Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Github considers bootstrap 3.4.0 as insecure #27915

Closed
GeyseR opened this issue Dec 23, 2018 · 19 comments
Closed

Github considers bootstrap 3.4.0 as insecure #27915

GeyseR opened this issue Dec 23, 2018 · 19 comments
Assignees

Comments

@GeyseR
Copy link

GeyseR commented Dec 23, 2018

Github considers Bootstrap 3.4.0 an insecure dependency via its security vulnerability alerts tool. It points to the NVD CVE-2018-14041 page, which shows that only >4.1.2 is secure. Is 3.4.0 safe to use as it has a fix for the npm:bootstrap:20160627 vulnerability or it is something different?

A screenshot from one of our private projects:

image

@GeyseR GeyseR changed the title Github consider bootstrap 3.4.0 as insecure Github considers bootstrap 3.4.0 as insecure Dec 23, 2018
@XhmikosR
Copy link
Member

I guess someone should submit info that this was also fixed in 3.4.0.

@twbs twbs deleted a comment from GeyseR Dec 24, 2018
@bardiharborow bardiharborow self-assigned this Dec 24, 2018
@bardiharborow
Copy link
Member

I've sent this off to NIST, who I believe is the responsible party for vulnerable version information:

I'm writing to inform you that the fix for CVE-2018-14041 has been cherry-picked into the Bootstrap v3.4.0 release. The vulnerable versions are now represented by (x < 3.4.0 || 4.0.0-alpha <= x < 4.1.2). You may verify my identity against <https://github.com/orgs/twbs/people> and the fix against <https://github.com/twbs/bootstrap/releases/tag/v3.4.0> and <#27047>. This is my first interaction with your registry, so my apologies if this enquiry is misplaced. Thank you for your time.

@XhmikosR
Copy link
Member

Thanks @bardiharborow, let us know how it goes.

@XhmikosR
Copy link
Member

Does GitHub still warn about this?

@bardiharborow
Copy link
Member

NIST got back to me 9 hours ago with:

Thank you for bringing this to our attention. We appreciate community input in order to provide the most accurate and up-to-date information as possible. After review of the CVEs, the information provided, and the configurations we have made the appropriate modifications. Please allow up to 24 hours for these changes to populate on the website and in the data feeds.

@XhmikosR, do you know why https://snyk.io/vuln/npm:bootstrap:20160627 says < 4.0.0-beta.2 whereas NIST says < 4.1.2? I can see that #23679 was merged in 4.0.0-beta.2, so I'm not sure where NIST got 4.1.2 from...

@XhmikosR
Copy link
Member

@bardiharborow: nope. I don't know where they get the info from. One of the two is wrong :P

@xhocquet
Copy link

xhocquet commented Jan 3, 2019

Hey there, hoping to get an additional update added here.

A member of the Debian LTS team checked out earlier versions of bootstrap (one of which we are using) and declared it did not contain the vulnerability: #26627 (comment)

Compare that to the current vulnerability entry: https://nvd.nist.gov/vuln/detail/CVE-2018-14041#VulnChangeHistorySection

Specifically, my company is still using 3.3.7 and is not prepared to upgrade. Github's vulnerability tracker uses this database to notify us that our project is insecure, however based on what I've seen that is not the case.

If a member of the team could confirm the statement by the Debian team member, as well as contact [email protected] regarding any updates, I'm sure many developers would appreciate removing a warning from their Github repos and other security auditing tools using this database.

@XhmikosR
Copy link
Member

XhmikosR commented Jan 3, 2019

3.3.7 is affected. 3.4.0 is not.

@wolfy1339
Copy link
Contributor

I have some more info for you guys, Snyk seems to get their info from CVE database at https://cve.mitre.org so they need to be contacted as well.
Here is their page that explains how to request an update: https://cve.mitre.org/cve/update_cve_entries.html

@divyanshugrover
Copy link

https://nvd.nist.gov/vuln/detail/CVE-2018-14040 and https://nvd.nist.gov/vuln/detail/CVE-2018-14042 still show bootstrap 3.4.0 as affected, but I can see the updated changes for https://nvd.nist.gov/vuln/detail/CVE-2018-14041.
I can also see in #27047 that fixes for 14040 and 14042 were included in v3.4.0-dev branch, which ended up into the release branch for 3.4.0.

If the above is correct, @bardiharborow can you please intimate the same to NIST for 14040 and 14042 as well. Thanks!

@bardiharborow
Copy link
Member

bardiharborow commented Jan 8, 2019

Okay, I've worked out what's happening here:

@Johann-S are you perhaps able to confirm that the patches which have not been backwards or forwards ported do not need to be?

@XhmikosR XhmikosR pinned this issue Jan 8, 2019
@Johann-S
Copy link
Member

Johann-S commented Jan 8, 2019

Hi @bardiharborow

  • CVE-2018-14041 wasn't back-ported because there is no XSS in v3 (see: https://jsbin.com/kicedoniya/edit?html,output which use v3.3.7) and there was one in v4
  • Tooltip data-viewport not forward-ported because this option do not exist in v4
  • Affix config target not forward-ported because the Affix plugin do not exist in v4

@bardiharborow
Copy link
Member

Email to NIST:

Due to confusion between six related vulnerabilities, my previous advisory was issued against an incorrect CVE number and needs to be retracted. My sincere apologies. The following reflects my audit of the repository history this morning:

  • CVE-2018-14040 (collapse data-parent) was fixed in v4.1.2 by 1490960, and back-ported to v3.4.0 by 2a5ba23. It therefore affects versions (x < 3.4.0 || 4.0.0-alpha <= x < 4.1.2).
  • CVE-2018-14041 (scrollspy data-target) was fixed in v4.1.2 by cc61edf, and not back-ported because it does not affect the v3 line. It therefore affects versions (4.0.0-alpha <= x < 4.1.2).
  • CVE-2018-14042 (tooltip data-container) was fixed in v4.1.2 by 2d90d36, back-ported to v3.4.0 by 2a5ba23. It therefore affects versions (x < 3.4.0 || 4.0.0-alpha <= x < 4.1.2).

Bootstrap is affected by three additional related vulnerabilities not tracked by the CVE system. Further information is linked from #27915 (comment). Should these be tracked by separate CVE numbers, and if so who do I need to notify for this?

@bardiharborow
Copy link
Member

bardiharborow commented Jan 9, 2019

I have coordinated with MITRE to issue three new CVEs as above, and have edited a number of pull requests to make clear which CVEs are involved in which. I'm waiting for confirmation from NIST/NVD on a few things, and then will be in touch with Synk to sort out their database.

@XhmikosR
Copy link
Member

XhmikosR commented Feb 2, 2019

@bardiharborow: is this sorted out?

@bardiharborow
Copy link
Member

I still need to confirm that GitHub has updated their database. Perhaps @GeyseR could check on their end?

@GeyseR
Copy link
Author

GeyseR commented Feb 3, 2019

hey @bardiharborow,
the only thing I can confirm, that the initial alert has disappeared from our repositories.
I've contacted GitHub support several times after the updated in the NIST database, so I'm not sure was this issue resolved globally in GitHub.
Thanks for your help, btw

@XhmikosR
Copy link
Member

XhmikosR commented Feb 4, 2019

OK, so I guess we can close this for now. If it's not fixed, let us know with a comment.

@XhmikosR XhmikosR closed this as completed Feb 4, 2019
@XhmikosR XhmikosR unpinned this issue Feb 4, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

8 participants