|
|
Kurt – We replied directly to your email earlier, but to repeat for the benefit of the other Board members: The CVE team is working on issues relating to scope and responsibility for CVE/DWF ID issuing, and would welcome a discussion with you on the subject. Although the CVE Editorial Board is discussing the issue, specific questions like these
are best addressed to cve-assign@mitre.org, where you can engage directly with our analysts.
The CVE Team From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org]
On Behalf Of Kurt Seifried Mitre: do you want me to take this as a PoC for the DWF, or can I ask for these on oss-security@? Overview: The inert directory handler always allows files in hidden directories to be served, even when <code>showHidden</code> is false. Overview: It is possible for an attacker to bypass verification when "a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)"
[1] Overview: Marked 0.3.3 and earlier is vulnerable to regular _expression_ denial of service (ReDoS) when certain types of input are passed in to be parsed. Overview: paypal-ipn uses the <code>test_ipn</code> parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox. Overview: The qs module does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to
cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring. Overview: Certain input when passed into remarkable will bypass the bad prototcol check that disallows the _javascript_: scheme allowing for _javascript_: url's to be injected into the rendered content. Overview: semver is vulnerable to regular _expression_ denial of service (<a href="" href="https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS">https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS">ReDoS</a>)
when extremely long version strings are parsed. Overview: When using serve-index middleware version < 1.6.3 file and directory names are not escaped in HTML output. If remote users can influence file or directory names, this can trigger a persistent XSS attack. Overview: The below overview of the issue is quoted from <a href="" href="https://github.com/substack/node-browserify/blob/master/changelog.markdown#421">https://github.com/substack/node-browserify/blob/master/changelog.markdown#421">https://github.com/substack/node-browserify/blob/master/changelog.markdown#421</a> Overview: <a href="" href="https://github.com/mishoo/UglifyJS2/issues/751">https://github.com/mishoo/UglifyJS2/issues/751">Tom MacWright</a> discovered that UglifyJS versions 2.4.23 and earlier are affected by a vulnerability which
allows a specially crafted _javascript_ file to have altered functionality after minification. This bug was <a href="" href="https://zyan.scripts.mit.edu/blog/backdooring-js/">https://zyan.scripts.mit.edu/blog/backdooring-js/">demonstrated</a> by <a href="" href="https://twitter.com/bcrypt">https://twitter.com/bcrypt">Yan</a>
to allow potentially malicious code to be hidden within secure code, activated by minification. Overview: The validator module for Node.js contains functionality meant to filter potential XSS attacks (a filter called xss). Several ways to bypass the filter were discovered. In general, because the function’s filtering is blacklist-based
it is likely that other bypasses will be discovered in the future. Developers are encouraged not to use the xss filter function in this package. Overview: The validator module for Node.js contains functionality meant to filter potential XSS attacks (a filter called xss). A method of Overview: Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. [1] Overview: ms is vulnerable to regular _expression_ denial of service (ReDoS) when extremely long version strings are parsed. Overview: uglify-js is vulnerable to regular _expression_ denial of service (ReDoS) when certain types of input is passed into .parse(). Overview: Mapbox.js versions 1.x prior to 1.6.5 and 2.x prior to 2.1.7 are vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios. Overview: When CORS is enabled on a hapi route handler, it is possible to set a crumb token for a different domain. An attacker would need to have an application consumer visit a site they control, request a route supporting CORS, and then
retrieve the token. With this token, they could possibly make requests to non CORS routes as this user. Overview: secure-compare 3.0.0 and below do not actually compare two strings properly. Overview: ansi2html is vulnerable to regular _expression_ denial of service (ReDoS) when certain types of user input is passed in. Overview: jadedown is vulnerable to regular _expression_ denial of service (ReDoS) when certain types of user input is passed in. Overview: jshamcrest is vulnerable to regular _expression_ denial of service (ReDoS) when certain types of user input is passed in to the emailAddress validator. Overview: moment is vulnerable to regular _expression_ denial of service when user input is passed unchecked into moment.duration() blocking the event loop for a period of time. Overview: The send module < 0.11.1 discloses the root path. Overview: The <code>tar</code> module earlier than version 2.0.0 allow for archives to contain symbolic links that will overwrite targets outside the expected path for extraction. Overview: Due to a bug in the the default sign in functionality, incomplete email addresses could be matched. A correct password is still required to complete sign in. Overview: Not using quotes around your attributes in handlebar templates, could lead to content injection. Overview: Not using quotes around your attributes in mustache templates, could lead to content injection. Overview: Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending a HTTP 500 error back to the sender, hapi will continue to hold the socket
open until timed out (default node timeout is 2 minutes). Overview: Certain input strings when passed to new Date() or Date.parse() will cause v8 to raise an exception. This leads to a crash and denial of service in ecstatic when this input is passed into the server via the If-Modified-Since
header. Overview: When server level, connection level or route level CORS configurations are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin)
would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins <code>*</code>). Overview: Keys of objects are not escaped with <code>mysql.escape()</code> which could lead to SQL Injection. Overview: UPDATE Jan 6, 2016 Overview: A security issue was found in bittorrent-dht that allows someone to send a specific series of messages to a listening peer and get it to reveal internal memory. Overview: The dns-sync library for node.js allows resolving hostnames in a synchronous fashion Overview: Mapbox.js versions 1.x prior to 1.6.6 and 2.x prior to 2.2.4 are vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios. Overview: Specifically crafted MQTT packets can crash the application, making a DoS attack feasible with very little bandwidth. Overview: It is possible to block the event loop when specially crafted user input is allowed into a validator using the <code>utc-millisec</code> format. Overview: Specifically crafted long headers or uris can cause a minor denial of service when using hawk versions less than 4.1.1. Overview: A REST API endpoint that is used for development was not disabled in production environments. This endpoint would allow filling up storage on the server creating a possible denial of service condition and enable XSS attacks via
content injection. Overview: When attempting to allow "try" mode in <a href="" href="https://www.npmjs.com/package/hapi">https://www.npmjs.com/package/hapi">hapi</a> hapi-auth-jwt2 5.1.1 introduced an issue whereby people could bypass authentication. Overview: A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url. Overview: The riot-compiler version version 2.3.21 "has an issue in a regex (Catastrophic Backtracking) thats make it unusable under certain conditions" Overview: restafary is able to set up a root path, which should only allow it to run inside of that root path it specified. An attacker is able to provide a specifically crafted path to access files outside of this specified root path. Overview: Droppy versions <=3.4.0 does not perform any verification for cross-domain websocket requests. An attacker is able to make a specially crafted page that can send requests as the context of the currently logged in user. For
example this means the malicious user could add a new admin account under his control and delete others. Overview: The airbrake module defaults to sending environment variables over HTTP. Environment variables can often times contain secret keys and other sensitive values. A malicious user could be on the same network as a regular user and
intercept all the secret keys the user is sending. This goes against common best practice, which is to use HTTPS. Overview: Versions less than 0.1.4 of the static file server module fancy-server are vulnerable to directory traversal. An attacker can provide input such as <code>../</code> to read files outside of the served directory. -- |