react-native-code-push
FULL DISCLOSURE: Security Vulnerability - Improper Limitation of a Pathname to a Restricted Directory ('Partial-Path Traversal') during unzip in react-native-code-push
I reported the following vulnerability to Microsoft MSRC on Friday, May 13th, and received the following response this afternoon (Monday, May 16th). I presume that the report never actually made it to any of the react-native-code-push developers; as such, the full details of the vulnerability have been disclosed publicly.
To be clear: there is currently no fix for this security vulnerability.
VULN-066991 CRM:0765000224
Hello,
Thank you for contacting the Microsoft Security Response Center (MSRC). We appreciate the time taken to submit this assessment.
Upon investigation, we have determined that this submission does not meet the definition of a security vulnerability for servicing. This report does not appear to identify a weakness in a Microsoft product or service that would enable an attacker to compromise the integrity, availability, or confidentiality of a Microsoft offering.
As such, this thread is being closed and no longer monitored. We apologize for any inconvenience this may have caused.
If you believe this determination to be in error, submit a new report at https://aka.ms/secure-at
Please include:
- Relevant information previously provided in your initial report
- Detailed steps required to consistently reproduce the issue
- Short explanation on how an attacker could use the information to exploit another user remotely
- Proof-of-concept (POC), such as a video recording, crash reports, screenshots, or relevant code samples
More information on reporting a security vulnerability can be found at https://www.microsoft.com/msrc/faqs-report-an-issue.
Regards,
Ali MSRC
Link to full disclosure: https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-7hfp-mpq6-2jhf
This issue has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs within 15 days of this comment.
It's still a vulnerability and still hasn't been fixed
Any updates here?
This issue has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs within 15 days of this comment.
Not stale
This issue has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs within 15 days of this comment.
Not stale
This issue has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs within 15 days of this comment.
Not stale
This issue will now be closed because it hasn't had any activity for 15 days after stale. Please feel free to open a new issue if you still have a question/issue or suggestion.