
Oqtane 6.0 Security Warnings #4941

Open
iJungleboy opened this issue Dec 20, 2024 · 4 comments

Comments

@iJungleboy (Contributor) commented Dec 20, 2024

All my current projects somehow tied in with Oqtane are getting High Severity security warnings issued by GitHub.

I would claim we're not affected, since the presumed vector requires some user login, which all our sites don't have.

But I think it will give many a scare, especially right before the holidays where they are off.

Please release 6.1. asap ❤️‍🩹

@mdmontesinos (Contributor) commented:

I'm also getting the security warnings by GitHub Dependabot


@sbwalker (Member) commented Dec 23, 2024

@iJungleboy 6.0.1 was released on Friday, Dec 20 (coincidentally on the same date that these CVEs appear to have been created)

@sbwalker (Member) commented Dec 23, 2024

Apparently the Security workflow on GitHub does not function as expected. GitHub repos have a Private Vulnerability Reporting feature which "Allows users to privately report potential security vulnerabilities" and it includes the following information:

  • Until it is published, this draft security advisory will only be visible to collaborators with admin permissions on oqtane/oqtane.framework. Other users and teams within the organization may be added once the advisory is created.

  • Once published, security advisories on public repositories are visible to everyone.

  • Once reviewed by GitHub, security advisories may be broadcast on the GitHub Advisory Database. They may also trigger Dependabot alerts to users that depend on this repository.

The idea behind this is that people can report potential issues to the maintainer so they can be investigated. Investigation is required because many issues which are reported are not actually security issues - they are a misunderstanding of the functionality of the application. The maintainer is supposed to have the ability to manage these issues so that they do not raise false alarms.

Unfortunately it appears that the process is not being followed. Either GitHub is broadcasting issues BEFORE they are confirmed or published (not likely), or security researchers are trying to claim credit for the (non-validated) vulnerabilities they reported and publishing their claims in the public domain... which are then indexed and shared by CVE aggregators (more likely). If it is the latter, then it is just another example of stakeholders trying to take advantage of open source projects for their own personal gain.

The CVEs which are currently being surfaced through GitHub Dependabot are not accurate. However, it is not clear how anyone is supposed to resolve these inaccuracies once they are published through the CVE aggregator networks.

I have now disabled the Private Vulnerability Reporting feature for the Oqtane repo as it appears to cause more harm than good. Very disappointing.

@sbwalker sbwalker changed the title Please release 6.0.1 asap; getting flooded by security warnings Oqtane 6.0 Security Warnings Dec 23, 2024
@sbwalker sbwalker reopened this Dec 23, 2024
@sbwalker (Member) commented:

Added a comment to PR #4878 for clarification about the CVE.
