
PRISMA-2023-0054 is asking to use Node.js 20 while it's not LTS #49012

Closed
akirafujiu opened this issue Aug 4, 2023 · 7 comments

Comments

@akirafujiu

akirafujiu commented Aug 4, 2023

Version

v18.17.0

Platform

Darwin AkiranoMacBook-Pro.local 21.6.0 Darwin Kernel Version 21.6.0: Thu Jul 6 22:18:26 PDT 2023; root:xnu-8020.240.18.702.13~1/RELEASE_X86_64 x86_64

Subsystem

No response

What steps will reproduce the bug?

I believe this is not a bug in Node.js itself, and this vulnerability should only be present when we use some experimental flag against Node.js 19 or something as runtime args.

Security scan bot (Twistlock) reported that Node.js v18.17.0 is vulnerable due to the following. But Node.js v20 is not LTS, so I believe we should not use it in production.

CVE: PRISMA-2023-0054
severity: M
Link: #47105
hasFix: Y
Status: fixed in 20.0.0
Description:
nodejs before 20.0.0 is vulnerable to authentication bypass. process.permission.deny() does not verify if given paths are case-sensitive or not, and thus by supplying a differently capitalized path on an OS that supports non-case-sensitive paths, the only way to properly deny a path is to deny every capitalization of said path. cvss vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

How often does it reproduce? Is there a required condition?

Always

What is the expected behavior? Why is that the expected behavior?

This CVE should not be given to the latest LTS.

What do you see instead?

N/A

Additional information

No response

@targos
Member

targos commented Aug 4, 2023

I don't know what PRISMA-2023-0054 refers to, nor what a CVE id starting with PRISMA- is, but the report you got from them doesn't make sense. The permission model and process.permission do not exist in releases before v20.0.0.

targos closed this as not planned Aug 4, 2023
targos added the invalid label Aug 4, 2023
@BethGriggs
Member

I think @RafaelGSS has had another report of this too.

I found this when searching:

PRISMA-* IDs
You may also find vulnerabilities marked with a PRISMA-* identifier. These vulnerabilities lack a CVE ID. Many vulnerabilities are publicly discussed or patched without a CVE ever being assigned to them. While monitoring open-source vulnerabilities, our team identifies vulnerabilities you need to be aware of and assigns PRISMA IDs to them whenever applicable.

For example, let’s review "PRISMA-2021-0020". A user found a bug in the Python package and opened an issue through its open-source repository on GitHub. Our research team found this issue and determined it explains a valid security vulnerability. Although no CVE was assigned to this vulnerability, our team promptly assigned it a PRISMA identifier and analyzed the correct range of affected releases. Affected customers were alerted to this vulnerability despite the lack of any public vulnerability identifier. If a CVE is ever assigned to the same vulnerability that has a Prisma ID, the CVE takes over and the PRISMA ID entry is fully replaced. Read more about the correlation between PRISMA IDs and CVEs in this blog post.

I looked to see if there was a way we could report or update the invalid information (indicating that Node.js 18 is vulnerable when it doesn't contain the feature), but I couldn't find a way to do so. Perhaps an option might be for a Prisma Cloud customer to open a ticket to report it on our behalf?

@mhdawson
Member

mhdawson commented Aug 4, 2023

@akirafujiu if your company is a customer of Twistlock, the best way forward, as @BethGriggs says, is probably to open a customer ticket asking that they fix the erroneous problem report that they have created. If you need any help in convincing them that the issue does not apply to Node.js 20.x, let us know.

Can you do that?

@RafaelGSS
Member

FWIW process.permission.deny was never released in any version of Node.js.

@akirafujiu
Author

@mhdawson FYI @BethGriggs Yes, IBM is a customer of Twistlock, which we use to scan Docker images etc. I have opened a support ticket to Prisma Cloud through internal tools and used this issue as evidence. I don't think it is good for this issue to carry the invalid label and to be closed. Could you please reopen this issue and remove that label until the above CVE itself gets marked invalid by Prisma Cloud?

@RafaelGSS Thank you for your clarification.

BethGriggs removed the invalid label Aug 7, 2023
@akirafujiu
Author

Now Twistlock has marked this CVE as invalid. Thanks, all!

@BethGriggs
Member

Great, thank you for raising the ticket @akirafujiu
