Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTUzbWotbWMzOC1xODk0
Remote Memory Exposure in openwhisk
Versions of openwhisk before 3.3.1 are vulnerable to remote memory exposure.
When a number is passed to api_key, affected versions of openwhisk allocate an uninitialized buffer and send that over network in Authorization header (base64-encoded).
Proof of concept:
var openwhisk = require('openwhisk');
var options = {
apihost: '127.0.0.1:1433',
api_key: USERSUPPLIEDINPUT // number
};
var ow = openwhisk(options);
ow.actions.invoke({actionName: 'sample'}).then(result => console.log(result))
Recommendation
Update to version 3.3.1 or later.
Permalink: https://github.com/advisories/GHSA-53mj-mc38-q894JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTUzbWotbWMzOC1xODk0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 4 years ago
Updated: about 2 years ago
Identifiers: GHSA-53mj-mc38-q894
References:
- https://github.com/openwhisk/openwhisk-client-js/pull/34
- https://www.npmjs.com/advisories/600
- https://github.com/advisories/GHSA-53mj-mc38-q894
Blast Radius: 0.0
Affected Packages
npm:openwhisk
Dependent packages: 53Dependent repositories: 291
Downloads: 42,117 last month
Affected Version Ranges: < 3.3.1
Fixed in: 3.3.1
All affected versions: 1.0.0, 1.0.1, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.6, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, 3.0.0, 3.1.0, 3.2.0, 3.2.1, 3.2.2, 3.3.0
All unaffected versions: 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.6.0, 3.7.0, 3.8.0, 3.9.0, 3.10.0, 3.11.0, 3.12.0, 3.13.0, 3.13.1, 3.14.0, 3.15.0, 3.16.0, 3.17.0, 3.18.0, 3.19.0, 3.20.0, 3.21.1, 3.21.2, 3.21.3, 3.21.4, 3.21.5, 3.21.6, 3.21.7, 3.21.8