-
-
Notifications
You must be signed in to change notification settings - Fork 683
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vulnerability CVE-2022-29622 is reported by Whitesource #856
Comments
Conditions to be vulnerable
Please install version 3.2.4 to have safer defaults |
Is there an official view of whether the v2 stream is also affected? The latest on https://www.npmjs.com/package/formidable right now is 2.0.1 and the advisory at GHSA-8cp3-66vr-3r4c has no information on the version ranges affected. Looking at #857 and Line 527 in 48521d7
|
v2 has other vulnerabilities as well, |
@GrosSacASac I still see 2.01 as the version at https://www.npmjs.com/package/formidable . Can we mark v3 as latest as you suggested above? |
@GrosSacASac As I fond the v3.2.4 ver on npm, When can we make the v3.2.4 tag on github ? We need the github tag |
WTF...?! Doesn't the problem only exist in any frontend application showing filenames from the system unfiltered in any browser etc...?! With this fix you have broken a valid usecase. Invalid filenames are only invalid if the filesystem says they are invalid and fs-module throws exceptions. Do I miss the real problem here? |
Correct. The fix is to help people have safe default even if they blind copy paste code from stack-overflow for example. If you want to have any filename possible, you can still do it by using the explicit filename option. Having safe defaults is a principle I adhere to. |
Hopefully you will not get the idea of filename length or special unicode might also be a problem in some of the many client applications and operating systems out there. Never ending story if you'd like to hit this on the wrong side. |
There was already removal of invalid characters from filename in the code since 2011-2010. |
Sorry, didn't mean you (@GrosSacASac) with this "you". Your "Improve keep extension" is good purpose. But now I'm curious... Lines 513 to 538 in 143e473
Shouldn't the extension start with the Line 524 in 143e473
A filename Line 510 in 143e473
OS handles files by the extension after the And formidable makes from a valid uploaded txt-file an executable com file, great improvement ;-) |
Open an issue if you think that it is a problem |
Got here as SCA blocked the build of one of our services due to the CVE referenced earlier. The CVE looks to me like yet another overly eager "security professional" trying to get a CVE attached to his/her name by ignoring context and understanding of responsibilities. Then, all the other lemmings just accept it and pick it up without actually looking into the reported "issue". |
@GrosSacASac I have submitted a request to MITRE to remove the CVE assigned as some of us believe the library is not vulnerable. The MITRE guys decided that just because a contributor, it this case specifically referring to you admitted that the library is vulnerable under certain circumstances (see quoted above) they refuse the remove the CVE. To help everyone better understand the "issue" could you please provide more context re your comments, following these questions:
In general, are you seriously considering this library to be vulnerable? @tunnckoCore @kolbma You guys may be also interested is this. |
I'll be back in 30 days, consider the filename option if it is blocking |
Will this vulnerability fix be backported to v2.x since v2 is still maintained? |
I have written up my analysis of the "vulnerability" (I don't think there is a vulnerability) here if anyone is interested: https://medium.com/@zsolt.imre/cve-2022-29622-in-vulnerability-analysis-5cf783c3721 I personally could not find any indication of any of the vulnerabilities mentioned in the CVE to be present. The information disclosed by the CVE and the YT video referenced is not sufficient to prove the library is affected by the vuln. If anyone can come up with an exploit to prove there is an arbitrary code execution vulnerability in formidable, please share. Otherwise, I do believe the CVE is invalid. |
Uh... 🤦♂️ that's continuing... @keymandll thank you. @salielim there's nothing to be backported in reality. the codebase between v3 and v2 is almost the same, and especially in that regard. The options are there and the documentation is there. I really don't like this |
For most packages like |
We've reached out to some folks at Snyk to see if we can decrease the severity or remove the CVE altogether. In the interim, please ping us once you have released a new version with CJS/ESM support @tunnckoCore and @keymandll and most of these issues should go away. Thanks! |
Yep, me and others also reached Mend to remove it, cuz it's nothing. |
I had read the article and completely agree with author's assessment that remote execution is not possible, at least not with formidable alone. The NVD remote-execution assessment and corresponding CVSS score of 9.8 appear incorrect. However, this should still be viewed as a CVSS 7.1 (High) vulnerability, although I'll admit the best exploit I can come up with right now is a Medium, I just don't have the time to do an extensive threat analysis for this. Here is my calculation: Here's my scenario to prove this is at least a Medium risk.
|
@dpace-cs Interesting scenario. However, as far as I know and as far as the linked medium post goes, the default behavior is that formidable does not keep the extensions. (
It's definitely not randomized, its seems to be incremental. If we try with the non-default configuration (
As can be seen, the file name still has the incremnting part, threfore overwriting a previous file so far does not seem possible. Considering how the default behavior works, the worst that can happen is someone could potentially brute-force the file names and maybe gain access to someone else's files. BUT, before anyone misunderstands, something important to note here is what @dpace-cs said: "... and that website doesn't randomize the file name". The developer of the website has the option to read the documentation and use the library according to his/her need/specific use case. At the same time, if the default behaviour ( What I ultimately wanted to say is, that while I like how @dpace-cs was thinking, I do not think there even a Medium risk there. |
@dpace-cs the last point is not correct though. By default when there's not provided As about second point, that's our user's (developer in our case) fault. We are not end-user service or library or whatever. Things that are building on top of open source software and libs should be 1) cautious, and 2) read docs, especially when there are docs. There's not a single package of mine for the past 8 years that has not excellent and big docs. And all these years I'm noticing exactly that - nobody reads, even with ton of documentation, concrete examples and notes.
Exactly. That's good defaults. And is maximum we should and can do.
