pact-foundation / pact-broker-docker

Dockerized Pact Broker
https://pact.io
MIT License
106 stars, 107 forks

Security vulnerabilities #69

Closed mileyd closed 2 years ago

mileyd commented 2 years ago

Pre issue-raising checklist

I have already (please mark the applicable with an x):

Software versions:

Expected behaviour: No security vulnerabilities in the image.

Actual behaviour:

Hi Team

I represent the Universal Credit project, which is the largest project running in the Department of Work and Pensions in the UK. I have been asked to highlight some security issues that we are concerned about in relation to the PactBroker product.

The latest version of the container has been put through a BlackDuck scanning process, which all our containers are obliged to go through. On doing so, there are quite a few security and operational risks identified. Please see attached reports and screenshot.

For us, the security risks are the main concern. The CSS vulnerabilities highlighted are a concern, due to the potential for an attacker to harvest credentials through the browser. Of secondary importance are the operational risks, which show quite a few of the dependencies on which the product is based, being over a year and sometimes over two years old.

Looking at most of these risks, they can be addressed by upgrading to the latest versions of the dependencies.

We would like to ask if it would be possible for you to address these issues at some point. If you could give us some indication of whether that’s possible, and any timescales associated with that, that would be very much appreciated.

Steps to reproduce: NA

Relevant log files: Please see attached security scan result pact_broker_2021-11-02-default_2021-11-02_162649.zip and screenshot (Screenshot 2021-11-02 at 16 33 07 s).

bethesque commented 2 years ago

Hi,

I have summarised the vulnerabilities below.

Component            Version   Notes
Bootstrap (Twitter)  2.3.1     Brought in by the HAL Browser (external component, can be disabled)
jQuery               1.10.2    Brought in by the HAL Browser (external component, can be disabled)
Underscore.js        1.4.4     Brought in by the HAL Browser (external component, can be disabled)
URIjs                1.14.1    Brought in by the HAL Browser (external component, can be disabled)
ruby-i18n            1.8.10    Have updated the Gemfile.lock; this will be fixed in the next docker image release.
vmg/redcarpet        3.3.2     Installed version is 3.5.1; result seems like a false positive

As mentioned in the notes, the HAL Browser is an open source component written by another developer. It has not been updated since 2017, hence the reason it is stuck on old versions of Bootstrap and jQuery. Updating it would probably not be too hard, but it's difficult to estimate, and it's not likely to be work I'll be able to pick up in the next few months. I cannot give you a timeline on this unfortunately.

This component, however, can be disabled by setting use_hal_browser to false as per the settings documentation. (That particular setting is not documented as I couldn't think of a reason why anyone would want to disable it, but it's handy now.)

"due to the potential for an attacker to harvest credentials through the browser."

Luckily, there are no credentials to harvest, as the OSS Pact Broker only comes with basic auth users.
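The toggle Beth describes, as an added example that is not part of this thread or of the pact-broker-docker project: the script below shows the default and hardened `docker run` invocations side by side and then verifies, against a running broker, that the HAL Browser is no longer served. It assumes the image maps the `use_hal_browser` setting to the environment variable `PACT_BROKER_USE_HAL_BROWSER` (an assumption; check the settings documentation for your image version), that the HAL Browser is mounted under `/hal-browser/`, and that `curl` is available. The sample HTML used to exercise `hal_browser_referenced` is constructed for the example.

```shell
#!/bin/sh
# Added example, not pact-broker-docker project code.
# Assumption: PACT_BROKER_USE_HAL_BROWSER is the env-var form of use_hal_browser.

# Default: HAL Browser enabled, so the image serves its bundled Bootstrap 2.3.1,
# jQuery 1.10.2, Underscore.js 1.4.4 and URIjs 1.14.1 to every browser.
#   docker run -d -p 9292:9292 \
#     -e PACT_BROKER_DATABASE_URL="postgres://user:pass@db/pact_broker" \
#     pactfoundation/pact-broker
#
# Hardened: HAL Browser disabled, so none of those assets are served.
#   docker run -d -p 9292:9292 \
#     -e PACT_BROKER_DATABASE_URL="postgres://user:pass@db/pact_broker" \
#     -e PACT_BROKER_USE_HAL_BROWSER=false \
#     pactfoundation/pact-broker

# hal_browser_referenced BODY
# Exit 0 if the HTML in BODY links to the HAL Browser, 1 otherwise.
hal_browser_referenced() {
  printf '%s' "$1" | grep -Eiq 'hal-browser'
}

# hal_browser_status BASE_URL
# Print the HTTP status code the broker returns for the HAL Browser page.
# A hardened broker should answer 404; a default one answers 200.
hal_browser_status() {
  curl -s -o /dev/null -w '%{http_code}' "$1/hal-browser/browser.html"
}

# check_broker BASE_URL
# Exit 0 only if the index page does not link to the HAL Browser AND the
# HAL Browser page itself is not served. Exit 2 if the broker is unreachable.
check_broker() {
  base="$1"
  index=$(curl -fsS -H 'Accept: text/html' "$base/") || return 2
  if hal_browser_referenced "$index"; then
    echo "FAIL: index page at $base still links to the HAL Browser"
    return 1
  fi
  status=$(hal_browser_status "$base")
  if [ "$status" = "200" ]; then
    echo "FAIL: $base/hal-browser/browser.html is still served (HTTP 200)"
    return 1
  fi
  echo "OK: HAL Browser not referenced and /hal-browser/browser.html returns HTTP $status"
  return 0
}

# Usage against a deployed broker (network access required):
#   check_broker http://localhost:9292
```

Run `check_broker` as a post-deploy step in the same pipeline that runs the BlackDuck scan; a 200 from the HAL Browser path means the old Bootstrap and jQuery bundles are still reachable regardless of what the scanner reports.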

mefellows commented 2 years ago

Thanks Beth! I must admit I was thinking "should we just remove the HAL browser" because it is old and isn't the first time it's turned up in a scan, but a toggle makes sense.

bethesque commented 2 years ago

2.90.0.0 is out. ruby-i18n is updated.

mileyd commented 2 years ago

Many thanks for the quick turnaround on this issue Beth.

All the best.

On Friday, 12 November 2021, Beth Skurrie wrote:

2.90.0.0 is out. ruby-i18n is updated.


bethesque commented 2 years ago

You're welcome. Closing as I've done all I'm able to do for this.