fecgov / openFEC

The first RESTful API for the Federal Election Commission. We're aiming to make campaign finance more accessible for journalists, academics, developers, and other transparency seekers.
https://api.open.fec.gov/developers

[SNYK: MEDIUM] (flyway) Information Exposure (2) (Due 1/29) #5289

Closed cnlucas closed 1 year ago

cnlucas commented 1 year ago

Detailed paths

Introduced through: unknown:unknown@0.0.0 › org.flywaydb:flyway-commandline@9.7.0 › com.h2database:h2@2.1.214

Security information

Factors contributing to the scoring:

Snyk: [CVSS 5.3](https://security.snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-3146851) - Medium Severity
NVD: Not available. NVD has not yet published its analysis.

Why are the scores different? Learn how Snyk evaluates vulnerability scores

Overview

com.h2database:h2 is a database engine

Affected versions of this package are vulnerable to Information Exposure when the H2 web-based admin console is started via the CLI with the argument -webAdminPassword, which allows a local user to specify the password in plaintext for the web admin console. Consequently, a malicious local user, or an attacker that has obtained local access through some means, would be able to get the password for the H2 web admin console by looking at the running processes.

Vendor Statement: This is not a vulnerability of the H2 Console, this is an example of how not to use it. I think there is nothing to do with it on the H2 side. Passwords should never be passed on the command line, and every qualified DBA or system administrator is expected to know that.

Detailed paths

Introduced through: unknown:unknown@0.0.0 › org.flywaydb:flyway-commandline@9.7.0 › org.postgresql:postgresql@42.4.1

Security information

Factors contributing to the scoring:

Snyk: [CVSS 4.7](https://security.snyk.io/vuln/SNYK-JAVA-ORGPOSTGRESQL-3146847) - Medium Severity
NVD: Not available. NVD has not yet published its analysis.

Why are the scores different? Learn how Snyk evaluates vulnerability scores

Overview

org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.

Affected versions of this package are vulnerable to Information Exposure in the pgjdbc driver, which writes to the operating system's shared temp directory when the InputStream to either PreparedStatement.setText(int, InputStream) or PreparedStatement.setBytea(int, InputStream) is larger than 2K. The temporary file is readable by other users. This is the default system behavior on Unix systems but not on MacOS.

NOTE: This vulnerability is only fixed for JDK 1.7. Systems using JDK 1.6 or below can work around the vulnerability by setting the environment variable java.io.tmpdir to a non-world-readable location.

Completion criteria:

pkfec commented 1 year ago

Flyway upgraded to v9.10.1 in PR https://github.com/fecgov/openFEC/pull/5301
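Both findings in the first comment are local-exposure problems that can be checked on a host: a secret visible in another process's argv, and a spooled parameter left in the shared temp directory with permissions other accounts can read. The script below is an added example for this page, not code from the Snyk advisories, H2, pgjdbc or openFEC. It reproduces the pgjdbc spooling pattern in Python (an assumed reproduction of the behaviour the advisory describes, not the driver's code), with the leaky variant honouring the umask the way a plain temp-file creation does and the hardened variant creating the file mode 0600. The SECRET_FLAGS entry beyond -webAdminPassword, the file-name prefixes and the sample process list are constructed for illustration; the /proc scan is Linux only.

```python
"""Host-side checks for the two exposures above (added example, POSIX/Linux only)."""
import itertools
import os
import stat
import tempfile
from pathlib import Path

# Arguments whose next token (or "=value" suffix) is a secret. -webAdminPassword
# is the H2 Console flag from the advisory; --password is an assumed extra.
SECRET_FLAGS = ("-webAdminPassword", "--password")

SPOOL_THRESHOLD = 2048  # the advisory's "larger than 2K"
_counter = itertools.count()


def find_cli_secrets(processes):
    """Return (pid, flag, value) for every argv that carries a secret in the clear.

    processes: iterable of (pid, argv list). Anything visible through `ps` or
    /proc is visible to every local user, which is the H2 finding's whole point.
    """
    hits = []
    for pid, argv in processes:
        for i, arg in enumerate(argv):
            for flag in SECRET_FLAGS:
                if arg == flag and i + 1 < len(argv):
                    hits.append((pid, flag, argv[i + 1]))
                elif arg.startswith(flag + "="):
                    hits.append((pid, flag, arg[len(flag) + 1:]))
    return hits


def running_processes():
    """Yield (pid, argv) for every process in /proc, as an unprivileged user can."""
    for entry in Path("/proc").iterdir():
        if not entry.name.isdigit():
            continue
        try:
            raw = (entry / "cmdline").read_bytes()
        except OSError:
            continue  # process exited, or cmdline not readable
        argv = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
        if argv:
            yield int(entry.name), argv


def spool_param(data, directory, hardened):
    """Assumed reproduction of the pgjdbc pattern: a parameter over
    SPOOL_THRESHOLD bytes is written to a file in the shared temp directory.
    hardened=False creates it honouring the umask (0644 under the usual 022, so
    readable by any local account); hardened=True uses mkstemp, which creates
    the file 0600 whatever the umask. Returns the path, or None if kept in memory."""
    if len(data) <= SPOOL_THRESHOLD:
        return None
    if hardened:
        fd, path = tempfile.mkstemp(prefix="param-", dir=directory)
    else:
        path = os.path.join(directory, "param-%d-%d.tmp" % (os.getpid(), next(_counter)))
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def file_mode(path):
    """Permission bits of a path, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def others_can_read(path):
    """True if the 'other' read bit is set, i.e. any local account can read it."""
    return bool(file_mode(path) & stat.S_IROTH)


def directory_is_private(path):
    """Owned by the caller with no group/other bits: what the java.io.tmpdir
    workaround above relies on."""
    st = os.stat(path)
    return stat.S_ISDIR(st.st_mode) and st.st_uid == os.getuid() and not (st.st_mode & 0o077)


def current_umask():
    """Read the process umask without changing it."""
    old = os.umask(0)
    os.umask(old)
    return old


def demo():
    """Run both checks on constructed input and return the observations."""
    # Constructed: an H2 Console started with the flag from the advisory, plus a
    # psql invocation whose -p is a port, not a password (must not be flagged).
    sample_processes = [
        (4242, ["java", "-cp", "h2.jar", "org.h2.tools.Server", "-web",
                "-webAdminPassword", "hunter2"]),
        (4243, ["psql", "-p", "5432", "-U", "app"]),
    ]
    workdir = tempfile.mkdtemp(prefix="audit-")  # mkdtemp creates a 0700 directory
    big = b"A" * (SPOOL_THRESHOLD + 1)
    leaky = spool_param(big, workdir, hardened=False)
    safe = spool_param(big, workdir, hardened=True)
    return {
        "cli_secrets": find_cli_secrets(sample_processes),
        "small_param_spooled": spool_param(b"A" * SPOOL_THRESHOLD, workdir, False) is not None,
        "leaky_mode": file_mode(leaky),
        "expected_umask_mode": 0o666 & ~current_umask(),
        "leaky_others_read": others_can_read(leaky),
        "safe_mode": file_mode(safe),
        "safe_others_read": others_can_read(safe),
        "workdir_private": directory_is_private(workdir),
    }


if __name__ == "__main__":
    print(demo())
    for pid, flag, value in find_cli_secrets(running_processes()):  # live scan of this host
        print("pid %d exposes %s=%r" % (pid, flag, value))
```

Running it as a normal user shows the two things the advisories describe: the H2 password appears in another process's argv with no privilege needed, and the leaky spool file comes out 0644 under a 022 umask while the hardened one is 0600 regardless. The directory check is the property to verify on whatever java.io.tmpdir points at if the workaround rather than the upgrade is used.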