
[CVE-2019-1010260] [SECURITY] Resolve dependencies over HTTPS instead of HTTP #332

Merged
merged 2 commits into from Jan 31, 2019

JLLeitschuh (Contributor) commented Jan 28, 2019

Before this change, all the repositories that have been used to resolve rulesets have downloaded those rulesets over HTTP instead of HTTPS. This leaves the user wide open to system compromise via a Man In The Middle (MITM) attack. This isn't just theoretical; POC code exists already.

See:

I will file for a CVE number after this is merged and a release has been published.

This vulnerability has a CVSS v3.0 Base Score of 8.1

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
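As an added illustration of the policy this PR adopts (example code written for this page, not code from ktlint or from the PR itself): a repository-URL audit that classifies each configured repository and fails closed before any artifact is fetched. The repository URLs are constructed samples, not the project's real configuration.

```python
from urllib.parse import urlsplit

# Constructed sample of repository URLs, modelled on the Maven-style
# repositories a ruleset resolver consults; not taken from ktlint.
SAMPLE_REPOSITORIES = [
    "http://repo.example.org/maven2",        # plaintext: exposed to MITM
    "https://repo.example.org/maven2",       # TLS: server is authenticated
    "HTTP://mirror.example.net/maven2",      # scheme is case-insensitive
    "file:///home/ci/.m2/repository",        # local, never crosses the network
    "repo.example.org/maven2",               # no scheme: ambiguous, reject
]

INSECURE_SCHEMES = {"http", "ftp"}
NETWORK_SAFE_SCHEMES = {"https"}
LOCAL_SCHEMES = {"file"}


def classify_repository(url: str) -> str:
    """Return 'secure', 'local', 'insecure' or 'invalid' for one repository URL."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme in NETWORK_SAFE_SCHEMES and parts.netloc:
        return "secure"
    if scheme in LOCAL_SCHEMES:
        return "local"
    if scheme in INSECURE_SCHEMES:
        return "insecure"
    return "invalid"


def audit_repositories(urls):
    """Map each URL to its classification so the whole list can be reviewed."""
    return {url: classify_repository(url) for url in urls}


def enforce_https(urls):
    """Fail closed: raise before anything is downloaded if any repository is not
    reachable over an authenticated channel. A .sha1 sidecar fetched over the
    same plaintext connection adds no authenticity, so checksums alone do not
    rescue an http:// repository. No http->https rewriting is attempted here;
    the fix belongs in configuration, where a human can confirm the mirror."""
    offending = [u for u in urls if classify_repository(u) in ("insecure", "invalid")]
    if offending:
        raise ValueError("refusing to resolve from: " + ", ".join(offending))
    return list(urls)


if __name__ == "__main__":
    for url, verdict in audit_repositories(SAMPLE_REPOSITORIES).items():
        print(f"{verdict:9s} {url}")
    try:
        enforce_https(SAMPLE_REPOSITORIES)
    except ValueError as err:
        print(err)
```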

SamCarlberg (Contributor) left a comment

Grammar

Apply suggestions from code review
Co-Authored-By: JLLeitschuh <jonathan.leitschuh@gmail.com>
JLLeitschuh (Contributor, Author) commented Jan 28, 2019

Thanks @SamCarlberg!

@shyiko shyiko merged commit 5e547b2 into pinterest:master Jan 31, 2019

shyiko (Collaborator) commented Jan 31, 2019

🙇

JLLeitschuh (Contributor, Author) commented Jan 31, 2019

shyiko added a commit that referenced this pull request Feb 4, 2019

JLLeitschuh (Contributor, Author) commented Feb 19, 2019

This has been given a CVE number: CVE-2019-1000034

JLLeitschuh (Contributor, Author) commented Mar 28, 2019

Hi @pinterest,
This never got a CVE number assigned to it because the maintainer trying to issue the report got busy: CVEProject/cvelist#1609 (comment)

Do you want me to re-submit for the CVE number or is Pinterest a CNA?

devinlundberg commented Mar 29, 2019

Pinterest is not a CNA so feel free to resubmit.

JLLeitschuh (Contributor, Author) commented Apr 2, 2019

We have a reserved CVE for this vulnerability. Details should be posted there shortly (hopefully).

It seems that, with the DWF (Distributed Weakness Filing) having been shut down, MITRE has a bit of a backlog to chew through.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010260

JLLeitschuh changed the title [SECURITY] Resolve dependencies over HTTPS instead of HTTP [CVE-2019-1010260] [SECURITY] Resolve dependencies over HTTPS instead of HTTP Apr 2, 2019
