Security Issue in msgpack #56
Comments
Is CVE-2021-23410 an actual vulnerability? I've tested this PoC, but the PoC just runs

```javascript
var assert = require('assert');
var msgpack = require('msgpack');

function sleep(ms) {
    return new Promise((resolve) => {
        setTimeout(resolve, ms);
    });
}

async function init() {
    var normal = { "a": 1, "b": 2, "c": [1, 2, 3] };
    var malicious = msgpack.pack({
        // The trailing "()" invokes this function immediately, while the
        // object literal is being built, i.e. before msgpack.pack is called.
        exploit: function () {
            // Note(by @azu): This PoC just runs child_process.exec
            // It is not related to msgpack
            require('child_process').exec('echo code_executed!;sleep 3', function (error, stdout, stderr) {
                console.log(stdout);
            });
        }(),
    });
    var rce = msgpack.unpack(malicious);
    assert.deepEqual(rce, normal);
}

init();
```

I think that it is not a vulnerability of
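To make the evaluation-order argument from the comment above concrete, here is an added example that is not part of the issue thread and does not use the msgpack module itself: `fakePack`/`fakeUnpack` are assumed stand-ins for `msgpack.pack`/`msgpack.unpack` built on a JSON round-trip, which is enough to show that the `function () { ... }()` body runs while the object literal is evaluated, before any serializer is called, and that function values never come back out of a deserializer.

```javascript
// Added example (not from the issue thread): traces the evaluation order
// behind the PoC. fakePack/fakeUnpack are assumed stand-ins for
// msgpack.pack/unpack; a JSON round-trip is enough to show the point.
const trace = [];

function fakePack(obj) {
  trace.push('pack called');
  return JSON.stringify(obj);
}

function fakeUnpack(str) {
  trace.push('unpack called');
  return JSON.parse(str);
}

// Same shape as the PoC payload: the trailing "()" invokes the function
// immediately while the object literal is being evaluated, so its body
// runs in the caller's own process before any serializer sees the object.
function buildPocPayload() {
  return {
    exploit: function () {
      trace.push('function body ran');
      // The PoC spawns a child process here; it would happen at this same
      // point, before pack() is ever called, regardless of the serializer.
    }(),
  };
}

function runPoc() {
  trace.length = 0;
  const payload = buildPocPayload();
  const packed = fakePack(payload);
  const unpacked = fakeUnpack(packed);
  return {
    order: trace.slice(),            // ['function body ran', 'pack called', 'unpack called']
    exploitValue: payload.exploit,   // undefined: the IIFE returned nothing
    unpackedKeys: Object.keys(unpacked),
  };
}

// Contrast: a function that is NOT invoked is simply dropped by the
// serializer, so an unpacked object can never contain executable code.
function functionSurvivesRoundTrip() {
  const roundTripped = fakeUnpack(fakePack({ f: function () { return 1; } }));
  return typeof roundTripped.f === 'function';
}

console.log(runPoc());
console.log('function survives round trip:', functionSurvivesRoundTrip());
```

When triaging a PoC like this, the check that matters is the first entry in `order`: the "exploit" ran before `pack` was called, so the serializer was never involved. With the real msgpack module the `undefined` value may be encoded as nil rather than dropped, but either way the unpacked result is plain data.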
I agree with @azu. CVE-2021-23410 is not a vulnerability of this module. I've requested the rejection of CVE-2021-23410 via https://cveform.mitre.org/ (description: https://gist.github.com/gfx/230010980c04415bb602afdfd5165ed8 ). FWIW, I had received an email from Snyk with almost the same PoC for
Hi @azu,

Thanks for your efforts in investigating this vulnerability. Unfortunately, this

As we do handle a large volume of disclosures from researchers, communicate with many maintainers, and generally verify them correctly, unfortunately, we occasionally make oversights like these. However, we'll aim to use this as a case study to improve our verification process further and to avoid future situations like these.

On @gfx's comment, yes, we agreed with your view, which was why there was never any advisory published for

Feel free to reach out if you have any follow-ups to this.

Best,
Hello, @colin-ife-snyk! Thanks for rejecting CVE-2021-23410, but seemingly the CVE is still active in the GitHub Advisory Database. Would you mind investigating how to revoke the entry in the GitHub Advisory Database? Thanks in advance.
No problem @gfx. Contacted GitHub Support asking them to revoke the GitHub advisory and cc'ed yourself and @godsflaw.
Thank you very much! I appreciate it.
Hi,

A security issue was recently disclosed to us regarding msgpack. We have sent two emails to the main contributors of this repository but have received no replies. Please get in touch as soon as you can, as we are likely to publish this advisory in the coming weeks if we do not hear back from you.

Best,
Snyk Security Team