oss-sec mailing list archives
Re: CVE-2022-47501: Apache OFBiz: Arbitrary file reading vulnerability
From: Jacques Le Roux <jleroux () apache org>
Date: Tue, 18 Apr 2023 11:15:52 +0200
Hi Seth, I used to give more information. For this one, using our "new" internal process* (need an ASF credential) and following step 11 of**, notably <<Generally, reports should contain enough information to enable people to assess the risk the vulnerability poses for their own system, and no more.>> I restricted the information to a minimum. With a request from Arnoult (member of the ASF security team in copy), there is though 2 points that have been changed since. When sending to Mitre we replaced https://lists.apache.org/list.html?announce () apache org by https://lists.apache.org/thread/k8s76l0whydy45bfm4b69vq0mf94p3wc You can see the result at https://www.cve.org/CVERecord?id=CVE-2022-47501We also changed the "problem type" to be more specific. Following the CWE classification, we used "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" rather than "Arbitrary file reading vulnerability" used by the finder who stayed as the CVE title. You can see it at https://cveawg.mitre.org/api/cve/CVE-2022-47501 which is the json version of the report.
Regarding your points: * the vulnerability was introduced long ago (years) when the plugin was created. It was around 2013. * https://ofbiz.apache.org/security.html gives indirect information about the fix. Do you suggest that we need to put a direct link like https://github.com/apache/ofbiz-plugins/commit/582add7d3 ? Thanks for the links. We will certainly consider what can be done to ease the work of downstream distributors and consumers. Jacques * https://cveprocess.apache.org/cve5/CVE-2022-47501 ** https://www.apache.org/security/committers.html#vulnerability-handling Le 18/04/2023 à 03:27, Seth Arnold a écrit :
On Mon, Apr 10, 2023 at 09:21:11AM +0000, Jacques Le Roux wrote:https://lists.apache.org/list.html?announce () apache org https://ofbiz.apache.org/download.html https://ofbiz.apache.org/security.html https://ofbiz.apache.org/ https://www.cve.org/CVERecord?id=CVE-2022-47501Hello Jacques, thanks for contacting the oss-security mail list about this security issue in an Apache project. I'd like to suggest that your email would be far more useful if it included some details like affected versions: ideally, when a vulnerability was introduced, and definitely, when it was fixed, if a fix is available. Best would be a direct link to a patch in a source control system, or attaching the patch directly. This particular email has very few details and no references for a fix so it is very difficult for anyone to take concrete actions. Here's two recent postings that are far easier for downstream distributors and consumers alike to use: https://www.openwall.com/lists/oss-security/2023/04/04/1 https://www.openwall.com/lists/oss-security/2023/03/21/3 I'd like to encourage Apache to use these as inspiration for future oss-security postings. Thanks
Current thread:
- CVE-2022-47501: Apache OFBiz: Arbitrary file reading vulnerability Jacques Le Roux (Apr 10)
- Re: CVE-2022-47501: Apache OFBiz: Arbitrary file reading vulnerability Seth Arnold (Apr 17)
- Re: CVE-2022-47501: Apache OFBiz: Arbitrary file reading vulnerability Jacques Le Roux (Apr 18)
- Re: CVE-2022-47501: Apache OFBiz: Arbitrary file reading vulnerability Seth Arnold (Apr 18)
- Re: CVE-2022-47501: Apache OFBiz: Arbitrary file reading vulnerability Jacques Le Roux (Apr 19)
- Re: CVE-2022-47501: Apache OFBiz: Arbitrary file reading vulnerability Jacques Le Roux (Apr 18)
- Re: CVE-2022-47501: Apache OFBiz: Arbitrary file reading vulnerability Seth Arnold (Apr 17)