GHSA-H29C-WCM8-883H

Vulnerability from github – Published: 2022-01-21 23:20 – Updated: 2024-10-07 21:16
VLAI?
Summary
Incorrect Permission Assignment for Critical Resource in OnionShare
Details

Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. This is an issue from that penetration test.

  • Vulnerability ID: OTF-006
  • Vulnerability type: Broken Website Hardening Control
  • Threat level: Low

Description:

The CSP can be turned on or off but not configured for the specific needs of the website.

Technical description:

The website mode of the application allows to use a hardened CSP, which will block any scripts and external resources. It is not possible to configure this CSP for individual pages and therefore the security enhancement cannot be used for websites using javascript or external resources like fonts or images.

If CSP were configurable, the website creator could harden it accordingly to the needs of the application.

As this issue correlates with the Github issue for exposing the flask application directly (https://github.com/onionshare/ onionshare/issues/1389), it can be assumed that this can be solved by either changing to a well-known webserver, which supports this kind of configuration, or enhancing the status quo by making the CSP a configurable part of each website.

We believe that bundling the nginx or apache webserver would add complexity and dependencies to the application that could result in a larger attack surface - as these packages receive regular security updates. On the other hand it is not recommended to directly expose the flask webserver, due to lack of hardening. This is a trade-off which needs to be evaluated by the Onionshare developers, as multiple features are involved. Ideally the application user could choose between the built-in flask webserver or a system webserver of choice.

Impact:

As this is a general weakness and not a direct vulnerability in the Onionshare application, the direct impact of this issue is rather low.

Recommendation:

  • Consider offering a configurable webserver choice
  • Consider configurable CSP
Severity ?
3.7 (Low)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "onionshare-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2"
            },
            {
              "fixed": "2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21694"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-732"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-19T19:32:41Z",
    "nvd_published_at": "2022-01-18T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Between September 26, 2021 and October 8, 2021, [Radically Open Security](https://www.radicallyopensecurity.com/) conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund\u0027s [Red Team lab](https://www.opentech.fund/labs/red-team-lab/). This is an issue from that penetration test.\n\n- Vulnerability ID: OTF-006\n- Vulnerability type: Broken Website Hardening Control\n- Threat level: Low\n\n## Description:\n\nThe CSP can be turned on or off but not configured for the specific needs of the website.\n\n## Technical description:\n\nThe website mode of the application allows to use a hardened CSP, which will block any scripts and external resources. It is not possible to configure this CSP for individual pages and therefore the security enhancement cannot be used for websites using javascript or external resources like fonts or images.\n\nIf CSP were configurable, the website creator could harden it accordingly to the needs of the application.\n\nAs this issue correlates with the Github issue for exposing the flask application directly (https://github.com/onionshare/ onionshare/issues/1389), it can be assumed that this can be solved by either changing to a well-known webserver, which supports this kind of configuration, or enhancing the status quo by making the CSP a configurable part of each website.\n\nWe believe that bundling the nginx or apache webserver would add complexity and dependencies to the application that could result in a larger attack surface - as these packages receive regular security updates. On the other hand it is not recommended to directly expose the flask webserver, due to lack of hardening. This is a trade-off which needs to be evaluated by the Onionshare developers, as multiple features are involved. Ideally the application user could choose between the built-in flask webserver or a system webserver of choice.\n\n## Impact:\n\nAs this is a general weakness and not a direct vulnerability in the Onionshare application, the direct impact of this issue is rather low.\n\n## Recommendation:\n\n- Consider offering a configurable webserver choice\n- Consider configurable CSP",
  "id": "GHSA-h29c-wcm8-883h",
  "modified": "2024-10-07T21:16:33Z",
  "published": "2022-01-21T23:20:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/onionshare/onionshare/security/advisories/GHSA-h29c-wcm8-883h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21694"
    },
    {
      "type": "WEB",
      "url": "https://github.com/onionshare/onionshare/issues/1389"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/onionshare/onionshare"
    },
    {
      "type": "WEB",
      "url": "https://github.com/onionshare/onionshare/releases/tag/v2.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/onionshare-cli/PYSEC-2022-45.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Incorrect Permission Assignment for Critical Resource in OnionShare"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.