This document aggregates security issues (weaknesses and vulnerabilities) affecting osquery. It tracks issues in the format:
#PRNumber Title - (Optional CVE) - Fixed in Version - Optional Reporter
There are several types of issues that do not include a CVE or reporter.
If you find a security issue and believe a CVE should be assigned, please contact a member of the TSC in the osquery Slack, we are happy to submit the request and provide attribution to you.
Specifically, we will use the GitHub Security Advisory features for CVE requests.
The project maintainers will tag related issues and pull requests with the hardening
label. There may be changes with this label that are not directly security issues.
If you are editing this document please feel encouraged to change this format to provide more details. This is intended to be a helpful resource so please keep content valuable and concise.
- #6197 osquery does not validate TLS SNI hostname - CVE-2020-1887 - 4.2.0 - Timothy Britton of Apple
- #3786 Migrate from
boost::regex
tore2
- unresolved - Ruslan Habalov and Felix Wilhelm of the Google Security Team - #3785
ie_extensions
susceptible to SQL injection - CVE-2017-15026 - 2.9.0 - Ruslan Habalov and Felix Wilhelm of the Google Security Team - #3783/#3782
safari_extensions
should not use parent paths for privilege dropping - CVE-2017-15027 - 2.9.0 - Ruslan Habalov and Felix Wilhelm of the Google Security Team - #3781
known_hosts
should drop privileges - CVE-2017-15028 - 2.9.0 - Ruslan Habalov and Felix Wilhelm of the Google Security Team - #3770/#3775
libxml2
(v2.9.5) andlibarchive
(v3.3.2) updated - 2.9.0 - #3767
augeas
(v1.8.1) mitigates CVE-2017-7555 - 2.9.0 - Ruslan Habalov and Felix Wilhelm of the Google Security Team - #3133 Bad output size for TLS compression - 2.4.0 - Facebook Whitehat
- #2447 Multiple fixes to macOS
crashes
- 2.0.0 - Facebook Whitehat and zzuf - #2330 Add size checks to
package_bom
- 2.0.0 - Facebook Whitehat - #1598
readFile
TOCTOU error - 1.6.0 - NCC Group - #1596 Uncaught exception in config JSON parsing - 1.6.0 - NCC Group
- #1585 Various comparisons of integers of different signs - 1.6.0 - NCC Group
- #993 Add restricted permissions to RocksDB - 1.4.5 - Anonymous security review
- #740 Add hardening compile flags and
-fPIE
- 1.4.1 - Anonymous security review - #300 Add restricted permissions to osqueryd logging - 1.0.4