pouchdb.js being flagged as potential malware #8521
Comments
I continued iterating with the release versions. It is not individual file hashes that trigger the alert but it is this function: Lines 7998 to 8022 in 2e2aa6c
If I remove that function from v7.3.0 it is not flagged as an exploit anymore.
I have submitted a report to ClamAV at https://www.clamav.net/reports/fp, linking back to this GitHub issue.
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days
This still seems to be an issue today:

```
$ docker run --rm -it clamav/clamav /bin/ash
/ # wget https://github.com/pouchdb/pouchdb/releases/download/7.3.0/pouchdb-7.3.0.js
Connecting to github.com (140.82.121.3:443)
Connecting to objects.githubusercontent.com (185.199.111.133:443)
saving to 'pouchdb-7.3.0.js'
pouchdb-7.3.0.js 100% |****************************************************************************************************************| 366k 0:00:00 ETA
'pouchdb-7.3.0.js' saved
/ # clamscan --detect-pua=yes pouchdb-7.3.0.js
Loading: 17s, ETA: 0s [========================>] 8.64M/8.64M sigs
Compiling: 4s, ETA: 0s [========================>] 41/41 tasks
/pouchdb-7.3.0.js: PUA.Html.Exploit.CVE_2012_0469-1 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 8643702
Engine version: 0.105.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.69 MB
Data read: 0.36 MB (ratio 1.93:1)
Time: 23.281 sec (0 m 23 s)
Start Date: 2022:08:16 05:29:27
End Date: 2022:08:16 05:29:50
```

I submitted a false positive report again to https://www.clamav.net/reports/fp.
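A triage step for scan output like the session above, added here as an example and not part of the thread or of ClamAV: it groups `clamscan` verdict lines by signature, separates `PUA.`-prefixed detections for review, and checks the hit count against the summary. The sample output is constructed apart from the one verdict quoted above; the `triage` function and its bucket names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in clamscan's output format. The first verdict is the one
# quoted in the thread; the other paths and the non-PUA signature are made up.
SAMPLE = """\
/pouchdb-7.3.0.js: PUA.Html.Exploit.CVE_2012_0469-1 FOUND
/builds/app: bundle.js: PUA.Html.Exploit.CVE_2012_0469-1 FOUND
/vendor/example.js: OK
/tmp/constructed.bin: Constructed.Test.Signature-1 FOUND
----------- SCAN SUMMARY -----------
Scanned files: 4
Infected files: 3
"""

# Greedy path match so a ": " inside a file name does not split the line early.
VERDICT = re.compile(r"^(?P<path>.+): (?:(?P<sig>\S+) FOUND|OK)$")
INFECTED = re.compile(r"^Infected files: (?P<n>\d+)$")

def triage(output):
    """Group clamscan verdicts into PUA-class hits, other hits and clean files."""
    result = {"pua": defaultdict(list), "other": defaultdict(list),
              "clean": [], "reported_infected": None}
    for line in output.splitlines():
        line = line.strip()
        m = INFECTED.match(line)
        if m:
            result["reported_infected"] = int(m.group("n"))
            continue
        m = VERDICT.match(line)
        if not m:
            continue  # progress bars, banner and other summary lines
        if m.group("sig") is None:
            result["clean"].append(m.group("path"))
        else:
            # PUA signatures are only loaded with --detect-pua=yes and carry a "PUA." prefix.
            bucket = "pua" if m.group("sig").startswith("PUA.") else "other"
            result[bucket][m.group("sig")].append(m.group("path"))
    hits = sum(len(p) for b in ("pua", "other") for p in result[b].values())
    # A mismatch means the captured output was truncated or a line was not parsed.
    result["complete"] = result["reported_infected"] == hits
    return result

if __name__ == "__main__":
    r = triage(SAMPLE)
    for sig, paths in r["pua"].items():
        print("review (PUA):", sig, paths)
    for sig, paths in r["other"].items():
        print("block:", sig, paths)
    print("output complete:", r["complete"])
```

Grouping by signature name makes it visible when many files share one PUA detection, which is the pattern reported here across PouchDB releases and bundles that include it.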
FYI, the web console used by the WildFly application server uses pouchdb, and @tsaarni was kind enough to point out this issue to us at https://issues.redhat.com/browse/WFLY-16823. I asked some folks in the security team at Red Hat to have a look and they agree this is a false positive. They provided further information on what causes the false positive:
That line they mention is in the method that tsaarni identified.
Issue
ClamAV currently flags the `pouchdb.js` file as potential malware by alerting about the following finding: `PUA.Html.Exploit.CVE_2012_0469-1` (PUA = Potentially Unwanted Applications).

It seems that the SHA256 of that file has been reported to the ClamAV fingerprint database. While trying to iterate which versions, it seems that a large number of files have been reported: at least PouchDB versions from 6.1.1 to the latest release 7.3.0 are all flagged. We also see some combined and minified files being reported where `pouchdb.js` is included (releases of the WildFly Management console (hal-console)).

This seems an obvious false positive, since CVE-2012-0469 from year 2012 is about a bug in Mozilla Firefox, Thunderbird and SeaMonkey. These versions are ancient and have not been in use for many, many years. So even in the unlikely scenario that modern software would contain an exploit, it would not be effective anymore. That vulnerability is explained in detail here (archive.org). The topic does deal with the IDB API, which really seems to be used by PouchDB.
I would kindly like to ask your analysis on the issue.
There seems to be a website to report false positives https://www.clamav.net/reports/fp. I have not tried to report the problem there yet.
Thank you for your help!
Reproduce