
Github considers bootstrap 3.4.0 as insecure #27915

Closed
GeyseR opened this Issue Dec 23, 2018 · 19 comments

8 participants
@GeyseR

commented Dec 23, 2018

Github considers Bootstrap 3.4.0 an insecure dependency via its security vulnerability alerts tool. It points to the NVD CVE-2018-14041 page, which shows that only >4.1.2 is secure. Is 3.4.0 safe to use, as it has a fix for the npm:bootstrap:20160627 vulnerability, or is it something different?

A screenshot from one of our private projects:

image

@GeyseR GeyseR changed the title Github consider bootstrap 3.4.0 as insecure Github considers bootstrap 3.4.0 as insecure Dec 23, 2018

@XhmikosR

Member

commented Dec 23, 2018

I guess someone should submit info that this was also fixed in 3.4.0.

@twbs twbs deleted a comment from GeyseR Dec 24, 2018

@bardiharborow bardiharborow self-assigned this Dec 24, 2018

@bardiharborow

Member

commented Dec 24, 2018

I've sent this off to NIST, who I believe is the responsible party for vulnerable version information:

I'm writing to inform you that the fix for CVE-2018-14041 has been cherry-picked into the Bootstrap v3.4.0 release. The vulnerable versions are now represented by (x < 3.4.0 || 4.0.0-alpha <= x < 4.1.2). You may verify my identity against <https://github.com/orgs/twbs/people> and the fix against <https://github.com/twbs/bootstrap/releases/tag/v3.4.0> and <#27047>. This is my first interaction with your registry, so my apologies if this enquiry is misplaced. Thank you for your time.

@XhmikosR

Member

commented Dec 24, 2018

Thanks @bardiharborow, let us know how it goes.

@XhmikosR

Member

commented Dec 28, 2018

Does GitHub still warn about this?

@bardiharborow

Member

commented Dec 29, 2018

NIST got back to me 9 hours ago with:

Thank you for bringing this to our attention. We appreciate community input in order to provide the most accurate and up-to-date information as possible. After review of the CVEs, the information provided, and the configurations we have made the appropriate modifications. Please allow up to 24 hours for these changes to populate on the website and in the data feeds.

@XhmikosR, do you know why https://snyk.io/vuln/npm:bootstrap:20160627 says < 4.0.0-beta.2 whereas NIST says < 4.1.2? I can see that #23679 was merged in 4.0.0-beta.2, so I'm not sure where NIST got 4.1.2 from...

@XhmikosR

Member

commented Dec 29, 2018

@bardiharborow: nope. I don't know where they get the info from. One of the two is wrong :P

@xhocquet


commented Jan 3, 2019

Hey there, hoping to get an additional update added here.

A member of the Debian LTS team checked out earlier versions of bootstrap (one of which we are using) and declared it did not contain the vulnerability: #26627 (comment)

Compare that to the current vulnerability entry: https://nvd.nist.gov/vuln/detail/CVE-2018-14041#VulnChangeHistorySection

Specifically, my company is still using 3.3.7 and is not prepared to upgrade. Github's vulnerability tracker uses this database to notify us that our project is insecure; however, based on what I've seen, that is not the case.

If a member of the team could confirm the statement by the Debian team member, as well as contact cpe_dictionary@nist.gov regarding any updates, I'm sure many developers would appreciate removing a warning from their Github repos and other security auditing tools using this database.

@XhmikosR

Member

commented Jan 3, 2019

3.3.7 is affected. 3.4.0 is not.

@wolfy1339

Contributor

commented Jan 3, 2019

I have some more info for you guys: Snyk seems to get their info from the CVE database at https://cve.mitre.org, so they need to be contacted as well.
Here is their page that explains how to request an update: https://cve.mitre.org/cve/update_cve_entries.html

@divyanshugrover


commented Jan 7, 2019

https://nvd.nist.gov/vuln/detail/CVE-2018-14040 and https://nvd.nist.gov/vuln/detail/CVE-2018-14042 still show bootstrap 3.4.0 as affected, but I can see the updated changes for https://nvd.nist.gov/vuln/detail/CVE-2018-14041.
I can also see in #27047 that fixes for 14040 and 14042 were included in the v3.4.0-dev branch, which ended up in the release branch for 3.4.0.

If the above is correct, @bardiharborow can you please intimate the same to NIST for 14040 and 14042 as well. Thanks!

@bardiharborow

Member

commented Jan 8, 2019

Okay, I've worked out what's happening here:

@Johann-S are you perhaps able to confirm that the patches which have not been backwards or forwards ported do not need to be?

@XhmikosR XhmikosR removed the awaiting reply label Jan 8, 2019

@XhmikosR XhmikosR pinned this issue Jan 8, 2019

@Johann-S

Member

commented Jan 8, 2019

Hi @bardiharborow

  • CVE-2018-14041 wasn't back-ported because there is no XSS in v3 (see: https://jsbin.com/kicedoniya/edit?html,output which uses v3.3.7) and there was one in v4
  • Tooltip data-viewport not forward-ported because this option does not exist in v4
  • Affix config target not forward-ported because the Affix plugin does not exist in v4

@bardiharborow

Member

commented Jan 8, 2019

Email to NIST:

Due to confusion between six related vulnerabilities, my previous advisory was issued against an incorrect CVE number and needs to be retracted. My sincere apologies. The following reflects my audit of the repository history this morning:

  • CVE-2018-14040 (collapse data-parent) was fixed in v4.1.2 by 1490960, and back-ported to v3.4.0 by 2a5ba23. It therefore affects versions (x < 3.4.0 || 4.0.0-alpha <= x < 4.1.2).
  • CVE-2018-14041 (scrollspy data-target) was fixed in v4.1.2 by cc61edf, and not back-ported because it does not affect the v3 line. It therefore affects versions (4.0.0-alpha <= x < 4.1.2).
  • CVE-2018-14042 (tooltip data-container) was fixed in v4.1.2 by 2d90d36, back-ported to v3.4.0 by 2a5ba23. It therefore affects versions (x < 3.4.0 || 4.0.0-alpha <= x < 4.1.2).

Bootstrap is affected by three additional related vulnerabilities not tracked by the CVE system. Further information is linked from #27915 (comment). Should these be tracked by separate CVE numbers, and if so who do I need to notify for this?
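The affected-version ranges in the email above are easy to misread once prerelease tags are involved (4.0.0-alpha sorts below 4.0.0, and a bare 3.3.7 is below 3.4.0 but outside the v4 window). The following is an added example, not code from the Bootstrap project or from anyone in this thread: a dependency-free SemVer comparator plus a lookup that reports which of the three CVEs apply to a pinned Bootstrap version, encoding exactly the ranges stated in bardiharborow's corrected advisory. It takes those ranges as given and does not resolve the Snyk (< 4.0.0-beta.2) versus NVD (< 4.1.2) discrepancy discussed earlier in the thread.

```javascript
// Added example (not Bootstrap project code): check a pinned Bootstrap version
// against the affected ranges stated in the corrected advisory above.

// Parse "v3.4.0", "4.0.0-beta.2", "3.4.0-dev" into comparable parts.
// Build metadata ("+...") is not handled; the thread never uses it.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a SemVer version: ${v}`);
  return {
    main: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : null, // null means a final release
  };
}

// SemVer prerelease identifier ordering: numeric < alphanumeric, numeric compared as numbers.
function compareIdentifiers(a, b) {
  const an = /^\d+$/.test(a);
  const bn = /^\d+$/.test(b);
  if (an && bn) return Math.sign(Number(a) - Number(b));
  if (an) return -1;
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1 following SemVer precedence rules.
function compareVersions(x, y) {
  const a = parseVersion(x);
  const b = parseVersion(y);
  for (let i = 0; i < 3; i++) {
    if (a.main[i] !== b.main[i]) return a.main[i] < b.main[i] ? -1 : 1;
  }
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;  // a final release outranks any prerelease of the same triple
  if (!b.pre) return -1;
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    if (a.pre[i] === undefined) return -1; // fewer prerelease fields sorts lower
    if (b.pre[i] === undefined) return 1;
    const c = compareIdentifiers(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return 0;
}

const lt = (a, b) => compareVersions(a, b) < 0;
const gte = (a, b) => compareVersions(a, b) >= 0;

// The two range shapes used in the advisory, written out as predicates.
const v3AndV4 = v => lt(v, '3.4.0') || (gte(v, '4.0.0-alpha') && lt(v, '4.1.2'));
const v4Only = v => gte(v, '4.0.0-alpha') && lt(v, '4.1.2');

// Ranges exactly as stated in the thread; nothing here is independently verified.
const ADVISORIES = {
  'CVE-2018-14040': { component: 'collapse data-parent', affected: v3AndV4 },
  'CVE-2018-14041': { component: 'scrollspy data-target', affected: v4Only },
  'CVE-2018-14042': { component: 'tooltip data-container', affected: v3AndV4 },
};

// Return the CVE ids whose stated range contains the given version.
function affectedCves(version) {
  return Object.entries(ADVISORIES)
    .filter(([, adv]) => adv.affected(version))
    .map(([id]) => id);
}

// Constructed sample of pins a dependency audit might encounter.
for (const v of ['3.3.7', '3.4.0', '4.0.0-beta.2', '4.1.1', '4.1.2']) {
  const hits = affectedCves(v);
  console.log(`${v}: ${hits.length ? hits.join(', ') : 'not affected per stated ranges'}`);
}

module.exports = { parseVersion, compareVersions, affectedCves, ADVISORIES };
```

Under these ranges 3.3.7 is flagged for CVE-2018-14040 and CVE-2018-14042 only, which matches XhmikosR's "3.3.7 is affected. 3.4.0 is not." and Johann-S's note that the scrollspy issue never existed in v3; a `3.4.0-dev` pin still sorts below `3.4.0` and is therefore reported as affected, which is the correct conservative answer for a prerelease build.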

@bardiharborow

Member

commented Jan 9, 2019

I have coordinated with MITRE to issue three new CVEs as above, and have edited a number of pull requests to make clear which CVEs are involved in which. I'm waiting for confirmation from NIST/NVD on a few things, and then will be in touch with Snyk to sort out their database.

@XhmikosR

Member

commented Feb 2, 2019

@bardiharborow: is this sorted out?

@bardiharborow

Member

commented Feb 2, 2019

I still need to confirm that GitHub has updated their database. Perhaps @GeyseR could check on their end?

@GeyseR

Author

commented Feb 3, 2019

hey @bardiharborow,
the only thing I can confirm is that the initial alert has disappeared from our repositories.
I've contacted GitHub support several times after the update in the NIST database, so I'm not sure whether this issue was resolved globally in GitHub.
Thanks for your help, btw

@XhmikosR

Member

commented Feb 4, 2019

OK, so I guess we can close this for now. If it's not fixed, let us know with a comment.

@XhmikosR XhmikosR closed this Feb 4, 2019

@XhmikosR XhmikosR unpinned this issue Feb 4, 2019
