Request comments during certain Go Modules update failure scenarios.

Patches

The problem has been patched. Self-hosted users should upgrade to v19.38.7 or later.

Workarounds

Disable Go Modules support.

References

Blog post: https://renovatebot.com/blog/go-modules-vulnerability-disclosure

For more information

If you have any questions or comments about this advisory:
DatabaseId : 1749 GhsaId : GHSA-67cx-rhhq-mfhq

Impact

An external audit of the Indico codebase has discovered a vulnerability in Indico's LaTeX sanitization code, which could have allowed malicious users to run unsafe LaTeX commands on the server. Such commands allowed for example to read local files (e.g. As far as we know it is not possible to write files or execute code using this vulnerability.

Patches

You need to update to Indico 2.2.3 as soon as possible.

Workarounds

Setting

For more information

If you have any questions or comments about this advisory:

DatabaseId : 1730 GhsaId : GHSA-mgv2-57vj-99xc

Impact

In v1.2.0, tests are broken: all tests are always succeeding. If tests are looking for security vulnerabilities, these were compromised.

Patches

Users should upgrade to

Workarounds

Users who don't use eye.js for looking for vulnerabilities are safe. Upgrading will just fix some bugs.

For more information

If you have any questions or comments about this advisory:

DatabaseId : 1727 GhsaId : GHSA-85rf-xh54-whp3

Impact

A path traversal vulnerability was detected in iodine's static file service. This vulnerability affects any application running iodine's static file server on an affected iodine version. Malicious URL drafting may cause the static file server to attempt a response containing data from files that shouldn't normally be accessible from the public folder.

Patches

The vulnerability was patched in version 0.7.34. Please upgrade to the latest version.

Workarounds

A possible workaround would be to disable the static file service and its However, it would be better to upgrade iodine to the latest version, as it also contains non-security related fixes.

For more information

If you have any questions or comments about this advisory:
DatabaseId : 1726 GhsaId : GHSA-6jg8-7333-554w

Impact

The Several bugs were found in Until very recently, the only convenient way to use the

Patches

The bugs have been fixed in realms-shim-1.2.0, which has been incorporated into SES-0.6.3. All users should upgrade to one of these releases.

Workarounds

SES and the Realms feature are designed to protect against arbitrary and unreviewed attacker-supplied code. Applications which rely upon this property must upgrade to the newer versions of the libraries to fix the problem. Other applications might be in a position to have humans review the code before executing it under a Realm, or accept very limited subsets of JavaScript. In these cases, the review process might be changed to exclude these attacks. However, given how flexible JavaScript is, this should not be considered a reliable workaround. Upgrading to the newer realms-shim and SES is the recommended mitigation.

References

For more information

If you have any questions or comments about this advisory:
DatabaseId : 1724 GhsaId : GHSA-cxw4-9qv9-vx5h

Impact

The CBOR library supports optional tags that enable CBOR objects to contain references to objects within them. Versions earlier than 4.0 resolved those references automatically. While this by itself doesn't cause much of a security problem, a denial of service can happen if those references are deeply nested and used multiple times (so that the same reference to the same object occurs multiple times), and if the decoded CBOR object is sent to a serialization method such as

The impact of this problem on any particular system varies. In general, the risk is higher if the system allows users to send arbitrary CBOR objects without authentication, or exposes a remote endpoint in which arbitrary CBOR objects can be sent without authentication.

Patches

This problem is addressed in version 4.0 by disabling reference resolution by default. Users should use the latest version of this library, which is 4.0 at the time of this writing.

Workarounds

Since version 3.6, an encoding option ( In version 3.6, if the method used

In versions 3.5 and earlier, this issue is present only if the CBOR object is an array or a map. If the application does not expect a decoded CBOR object to be an array or a map, it should check the CBOR object's type before decoding that object, as follows:

Alternatively, for such versions, the application can use

To check whether a byte array representing a CBOR object might exhibit this problem, check whether the array contains the byte 0xd8 followed immediately by either 0x19 or 0x1d. This check catches all affected CBOR objects but may catch some non-affected CBOR objects (notably integers and byte strings).

References

See the Wikipedia article Billion laughs attack and the related issue in Kubernetes.

For more information

If you have any questions or comments about this advisory:
DatabaseId : 1720 GhsaId : GHSA-v6cj-r88p-92rm

Impact

Affected Centra versions will, when not in stream mode, buffer responses to requests into memory with no size limit. This issue affects anyone requesting content from untrusted sources.

Patches

Version 2.4.0 resolves the issue by limiting the size of the buffered response body.

Workarounds

Attempting workarounds isn't recommended. Updating is preferred.

For more information

If you have any questions or comments about this advisory, open an issue in ethanent/centra.

DatabaseId : 1718 GhsaId : GHSA-mc84-xr9p-938r

Impact

Gradle users were using the http://repo.spring.io/plugins-release repositories in plain HTTP, and not HTTPS, so a man-in-the-middle attack was possible at build time.

Patches

Maven users should at least upgrade to 6.3.0 while Gradle users should update to 6.3.1.

Workarounds

Replace all custom repository definitions in e.g.

```xml
<repository>
  <id>oss.sonatype.org-snapshot</id>
  <url>https://oss.sonatype.org/content/repositories/snapshots</url> <!-- must be httpS -->
  <releases>
    <enabled>false</enabled>
  </releases>
  <snapshots>
    <enabled>true</enabled>
  </snapshots>
</repository>
```

```groovy
maven { url "https://repo.spring.io/plugins-release" } // <-- must be httpS
```

References

For more information

If you have any questions or comments about this advisory:
DatabaseId : 1694 GhsaId : GHSA-mwp6-j9wf-968c

Generated applications must be manually patched, following instructions in the release notes: https://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html

DatabaseId : 1678 GhsaId : GHSA-9mrq-cjgh-32g2

Impact

Clicking on smartbanner View link and navigating to 3rd party page leaves

Patches

Workarounds

If you can not upgrade to

References

For more information

If you have any questions or comments about this advisory:

DatabaseId : 1676 GhsaId : GHSA-4vr3-9v7h-5f8v

Impact

If you've been using one When using an instance of The occurrence of this is limited however. The Guild Wars 2 API doesn't use the

Patches

This bug has been fixed in version 0.3.1. When using an authenticated endpoint, it will prepend the SHA-1 hash of the access token to the cache id.

Workarounds

For version 0.3.0 and lower, you can use one separate instance of

For more information

If you have any questions or comments about this advisory, you can open an issue in the Gw2Sharp repository or contact me on Discord.

DatabaseId : 1534 GhsaId : GHSA-886v-mm6p-4m66

The static file server module included with GUN had a serious vulnerability:

This did not work via the browser or via curl without as-is option.

Fixed

This has been fixed since version

Who Was Affected?

Most NodeJS users who use the default setup, such as:

If you have custom NodeJS code then you are probably safe unless you have something like

If you have not upgraded, it is mandatory or else it is highly likely your environment variables and AWS (or other) keys could be leaked.

Credit

It was reported and fixed by JK0N, but I did not understand the Joonas Loppi from function61 rediscovered it and explained the urgency to me to fix it.

DatabaseId : 1467 GhsaId : GHSA-mh6f-8j2x-4483

Users of

DatabaseId : 1007 GhsaId : GHSA-hhxm-4f85-rgr8

Impact

Logs the password used in plaintext. The password should be masked in logs to prevent it leaking.

Patches

Has the problem been patched? What versions should users upgrade to?

Workarounds

none

See also

Are there any links users can visit to find out more information?

Package Ecosystem: RubyGems
Package Name: many_versioned_gem
Affected Versions: < 0.2.2
Patches: 0.2.3

GhsaId : GHSA-cgpw-2gph-2r9g

The update addresses the vulnerability by correcting how ASP.NET Core handles such requests.

DatabaseId : 744 GhsaId : GHSA-3m2r-q8x3-xmf7

DatabaseId : 743 GhsaId : GHSA-hxxf-q3w9-4xgw

npm is aware of this issue and is providing updates on this issue at this page: https://status.npmjs.org/incidents/dn7c1fgrr7ng

DatabaseId : 307

Fields that can be used to update the existing vulnerability

Fields that cannot be used to update the existing vulnerability

Observed issues that may occur when pulling advisories
If an advisory has been withdrawn, it means that it's not valid, doesn't it? If so, it looks like we should not use the advisory.

Well, the advisories don't have to align with NVD. In fact, the differences between NVD and GitHub advisories may be the most interesting. However,
Considering the reviews from @artem-smotrakov, the following enhancements would be associated with this:
The GitHub GraphQL API allows requesting published security advisories and vulnerabilities. This information may be useful to fill out the OssFeatures.VULNERABILITIES feature. According to this page, they use not only NVD. For example, the following query returns a list of vulnerabilities for jackson-databind (use the explorer to send the query):

This query returns the 10 latest security advisories:

Here is a list of things to do:

VULNERABILITIES feature.
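As an added example (not code from the fosstars project, and not the query pasted in this issue), the following Python script assembles a `securityVulnerabilities` GraphQL request for one package, walks the result pages with the `pageInfo` cursor (the job of the first-run and next-page templates named in the commit message), and computes the delta reported in the POC comment: advisories that carry no CVE identifier, with withdrawn advisories skipped by default. The query fields follow the public GitHub GraphQL schema; the package name, the two response pages and the `fake_fetch` stand-in for the HTTP call are constructed placeholders so the script runs offline.

```python
"""Delta between GitHub security advisories and NVD for one package.

Added example, not code from the fosstars project or from this issue.
The query fields follow the public GitHub GraphQL schema; the response
pages below are hand-constructed so the script runs offline.
"""
import json
from typing import Callable, Dict, Iterable, Iterator, List, Optional

# Real endpoint; a live call needs an "Authorization: bearer <token>" header.
GITHUB_GRAPHQL_URL = "https://api.github.com/graphql"

# One page of vulnerabilities for a package. `after` carries the cursor from the
# previous page's pageInfo.endCursor and is null on the first run.
QUERY = """
query($package: String!, $ecosystem: SecurityAdvisoryEcosystem!, $after: String) {
  securityVulnerabilities(package: $package, ecosystem: $ecosystem, first: 100, after: $after) {
    pageInfo { hasNextPage endCursor }
    nodes {
      vulnerableVersionRange
      firstPatchedVersion { identifier }
      advisory {
        ghsaId
        summary
        severity
        publishedAt
        withdrawnAt
        identifiers { type value }
      }
    }
  }
}
"""


def build_request(package: str, ecosystem: str, after: Optional[str]) -> Dict:
    """JSON body for one page request (first run when `after` is None)."""
    return {"query": QUERY,
            "variables": {"package": package, "ecosystem": ecosystem, "after": after}}


def iter_vulnerabilities(fetch: Callable[[Dict], Dict], package: str, ecosystem: str) -> Iterator[Dict]:
    """Yield every vulnerability node, following pageInfo cursors until the last page.

    `fetch` performs the HTTP POST and returns the decoded JSON; it is injected
    so the paging logic can be exercised with constructed pages.
    """
    after = None
    while True:
        page = fetch(build_request(package, ecosystem, after))["data"]["securityVulnerabilities"]
        yield from page["nodes"]
        if not page["pageInfo"]["hasNextPage"]:
            return
        after = page["pageInfo"]["endCursor"]


def cve_ids(advisory: Dict) -> List[str]:
    """CVE identifiers attached to an advisory; empty means NVD has no record of it."""
    return sorted(i["value"] for i in advisory["identifiers"] if i["type"] == "CVE")


def ghsa_only(nodes: Iterable[Dict], include_withdrawn: bool = False) -> List[str]:
    """GHSA ids with no CVE: the delta between the advisory database and NVD.

    An advisory appears once per vulnerable version range, so ids are de-duplicated.
    Withdrawn advisories are dropped unless explicitly requested.
    """
    delta: Dict[str, Dict] = {}
    for node in nodes:
        adv = node["advisory"]
        if adv.get("withdrawnAt") and not include_withdrawn:
            continue
        if cve_ids(adv):
            continue
        delta.setdefault(adv["ghsaId"], adv)
    return list(delta)


# Constructed response pages: ids, dates, versions and cursors are placeholders, not real advisories.
def _node(ghsa: str, cves: List[str], version_range: str, withdrawn: Optional[str] = None) -> Dict:
    ids = [{"type": "GHSA", "value": ghsa}] + [{"type": "CVE", "value": c} for c in cves]
    return {"vulnerableVersionRange": version_range,
            "firstPatchedVersion": {"identifier": "0.0.0-placeholder"},
            "advisory": {"ghsaId": ghsa, "summary": "constructed", "severity": "HIGH",
                         "publishedAt": "2020-01-01T00:00:00Z", "withdrawnAt": withdrawn,
                         "identifiers": ids}}


SAMPLE_PAGES = {
    None: {"data": {"securityVulnerabilities": {
        "pageInfo": {"hasNextPage": True, "endCursor": "cursor-1"},
        "nodes": [_node("GHSA-0000-0000-0001", ["CVE-0000-00001"], "< 1.0.0"),
                  _node("GHSA-0000-0000-0002", [], "< 2.0.0"),
                  _node("GHSA-0000-0000-0003", [], "< 3.0.0", withdrawn="2020-02-01T00:00:00Z")]}}},
    "cursor-1": {"data": {"securityVulnerabilities": {
        "pageInfo": {"hasNextPage": False, "endCursor": "cursor-2"},
        "nodes": [_node("GHSA-0000-0000-0002", [], ">= 2.1.0, < 2.2.0"),
                  _node("GHSA-0000-0000-0004", ["CVE-0000-00004"], "< 4.0.0")]}}},
}


def fake_fetch(body: Dict) -> Dict:
    """Stand-in for the HTTP POST: serves the constructed page for the requested cursor."""
    return SAMPLE_PAGES[body["variables"]["after"]]


if __name__ == "__main__":
    nodes = list(iter_vulnerabilities(fake_fetch, "com.fasterxml.jackson.core:jackson-databind", "MAVEN"))
    print(f"{len(nodes)} vulnerability records; GHSA-only: {ghsa_only(nodes)}")
    print(json.dumps(build_request("jackson-databind", "MAVEN", None)["variables"]))
```

To run it against the real API, replace `fake_fetch` with a function that POSTs the body to `GITHUB_GRAPHQL_URL` with a bearer token and returns the parsed JSON; the paging and delta logic stay the same. Keying the de-duplication on `ghsaId` matters because one advisory is returned once per vulnerable version range, and treating withdrawn advisories separately keeps the delta count honest, which is the concern raised in the thread about withdrawn entries.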