Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Address issue with incorrect open CVE-2019-10226 #1235

Closed
steveyken opened this issue Feb 21, 2024 · 6 comments
Closed

Address issue with incorrect open CVE-2019-10226 #1235

steveyken opened this issue Feb 21, 2024 · 6 comments
Assignees
@steveyken

Comments

@steveyken
Copy link
Member

Back in 2019, a post appeared incorrectly claiming to have found a vulnerability in Fat Free CRM: http://packetstormsecurity.com/files/152263/Fat-Free-CRM-0.19.0-HTML-Injection.html

This claim was submitted to the Fat Free CRM security mailing list at the time and was checked out. It was found to be false positive but for some reason, a CVE had already been requested by the original poster (not by the FFCRM team). The poster was asked to close the CVE, but I have now realised this never happened and the CVE is currently still open.

This CVE has now made its way into GitHub's security database and various tools that depend on it are flagging current versions of Fat Free CRM as erroneously having a vulnerability (e.g. bundle-audit).

I've raised a PR for the GHSA asking for it to be removed but was advised that we need to contact MITRE as they are the original assigning entity.

Action: Request an update to an existing CVE Entry by using the form at https://cveform.mitre.org/

This ticket is here to track my progress.

References:
@steveyken steveyken self-assigned this Feb 21, 2024
@steveyken
Copy link
Member Author

steveyken commented Feb 22, 2024
edited
Loading

More details: the CVE was requested by the reporter who posted his findings here - http://packetstormsecurity.com/files/152263/Fat-Free-CRM-0.19.0-HTML-Injection.html

However, the report incorrectly asserts that entering < h1 > into a comment box and seeing that text rendered on screen proves a HTML injection vulnerability. In fact, the user entered data is sanitized on output (default behavior for Rails applications) and harmful tags are removed. See the code here to confirm: https://github.com/fatfreecrm/fat_free_crm/blob/master/app/views/comments/_comment.html.haml#L2 which uses RedCloth markdown or Rails simple_format helper which both perform sanitization. https://apidock.com/rails/ActionView/Helpers/TextHelper/simple_format

@steveyken
Copy link
Member Author

Note that this GitHub comment box exhibits the same behaviour. It allows comment text with < h1 > to be rendered as HTML but rejectss < script > tags and other potentially dangerous elements.

Test

@steveyken
Copy link
Member Author

I have submitted the above as a request for CVE rejection

@CloCkWeRX
Copy link
Member

CloCkWeRX commented Feb 22, 2024
edited
Loading

I feel I removed redcloth as it had its own issues at some point (not in gemfile.lock)

Edit: thinking of different project and jgarber/redcloth#73

@steveyken
Copy link
Member Author

Great, that's helpful to know. That RedCloth issue is for a ReDOS problem which was addressed in v4.3.3 and not related to the HTML injection assertion of the CVE here. I've checked Gemfile.lock and confirm RedCloth is no longer there and our code has always used Rails simple_format which sanitizes HTML.

So, in summary, we've not been vulnerable to HTML injection, but in the past there has been a related RedCloth issue involving ReDOS.

@steveyken
Copy link
Member Author

The upstream CVE and GHSA have been ammended and withdrawn now.

GHSA-gmg5-r3c4-3fm9

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@steveyken steveyken

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@steveyken @CloCkWeRX