Closed bhearn7 closed 3 years ago
@bhearn7 can you provide more info for PRISMA-2021-0020? I see a similar ticket against anchore-engine (https://github.com/anchore/anchore-engine/issues/908). We should be able to resolve both issues at the same time. Removing the security label and adding needs-triage for now.
@nightfurys here is some additional context from the twistlock docs:
You may also find vulnerabilities marked with a PRISMA-* identifier. These vulnerabilities lack a CVE ID. Many vulnerabilities are publicly discussed or patched without a CVE ever being assigned to them. While monitoring open source vulnerabilities, our team identifies vulnerabilities you need to be aware of, and assigns PRISMA IDs to them whenever applicable.
For example, let’s review PRISMA-2021-0020. A user found a bug in the Python package click and opened an issue through its open source repository in GitHub. Our research team found this issue and determined it explains a valid security vulnerability. Although no CVE was assigned to this vulnerability, our team promptly assigned it a PRISMA identifier, and analysed the correct range of affected releases. Affected customers were alerted of this vulnerability despite the lack of any public vulnerability identifier.
If a CVE is ever assigned to the same PRISMA vulnerability, the CVE takes over and the PRISMA entry is fully replaced by it.
Additional description from the Prisma Cloud tool:
The package does not properly create temporary files and uses tempfile.mktemp(), which allows a local attacker to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file. Creating temporary files using insecure methods exposes the application to race conditions on filenames: a malicious user can try to create a file with a predictable name before the application does. A successful attack can result in other files being accessed, modified, corrupted or deleted.
It appears the issue was fixed in click-8.0, which is out now:
New CVE found in "Twistlock" scan:

Version: Anchore CLI 0.9.1
ID: PRISMA-2021-0020
CVSS: 0
Description: empty
Link: empty
Package Name: click
Package Version: 7.0
Severity: medium
Status: Fixed in 8.0.0
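To make the mktemp() finding quoted above concrete, here is an added example (not code from this thread or from click): the insecure name-then-create pattern next to the hardened mkstemp() form, plus a small AST check a reviewer can run over a codebase to locate tempfile.mktemp() calls before a scanner flags them. The sample source string is constructed for the demonstration; the hypothetical `uses_mktemp` helper treats a bare `mktemp(...)` call as a hit too, which is a heuristic.

```python
import ast
import os
import stat
import tempfile
from typing import List

# Constructed sample source containing both the insecure and the safe API.
SAMPLE_SOURCE = """import tempfile
from tempfile import mktemp
name = tempfile.mktemp()
other = mktemp(suffix='.log')
fd, path = tempfile.mkstemp()
"""


def uses_mktemp(source: str) -> List[int]:
    """Return the line numbers of mktemp() calls in a Python source string."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # tempfile.mktemp(...)
        if (isinstance(func, ast.Attribute) and func.attr == "mktemp"
                and isinstance(func.value, ast.Name) and func.value.id == "tempfile"):
            hits.append(node.lineno)
        # bare mktemp(...) after "from tempfile import mktemp" (heuristic: name match only)
        elif isinstance(func, ast.Name) and func.id == "mktemp":
            hits.append(node.lineno)
    return sorted(hits)


def write_temp_insecure(data: bytes) -> str:
    """The flagged pattern: the name is chosen first, the file is created later.
    Between the two steps another local user can plant a file or symlink at that path."""
    path = tempfile.mktemp()
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def write_temp_secure(data: bytes) -> str:
    """Hardened form: mkstemp() creates the file atomically with O_EXCL and mode 0600,
    so a pre-planted file or symlink at the chosen name makes the call fail instead."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def is_owner_only(path: str) -> bool:
    """True when the file is readable and writable by its owner only (POSIX mode 0600)."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600


def read_and_remove(path: str) -> bytes:
    """Read the temp file back and delete it, so the example leaves nothing behind."""
    with open(path, "rb") as fh:
        data = fh.read()
    os.unlink(path)
    return data
```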