anchore / anchore-cli

Simple command-line client to the Anchore Engine service
Apache License 2.0
114 stars 54 forks

review/address PRISMA-2021-0020 for next release #167

Closed bhearn7 closed 3 years ago

bhearn7 commented 3 years ago

New CVE found in "Twistlock" scan:

Version: Anchore CLI 0.9.1
ID: PRISMA-2021-0020
CVSS: 0
Description: empty
Link: empty
Package Name: click
Package Version: 7.0
Severity: medium
Status: Fixed in 8.0.0

SBOM > Files:

nightfurys commented 3 years ago

@bhearn7 can you provide more info for PRISMA-2021-0020? I see a similar ticket against anchore-engine https://github.com/anchore/anchore-engine/issues/908 We should be able to resolve both the issues at the same time. Removing the security label and adding needs-triage for now

bhearn7 commented 3 years ago

@nightfurys here is some additional context from the twistlock docs:

You may also find vulnerabilities marked with a PRISMA-* identifier. These vulnerabilities lack a CVE ID. Many vulnerabilities are publicly discussed or patched without a CVE ever being assigned to them. While monitoring open source vulnerabilities, our team identifies vulnerabilities you need to be aware of, and assigns PRISMA IDs to them whenever applicable.

For example, let’s review PRISMA-2021-0020. A user found a bug in the Python package click and opened an issue through its open source repository in GitHub. Our research team found this issue and determined it explains a valid security vulnerability. Although no CVE was assigned to this vulnerability, our team promptly assigned it a PRISMA identifier, and analysed the correct range of affected releases. Affected customers were alerted of this vulnerability despite the lack of any public vulnerability identifier.

If a CVE is ever assigned to the same PRISMA vulnerability, the CVE takes over and the PRISMA entry is fully replaced by it.


Additional description from prisma cloud tool:

The package does not properly create temporary files and uses tempfile.mktemp(), which allows a local attacker to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file. Creating temporary files using insecure methods exposes the application to race conditions on filenames: a malicious user can try to create a file with a predictable name before the application does. A successful attack can result in other files being accessed, modified, corrupted or deleted.


It appears the issue was fixed in click-8.0, which is out now:
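The weakness the Prisma description above refers to (a name from `tempfile.mktemp()` that is only turned into a file by a later `open()`) is easiest to see next to the atomic alternative. The following is an added example for this thread, not code from anchore-cli, click or Prisma Cloud: it shows the insecure pattern beside the `mkstemp()` form, a post-creation check a defender can run on the resulting file, and a small AST-based lint that flags `mktemp` calls so a dependency scan is not the first place the pattern is noticed. The function names, the `SAMPLE_SOURCE` snippet and the `secure_roundtrip` helper are constructed for illustration.

```python
"""Insecure vs. secure temporary-file creation in Python, plus an
AST-based check that flags tempfile.mktemp() in source code.

Added example; not code from anchore-cli, click or Prisma Cloud. The
function names and SAMPLE_SOURCE are constructed for illustration.
"""
import ast
import os
import stat
import tempfile


def write_report_insecure(data: bytes) -> str:
    """The pattern PRISMA-2021-0020 describes: mktemp() only returns a
    path; the file is created later by open(), leaving a window in which
    another local user can place a file or symlink at that path."""
    path = tempfile.mktemp(suffix=".txt")      # name only, nothing created yet
    with open(path, "wb") as fh:               # follows a pre-existing symlink
        fh.write(data)
    return path


def write_report_secure(data: bytes) -> str:
    """mkstemp() creates the file atomically with O_CREAT|O_EXCL and mode
    0o600, so a pre-planted file or symlink makes the call fail instead of
    being silently followed."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def is_private_regular_file(path: str) -> bool:
    """True when path is a regular file (lstat: not a symlink) with mode
    0o600, i.e. what secure creation should leave behind."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o600


def secure_roundtrip(data: bytes) -> bool:
    """Create, verify, read back and remove a secure temp file; returns
    True only if the file passed the permission check and held the data."""
    path = write_report_secure(data)
    try:
        ok = is_private_regular_file(path)
        with open(path, "rb") as fh:
            ok = ok and fh.read() == data
    finally:
        os.unlink(path)
    return ok


def find_mktemp_calls(source: str) -> list:
    """Return (line, callee) pairs for tempfile.mktemp() / mktemp() calls,
    suitable for a CI job that rejects the pattern before release."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr == "mktemp":
            if isinstance(func.value, ast.Name) and func.value.id == "tempfile":
                hits.append((node.lineno, "tempfile.mktemp"))
        elif isinstance(func, ast.Name) and func.id == "mktemp":
            hits.append((node.lineno, "mktemp"))
    return hits


# Constructed sample source containing the vulnerable pattern twice and
# the safe mkstemp() call once; only the first two should be reported.
SAMPLE_SOURCE = """\
import tempfile
from tempfile import mktemp

def a():
    p = tempfile.mktemp()
    return p

def b():
    return mktemp(suffix=".log")

def c():
    fd, p = tempfile.mkstemp()
    return fd, p
"""

if __name__ == "__main__":
    print(find_mktemp_calls(SAMPLE_SOURCE))
    print(secure_roundtrip(b"report body"))
```

The lint is deliberately narrow (it matches only `tempfile.mktemp` and a bare `mktemp` name), which is enough to catch the direct usages a dependency such as click 7.0 would be flagged for; aliased imports would need the usual extra handling. `NamedTemporaryFile()` is the equivalent high-level replacement when a file object rather than a descriptor is wanted.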