
Fix CVE-2022-24434 #1918

Merged
merged 2 commits into from Nov 6, 2022

Conversation

@JanStorm (Contributor) commented Nov 5, 2022

Description

This application is vulnerable to CVE-2022-24434. This means each API endpoint which handles image uploads can be used to shut down the nodejs-server.
This issue comes in through the package multer, which uses another package called dicer, in which the vulnerability was found. The newest version of multer (1.4.5-lts.1) now includes a fix for this vulnerability (see expressjs/multer#1097).

Exploit example

As a demo, we use the /rest/memories endpoint to send the invalid payload:

fetch('/rest/memories', {
  method: 'POST',
  headers: {
    ['content-type']: 'multipart/form-data; boundary=----WebKitFormBoundaryoo6vortfDzBsDiro',
    ['content-length']: '145',
  },
  // The part's only header line deliberately starts with a space: a folded continuation line with no header to continue.
  body: '------WebKitFormBoundaryoo6vortfDzBsDiro\r\n Content-Disposition: form-data; name="bildbeschreibung"\r\n\r\n\r\n------WebKitFormBoundaryoo6vortfDzBsDiro--'
});

The result of this is the nodejs-server crashing.

Resolved or fixed issue: none

Affirmation

This validates that the nodejs-server does not crash when sending a malicious POST request to a file upload form. Instead, the server should return status code 500 and display the default error page showing the error and stack trace.
This closes CVE-2022-24434, see expressjs/multer#1097. Since there is no ^1.4.2 version that includes this fix, we have to go with this uncommon version.
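As an added example (not code from juice-shop, multer or dicer) covering both the crash described in the PR and the check the Affirmation asks for: a deliberately simplified Node.js reimplementation of the multipart header-folding logic that the PoC body targets, in a vulnerable and a guarded variant, run through a simulated upload handler. The malicious body is the PoC body from the PR; the parser and handler names, the benign sample bodies and the crash simulation are assumptions of this example, and dicer's real HeaderParser differs in detail.

```javascript
'use strict';
// Added example, not code from juice-shop, multer or dicer. It re-creates, in a
// deliberately simplified header parser, the folded-header handling that the PoC
// targets, and shows the guard that turns a process crash into an ordinary error.
// Function names, the simulated request pipeline and the extra sample bodies are
// assumptions made for this example; MALICIOUS_BODY is the PR's PoC body.

const BOUNDARY = '----WebKitFormBoundaryoo6vortfDzBsDiro';

// PoC body from the PR, byte for byte: the only header line starts with a space,
// so it is a "folded" continuation line with no header to continue.
const MALICIOUS_BODY =
  `--${BOUNDARY}\r\n Content-Disposition: form-data; name="bildbeschreibung"\r\n\r\n\r\n--${BOUNDARY}--`;

// Constructed well-formed bodies for comparison: a plain part, and a part whose
// Content-Type header is legitimately folded across two lines (RFC 2822 style).
const BENIGN_BODY =
  `--${BOUNDARY}\r\nContent-Disposition: form-data; name="bildbeschreibung"\r\n\r\nhello\r\n--${BOUNDARY}--`;
const FOLDED_BODY =
  `--${BOUNDARY}\r\nContent-Disposition: form-data; name="f"\r\n` +
  `Content-Type: text/plain;\r\n charset=utf-8\r\n\r\nhello\r\n--${BOUNDARY}--`;

// Raw header block of the first part: the text between the opening boundary
// line and the blank line that terminates the part headers; null if absent.
function firstPartHeaderBlock(body, boundary) {
  const open = `--${boundary}\r\n`;
  const start = body.indexOf(open);
  if (start < 0) return null;
  const from = start + open.length;
  const end = body.indexOf('\r\n\r\n', from);
  return end < 0 ? null : body.slice(from, end);
}

const RE_HDR = /^([^:]+):[ \t]?([\x00-\xFF]+)?$/;

// Header-block parser. With hardened=false it follows the vulnerable code path:
// a continuation line is appended to "the previous header" even when no header
// has been seen yet, so headers[undefined].length throws a TypeError. With
// hardened=true that state is reported as a parse error instead of thrown.
function parseHeaders(block, hardened) {
  const headers = {};
  let h; // lower-cased name of the last header line; undefined until one is seen
  for (const line of block.split('\r\n')) {
    if (line.length === 0) continue;
    if (line[0] === ' ' || line[0] === '\t') {
      if (hardened && h === undefined) {
        return { error: 'folded header line with no preceding header' };
      }
      headers[h][headers[h].length - 1] += line; // TypeError when h is undefined
      continue;
    }
    const m = RE_HDR.exec(line);
    if (!m) return { error: `malformed header line: ${JSON.stringify(line)}` };
    h = m[1].toLowerCase();
    (headers[h] = headers[h] || []).push(m[2] || '');
  }
  return { headers };
}
const parseHeadersVulnerable = (block) => parseHeaders(block, false);
const parseHeadersHardened = (block) => parseHeaders(block, true);

// Simulated upload handler. In the real stack the parser runs inside a stream
// 'data' event handler, so an exception escaping it is uncaught and takes the
// node process down; this stand-in reports that case as status 'crash'. A parse
// error that is returned rather than thrown becomes an HTTP error response,
// which is what the PR's affirmation expects (500 with the default error page).
function handleUpload(body, parse) {
  const block = firstPartHeaderBlock(body, BOUNDARY);
  if (block === null) return { status: 400, error: 'no multipart part found' };
  let result;
  try {
    result = parse(block);
  } catch (e) {
    return { status: 'crash', error: `${e.name}: ${e.message}` };
  }
  if (result.error) return { status: 500, error: result.error };
  return { status: 200, headers: result.headers };
}

// Stand-alone run: show how each body fares against each parser variant.
function demo() {
  const bodies = [['poc', MALICIOUS_BODY], ['benign', BENIGN_BODY], ['folded', FOLDED_BODY]];
  for (const [label, body] of bodies) {
    console.log(label, 'vulnerable ->', handleUpload(body, parseHeadersVulnerable));
    console.log(label, 'hardened   ->', handleUpload(body, parseHeadersHardened));
  }
}
demo();
```

The PoC body has to reach the parser byte for byte, including the leading space before Content-Disposition, because that is the line the continuation logic misreads; the folded Content-Type sample shows that the guard does not break legitimate header folding. Against the real application the same idea is the regression check the Affirmation describes: POST the body to an upload endpoint and assert on an HTTP error response rather than on a dropped connection.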
@bkimminich bkimminich changed the base branch from master to develop November 5, 2022 16:42
@bkimminich bkimminich merged commit 6bf8b71 into juice-shop:develop Nov 6, 2022
@github-actions github-actions bot locked and limited conversation to collaborators Nov 7, 2023