
Security Disclosure: lxml CVE #3402

Closed
bryanculver opened this issue Mar 8, 2023 · 1 comment
Labels
security disclosure Public record of a security disclosure, including impact analysis and outcome.

Comments

@bryanculver
Member

This issue was created in response to a report to our security mailer.

Internal reference for this disclosure is NAUTOBOT-735.

In the belief of strong transparency, we record this here to publicly acknowledge our receipt of this disclosure, our investigation, our summary, and ultimate outcome.

The Report

Hello

I installed the poetry audit plugin and it shows me the following vulnerability (nautobot / develop)

poetry-audit-plugin 0.3.0 Poetry plugin for checking security vulnerabilities in dependencies

Maybe this scan could be part of the CI pipeline?

poetry audit
# poetry audit report
Loading...
Scanning 206 packages...
 
  • lxml  installed 4.6.5  affected <4.9.1  CVE CVE-2022-2309

The Analysis

On investigation, this is due to social-auth-core (a direct Nautobot dependency) still not shipping a release that relaxes a rigid restraint on lxml < 4.7. We investigated this when it was reported and, unfortunately, Poetry will reject our override of this with a dependency mismatch (we have no direct dependency on lxml).

social-auth-core’s dependency tree: https://libraries.io/pypi/social-auth-core/4.3.0/tree
Related issue: python-social-auth/social-core#659

It seems that was recently addressed (this Jan) but has yet to see a release: python-social-auth/social-core#738

Our Summary

Nautobot does not use lxml directly and does not handle the concerning payloads directly. Being limited to social-auth-core's use, it should be of minimal concern, and updating ultimately had a breaking impact on use with SAML providers (details in the related issue above).

Once a release of social-auth-core is available that no longer requires lxml < 4.7, we will promptly update and publish a release in accordance with our normal dependency update policy.

Going Forward

We will continue to use Dependabot, which monitors all of our dependencies for CVEs, even if we can’t address them. Thank you for the suggestion of poetry-audit-plugin, but we cannot address this CVE until it is addressed upstream.
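As an added example (not from this issue, and not Nautobot or social-auth-core code), the check the analysis above had to do by hand: which installed distribution carries a constraint on lxml that excludes the fixed version, and under which extra. It reads Requires-Dist metadata through importlib.metadata and does its own minimal specifier parsing so it needs no extra packages; the SAMPLE dictionary is constructed to mirror the situation described here and is not the real metadata of either package.

```python
import re
from importlib.metadata import distributions

# One Requires-Dist line: name, optional [extras], specifier, optional "; marker".
REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;]*?)\s*(?:;\s*(.*))?$")
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
       ">=": lambda a, b: a >= b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b}

def parse_version(text):
    """'4.7' -> (4, 7, 0) so it compares correctly against '4.7.0' and '4.9.1'."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (3 - len(parts)))

def satisfies(version, specifier):
    """True if version meets every clause of a specifier such as '>=4.2,<4.7'."""
    v = parse_version(version)
    for clause in (c.strip() for c in specifier.strip("() ").split(",")):
        m = re.match(r"(<=|>=|==|!=|<|>)\s*([0-9.]+)$", clause)
        if not m:
            continue  # '~=', wildcards etc. are not modelled; treated as non-blocking
        op, bound = m.groups()
        if not OPS[op](v, parse_version(bound)):
            return False
    return True

def blocking_requirements(requires_by_dist, target, candidate_version):
    """(dist, specifier, marker) for each dist whose pin on target excludes candidate_version."""
    hits = []
    for dist, reqs in requires_by_dist.items():
        for req in reqs:
            m = REQ_RE.match(req)
            if not m or m.group(1).lower() != target.lower():
                continue
            spec, marker = m.group(2).strip("() "), m.group(3) or ""
            if spec and not satisfies(candidate_version, spec):
                hits.append((dist, spec, marker))
    return hits

def installed_requirements():
    # Requires-Dist lines of every distribution in the current environment.
    return {d.metadata["Name"]: list(d.requires or []) for d in distributions()}

# Constructed sample modelled on the issue; not the real metadata of either package.
SAMPLE = {
    "social-auth-core": ["requests>=2.9.1", 'lxml<4.7 ; extra == "saml"'],
    "nautobot": ["social-auth-core[saml]>=4.3.0", "Django>=3.2"],
}
if __name__ == "__main__":
    for dist, spec, marker in blocking_requirements(installed_requirements(), "lxml", "4.9.1"):
        print(f"{dist} pins lxml{spec}" + (f" (only for: {marker})" if marker else ""))
```

Run it inside the project's virtual environment to see the real pin; the marker tells you whether the constraint only applies with an extra such as saml.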

@bryanculver bryanculver added the security disclosure Public record of a security disclosure, including impact analysis and outcome. label Mar 8, 2023
@bryanculver bryanculver self-assigned this Mar 8, 2023
@github-project-automation github-project-automation bot moved this from To Groom to Done in Nautobot Core ⚙️ Mar 8, 2023
@bryanculver
Member Author

Update: this was addressed in #3706.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 10, 2023