Check logs sprint 14.1 - week 1 (2/24) #4768

lbeaufort · 2021-02-17T17:46:13Z

Log review needs to be completed per the Security Event Review Checklist (https://github.com/fecgov/FEC/wiki/Security-Event-Review-Checklist)

patphongs · 2021-02-24T21:19:48Z

FEC-CMS:

package.json: 4 existing, 1 existing (combined)
- High: (blocked) Arbitrary Code Execution ([Snyk: High] Arbitrary Code Execution in sanitize-html (due 10/9/20) fec-cms#4026)
- High: Command Injection ([Snyk: High] Command Injection (due 3/19/21) fec-cms#4390)
- Medium: Access Restriction Bypass and Validation Bypass (combined) [Snyk: Med] Access Restriction Bypass and Validation Bypass(due 4/12/21) fec-cms#4379 (https://app.snyk.io/org/fecgov/project/2a97cddb-4b62-4d54-b18f-3b85d55a5e10/#issue-SNYK-JS-SANITIZEHTML-1070786 and https://app.snyk.io/org/fecgov/project/2a97cddb-4b62-4d54-b18f-3b85d55a5e10/#issue-SNYK-JS-SANITIZEHTML-1070780)
- Medium: Regular Expression Denial of Service with lodash ([Snyk: Med] Regular Expression Denial of Service with lodash (4/18/21) fec-cms#4391)
- Medium: Regular Expression Denial of Service with ua-parser ([Snyk: MED] Regular Expression Denial of Service with ua-parser-js (due 4/18/21) fec-cms#4392)
requirements.txt: 2 existing, 1 new
- MEDIUM: Regular Expression Denial of Service (ReDoS) (https://app.snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994) [Snyk: MED] Regular Expression Denial of Service (ReDoS) (due 04/04/2021) fec-cms#4362
- MEDIUM (new): Web Cache Poisoning (https://app.snyk.io/org/fecgov/project/ff0dca01-794e-4c1c-bf1f-0c0f8932fadd#issue-SNYK-PYTHON-DJANGO-1076802) [SNYK: MEDIUM] Web Cache Poisoning (Due: 4/25/2021) fec-cms#4426
- LOW: Directory Traversal (https://app.snyk.io/vuln/SNYK-PYTHON-DJANGO-1066259) [Snyk: LOW] Directory Traversal (due 05/04/2021) fec-cms#4363

OPEN-FEC:

package.json: 2 existing
- High: Command Injection ([Snyk: High] Command Injection (due 3/19/21) #4766)
  [Snyk: High] Command Injection (due 3/19/21) #4766
- Medium: Regular Expression Denial of Service ([Snyk: Med] Regular Expression Denial of Service (4/18/21) #4767)

FEC-EREGS:

requirements.txt: 1
- LOW: Directory Traversal: [Snyk: Low -Research] Directory Traversal (due 05/04/2021) fec-eregs#563

FEC-PATTERN-LIBRARY:
None

Search logs:
https://github.com/fecgov/fec-accounts/issues?utf8=%E2%9C%93&q=is%3Aissue%20, OK

Cloud.gov Dashboard:
9 deployer accounts, same as last week.

Offboarding:
None

lbeaufort added the Security: general General security concern or issue label Feb 17, 2021

lbeaufort added this to the Sprint 14.1 milestone Feb 17, 2021

lbeaufort changed the title ~~Check logs 14.1 - week 1 (2/24)~~ Check logs sprint 14.1 - week 1 (2/24) Feb 17, 2021

JonellaCulmer assigned patphongs Feb 23, 2021

patphongs closed this as completed Feb 24, 2021

patphongs mentioned this issue Feb 29, 2024

Epic: Stability and reliability fecgov/fec-epics#137

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Check logs sprint 14.1 - week 1 (2/24) #4768

Check logs sprint 14.1 - week 1 (2/24) #4768

lbeaufort commented Feb 17, 2021

patphongs commented Feb 24, 2021 •

edited

Check logs sprint 14.1 - week 1 (2/24) #4768

Check logs sprint 14.1 - week 1 (2/24) #4768

Comments

lbeaufort commented Feb 17, 2021

patphongs commented Feb 24, 2021 • edited

patphongs commented Feb 24, 2021 •

edited