
Fix for CVE-2024-7106 - Cross-Site Request Forgery? #1381

Closed
barrywoolgar opened this issue Sep 2, 2024 · 8 comments

Comments

@barrywoolgar

Hello

Is there a fix available (or planned) for CVE-2024-7106?

A vulnerability classified as problematic was found in Spina CMS 2.18.0. Affected by this vulnerability is an unknown functionality of the file /admin/media_folders. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272431. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

At the moment Bundler Audit is recommending we "remove or disable this gem until a patch is available", which isn't much of a long-term solution!

Many thanks

@barrywoolgar barrywoolgar changed the title Fix for CVE-2024-7106 - Cross-Site Request Forgery Fix for CVE-2024-7106 - Cross-Site Request Forgery? Sep 2, 2024
@Bramjetten
Contributor

Bramjetten commented Sep 2, 2024

No.

The "bug" they submitted is only tested on the live demo website and is caused by the live demo not having any authentication or authorization, which is of course purposefully disabled for demo purposes...

This is not present in the Spina gem and has nothing to do with it. I've been unable to have this CVE removed. I have also never been contacted by the individual that published this CVE. It's a scam sadly.

I'm planning on re-adding password authentication to our live demo site and releasing a new version of the Spina gem just to clear this up.
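Worked illustration of the distinction Bramjetten draws above, added here by the editor and not Spina's code: a constructed stand-in for an admin endpoint that can run with login required or not and with per-session CSRF token checking on or off, plus a three-request triage that tells a genuine CSRF weakness (the victim's cookie alone is enough) apart from an endpoint that simply needs no authentication (a direct request with no cookie succeeds, so no victim browser is involved and "CSRF" is the wrong label). The class name, the configuration flags, the request shape and the sessions are assumptions for the example; the forged probe also assumes a session cookie without a SameSite attribute, since a SameSite=Lax default would already stop the browser attaching it to a cross-site POST.

```ruby
require "securerandom"

# Added illustration, not Spina's code: a minimal stand-in for a CMS admin
# endpoint such as POST /admin/media_folders. Requests and sessions are
# constructed Hashes; no web server is involved.
class AdminEndpoint
  attr_reader :folders

  # require_login: off reproduces a demo that skips authentication entirely.
  # check_csrf:    per-session token demanded on every state-changing POST.
  def initialize(require_login: true, check_csrf: true)
    @require_login = require_login
    @check_csrf = check_csrf
    @sessions = {} # session id (cookie value) => { user:, csrf_token: }
    @folders = []
  end

  # Log a user in; returns the cookie a browser would store for the site.
  def login(user)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { user: user, csrf_token: SecureRandom.base64(32) }
    { "_session_id" => sid }
  end

  # Token the same-origin admin form embeds in its hidden field.
  def form_token(cookies)
    @sessions.dig(cookies["_session_id"], :csrf_token)
  end

  # Handle the POST. request = { cookies: {...}, params: {...} }.
  # Returns an HTTP status code (Rails answers 422 on a bad token).
  def create_folder(request)
    session = @sessions[request[:cookies]["_session_id"]]
    return 401 if @require_login && session.nil?
    if @check_csrf
      expected = session && session[:csrf_token]
      supplied = request[:params]["authenticity_token"].to_s
      return 422 unless expected && secure_compare(expected, supplied)
    end
    @folders << request[:params]["name"]
    201
  end

  private

  # Constant-time comparison so the token check does not leak by timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Triage for a report like the one quoted in this issue. Three requests
# separate "cross-site request forgery" from "no authentication at all".
def triage(app)
  victim = app.login("editor")
  # 1. Direct request: no cookie, no token. If this succeeds, anyone can hit
  #    the endpoint without a victim, so the finding is an open endpoint.
  direct = app.create_folder(cookies: {}, params: { "name" => "direct" })
  # 2. Forged request: an attacker page auto-submits a form; the browser
  #    attaches the victim's cookie (assumes no SameSite attribute) but the
  #    page cannot read the per-session token.
  forged = app.create_folder(cookies: victim, params: { "name" => "forged" })
  # 3. Legitimate same-origin submission carrying the form's token.
  legit = app.create_folder(
    cookies: victim,
    params: { "name" => "legit", "authenticity_token" => app.form_token(victim) }
  )
  return :open_endpoint if direct == 201
  return :csrf if forged == 201
  return :protected if legit == 201 && forged == 422
  :unknown
end
```

Running `triage` on `AdminEndpoint.new`, `AdminEndpoint.new(check_csrf: false)` and `AdminEndpoint.new(require_login: false, check_csrf: false)` returns :protected, :csrf and :open_endpoint respectively. The last case is what a scanner exercising an unauthenticated demo sees, and the remedy there is to turn authentication back on, not to change anything about token handling.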

@barrywoolgar
Author

barrywoolgar commented Sep 2, 2024

Thank you for the rapid response, and the context missing from the official CVE pages.

We use automated tooling to make sure we're addressing vulnerabilities (real or imagined!) so it is great to hear that there's a straightforward solution to this.

Please could this issue stay open until the new version is released?

@Bramjetten
Contributor

Agreed!


stale bot commented Nov 7, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Nov 7, 2024
@stale stale bot closed this as completed Nov 16, 2024
@barrywoolgar
Author

Please can this be re-opened until the CVE is resolved?

@Bramjetten
Contributor

This CVE does not apply to the Spina gem, it's garbage. I don't know how to prevent someone from submitting this.

@Bramjetten Bramjetten reopened this Nov 18, 2024
@stale stale bot removed the stale label Nov 18, 2024
@barrywoolgar
Author

I totally agree with your earlier assessment, but you also proposed a simple workaround:

  • make the demo more representative of an actual installation by not bypassing the login
  • put the demo creds on the website/README?
  • release a new 2.19 version so the CVE can suggest people upgrade

Many thanks!

@Bramjetten
Contributor

I deleted the live demo and opened a PR for v2.19: #1394
