Authorization Bypass Vulnerability - v1.14.1 #1242

Closed
vwatel opened this issue Aug 4, 2020 · 4 comments

Comments

@vwatel

vwatel commented Aug 4, 2020

| Q | A |
|---|---|
| Bug report? | no |
| Feature request? | no |
| BC Break report? | no |
| RFC? | yes |

I'm currently using the version 2.4.4 of the bundle https://github.com/schmittjoh/JMSSerializerBundle.
This version requires the following constraint on the jms/serializer dependency: ^1.10 (https://github.com/schmittjoh/JMSSerializerBundle/blob/2.4.4/composer.json#L20) => The exact version of the serializer dependency that is used is 1.14.1.
During software composition analysis scan, using Veracode, the following vulnerability popped up for that version: https://sca.analysiscenter.veracode.com/vulnerability-database/security/sca/vulnerability/sid-5185/summary.

Does someone know more details about this vulnerability? And what kind of updates have been done so that the vulnerability seems to be gone since version 2.0.0?

I'm looking at the possibilities because it will maybe not be that easy to upgrade to version 2.0.0, since the bundle is used through another dependency (Sylius eCommerce platform, where I'm also looking at this with them to upgrade the version of the bundle used).

Thank you in advance for your inputs & help.

Steps required to reproduce the problem

n/a

Expected Result

n/a

Actual Result

n/a

@goetas
Collaborator

goetas commented Aug 4, 2020

Hi.
Thanks for reporting this. I'm not aware of such a vulnerability or anything related. Serialization groups are one of the most used jms features, and if there were a bug, it would already be exploited in the wild. In most cases possible exploits are related to how other projects are using this library. Did you try reporting this to the Sylius team?

Do you know which sources are used by sca.analysiscenter.veracode.com to locate possible vulnerabilities?

@vwatel
Author

vwatel commented Aug 4, 2020

Hi @goetas

Thank you for your answer. Indeed, I was also a bit surprised to see such a vulnerability, because I've never seen this before and I didn't find any further information about it.
I did report it to the Sylius team; I'm currently looking at this with them so we can see what the possibilities are to move forward.
Unfortunately I don't know the sources they are using, but I'm about to ask them and I'll get back to you once I know more.

@vwatel
Author

vwatel commented Aug 17, 2020

Hi @goetas

I got an answer from the Veracode support team.
It seems that the vulnerability still exists and the possible patch could be the following: #812.
What are your thoughts about that?

Thank you.

@goetas
Collaborator

goetas commented Aug 23, 2020

solved in #1246

@goetas goetas closed this as completed Aug 23, 2020