
NVD False Positives #61

Closed
SimeonChakarov opened this issue Mar 8, 2021 · 6 comments
@SimeonChakarov

Hi,
I use jQuery v3.5.1 (latest stable) with Visual Studio 2019. When I scan for security vulnerabilities with NuGetDefense I get the following report:

"CVE-2016-10707 : jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due to removing a logic that lowercased attribute names. Any attribute getter using a mixed-cased name for boolean attributes goes into an infinite recursion, exceeding the stack call limit."

This is a link to the full description: https://nvd.nist.gov/vuln/detail/CVE-2016-10707

I opened a ticket in jquery support, they answered me as follows:

"You should contact the creators of the scanner to report a bug. The CVE references a version that is not the one you are running. See #3133."

Please advise how to proceed to fix this issue.

Thanks in advance!

@SimeonChakarov SimeonChakarov added the enhancement New feature or request label Mar 8, 2021
@digitalcoyote
Owner

@SimeonChakarov what version of NuGetDefense is reporting the false positive? I recently found an issue in the NVD source that could be causing this, but it was fixed in the last release. If this occurs in the most recent release, I'll need to investigate.

@SimeonChakarov
Author

@digitalcoyote , the version that I use is 2.1.1 (latest stable according to Visual Studio). Btw there is a similar issue with Nlog v4.7.8 (latest stable):

"CVE-1999-1278 : nlog CGI scripts do not properly filter shell metacharacters from the IP address argument, which could allow remote attackers to execute certain commands via (1) nlog-smb.pl or (2) rpc-nlog.pl."

This is a link to the full description: https://cert.civis.net/en/index.php?action=alert&param=CVE-1999-1278

The NLog support advised me to create an issue for the NuGetDefense project. Their response:
"They are probably mixing together two packages:
NLog - https://www.nuget.org/packages/NLog/
NLog - https://seclists.org/nmap-announce/1998/81 or https://static.lwn.net/1999/0107/nlog.html"

Best regards, Simeon

@digitalcoyote digitalcoyote changed the title Requesting Vulnerability Source jQuery v3.5.1 NVD False Positives Mar 9, 2021
@digitalcoyote digitalcoyote added this to To do in NVD via automation Mar 9, 2021
@digitalcoyote
Owner

digitalcoyote commented Mar 12, 2021

@SimeonChakarov I have some info on the NLog false-positive as well as the Jquery false-positive.

JQuery

The CPE here used the update field (previously unused) to specify rc1. With no upper limit, this caused the version range to parse incorrectly. I've made changes to address this, but I need to make some more tests to ensure nothing is adversely affected.

NLog

The CPE for CVE-1999-1278 that is parsed for that record is cpe:2.3:a:nlog:nlog:*:*:*:*:*:*:*:*. Unfortunately, all I can do to fix this is add this to a list of CVEs to ignore when parsing NVD Feeds.


It will ~~probably be a week or so before~~ I can work on getting another release together to fix these in the distributed NVD bin, but you can add them to the Ignored CVEs in the NuGetDefense.json as neither CVE here actually affects a NuGet package.

In future versions, I may consider disabling NVD by default as there are other more accurate sources being added to NuGetDefense (although there are still use cases for the local VulnerabilityData).

Thank you again for your reports. Feel free to let me know of any more incorrectly reported vulnerabilities. 👍
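Added example (not NuGetDefense's own code) of how the two CPE records discussed in this issue are parsed and matched against a NuGet package. The jQuery CPE string is constructed from the description above (version 3.0.0 with rc1 in the update field), the NLog CPE is the one quoted, and `legacy_assess` is an assumed reconstruction of the "no upper limit" bug, not the project's actual code.

```python
"""Parse CPE 2.3 names from NVD feeds and match them against a NuGet package.
Added example for this issue; sample CPEs are constructed from the thread."""
import re

CPE_FIELDS = ("part", "vendor", "product", "version", "update")

def parse_cpe23(name: str) -> dict:
    # Split on colons that are not backslash-escaped; a 2.3 formatted string has 13 fields.
    fields = re.split(r"(?<!\\):", name)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {name}")
    return dict(zip(CPE_FIELDS, fields[2:7]))

def version_key(v: str) -> tuple:
    # "3.5.1" -> ((3,5,1), 1, ()); "3.0.0-rc1" -> ((3,0,0), 0, ((1,'rc1'),)).
    # A pre-release sorts below the release carrying the same numbers.
    core, _, pre = v.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    tag = tuple((0, int(x)) if x.isdigit() else (1, x) for x in pre.split(".") if x)
    return (nums, 0 if pre else 1, tag)

def cpe_version(cpe: dict):
    # NVD put "rc1" in the otherwise unused update field; fold it in as a pre-release tag (assumption).
    if cpe["version"] in ("*", "-"):
        return None
    return cpe["version"] if cpe["update"] in ("*", "-") else f'{cpe["version"]}-{cpe["update"]}'

def assess(cpe_str: str, package: str, version: str, start_incl=None, end_excl=None) -> str:
    # Returns 'no-match', 'match', or 'broad': a wildcard version with no NVD range bounds
    # claims every version of the product, which only review or an ignore list can settle.
    cpe = parse_cpe23(cpe_str)
    if cpe["product"].lower() != package.lower():
        return "no-match"
    pkg = version_key(version)
    if start_incl or end_excl:  # explicit NVD range bounds take precedence over the CPE version
        lo_ok = start_incl is None or pkg >= version_key(start_incl)
        hi_ok = end_excl is None or pkg < version_key(end_excl)
        return "match" if lo_ok and hi_ok else "no-match"
    exact = cpe_version(cpe)
    if exact is None:
        return "broad"
    return "match" if pkg == version_key(exact) else "no-match"  # no range: exact version only

def legacy_assess(cpe_str: str, package: str, version: str) -> str:
    # Assumed reconstruction of the bug above: the CPE version was read as an open lower bound,
    # so every jQuery >= 3.0.0-rc1 (including 3.5.1) matched CVE-2016-10707.
    cpe = parse_cpe23(cpe_str)
    if cpe["product"].lower() != package.lower():
        return "no-match"
    exact = cpe_version(cpe)
    return "broad" if exact is None else ("match" if version_key(version) >= version_key(exact) else "no-match")

JQUERY_CPE = "cpe:2.3:a:jquery:jquery:3.0.0:rc1:*:*:*:*:*:*"  # constructed from the description above
NLOG_CPE = "cpe:2.3:a:nlog:nlog:*:*:*:*:*:*:*:*"              # quoted in the thread
```

Running `assess(JQUERY_CPE, "jQuery", "3.5.1")` yields `no-match` where `legacy_assess` yields `match`, and `assess(NLOG_CPE, "NLog", "4.7.8")` yields `broad`, which is why that record can only be handled by an ignore list.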

@digitalcoyote
Owner

Couldn't sleep last night, so I've been up working on that release. Gonna grab coffee and get it out before work.

NVD automation moved this from To do to Done Mar 12, 2021
@SimeonChakarov
Author

SimeonChakarov commented Mar 15, 2021

@digitalcoyote I just installed the latest version of NuGetDefense (2.1.2). Most of the issues are gone. Thanks for the quick response! :)

There is still one reported issue for jQuery:

CVE-2007-2379 : The jQuery framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."

But it is LOW/MEDIUM severity so it's ok for now. I assume that it will be fixed in the next release.

Thanks again!

@digitalcoyote
Owner

@SimeonChakarov I believe that was never "fixed" as it's an underlying class of vulnerabilities that can affect jQuery and javascript in general. Based on what I've been told, you are probably safe to add that CVE to the ignore list and just pay attention to best practices regarding javascript hijacking. Stack Overflow seems to indicate that jQuery makes this less likely than vanilla JS/ES by default although some research into it could probably provide more detailed info.

When I update the documentation I need to explicitly mention this as I've been contacted about this vulnerability multiple times.
