Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2024-2961 #4971

Open
stefanman125 opened this issue Apr 23, 2024 · 1 comment
Open

CVE-2024-2961 #4971

stefanman125 opened this issue Apr 23, 2024 · 1 comment
Labels
🐛 Bug

Comments

@stefanman125
Copy link

stefanman125 commented Apr 23, 2024
edited

Describe the Bug

New CVE affects PHP iconv() function in the GNU C Library versions 2.39 and older: https://nvd.nist.gov/vuln/detail/CVE-2024-2961

Not sure how applicable this is to Bookstack, but I thought that you should know about it. It seems to affect all PHP applications by my understanding.

Steps to Reproduce

N/A

Expected Behaviour

N/A

Screenshots or Additional Context

https://www.openwall.com/lists/oss-security/2024/04/18/4

https://nvd.nist.gov/vuln/detail/CVE-2024-2961

https://www.suse.com/security/cve/CVE-2024-2961.html

https://bugzilla.redhat.com/show_bug.cgi?id=2273404

Browser Details

No response

Exact BookStack Version

*
@ssddanbrown
Copy link
Member

Thanks @stefanman125,
Yeah, am aware, although frustratingly the actual impact is quite unclear, all that's been said so far is really this:

[...] On PHP however, it lead to amazing results: a new
exploitation technique that affects the whole PHP ecosystem, and the
compromission of several applications.

Which is quite vague. My best guess it maybe PHP's filter URIs (which include iconv) can be abused here, which has been a recent source of issues, but that's just a uneducated guess.

I don't really have a set process when it comes to vague potential vulnerabilities in underlying requirement dependencies, so thought I'd just advise system via our mastodon/twitter channels, was just waiting for debian to get something together which it looks like they've now done in the last day (RHEL still lagging a bit I think, but rocky has a workaround guide).

With this kind of thing, I have struggled knowing whether we should send a notice via the BookStack security alert mailing list. I usually use this when advising about BookStack specific changes and vulnerabilities in the app code (including updates to patched vulnerable dependencies), but I don't know where the scope exactly lies beyond that. It's not uncommon for vulnerabilities to appear in system dependencies, to the point I think it would be hard to track and cause notification/alert fatigue to notify on all potential cases, but it could make sense to report where there's a actual likely widespread impact; it's just hard to evaluate that if very little detail is provided like the case here.

This CVE seems to have got more attention that others, but it's hard to know if that's because there's actually significant known risk or because the little information/hint provided has been extrapolated out for attractive headlines/videos.

@nemrekceh nemrekceh mentioned this issue May 7, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
🐛 Bug
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ssddanbrown @stefanman125