Incorrect commits for CVE-2018-3713? #117
Comments
I think CVE-2018-3713 is quite tricky, and I vaguely remember going through a similar process to the one you describe. So let me first state that I agree with your date matching for the initial fix, and I also think that patch was sufficient, since both relative and absolute paths seemed to be handled safely after the patch. But the path-sanitization used in that project is not 100% best practice, so I wouldn't be surprised if I am simply failing to see a bypass vector. The reason I have settled for the later commit, despite the date matching, is that it is a path-sanitization patch that satisfies the version in the advisory for CVE-2018-3713: I would prefer that the data in this repository aligns with the official advisory information and that it does not diverge because of a lacking ability to spot bypasses.
Humm I think I understand the history of vulnerabilities:
What I understand, though I am not completely sure, is that the HTTP server could be executed like that:
Eric
Bravo! So the takeaway is that we have two kinds of implementation problems:
And then we have the advisory for CVE-2018-3713 that says v1.4.5 is the safe version, despite the implementation still containing the "logic error" security problem, which is finally fixed by simonh1000/angular-http-server@34d4bd0. The next version bump after that commit appears to be v1.6.
https://github.com/ossf-cve-benchmark/ossf-cve-benchmark/blob/f8938834deadde6ffcb2701a2fa62b0a846f0b1b/docs/benchmark-CVEs.md#complete-benchmark-cves has a rather puritan view of this problem:
I think that the logic error counts as "relevant" in this case, so I think the complete solution is:
Do you agree? Meta:
I agree,
Yes, please. We probably also need to change the weakness locations.
I have put in a request.
The CVE update request is tracked separately. I am keeping this issue closed.
The CVE has been updated. |
For CVE-2018-3713, the pre/post patch commits seem incorrect:
The path traversal attack works (/etc/passwd is disclosed) on this commit. The path traversal attack doesn't work anymore on this commit.
On HackerOne, the vulnerability was reported on Jan 25, 2018; the maintainer fixed it on Jan 27, 2018 and strengthened the fix several months later.