
Formidable developer fights back against ‘critical’ CVE vulnerability assignment

The developer of the Formidable project has fought against the allocation of a CVE vulnerability entry by Mitre Corporation.

Formidable is a popular open source Node.js module for parsing form data, including multipart file uploads, that is used both in production web applications and in serverless environments. The library is available on GitHub.

The ‘vulnerability’ was made public in May and was assigned CVE-2022-29622 with a ‘critical’ CVSS severity score of 9.8, close to the maximum of 10.0. An ‘exploit’ video has also been uploaded to YouTube.

Uploads-by-design

CVE-2022-29622 is described as a dangerous arbitrary file upload flaw in Formidable version 3.1.4, exploitable by attackers to “execute arbitrary code via a crafted filename”.

However, this classification, as well as the CVE assignment, is in dispute – and this has been acknowledged in the CVE documentation.

“Some third parties dispute this issue because the product has common use cases in which uploading arbitrary files is the desired behavior,” NVD’s CVE record says.

“Also, there are configuration options in all versions that can change the default behavior of how files are handled.”

In a Medium blog post published on June 3, Formidable project maintainer and co-founder of Guardara, Zsolt Imre, published an update to a previous post examining the purported bug, saying he is “still confident that the Formidable library has nothing to do with these issues”.

Imre noted that a feature allowing arbitrary file uploads is not necessarily a vulnerability, depending on the use case and whether or not code execution follows a file upload.

“The code must be executed for the attacker to be able to interact with the web shell,” the developer commented. “So, the attacker has to find a process he/she can convince to touch the uploaded file.

“It’s not just any kind of ‘touching’! It actually has to be executed. As you can see, context is critical here.”

‘Invalid claims’

Imre went on to say that the claim the vulnerability “allows attackers to execute arbitrary code via a crafted filename” is incorrect, as “the only thing that can be vulnerable to this vulnerability is something that does execute arbitrary code,” adding that the issue is out of scope in the software library’s case.

The developer said that it would be more accurate to say that Formidable allows the upload of arbitrary files by default, but this does not mean this functionality is a vulnerability in itself.

If Formidable were vulnerable to arbitrary code execution, it would have to either execute the uploaded files itself or permit their content to be executed, whether “automatically or on request”, Imre said.

Overall, when Formidable is considered as a standalone attack vector, the reported vulnerability does not appear to be valid, according to Imre. While the maintainer concedes one could argue that a bug or a poorly implemented feature is in play, this does not constitute a vulnerability or a risk to users.


“Formidable is falsely accused of being vulnerable,” Imre says. “This false accusation messed up the release of one of our services for no good reason.”

Speaking to The Daily Swig, the maintainer said he has been in touch with Mitre to request CVE removal. Mitre referred Imre back to a comment made by a Formidable contributor, ‘GrosSacASac’, in which they mentioned “conditions to be vulnerable”.

However, Imre has argued that Mitre read the comment “the wrong way and GrosSacASac was not referring to the library being vulnerable under certain conditions, but an application that uses the library in a certain way”.

The maintainer has yet to receive further communication from the organization and has published questions for GrosSacASac to answer, in the hope of clarifying the situation.

Imre commented:

If anyone had taken the time to look at the code and see what the default behaviour and configuration of the library was, it would become crystal clear GrosSacASac was not talking about the formidable library in that comment.

Unfortunately, he/she has not responded yet. I do not believe Mitre will do any further investigation on this matter until GrosSacASac responds. Even in that case, as you can see, Mitre seemingly operates based on opinion rather than facts, so we can only hope for the best.

Imre has also published a ‘challenge’ on GitHub for further testing of Formidable and whether or not the CVE was correctly assigned.

The Daily Swig has reached out to Mitre and we will update when we hear back.

Source: https://portswigger.net/daily-swig/formidable-developer-fights-back-against-critical-cve-vulnerability-assignment
