Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

High Severity Security vulnerability with package #34

Open
charlieTheBotDev opened this issue Feb 17, 2021 · 20 comments
Open

High Severity Security vulnerability with package #34

charlieTheBotDev opened this issue Feb 17, 2021 · 20 comments

Comments

@charlieTheBotDev
Copy link

Issue picked up and reported in Snyk: https://snyk.io/vuln/SNYK-JS-STATICEVAL-1056765

@SymbioticKilla
Copy link

@goto-bus-stop can it be fixed? Thanks!

@goto-bus-stop
Copy link
Member

It's a false positive.

@andyedwardsibm
Copy link

Could you elaborate on that a bit? Snyk have a PoC at https://snyk.io/vuln/SNYK-JS-STATICEVAL-1056765 ...

var evaluate = require('static-eval');
var parse = require('esprima').parse;

var src="(function (x) { return `${eval(\"console.log(global.process.mainModule.constructor._load('child_process').execSync('ls').toString())\")}` })()"
var ast = parse(src).body[0].expression;
evaluate(ast)

... and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23334 has been raised for it

@goto-bus-stop
Copy link
Member

goto-bus-stop commented Feb 17, 2021

I see, I thought it was the same as this: 418sec/huntr#1883. That PR had omitted the quotes.

It looks like the snyk one is more valid, but still, essentially expected behaviour as documented in our readme. https://github.com/browserify/static-eval#security

@cgonzalezp91
Copy link

This issue is also in NVD-CVE-2021-23334.
It’s giving some hard times to other libraries, in my case, pdfmake, it’s a high vulnerability issue reported by npm and it’s being blocked by systems that handle this type of package.

Any workaround that we can use or possibly for a solution?

@goto-bus-stop
Copy link
Member

i emailed snyk and they said they would revoke the CVE. i'm not sure how that works, so it might take a few days.

@cakenyo
Copy link

cakenyo commented Mar 28, 2021

Any more info about the CVE revoke?

@SymbioticKilla
Copy link

Is already revoked. WhiteSource at least doesn't show it as CVE anymore.

@carnil
Copy link

carnil commented Mar 28, 2021

@SymbioticKilla But I guess it was not officially asked for REJECT to the assigning CNA? According to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23334 the assigning CNA was "Snyk", so if the issue turns out to be a non-security issue and the CVE invalid the respective CNA would need to reject the entry.

@namtx
Copy link

namtx commented Apr 20, 2021

Do we have any update?

@Garbee
Copy link

Garbee commented Apr 29, 2021

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1071860

Snyk has updated their own system reflecting that this was deemed not an issue. However, it has yet to get up to the CVE database to get revoked/amended. I just tweeted at Snyk to see how long that process normally takes. I doubt I'll hear anything, but... Best way to seem to get in touch with something like this.

@snoopysecurity
Copy link

snoopysecurity commented Apr 29, 2021

Hey @Garbee, thanks for raising this issue, yep i agree, anything going into evaluate should not be trusted and is not the responsibility of the maintainer sanitise user input. This was added by Snyk by mistake, apologies for the spam. I will revoke the CVE and mark any Snyk references as False positive. (Expect this change in the next 24 hours)

@alasdairhurst
Copy link

alasdairhurst commented Apr 30, 2021

Doesn't look like the CVE database maintainers poll updates to existing issues that are revoked unfortunately :(

I sent a report last month for the CVE database and didn't hear back. maybe someone else will be luckier.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23334
you will need to post a request here asking for a CVE update and then asking the CVE to be revoked.
https://cveform.mitre.org/

@snoopysecurity
Copy link

snoopysecurity commented Jun 24, 2021

Hey, after contacting MITRE through multiple channels, CVE-2021-23334 has been marked as rejected/revoked. Hope this helps. This issue can be closed

@SymbioticKilla
Copy link

npm audit from today =(

Critical Withdrawn: Arbitrary Code Execution in static-eval

Package static-eval

Patched in No patch available

Dependency of @amcharts/amcharts4

Path @amcharts/amcharts4 > pdfmake > svg-to-pdfkit > pdfkit >
linebreak > brfs > static-module > static-eval

@leonardomaier
Copy link

npm audit from today =(

Critical Withdrawn: Arbitrary Code Execution in static-eval

Package static-eval

Patched in No patch available

Dependency of @amcharts/amcharts4

Path @amcharts/amcharts4 > pdfmake > svg-to-pdfkit > pdfkit > linebreak > brfs > static-module > static-eval

Same problem here =(

@kmannislands
Copy link

For those commenting about failing npm/yarn audits suddenly today, I suspect this has to do with the background change to the npm advisories database which now points to the github advisories db: https://github.blog/2021-10-07-github-advisory-database-now-powers-npm-audit/

Not sure what to do with this info yet but an fyi @leonardomaier @SymbioticKilla

@JingBluestone
Copy link

npm audit from today =(

Critical Withdrawn: Arbitrary Code Execution in static-eval

Package static-eval

Patched in No patch available

Dependency of @amcharts/amcharts4

Path @amcharts/amcharts4 > pdfmake > svg-to-pdfkit > pdfkit > linebreak > brfs > static-module > static-eval

Same issue here also. Any update?

@goto-bus-stop
Copy link
Member

this package is very stable and the only maintenance effort is in dealing with bogus security warnings. idk why npm doesn't just allow you to silence warnings that are clearly bullshit instead of forcing us to do useless work. i guess i'll email them about this one…

@DarthVitalus
Copy link

for folks who use auditjs: use whitelisting

  1. just add a file auditjs.json to your folder, where you run auditjs command with the following content:
    { "ignore": [ { "id": "CVE-2021-23334", "reason": "any reason you want" } ] }

  2. run audit command: npx auditjs ossi --whitelist /path/to/file/auditjs.json

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests