[HIGH] CRLF injection -- need a fix by May 24, 2019 #3722

Closed
jason-upchurch opened this issue Apr 24, 2019 · 3 comments

@jason-upchurch
Contributor

CRLF injection
Vulnerable module: urllib3
Introduced through: smart-open@1.7.1, requests@2.20.1 and others
Detailed paths

  • Introduced through: project@0.0.0 › smart-open@1.7.1 › boto3@1.9.134 › s3transfer@0.2.0 › botocore@1.12.134 › urllib3@1.24.2
  • Introduced through: project@0.0.0 › smart-open@1.7.1 › boto3@1.9.134 › botocore@1.12.134 › urllib3@1.24.2
  • Introduced through: project@0.0.0 › smart-open@1.7.1 › requests@2.20.1 › urllib3@1.24.2
  • Introduced through: project@0.0.0 › requests@2.20.1 › urllib3@1.24.2
  • Introduced through: project@0.0.0 › elasticsearch-dsl@5.4.0 › elasticsearch@5.5.1 › urllib3@1.24.2
  • Introduced through: project@0.0.0 › elasticsearch@5.5.1 › urllib3@1.24.2

Overview
urllib3 is an HTTP library with thread-safe connection pooling, file post, and more.

Affected versions of this package are vulnerable to CRLF injection. An attacker who controls the requesting address parameter could manipulate an HTTP header and attack an internal service.

Remediation
A fix was pushed into the master branch but not yet published.
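The report above describes the bug as reachable when an attacker controls the address a request is sent to. Independently of whether the HTTP client itself is patched, the application can refuse to build a request from any URL or header that carries a CR, LF or other control character, so a tampered value is caught before it reaches the request line. The following is an added example, not code from this issue, the openFEC project or urllib3; the function names are this example's own and the sample inputs are constructed.

```python
import re
from urllib.parse import urlsplit

# Any ASCII control character, CR (0x0d) and LF (0x0a) included, has no
# place in a request target or a header. Reject the input rather than
# silently stripping it, so the caller learns the value was tampered with.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def reject_control_chars(value: str, what: str = "value") -> str:
    """Return value unchanged if it has no control characters, else raise."""
    hit = _CONTROL.search(value)
    if hit:
        raise ValueError(
            f"{what} contains control character {hit.group()!r} at offset {hit.start()}"
        )
    return value


def safe_request_target(url: str) -> str:
    """Validate a caller-supplied URL before handing it to an HTTP client.

    The control-character check runs before urlsplit on purpose: recent
    urllib.parse versions drop raw CR/LF while parsing, which would hide them.
    Percent-encoded sequences such as %0d%0a are ordinary text and pass;
    the client sends them encoded, so they never reach the request line raw.
    """
    reject_control_chars(url, "url")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unexpected scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("url has no host")
    return url


def safe_headers(headers: dict) -> dict:
    """Validate header names and values the same way (both are injectable)."""
    for name, value in headers.items():
        reject_control_chars(name, "header name")
        reject_control_chars(value, "header value")
    return dict(headers)


def accepted(check, value) -> bool:
    """True if check(value) passes, False if it rejects the input."""
    try:
        check(value)
        return True
    except ValueError:
        return False


# Constructed samples (not taken from the issue): one clean URL, a raw CR/LF
# sequence that would start a new header line, a bare LF, a percent-encoded
# (harmless) CR/LF, and two malformed targets.
URL_SAMPLES = {
    "clean": "https://example.com/api?q=1",
    "raw_crlf": "https://example.com/\r\nX-Injected: 1",
    "bare_lf": "https://example.com/\n",
    "encoded_crlf": "https://example.com/%0d%0aX-Injected:%201",
    "wrong_scheme": "ftp://example.com/",
    "no_host": "https:///only-a-path",
}


def audit_urls(samples=URL_SAMPLES) -> dict:
    """Map each sample name to whether safe_request_target accepts it."""
    return {name: accepted(safe_request_target, url) for name, url in samples.items()}


if __name__ == "__main__":
    for name, ok in audit_urls().items():
        print(f"{name:13s} {'accepted' if ok else 'rejected'}")
```

Rejecting rather than stripping is the deliberate choice here: a stripped value still produces a request, and the fact that someone sent a control character is exactly what an operator wants logged.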

@pkfec
Contributor

pkfec commented May 3, 2019

In the requirements.txt file we pinned requests==2.20.1. urllib3 is a dependency package of requests. We do not install the urllib3 package by itself; urllib3 is downloaded when we install the requests package (pip install -r requirements.txt). The requests library comes with urllib3 1.24.1 (urllib3<1.25,>=1.21.1).

Here is the log:
from requests==2.21.0->-r requirements.txt (line 23)) Requirement already satisfied: **urllib3<1.25,>=1.21.1** in /Users/pkasireddy/.pyenv/versions/3.6.5/envs/crlf365/lib/python3.6/site-packages

Snyk's remediation path says to upgrade/install urllib3 v1.25 or higher. However, the urllib3 owners addressed the CRLF injection in urllib3 v1.24.3. This version of urllib3 can be grabbed just by updating to requests v2.21.0. More on that here: https://github.com/kennethreitz/requests/issues/5065

The technical implementation is addressed in PR #3744.
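The point made in the comment above is that urllib3 is only reachable here through requests' own pin (urllib3<1.25,>=1.21.1), so the scanner's advice to move to 1.25 conflicts with that constraint, while the actual fix in 1.24.3 sits inside it. The added example below (not the openFEC project's code; the pip freeze output is constructed) parses a pip-style specifier and checks an installed transitive version against both the parent's constraint and the fixed version. It assumes plain dotted numeric versions with no pre-release tags; a real audit would use the packaging library's version parser instead.

```python
import re
from operator import eq, ge, gt, le, lt, ne

_OPS = {"<": lt, "<=": le, ">": gt, ">=": ge, "==": eq, "!=": ne}
# One comma-separated clause of a pip specifier, e.g. ">=1.21.1" or "<1.25".
_CLAUSE = re.compile(r"^(<=|>=|==|!=|<|>)\s*(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> tuple:
    """'1.24.2' -> (1, 24, 2). Assumes plain dotted numeric versions."""
    return tuple(int(part) for part in text.strip().split("."))


def compare(version: str, other: str, op: str) -> bool:
    """Compare two versions with op, padding shorter tuples so 1.25 == 1.25.0."""
    a, b = parse_version(version), parse_version(other)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return _OPS[op](a, b)


def satisfies(version: str, spec: str) -> bool:
    """True if version meets every clause of a specifier such as '<1.25,>=1.21.1'."""
    for clause in spec.split(","):
        match = _CLAUSE.match(clause.strip())
        if not match:
            raise ValueError(f"unsupported specifier clause {clause!r}")
        op, pinned = match.groups()
        if not compare(version, pinned, op):
            return False
    return True


def installed_versions(freeze_text: str) -> dict:
    """Parse 'pip freeze' style 'name==version' lines into {name: version}."""
    found = {}
    for line in freeze_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        found[name.strip().lower()] = version.strip()
    return found


def audit(freeze_text: str, package: str, fixed_in: str, parent_spec: str = None) -> dict:
    """Report whether an installed transitive dependency is below the fixed
    version, and whether it sits inside the range its parent package allows."""
    installed = installed_versions(freeze_text).get(package.lower())
    if installed is None:
        return {"installed": None, "vulnerable": None, "within_parent_spec": None}
    return {
        "installed": installed,
        "vulnerable": compare(installed, fixed_in, "<"),
        "within_parent_spec": satisfies(installed, parent_spec) if parent_spec else None,
    }


# Constructed 'pip freeze' output (not the log from the issue).
FREEZE = """\
# constructed sample
requests==2.21.0
smart-open==1.7.1
urllib3==1.24.2
"""
REQUESTS_URLLIB3_SPEC = "<1.25,>=1.21.1"  # the constraint quoted in the comment above
FIXED_IN = "1.24.3"                       # version the comment names as carrying the fix

if __name__ == "__main__":
    print(audit(FREEZE, "urllib3", FIXED_IN, REQUESTS_URLLIB3_SPEC))
    # The scanner's suggested 1.25 falls outside what requests allows:
    print("1.25 allowed by requests:", satisfies("1.25", REQUESTS_URLLIB3_SPEC))
```

Run against the constructed freeze, the audit reports urllib3 1.24.2 as below the fix and inside the requests range, and shows that 1.25 would not satisfy the parent constraint; that is the check worth automating whenever a scanner's "upgrade to X" advice targets a transitive dependency you do not pin directly.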

@jason-upchurch
Contributor Author

@pkfec maybe a related issue? https://github.com/snyk/snyk/issues/485

@pkfec
Contributor

pkfec commented May 13, 2019

@jason-upchurch thank you for doing all the research and identifying that the Snyk CLI and web interface are not in sync when it comes to scanning the vulnerabilities.

Closing this issue as CRLF injection is no longer a vulnerability on the openFEC repo.

@pkfec pkfec closed this as completed May 13, 2019