Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01cGdtLTNqM2ctMnJjN84AAtUL
Valinor error messages leading to potential data exfiltration before v0.12.0
<?php
namespace My\App;
use CuyZ\Valinor\Mapper\MappingError;
use CuyZ\Valinor\Mapper\Tree\Node;
use CuyZ\Valinor\Mapper\Tree\NodeTraverser;
use CuyZ\Valinor\MapperBuilder;
require_once __DIR__ . '/Valinor/vendor/autoload.php';
final class Money
{
private function __construct(public readonly string $amount)
{
}
public static function fromString(string $money): self
{
if (1 !== \preg_match('/^\d+ [A-Z]{3}$/', $money)) {
throw new \InvalidArgumentException(\sprintf('Given "%s" is not a recognized monetary amount', $money));
}
return new self($money);
}
}
class Foo
{
public function __construct(
private readonly Money $a,
private readonly Money $b,
private readonly Money $c,
) {}
}
$mapper = (new MapperBuilder())
->registerConstructor([Money::class, 'fromString'])
->mapper();
try {
var_dump($mapper->map(Foo::class, [
'a' => 'HAHA',
'b' => '100 EUR',
'c' => 'USD 100'
]));
} catch (MappingError $e) {
$messages = (new NodeTraverser(function (Node $node) {
foreach ($node->messages() as $message) {
var_dump([
'$message',
$message->path(),
$message->body()
]);
}
return '';
}))->traverse($e->node());
iterator_to_array($messages);
}
Now, this is quite innocent: it produces following output:
❯ php value-object-conversion.php
array(3) {
[0]=>
string(8) "$message"
[1]=>
string(1) "a"
[2]=>
string(48) "Given "HAHA" is not a recognized monetary amount"
}
array(3) {
[0]=>
string(8) "$message"
[1]=>
string(1) "c"
[2]=>
string(51) "Given "USD 100" is not a recognized monetary amount"
}
The problem is that nowhere I told valinor that it could use Throwable#getMessage()
.
This is a problem with cases where you get:
- an SQL exception showing an SQL snippet
- a DB connection exception showing DB ip address/username/password
- a timeout detail / out of memory detail (exploring DDoS possibilities)
This allows for potential data exfiltration, DDoS, enumeration attacks, etc.
Permalink: https://github.com/advisories/GHSA-5pgm-3j3g-2rc7JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01cGdtLTNqM2ctMnJjN84AAtUL
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-5pgm-3j3g-2rc7, CVE-2022-31140
References:
- https://github.com/CuyZ/Valinor/security/advisories/GHSA-5pgm-3j3g-2rc7
- https://nvd.nist.gov/vuln/detail/CVE-2022-31140
- https://github.com/CuyZ/Valinor/releases/tag/0.12.0
- https://github.com/advisories/GHSA-5pgm-3j3g-2rc7
Blast Radius: 9.9
Affected Packages
packagist:cuyz/valinor
Dependent packages: 31Dependent repositories: 21
Downloads: 957,735 total
Affected Version Ranges: < 0.12.0
Fixed in: 0.12.0
All affected versions: 0.1.0, 0.1.1, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0
All unaffected versions: 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.17.1, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.6.0, 1.6.1, 1.7.0, 1.8.0, 1.8.1, 1.8.2, 1.9.0, 1.10.0, 1.11.0, 1.12.0