[GHSA-q34m-jh98-gwm2] Werkzeug possible resource exhaustion when parsing file data in forms #5124
Conversation
|
Hi there @davidism! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
github-actions
bot
changed the base branch from
main
to
defnull/advisory-improvement-5124
|
@pgjones It looks like you're the author of commit pallets/quart@abb04a5. Does pallets/quart@abb04a5 have anything to do with GHSA-q34m-jh98-gwm2? |
|
@shelbyc It does (I'm another maintainer of Quart). An additional fix was applied to Quart, but the issue was originally reported to Werkzeug and included both projects in its list. The Quart version needs to be updated here to reflect when the fix was applied. |
|
Hi @davidism, thanks for coming to the thread! It's nice to hear from you. 🙂 I'll merge this PR to list 0.20.0 as the fixed version and include the new fix commit in the references. |
advisory-database
bot
merged commit 6375b4b
into
defnull/advisory-improvement-5124
|
Hi @defnull! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
| @@ -94,7 +95,7 @@ | |||
| "cwe_ids": [ | |||
| "CWE-400" | |||
| ], | |||
| "severity": "MODERATE", | |||
| "severity": "HIGH", | |||
There was a problem hiding this comment.
This shouldn't be HIGH, I presume this was a mistake?
There was a problem hiding this comment.
Yes and no. The "Suggest improvements for this vulnerability" form marked the unchanged CVSSv4 string as invalid, probably because it does not yet support the E flag. I just toggled one of the options back and forth to get a valid string again, which removed the E:U and also the CVSSv3 score. The form seems to be quite destructive. But the available flags are all correct and unchanged, and the score "8.7 / High" matches the CVSSv4 string.
The E:U flag means "There is no exploit yet" which lowered the score, but was wrong. There was a working PoC in the original report, before the report text was completely re-written by David. The flag should be E:P and that would results in a "High" classification again.
So, this was a 'happy accident'. Unintentional, but still correct.
There was a problem hiding this comment.
The CVSSv4 value in GHSA-q34m-jh98-gwm2 and the corresponding record for https://nvd.nist.gov/vuln/detail/CVE-2024-49767 is https://www.first.org/cvss/calculator/v4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N , which corresponds to 6.9 / Medium. The value that is currently in the advisory is https://www.first.org/cvss/calculator/v4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U, which corresponds to 6.6 / Medium.
The CVSS 3.1 value, which was provided by NVD rather than the maintainer or GitHub, is https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H , which corresponds to 7.5 / High. NVD generally uses a "worst case scenario" approach to CVSS scoring, which sometimes leads to higher severity assessments than those chosen by the maintainers or CVE Numbering Authorities.
I can correct the CVSS to https://www.first.org/cvss/calculator/v4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N to align with the repository advisory and CVE record.
There was a problem hiding this comment.
That's strange, look at the diff of this PR. The "Availability (VA)" rating in the GHSA json file was "High", not "Low". I did not change that aspect of the CVSS. The NIST listing also contains a different text (one that is more close to the original report, not the last-minute change made by David). Looks like the CVE was generated from an older version of the GHSA. So, what's correct? The exploit can be used to crash the server process (with OOM errors). That sounds pretty "Availability (VA): High" to me.
Updates
Comments
The original fix in quart was incomplete. I reported the ongoing issue again to the quart project as GHSA-ch44-gr37-mjm8, but after 7 weeks that new advisory was closed (not accepted or rejected) and a fix was then silently published as quart 0.20.0. As a result, there is an undocumented version gab between the official fix and the actual fix. Since the new advisory correcting this was closed, updating the affected versions in the existing GHSA is probably the next best thing.