Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2019-9834 #5800

Closed
bpottier opened this issue Apr 4, 2019 · 4 comments
Closed

CVE-2019-9834 #5800

bpottier opened this issue Apr 4, 2019 · 4 comments

Comments

@bpottier
Copy link

bpottier commented Apr 4, 2019

We're running your nightly release (v1.14.0-rc0-20-nightly). Has this issue been addressed already? I couldn't find another issue about this cve.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9834

@Ferroin
Copy link
Member

Ferroin commented Apr 4, 2019

AFAIK, it has not been fixed.

Note, however, that:

  • It only affects client systems, not the servers (there is no way to use this to compromise the Netdata software on the monitored system unless there are other bugs in the web server component of Netdata which could already be remotely compromised by much simpler mechanisms).
  • It can't be initiated without user interaction. You have to explicitly load a malicious snapshot to be affected by this. It's reasonably likely you aren't using the snapshot feature (most people don't), so you just have to watch out for the usual social engineering attacks typically used to get people to open malicious files.

@bpottier
Copy link
Author

bpottier commented Apr 4, 2019

Okay. Thanks!

@hmh
Copy link

hmh commented Jul 12, 2019

This is related to #5652

@hmh
Copy link

hmh commented Jul 12, 2019

In #5652, @cakrit said:

We should have written more here. We went into great detail regarding this and we really can't prevent it. It's why the statement "Snapshot files contain both data and javascript code. Make sure you trust the files you import!" is right next to the Import button. We can make the font bigger/use a different colour, or throw an alert each time, but not much more than that. The responsibility rests with the user to import a trusted file.

Repeating the information here for the benefit of those landing on this issue from links elsewhere.

@cakrit cakrit added the wontfix label Jul 13, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

5 participants