BSI-2022-0004

Vulnerability from csaf_certbund - Published: 2022-09-01 15:22 - Updated: 2023-03-15 21:00
Summary
Insufficient restrictions in validate functions of CSAF full validators

Notes

Legal disclaimer
As a content provider, BSI is responsible under general law for its own content distributed for use. However, it remains your responsibility to carefully check usage and/or implementation of information provided with the content.
The CSAF full validator implementations csaf-validator-lib and csaf-validator-service provided by the Secvisogram project are missing the validation of the provided test names. Updates are available.
Product description
csaf-validator-lib is a CSAF full validator written as a JavaScript library. It implements the business-level tests that can be shared across applications working with CSAF. csaf-validator-service is a REST-based service used to validate documents against the CSAF standard. It uses the csaf-validator-lib under the hood, which is included as a git subtree module.

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Damian Pfammatter"
        ],
        "organization": "Cyber-Defense Campus",
        "summary": "finding and reporting the vulnerabilities"
      }
    ],
    "aggregate_severity": {
      "text": "Medium"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "As a content provider, BSI is responsible under general law for its own content distributed for use. However, it remains your responsibility to carefully check usage and/or implementation of information provided with the content.",
        "title": "Legal disclaimer"
      },
      {
        "category": "summary",
        "text": "The CSAF full validator implementations csaf-validator-lib and csaf-validator-service provided by the Secvisogram project are missing the validation of the provided test names. Updates are available."
      },
      {
        "category": "description",
        "text": "csaf-validator-lib is a CSAF full validator written as a JavaScript library. It implements the business-level tests that can be shared across applications working with CSAF.\n\ncsaf-validator-service is a REST-based service used to validate documents against the CSAF standard. It uses the csaf-validator-lib under the hood, which is included as a git subtree module.",
        "title": "Product description"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "BSI-2022-0004 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/bsi-2022-0004.json"
      },
      {
        "category": "external",
        "summary": "Secvisogram - csaf-validator-lib repository",
        "url": "https://github.com/secvisogram/csaf-validator-lib"
      },
      {
        "category": "external",
        "summary": "Secvisogram - csaf-validator-service repository",
        "url": "https://github.com/secvisogram/csaf-validator-service"
      }
    ],
    "title": "Insufficient restrictions in validate functions of CSAF full validators",
    "tracking": {
      "current_release_date": "2023-03-15T21:00:00.000Z",
      "generator": {
        "date": "2023-03-15T20:55:59.580Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.0.0"
        }
      },
      "id": "BSI-2022-0004",
      "initial_release_date": "2022-09-01T15:22:00+02:00",
      "revision_history": [
        {
          "date": "2022-09-01T15:22:00+02:00",
          "number": "1",
          "summary": "Initial version."
        },
        {
          "date": "2022-12-22T06:00:00.000Z",
          "number": "2",
          "summary": "Add CVEs"
        },
        {
          "date": "2023-03-09T20:15:00.000Z",
          "number": "3",
          "summary": "Improve vulnerability notes"
        },
        {
          "date": "2023-03-15T21:00:00.000Z",
          "number": "4",
          "summary": "Update CVSS vectors and CWEs"
        }
      ],
      "status": "final",
      "version": "4"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c0.1.0",
                "product": {
                  "name": "Secvisogram csaf-validator-lib \u003c 0.1.0",
                  "product_id": "CSAFPID-0001"
                }
              },
              {
                "category": "product_version",
                "name": "0.1.0",
                "product": {
                  "name": "Secvisogram csaf-validator-lib 0.1.0",
                  "product_id": "CSAFPID-0002"
                }
              },
              {
                "category": "product_version",
                "name": "1.0.0",
                "product": {
                  "name": "Secvisogram csaf-validator-lib 1.0.0",
                  "product_id": "CSAFPID-0003"
                }
              },
              {
                "category": "product_version",
                "name": "1.0.1",
                "product": {
                  "name": "Secvisogram csaf-validator-lib 1.0.1",
                  "product_id": "CSAFPID-0004"
                }
              },
              {
                "category": "product_version",
                "name": "1.1.0",
                "product": {
                  "name": "Secvisogram csaf-validator-lib 1.1.0",
                  "product_id": "CSAFPID-0005"
                }
              },
              {
                "category": "product_version",
                "name": "1.2.0",
                "product": {
                  "name": "Secvisogram csaf-validator-lib 1.2.0",
                  "product_id": "CSAFPID-0006"
                }
              },
              {
                "category": "product_version",
                "name": "1.3.0",
                "product": {
                  "name": "Secvisogram csaf-validator-lib 1.3.0",
                  "product_id": "CSAFPID-0007"
                }
              }
            ],
            "category": "product_name",
            "name": "csaf-validator-lib"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c0.1.0",
                "product": {
                  "name": "Secvisogram csaf-validator-service \u003c 0.1.0",
                  "product_id": "CSAFPID-0008"
                }
              },
              {
                "category": "product_version",
                "name": "0.1.0",
                "product": {
                  "name": "Secvisogram csaf-validator-service 0.1.0",
                  "product_id": "CSAFPID-0009"
                }
              },
              {
                "category": "product_version",
                "name": "1.0.0",
                "product": {
                  "name": "Secvisogram csaf-validator-service 1.0.0",
                  "product_id": "CSAFPID-0010"
                }
              },
              {
