-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[CVE-2022-37598]/ Prototype pollution found in ast.js #5699
Comments
@Supraja9726 can you please explain the mechanism by which prototype pollution may occur? My initial assessment (based on literally five minutes of reading the code) is to agree with @alexlamsl that this is NOT a vulnerability because the A prototype pollution vulnerability would require some mechanism by which an attacker could inject problematic property names onto the prototype, which would require the |
FWIW - the reporter has filed many similar prototype pollution issues in other projects over the past several weeks, each associated with a CVE number, but many of which have turned out to be false positives. jdgregson has identified many of them in the comments on xmldom/xmldom#436, and I agree with his assessment that reporting security vulnerabilities based on unverified claims from a static analysis tool is frustrating to maintainers and likely harmful to the open source community. What's more, this individual appears to have filed CVE numbers for each of the reported issues before filing the GitHub issues (since the CVE-# appears in the original issue title), which is actively harmful and irresponsible without a good faith effort to create a working exploit. @Supraja9726 this behavior should be stopped, and assuming you are acting in good faith, you should personally take responsibility for updating each false positive CVE to repair some of the damage you have caused open source maintainers and users alike. In the future, you should only report issues that either (a) you have verified are likely exploitable (through deeper code analysis or a legitimate exploit) or (b) you are unsure about and are therefore posing as a question, not a statement of fact. You should also defer the creation of a CVE until sufficient verification has been performed to necessitate awareness in the wider open source community. |
Hello, The code has been flagged as a potentially vulnerable code, and the CVE has the code's sink and path details. All the reports are based on the research work of my colleague (you can find her paper's link and her contact details below) and I am reporting them here as per her analysis and records. https://dl.acm.org/doi/pdf/10.1145/3488932.3497769 - This is the published paper with the Github link to her static analysis tool. |
Hi @Supraja9726, after reading the linked paper at https://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf, I think the core problem is directly stated in the first sentence under "Limitations and Future Work":
This is precisely the case here -- the static analysis tool identified a potentially vulnerable function due to the existence of patterns like Certainly I do not dispute the following additional sentence later in the same paragraph of the paper:
However, I would accept this statement only on the condition that such identification is used to guide the search for vulnerable code. Flagging code as outlined in the paper (i.e. by using SemGrep to search vulnerable patterns) is insufficient proof for the existence of a true vulnerability, much less one warranting preemptive CVE assignment. In summary, your colleague's research (while potentially helpful) is being used in a manner inappropriate to its capability, and a large proportion of the vulnerabilities you have reported are in fact false positives, and I would guess something similar is true for the "9,858 unique detected functions for prototype pollution pattern" reported in the paper's results. I hope that you and your colleague are able to learn from this experience and use it to inform future research that can improve our collective ability to identify security vulnerabilities. At this point I think you owe it to all of us to re-verify all GitHub issues you've reported based on the results of this tool, and to retract the CVE for any issues including this one where neither you nor the maintainers (if they are willing to help you) are able to sufficiently demonstrate are true vulnerabilities that are potentially exploitable via some potentially untrusted input. |
In case it's not immediately clear, there are significant negative impacts that result from reporting vulnerabilities that turn out to be false positives:
This is why I stress that you must be certain that the project is vulnerable before claiming it as such, and if you're simply not sure, then spend some time attempting to verify it (and get a second opinion when doing so) before you file it as an issue, much less before you request a CVE number. |
@robbytx And idea how long it takes to retract this CVE? |
In my capacity as a external party, I have reported to CVE from this form the conclusion of the analyst ( @robbytx ) and the vendor ( Collaborator of this project @alexlamsl ) that CVE-2022-37598 is a false positive. |
Hi all, The BlackDuck Security advisory that is mentioned in this issue (#5781 ) has been deleted. After looking at the files, it does not appear that this should be being flagged as a vulnerability. As for the CVE, it is still currently under the "Disputed" status, hopefully the CVE will also be deleted soon and this issue can be closed. |
although it is closed, i agree with @robbytx view. @secdevlpr26 you are just creating the wrong reputation for your user, just running automated scanners and opening cves without any level of analysis. In the future, anything that you would report will be lightly considered, specially if after what everybody is reporting, you still dont pull back the cve |
CVEs are normally not deleted, just rejected or disputed. https://security.stackexchange.com/questions/203494/can-a-cve-be-removed-from-nvd-database See also the disputed and rejected status description at https://www.cve.org/ResourcesSupport/FAQs and https://nvd.nist.gov/vuln/vulnerability-status |
Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js.
The prototype pollution vulnerability can be mitigated with several best practices described here: https://learn.snyk.io/lessons/prototype-pollution/javascript/
The text was updated successfully, but these errors were encountered: