oss-sec mailing list archives
Re: CVE-2022-47501: Apache OFBiz: Arbitrary file reading vulnerability
From: Seth Arnold <seth.arnold () canonical com>
Date: Wed, 19 Apr 2023 01:29:30 +0000
On Tue, Apr 18, 2023 at 11:15:52AM +0200, Jacques Le Roux wrote:
> I used to give more information. For this one, using our "new" internal process* (need an ASF credential) and following step 11 of**, notably <<Generally, reports should contain enough information to enable people to assess the risk the vulnerability poses for their own system, and no more.>> I restricted the information to a minimum.
Hello Jacques, thanks for the reply. I'd like to suggest that this policy should receive a review, as other list members have found the Apache defaults a bit wanting:

https://www.openwall.com/lists/oss-security/2023/01/31/7
https://www.openwall.com/lists/oss-security/2022/10/12/2
https://www.openwall.com/lists/oss-security/2022/08/26/4
https://www.openwall.com/lists/oss-security/2022/01/25/15
> When sending to Mitre we replaced https://lists.apache.org/list.html?announce () apache org by https://lists.apache.org/thread/k8s76l0whydy45bfm4b69vq0mf94p3wc
> You can see the result at https://www.cve.org/CVERecord?id=CVE-2022-47501
This is nice, and friendly.
> We also changed the "problem type" to be more specific. Following the CWE classification, we used "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" rather than "Arbitrary file reading vulnerability" used by the finder, which stayed as the CVE title. You can see it at https://cveawg.mitre.org/api/cve/CVE-2022-47501 which is the JSON version of the report.
This is also nice and friendly.
> Regarding your points:
>
> * the vulnerability was introduced long ago (years) when the plugin was created. It was around 2013.
This information is gold!
> * https://ofbiz.apache.org/security.html gives indirect information about the fix. Do you suggest that we need to put a direct link like https://github.com/apache/ofbiz-plugins/commit/582add7d3 ?
The link to the security page is a good start; it's even one of the better security.html pages I've seen. (Thanks!) But we've all spent too much time trying to figure out what exactly might have been "the intended content" on a page five or ten years later. Having more specific information (such as the "582add7d3" here) directly available in the list archives will simplify future searches for information.
> Thanks for the links. We will certainly consider what can be done to ease the work of downstream distributors and consumers.
Thank you :)