True tho, hexo is interesting one. But IT IS guaranteed (not cryptographically tho) random and there's minimal possibility of conflicts. (uh, why all this time i think of edit: not to mention Line 19 in 81dd350
we force 25 length, while Hexo's default is 16. Quite enough to me.
|
@tunnckoCore One thing to note is that hexoid produces incremental values and the first portion of the generated file name is fairly static. For example, I get the following when uploading two files, even with identical names.
So we have If I restart the service that I'm using now to do these tests of
So, an attacker targeting an insecurely implemented website could guess file names fairly easily between two service restarts, if the file name of his/her uploaded file is exposed. Generating a (I'm just praying no one going to misunderstand me and believe I'm saying there's any problem here... :) ) For now, my opinion that this "issue" worth maximum an INFO severity. |
Oh yea, perfectly agree. I probably didn't noticed that with Will switch to |
@dpace-cs Just realized there's something I've missed in your comment. W.r.t. the calculated CVSSv3 score, if I understand correctly, you calculated that for your example scenario, right? In that case, you have calculated that for a fictional webapp that behaves in a specific way. For example, the way we use |
It's definitely good that the filename is incremented and thus cannot be overwritten, and @tunnckoCore switching to cuid would eliminate an enumeration exploit (ref: https://owasp.org/www-community/attacks/Forced_browsing). Outside of this issue, I have to disagree with @tunnckoCore and @keymandll assessment of who's responsible for fixing or mitigating a vulnerability. CVSS scoring will take the rating of the highest risk vector to a vulnerability at the system's default state. If the default state allows for file enumeration you can't say it's not a vulnerability because the programmer didn't modify the default state to secure it (ref: https://www.first.org/cvss/specification-document#3-1-Exploit-Code-Maturity-E). That would be like Linksys saying that the default admin credentials to a router being set to admin/admin aren't a vulnerability because the user didn't read the read the manual and change it after installation. I also understand that a good webapp should prevent file enumeration via proper access controls but again, that doesn't negate the default state of the package. What keymandll is referring to would be considered a Modified Base Metric per CVSS 3.1 specifications (ref: https://www.first.org/cvss/specification-document#4-2-Modified-Base-Metrics). That occurs when the score would be lowered due to mitigating controls such as access control to prevent file enumeration, but the base metric would still not change, you would just have a Modified Base Metric instead. Unrelated to this issue: I wouldn't use INFO as risk level as there is no widely accepted risk standard for the that term. LOW should always be used in the place of INFO (ref: https://www.first.org/cvss/specification-document#Qualitative-Severity-Rating-Scale). None the less, thank you both for replying and deeply analyzing instead of ignoring. |
@dpace-cs I completely understand what you are saying and you are not wrong, but you are not wrong in a different context. What I'm trying to say, using what you have said: "If the default state allows for file enumeration" - I'm fairly certain that I'm noticing two things from some of the discussions I had so far (not only here):
Btw, I'm not saying |
Well @dpace-cs , good point and example. I totally agree. I'm always for sane defaults and practicing it. Thank god we are having experts. 🙏🙌 |
Alright, here is my proposal. As people so much want to force some vulnerability on "The way Formidable generated file names with the default configuration could have contributed to the successful exploitation of applications that were vulnerable to Forced Browsing." What do you think @dpace-cs and @tunnckoCore ? |
Well, agree. "The default way Formidable generate filenames..." Plus, we will patch the defaults, so.. |
I have updated my proposed "vuln" description based on @tunnckoCore 's comment. |
Make sure you email [email protected] when you make the updates or to request changes to the original. cc @keymandll Thanks!!! |
Let's wait to see what @dpace-cs says about the proposed. Then, I will talk to MITRE to see if an update or a new entry would be more appropriate. |
I'm still having trouble seeing as how this would qualify as a Low. I'm calculating the CVSS score as 5.9 (Medium). I think it would be a big win if you could get NIST to drop the NVD score from 9.8 (Critical) to 5.9 (Medium). Here is my reasoning:
FYI: I have no associated with MITRE or NIST and can't help you remove or reduce the existing CVE. You would need to communicate with them directly but referencing this threat would probably be very helpful to convincing them to reduce the score. |
@dpace-cs Just to confirm, are we both talking about this? If yes: I almost agree with all your points, except with #6 (Confidentiality). I just do not see how you can calculate these for Formidable does not dictate how an application should implement file management. It is possible to implement an application that even with So, given your calculation and mine, if I subtract 2.2 from 5.9, the resulting 3.7 is all up to the specifics and use cases supported by the application. Why would you blame that 3.7 on |
Ridiculous. |
@kolbma As far as I know Whitesource is not directly responsible of this mess. I suspect, in this case it is most likely that their "vulnerability" scanner, just like all the others picked up the same nonesense from NVD. So now we have all these software composition analysis tools spitting out issue reports based on the CVE. Probably it just happened that @johnchen05, probably a user/customer of Whitesource got a report from their tool... However, your second sentence sounds like there is an interesting story out there I have not heard of. Most likely this is not the right forum to share, so If you write it up somewhere, let me know, happy to read it. |
You're amazing guys! Seems like you know your job. But I think it would be far more easier, faster and better to just upgrade on #857 merged pr and my comments from there. Or I'm just tired and not that familiar and interested in such things. What I can do is to try to patch it by the end of the week, and and add some more automation on the repo, plus CodeQL GH Action for the future. All that was part of the #635 and #830 anyway. I even think to skip v3, hahahaha. Joking. Thanks, and don't think it or worry that much. :P |
@tunnckoCore Sure, I completely understand. Indeed, there's no need for a new CVE. If you replace Anyway, it was great having this discussion with all of you. Feel free to reach out to me if I can be of any help in the future. Oh, and before I forget thanks a lot to all contributors for this amazing library. |
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-29622
The text was updated successfully, but these errors were encountered: