GSA / data.gov

Main repository for the data.gov service
https://data.gov

[2023.08.28] Invicti Scan Catalog MongoDB Vulnerability #4439

Closed nickumia-reisys closed 1 year ago

nickumia-reisys commented 1 year ago

_Please keep any sensitive details in Google Drive._

Date of report: 2023.08.28
Severity: HIGH
Due date: 2023.09.28

Due date is based on severity and described in RA-5. 15-days for Critical, 30-days for High, and 90-days for Moderate and lower.

* When a finding is identified, we create two issues. One to address the specific instance identified in the report. The other is to identify and address all other occurrences of this vulnerability within the application.

Brief description

https://docs.google.com/document/d/1rW0VOzfCrjXOI0O1gTAOm225_fTbu5Cjrg7yJTYYBBg/edit#heading=h.df0ffb7howvl

nickumia-reisys commented 1 year ago

False alarm. We do not have a MongoDB instance in our application stack.

nickumia-reisys commented 1 year ago

Follow-on conversation: https://gsa-tts.slack.com/archives/C2N85536E/p1695315668061409

FuhuXia commented 1 year ago

Same vulnerability shows up again in SecOps Invicti September 2023 report, claiming first seen 9/9/23.