101 icon indicating copy to clipboard operation
101 copied to clipboard

Published 20 hours ago verified publisher icon tjmehta

🚨 Potential Violation of Secure Design Principles (CWE-657)

Open huntr-helper opened this issue 3 years ago • 11 comments

👋 Hello, @tjmehta - a potential high severity Violation of Secure Design Principles (CWE-657) vulnerability in your repository has been disclosed to us.

Next Steps

1️⃣ Visit https://huntr.dev/bounties/1-other-tjmehta/101 for more advisory information.

2️⃣ Sign-up to validate or speak to the researcher for more assistance.

3️⃣ Propose a patch or outsource it to our community - whoever fixes it gets paid.

✏️ NOTE: If we don't hear from you in 14 days, we will proactively source a fix for this vulnerability (and open a PR) to ensure community safety.

Confused or need more help?

  • Join us on our Discord and a member of our team will be happy to help! 🤗

  • Speak to a member of our team: @JamieSlome

This issue was automatically generated by huntr.dev - a bug bounty board for securing open source code.

huntr-helper avatar May 03 '21 18:05 huntr-helper

✏️ NOTE: If we don't hear from you in 14 days, we will proactively source a fix for this vulnerability (and open a PR) to ensure community safety.

@huntr-helper is there a PR to fix this?

OmgImAlexis avatar Jun 16 '21 22:06 OmgImAlexis

@OmgImAlexis - not yet!

JamieSlome avatar Jun 17 '21 08:06 JamieSlome

Do we have any updates on this?

JamieSlome avatar Jul 01 '21 09:07 JamieSlome

Any updates here?

This CVE is currently blocking our CI/CD: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25943

skarred14 avatar Jul 19 '21 17:07 skarred14

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25943

Just wondering, are there any updates concerning this CVE?

adlawren avatar Sep 08 '21 15:09 adlawren

✏️ NOTE: If we don't hear from you in 14 days, we will proactively source a fix for this vulnerability (and open a PR) to ensure community safety.

@huntr-helper is there a PR to fix this?

@huntr-helper it's been way longer than 14 days. Still no PR. 😕

OmgImAlexis avatar Sep 14 '21 06:09 OmgImAlexis

NOTE: If we don't hear from you in 14 days, we will proactively source a fix for this vulnerability (and open a PR) to ensure community safety.

@huntr-helper are you going to open a PR for this? Is there anything we can do to help?

OmgImAlexis avatar Sep 27 '21 06:09 OmgImAlexis

@OmgImAlexis - it looks like no fixes have been submitted via our community.

I might recommend reaching out to @blindhacker99, who disclosed via our platform to see if they have any thoughts.

JamieSlome avatar Sep 27 '21 07:09 JamieSlome

✏️ NOTE: If we don't hear from you in 14 days, we will proactively source a fix for this vulnerability (and open a PR) to ensure community safety.

@JamieSlome might be worth removing this line from your issues then.

OmgImAlexis avatar Sep 27 '21 07:09 OmgImAlexis

@OmgImAlexis - this template has been entirely adjusted and does not follow this format anymore.

Thanks!

JamieSlome avatar Sep 27 '21 07:09 JamieSlome

Just a FYI there's a open PR is already there for keypather which also utilises the vulnerable set() method from 101. The maintainer hasn't merged the PR yet, looks he is not interested. Since keypather also utilises the vulnerable set() method from 101 so fixing it here would be effective fix. @OmgImAlexis you can open a PR by replicating the same fix which is applied here. -https://github.com/tjmehta/keypather/pull/43/commits/c87c3c453e8c853c22bbfa75d40e0b7f11c58ede

blindhacker99 avatar Oct 02 '21 13:10 blindhacker99