Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTUzbWotbWMzOC1xODk0

Remote Memory Exposure in openwhisk

Versions of openwhisk before 3.3.1 are vulnerable to remote memory exposure.

When a number is passed to api_key, affected versions of openwhisk allocate an uninitialized buffer and send that over network in Authorization header (base64-encoded).

Proof of concept:

var openwhisk = require('openwhisk');
var options = {
  apihost: '127.0.0.1:1433', 
  api_key: USERSUPPLIEDINPUT // number
};
var ow = openwhisk(options);
ow.actions.invoke({actionName: 'sample'}).then(result => console.log(result))

Recommendation

Update to version 3.3.1 or later.

Permalink: https://github.com/advisories/GHSA-53mj-mc38-q894
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTUzbWotbWMzOC1xODk0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 4 years ago
Updated: over 1 year ago


Identifiers: GHSA-53mj-mc38-q894
References: Repository: https://github.com/openwhisk/openwhisk-client-js
Blast Radius: 0.0

Affected Packages

npm:openwhisk
Dependent packages: 53
Dependent repositories: 291
Downloads: 43,602 last month
Affected Version Ranges: < 3.3.1
Fixed in: 3.3.1
All affected versions: 1.0.0, 1.0.1, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.6, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, 3.0.0, 3.1.0, 3.2.0, 3.2.1, 3.2.2, 3.3.0
All unaffected versions: 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.6.0, 3.7.0, 3.8.0, 3.9.0, 3.10.0, 3.11.0, 3.12.0, 3.13.0, 3.13.1, 3.14.0, 3.15.0, 3.16.0, 3.17.0, 3.18.0, 3.19.0, 3.20.0, 3.21.1, 3.21.2, 3.21.3, 3.21.4, 3.21.5, 3.21.6, 3.21.7, 3.21.8