
[CVE-2021-33898] Insecure deserialization versions <= 4.3.1 #5909

Closed
ropwareJB opened this issue Jun 3, 2021 · 5 comments

@ropwareJB

ropwareJB commented Jun 3, 2021

What version of Invoice Ninja are you running?
v4.3.1 and below

What environment are you running?
N/A

Have you checked log files (storage/logs/)? Please provide redacted output
N/A

Have you searched existing issues?
Yes

Have you reported this to Slack/forum before posting?
No

Describe the bug
In versions v4.3.1 and below of InvoiceNinja, there is an unsafe call to unserialize() in app/Ninja/Repositories/AccountRepository.php which may allow an attacker to deserialize arbitrary PHP classes. In certain contexts this can result in remote code execution.

The argument to unserialize is the output from a HTTP call to http://www.geoplugin.net/php.gp. This is without encryption. Attack vectors are then:

  1. Malicious deserialized object from geoplugin.net
  2. MITM attack between the invoiceninja service and geoplugin.net

Expected behavior
Use JSON instead of native PHP objects for untrusted input.

Additional context
The responsible code is now commented out since 25feebd6c2b02687d06832442ce6ce27971849c3, however there is a note about triaging GDPR implications before reintroduction of the code block, so this may be introduced in future versions.
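The unsafe pattern the report describes, beside a JSON-based replacement, as an added illustration (not Invoice Ninja's own code). The JSON endpoint URL, the field names and the timeout are assumptions for the example.

```php
<?php
// Added illustration, not Invoice Ninja's own code: the pattern reported
// above beside a hardened replacement.

// BEFORE: the body of a plaintext HTTP response goes straight into
// unserialize(), so whoever controls that response (the remote service, or
// anyone able to tamper with the unencrypted connection) decides which PHP
// classes get instantiated, including ones with __wakeup()/__destruct() logic.
function lookupGeoUnsafe(string $ip): ?array
{
    $raw = @file_get_contents('http://www.geoplugin.net/php.gp?ip=' . urlencode($ip));
    if ($raw === false) {
        return null;
    }
    $geo = unserialize($raw);   // untrusted bytes -> arbitrary object graph
    return is_array($geo) ? $geo : null;
}

// AFTER: fetch JSON over TLS, decode it to plain arrays (json_decode cannot
// produce objects when the second argument is true), then keep only the
// fields the application needs, each checked against an expected shape.
// The JSON endpoint URL and the field names are assumptions for this
// illustration, not taken from the issue.
function lookupGeoSafe(string $ip): ?array
{
    $ctx = stream_context_create(['http' => ['timeout' => 3]]);
    $raw = @file_get_contents('https://www.geoplugin.net/json.gp?ip=' . urlencode($ip), false, $ctx);
    if ($raw === false) {
        return null;
    }
    $data = json_decode($raw, true, 8);
    if (!is_array($data)) {          // invalid JSON or unexpected top-level type
        return null;
    }
    $out = [];
    // Hypothetical field names; one pattern per field so a bad value is dropped, not stored.
    $expected = [
        'geoplugin_countryCode'  => '/^[A-Z]{2}$/',
        'geoplugin_currencyCode' => '/^[A-Z]{3}$/',
    ];
    foreach ($expected as $key => $pattern) {
        if (isset($data[$key]) && is_string($data[$key]) && preg_match($pattern, $data[$key])) {
            $out[$key] = $data[$key];
        }
    }
    return $out;
}
```

If the serialized format cannot be dropped immediately, `unserialize($raw, ['allowed_classes' => false])` (PHP 7.0+) at least refuses to instantiate any class, turning embedded objects into `__PHP_Incomplete_Class`; JSON over TLS with field validation remains the actual fix.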

@turbo124
Member

turbo124 commented Jun 3, 2021

We would recommend that people update to 4.5.

No one should be using 4.3

@turbo124 turbo124 closed this as completed Jun 3, 2021
@turbo124 turbo124 added question and removed triage labels Jun 3, 2021
@ropwareJB
Author

Thanks @turbo124, probably should just make my intent more clear - the commented-out code should not be re-introduced as-is.

@turbo124
Member

turbo124 commented Jun 4, 2021

@montycarlo
Thanks for this, we actually referenced this in V5... I'll disable the code there and reevaluate this part.

@ropwareJB
Author

The Common Vulnerabilities and Exposures (CVE) Program has assigned the ID CVE-2021-33898 to this issue. This is a record on the CVE List, which standardizes names for security problems.

@ropwareJB ropwareJB changed the title Insecure deserialization versions <= 4.3.1 [CVE-2021-33898] Insecure deserialization versions <= 4.3.1 Jun 7, 2021
@hillelcoren
Member

hillelcoren commented Jun 7, 2021

Thank you for reporting this, but do you think it's helpful to create CVE issues for previous versions of software? If it were done for all issues, wouldn't it create more noise than signal? I'm asking because I believe these issues may make our software look insecure when in fact it isn't.

For more context, v4.3.1 was released on Apr 9, 2018 and v4.4.0 on Apr 24, 2018.

https://github.com/invoiceninja/invoiceninja/releases/tag/v4.3.1
