-
-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pip-audit flagging aiohttp: https://github.com/advisories/GHSA-rwqr-c348-m5wr #6801
Comments
I thought that issue is just that a ValueError is being thrown. I feel like an app is poorly designed if throwing a ValueError can cause a DoS. Maybe I'm misunderstanding something, but I'm not seeing why this has been assigned a moderate vulnerability rating. @webknjaz Has this already been highlighted to you via email? I'm not listed on the security policy, so maybe there's more information that I've not seen. |
I haven't seen anything related in my inbox. So far, I don't see any evidence of a security issue in the submitted issues 🤷♂️. |
Perhaps one of the project's devs could email [email protected] and ask what the security issue is? The status given at https://nvd.nist.gov/vuln/detail/CVE-2022-33124 is
which makes me wonder what their process is, as it seems to cause unnecessary concern to list something as a "vulnerability" without giving any more context than
|
@jrobbins-LiveData I have a strong feeling that some random GitHub user created that advisory on GitHub and since GitHub can issue CVE numbers, it did so.
This description looks rather bizarre to me. A person experienced with describing security vulnerabilities wouldn't make such silly mistakes. What does "aiohttp contains invalid IPv6 URL" even means? It doesn't "contain" URLs — the end-user apps/configs may. It's a framework, after all. |
This patch removes a nonsense "advisory" from the index. Ref: aio-libs/aiohttp#6801 (comment) Signed: an aiohttp maintainer.
@webknjaz according to the NIST website, the CVE "Source" is "MITRE", which is not a random user. The website has a feedback link, so I submitted feedback (choosing "Request an update to an existing CVE Entry") requesting that that odd phrase "aiohttp contains invalid IPv6 URL" be clarified and offered my opinion that there was no issue here. I received this auto-response:
While I agree 100% that this issue looks to be a misunderstanding, and this a pseudo-issue, and wonder what the process control checks are on this CVE process, I don't think we can simply ignore it. Rather, I think we need to get it corrected or expunged. I strongly urge you (I'm presuming you are one of the qualified devs of this repo?) to also file a report at https://cveform.mitre.org/ or take any other formal measures to get this report removed. |
Interesting, although it doesn't seem to provide any proof or explanation either.
Well, I've started here: github/advisory-database#444 / github/advisory-database#445.
Yeah, it's weird that it's coming from MITRE. It's true that the last time I filed a CVE through GitHub it showed up as coming from
Yes, I am one of the core maintainers. But I've been having a lot on my mind recently with not much energy for FOSS so I haven't been as involved these these recent months. I'll see what I can do. |
@webknjaz I truly apologize for not knowing your circumstances. Please let me know if I can do any of the leg work in tracking down the process at Mitre that led to this. |
On re-reading the issue #6772 (comment), I see that the issue has this phrase in it
Perhaps MITRE is using some bot and surfaced this issue? It might make sense to address this issue and close it? |
No worries, thanks for understanding! And yes, it'd be helpful if somebody more familiar with how MITRE operates could shed some light on why this happened.
That's an interesting idea. Although it never occurred to me that spam CVEs are a thing. If the bot theory is correct, this would probably mean that the process is rather broken — it seems like GitHub is marking the CVEs as manually reviewed: github/advisory-database@f550c16#diff-bb93cb225bc1240a376f8a9f507326679be13265e96894dd78488990d8ba2826. This has an implication of "a human looked at the thing and decided it's valid". But if they're blindly exporting the data and auto-add a "seal-of-approval", well that'd indicate more problems in the pipeline than I originally anticipated... And yes, it always does make sense to address the bugs. But that issue does not really describe a bug — it does not demonstrate any reproducer code, nor does it clearly state why the reporter thinks it's a problem. So it's rather hard to resolve something that would only be based on a series of guesses nobody is able to verify. |
I just noticed that there's an update there:
Now it says:
(emphasis mine) |
Section |
So it seems that per the following point of section 7.1, the CVE should've never been assigned:
(since nobody actually attempted to have a dialogue with us, to the best of my knowledge) I wonder if I email them too, will they update that "multiple third parties" to "the core developers"? |
Section 9 outlines an appeals process:
This appears to be a formal way you can weigh in. If you have time, I recommend you do so as soon as possible. |
Ah, I've just submitted that form but with the "Update request" selected. There was a "Reject CVE" which I selected in a drop-down that appeared later. |
I suggest making a second submittal following their procedure. I see in "7.1.2 If the CNA determines that an issue violates the security policy of a product, then the issue SHOULD be considered a vulnerability." so it is possible that the CNA (MITRE in this case) made the determination. I am sending them a question right now as to whether or not they made the determination. But I think the shortest path to resolution is for you to make the "Arbitration Request" explicitly, so that we can follow their process and get this issue resolved. |
Okay, I've just submitted that too. |
Hey all 👋🏽 I would like to mention that we are fully aware of this discussion and familiar with the current situation. We removed this vulnerability from our database and revoked the specific advisory. (As for now, the advisory is still publicly available but will be removed in a few hours as part of a general publication process.) |
Thanks for the update @Idan-D! |
|
@woodruffw thanks for the update! |
No problem, many thanks to @alex for bringing it to my attention! I've posted a temporary "workaround" for |
UPD: At the moment, this advisory is marked as withdrawn in GHSA and Snyk lists. And it still shows up as disputed on the NIST website. |
pip-audit --no-deps -r <(echo 'aiohttp==3.8.1')
No known vulnerabilities found |
UPD: NIST still haven't withdrawn the CVE, MITRE haven't replied either. |
As per CVE's FAQ, It seems that NIST cannot withdraw the CVE but only MITRE can do:
Also, MITRE does not monitor their [email protected] email address. But after receiving an auto-sent confirmation email with a reference number for requests that were submitted on https://cveform.mitre.org (the only way to get initial contact with MITRE), any reply with the reference number is monitored:
My advice is that the only thing we can do now is to nudge MITRE by replying to their confirmation email. Or, maybe, contact GitHub to ask their staff to make a request to see if their requests are of higher priority? |
It says
so it was probably created right before I asked GitHub to withdraw it in and hasn't been updated after the status change. I suppose Dependabot may be not updating the alerts post creation. @shelbyc do you know if that's by design? |
@webknjaz Thank you for reporting a withdrawn advisory with open dependabot alerts! I have alerted the appropriate team and they are planning to fix the bug. |
Describe the bug
pip-audit is flagging
aiohttp
as having aModerate
vulnerability, apparently due to #6772.Found 1 known vulnerability in 1 package
Name Version ID Fix Versions
aiohttp 3.8.1 GHSA-rwqr-c348-m5wr
To Reproduce
pip-audit
pip-audit
) in an environment that has the latestaiohttp
installedExpected behavior
The
pip-audit
results should not flagaiohttp
as having a security vulnerability.Logs/tracebacks
Python Version
aiohttp Version
multidict Version
yarl Version
OS
Edition Windows 10 Pro
Version 21H2
Installed on 5/1/2021
OS build 19044.1766
Experience Windows Feature Experience Pack 120.2212.4180.0
Related component
Server, Client
Additional context
No response
Code of Conduct
The text was updated successfully, but these errors were encountered: