Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xaG1wLWg1NHgtMzhxcs0V5w
CWE-730 Regex injection with IFTTT Plugin
Impact
Anyone publicly hosting the Apprise library and granting them access to the IFTTT notification service.
Patches
Update to Apprise v0.9.5.1
# Install Apprise v0.9.5.1 from PyPI
pip install apprise==0.9.5.1
The patch to the problem was performed here.
Workarounds
Alternatively, if upgrading is not an option, you can safely remove the following file:
apprise/plugins/NotifyIFTTT.py
The above will eliminate the ability to use IFTTT, but everything else will work smoothly.
For more information
If you have any questions or comments about this advisory:
- Open an issue in Apprise
- Email me at [email protected]
Additional Credit
Github would not allow me to additionally credit Rasmus Petersen, but I would like to put that here at the very least - thank you for finding and reporting this issue along with those already credited
Additional Notes:
- Github would not allow me to add/tag the 2 CWE's this issue is applicable to (only CWE-400). The other is: CWE-730 (placed in the title)
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xaG1wLWg1NHgtMzhxcs0V5w
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-qhmp-h54x-38qr, CVE-2021-39229
References:
- https://github.com/caronc/apprise/security/advisories/GHSA-qhmp-h54x-38qr
- https://github.com/caronc/apprise/commit/e20fce630d55e4ca9b0a1e325a5fea6997489831
- https://github.com/caronc/apprise/releases/tag/v0.9.5.1
- https://nvd.nist.gov/vuln/detail/CVE-2021-39229
- https://github.com/caronc/apprise/pull/436
- https://github.com/caronc/apprise/blob/0007eade20934ddef0aba38b8f1aad980cfff253/apprise/plugins/NotifyIFTTT.py#L356-L359
- https://github.com/advisories/GHSA-qhmp-h54x-38qr
Blast Radius: 22.2
Affected Packages
pypi:apprise
Dependent packages: 25Dependent repositories: 903
Downloads: 689,101 last month
Affected Version Ranges: <= 0.9.4
Fixed in: 0.9.5.1
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.5.0, 0.5.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.7.8, 0.7.9, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4
All unaffected versions: 0.9.6, 0.9.7, 0.9.8, 0.9.9, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.4.0, 1.4.5, 1.5.0, 1.6.0, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6