OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Incorrect vulnerability details #295

Closed lostunicorn closed 1 year ago

lostunicorn commented 2 years ago

Vulnerability URL

https://ossindex.sonatype.org/vulnerability/sonatype-2012-0022

Component URL

https://ossindex.sonatype.org/component/pkg:npm/express

Description

This issue deals with CRLF characters in HTTP headers (specifically for HTTP redirects).

The express package maintainers considered the issue closed, as the invalid characters are handled by node more generically. I've checked node's handling of invalid characters in http headers and it looks like all relevant versions (I checked node versions 0.10.x, 8.x, 10.x, 12.x, 14.x and 16.x) don't allow invalid characters in header names or header values.

As such, I think this vulnerability can be discarded?

ken-duck commented 2 years ago

Sorry for the delay. We have been working on getting appropriate internal processes defined for dealing with data issues in the new data set. We are now working on catching up on the backlog.

This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.

ken-duck commented 1 year ago

While it is true that the vulnerability was fixed for some NodeJS versions, applications using express in conjunction with NodeJS runtime versions less than 0.9.4 remain vulnerable, therefore, sonatype-2012-0022 remains.

Our commercial products provide additional information that explains this edge case to the users, however OSS Index does not have access to that additional research. This definitely leads to confusion; luckily this is a bit of an edge case so will not happen too often.

I am opening a story in our internal system to look into making this information available in OSS Index.

sseide commented 1 year ago

+1 for Sonatype not reporting this issue anymore. This report is shown for every nodejs app using current versions of express (>24 million downloads/week as per npmjs.org).

Using a Nodejs runtime that old is a big security vulnerability in itself and no one should use such an old version anymore. Even (extremely conservative) Debian ships newer versions for old-old-stable and newer...

Nodejs 0.10 was end-of-life in 2016 (https://github.com/nodejs/Release/#end-of-life-releases) - that is a lot of time to upgrade your runtime.