Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🚨 Potential Violation of Secure Design Principles (CWE-657) #159

Open
huntr-helper opened this issue May 3, 2021 · 11 comments
Open

🚨 Potential Violation of Secure Design Principles (CWE-657) #159

huntr-helper opened this issue May 3, 2021 · 11 comments

Comments

@huntr-helper
Copy link

👋 Hello, @tjmehta - a potential high severity Violation of Secure Design Principles (CWE-657) vulnerability in your repository has been disclosed to us.

Next Steps

1️⃣ Visit https://huntr.dev/bounties/1-other-tjmehta/101 for more advisory information.

2️⃣ Sign-up to validate or speak to the researcher for more assistance.

3️⃣ Propose a patch or outsource it to our community - whoever fixes it gets paid.

✏️ NOTE: If we don't hear from you in 14 days, we will proactively source a fix for this vulnerability (and open a PR) to ensure community safety.

Confused or need more help?

  • Join us on our Discord and a member of our team will be happy to help! 🤗

  • Speak to a member of our team: @JamieSlome

This issue was automatically generated by huntr.dev - a bug bounty board for securing open source code.
@OmgImAlexis
Copy link

✏️ NOTE: If we don't hear from you in 14 days, we will proactively source a fix for this vulnerability (and open a PR) to ensure community safety.

@huntr-helper is there a PR to fix this?

@JamieSlome
Copy link

@OmgImAlexis - not yet!

@JamieSlome
Copy link

Do we have any updates on this?

@skarred14
Copy link

Any updates here?

This CVE is currently blocking our CI/CD: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25943

@adlawren
Copy link

adlawren commented Sep 8, 2021

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25943

Just wondering, are there any updates concerning this CVE?

@OmgImAlexis
Copy link

✏️ NOTE: If we don't hear from you in 14 days, we will proactively source a fix for this vulnerability (and open a PR) to ensure community safety.

@huntr-helper is there a PR to fix this?

@huntr-helper it's been way longer than 14 days. Still no PR. 😕

@OmgImAlexis
Copy link

NOTE: If we don't hear from you in 14 days, we will proactively source a fix for this vulnerability (and open a PR) to ensure community safety.

@huntr-helper are you going to open a PR for this? Is there anything we can do to help?

@JamieSlome
Copy link

@OmgImAlexis - it looks like no fixes have been submitted via our community.

I might recommend reaching out to @blindhacker99, who disclosed via our platform to see if they have any thoughts.

@OmgImAlexis
Copy link

✏️ NOTE: If we don't hear from you in 14 days, we will proactively source a fix for this vulnerability (and open a PR) to ensure community safety.

@JamieSlome might be worth removing this line from your issues then.

@JamieSlome
Copy link

@OmgImAlexis - this template has been entirely adjusted and does not follow this format anymore.

Thanks!

@blindhacker99
Copy link

Just a FYI there's a open PR is already there for keypather which also utilises the vulnerable set() method from 101. The maintainer hasn't merged the PR yet, looks he is not interested. Since keypather also utilises the vulnerable set() method from 101 so fixing it here would be effective fix.
@OmgImAlexis you can open a PR by replicating the same fix which is applied here. -tjmehta/keypather@c87c3c4

This was referenced Jan 5, 2022
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@adlawren @OmgImAlexis @skarred14 @JamieSlome @huntr-helper @blindhacker99