                "category": "product_version",
                "name": "1.0.1",
                "product": {
                  "name": "Secvisogram csaf-validator-service 1.0.1",
                  "product_id": "CSAFPID-0011"
                }
              },
              {
                "category": "product_version",
                "name": "1.1.0",
                "product": {
                  "name": "Secvisogram csaf-validator-service 1.1.0",
                  "product_id": "CSAFPID-0012"
                }
              },
              {
                "category": "product_version",
                "name": "1.2.0",
                "product": {
                  "name": "Secvisogram csaf-validator-service 1.2.0",
                  "product_id": "CSAFPID-0013"
                }
              },
              {
                "category": "product_version",
                "name": "1.3.0",
                "product": {
                  "name": "Secvisogram csaf-validator-service 1.3.0",
                  "product_id": "CSAFPID-0014"
                }
              },
              {
                "category": "product_version",
                "name": "1.3.1",
                "product": {
                  "name": "Secvisogram csaf-validator-service 1.3.1",
                  "product_id": "CSAFPID-0015"
                }
              }
            ],
            "category": "product_name",
            "name": "csaf-validator-service"
          }
        ],
        "category": "vendor",
        "name": "Secvisogram"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-47924",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The `validate` function exposed by the csaf-validator-lib executes arbitrary functions that a caller passes via its arguments. These functions are not restricted to a trusted, predefined set of CSAF validation tests, so a caller that forwards untrusted test names or functions to `validate` can cause arbitrary code to run.",
          "title": "Vulnerability summary"
        },
        {
          "audience": "Developers that import the library",
          "category": "details",
          "text": "The library is designed to be extensible, so it must be able to execute test functions that are not defined in the library itself. However, executing caller-supplied functions by default without any check is a security problem.\nThis problem was addressed with a twofold approach:\n- The default behavior was changed to allow the execution of functions from the library only. If an unknown function is detected an error is thrown.\n- A new, documented way to extend the library was built in. It explicitly states the risk of arbitrary code execution and the need to check the function name before execution. See https://github.com/secvisogram/csaf-validator-lib#strict-mode for more details.",
          "title": "Vulnerability and remediation discussion"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004",
          "CSAFPID-0005",
          "CSAFPID-0006",
          "CSAFPID-0007"
        ],
        "known_affected": [
          "CSAFPID-0001"
        ],
        "recommended": [
          "CSAFPID-0007"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "Strict Mode of csaf-validator-lib",
          "url": "https://github.com/secvisogram/csaf-validator-lib#strict-mode"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to version 0.1.0 or later.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "exploitCodeMaturity": "PROOF_OF_CONCEPT",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "remediationLevel": "OFFICIAL_FIX",
            "reportConfidence": "CONFIRMED",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ],
      "title": "Arbitrary Code Execution using the validate function of csaf-validator-lib"
    },
    {
      "cve": "CVE-2022-47925",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "description",
          "text": "The `validate` JSON endpoint of the csaf-validator-service processes tests with unexpected names. Besides the valid test names defined in the csaf-validator-lib, the names of methods that all JavaScript objects inherit from `Object.prototype`, such as `constructor`, `toString` and `isPrototypeOf`, are also accepted and executed, because the supplied name is looked up without checking that it is one of the library's own tests. This insufficient validation of input might lead to unexpected behavior in the application.",
          "title": "Vulnerability description"
        },
        {
          "category": "description",
          "text": "During the release of version 0.1.0, it was discovered that the initial release had already reported version 1.0.0 in its API and documentation. This was changed to 0.1.0 for that release, and when release 1.0.0 was later created the reported version became 1.0.0 again. Consequently, a deployment that reports version 1.0.0 via the API or documentation may be either the vulnerable initial release or the fixed release 1.0.0; the reported version alone does not prove that the fix is present, even though the first fixed version was 0.1.0. The package version in the `package.json` was only added with 0.1.0, so any build whose `package.json` carries version 1.0.0 is a genuine 1.0.0 release and is not vulnerable. When verifying a deployment, check the version in `package.json` rather than the one reported by the API or documentation.",
          "title": "Risk of version confusion"
        }
      ],
      "product_status": {
        "first_fixed": [
          "CSAFPID-0009"
        ],
        "fixed": [
          "CSAFPID-0011",
          "CSAFPID-0012",
          "CSAFPID-0013",
          "CSAFPID-0014",
          "CSAFPID-0015"
        ],
        "known_affected": [
          "CSAFPID-0008"
        ],
        "recommended": [
          "CSAFPID-0015"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to version 1.0.1 or later. This also resolves the potential version confusion.",
          "product_ids": [
            "CSAFPID-0008",
            "CSAFPID-0010"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "exploitCodeMaturity": "UNPROVEN",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "remediationLevel": "OFFICIAL_FIX",
            "reportConfidence": "CONFIRMED",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0008"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-09-01T10:00:00.000Z",
          "details": "There is currently no exploit known that would impact the confidentiality, integrity or availability of the corresponding service."
        }
      ],
      "title": "Insufficient Input Validation in the validate Endpoint of the csaf-validator-service"
    }
  ]
}

