Check logs Sprint 17.1 week1 (01/19/2022) #5019

pkfec · 2022-01-04T16:03:51Z

Log review needs to be completed per the Security Event Review Checklist (https://github.com/fecgov/FEC/wiki/Security-Event-Review-Checklist)

Ref: Check logs Innovation sprint 16 week4

fec-jli · 2022-01-19T15:43:33Z

FEC-CMS:
package.json: 1 Medium
[Snyk: Medium]: [node-fetch Information Exposure] (fecgov/fec-cms#5029)

requirements.txt: 1 Critical, 5 Medium, 2 Low
[Snyk:Critical]: pillow Arbitrary Code Execution
[Snyk:Medium]: [pillow Buffer Over-read] will solve in fecgov/fec-cms#5020
[Snyk:Medium]: [pillow Denial of Service (DoS)]will solve in fecgov/fec-cms#5020
[Snyk:Medium]: [pillow Improper Initialization] will solve in fecgov/fec-cms#5020

[Snyk:Medium]: django Denial of Service (DoS)
[Snyk:Medium new]: [django Access Restriction Bypass]will solve in fecgov/fec-cms#5030

[Snyk:Low]: [django Directory Traversal]will solve in fecgov/fec-cms#5030
[Snyk:Low]: [django Information Exposure]will solve in fecgov/fec-cms#5030

OPEN-FEC:
package.json: 1 Medium
[Snyk: Medium]: [User Interface Misrepresentation of Critical Information] (#5007)

requirements.txt: 1 Medium
[Snyk: Medium]: [Celery Stored Command Injection] (#5017)

flyway: 1 High (can wait to create ticket in next sprint)
[Snyk:High]: [com.google.protobuf:protobuf-java Denial of Service (DoS)]

FEC-EREGS:
package.json: 1 Critical, 5 High, 9 Medium.

Note: 12/13 medium snyk vulnerabilities are flagged on node-sass package 1/13 medium snyk vulnerability is flagged on lodash.
[Snyk: High/Critical]: [lodash Command injection] (fecgov/fec-eregs#643)
[Snyk: High] [node-sass null pointer dereference] (fecgov/fec-eregs#644)
Note: node-sass is flagged as highly vulnerable on Out-of-bounds Read and Use After Free)
[Snyk: High]: [json-schema prototype pollution] (fecgov/fec-eregs#645)
[Snyk: High] ansi-regex Regular Expression Denial of Service [(ReDoS)] (fecgov/fec-eregs#646)

requirements.txt: 2 Medium, 2 Low
[Snyk: Medium]: [Celery stored command injection] (fecgov/fec-eregs#655)
[Snyk: Medium]: [Access Restriction Bypass] (fecgov/fec-eregs#638)

[Snyk: Low new]: [django Directory Traversal] will solve in fecgov/fec-eregs#638
[Snyk: Low new]: [django Information Exposure] will solve in fecgov/fec-eregs#638

requirements-parsing.txt: 2 High, 2 Medium, 2 Low (no ticket)
[Snyk: High] requests-cache Arbitrary Code Execution
[Snyk: High] networkx Deserialization of Untrusted Data
[Snyk: Medium]: celery Stored Command Injection
[Snyk: Medium]: django Denial of Service (DoS)
[Snyk: Low]: django Directory Traversal
[Snyk: Low]: django Information Exposure

FEC-PATTERN-LIBRARY:
package.json: None

Search logs:
No log results for "User change"

Cloud.gov Dashboard:
9 deployer accounts, same as last week.

Off-boarding:
None for this week

fec-jli · 2022-01-19T16:57:06Z

It is done, close.

pkfec added the Security: general General security concern or issue label Jan 4, 2022

pkfec added this to the Sprint 17.1 milestone Jan 4, 2022

pkfec mentioned this issue Jan 4, 2022

Check logs Sprint 17.1 week2 (01/26/2022) #5020

Closed

1 task

JonellaCulmer assigned fec-jli Jan 18, 2022

fec-jli closed this as completed Jan 19, 2022

This was referenced Jan 27, 2022

Check logs Sprint 17.2 week 1 (02/02/2022) #5036

Closed

Check logs Sprint 17.2 week 2 (02/09/2022) #5037

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Check logs Sprint 17.1 week1 (01/19/2022) #5019

Check logs Sprint 17.1 week1 (01/19/2022) #5019

pkfec commented Jan 4, 2022

fec-jli commented Jan 19, 2022 •

edited by pkfec

Loading

fec-jli commented Jan 19, 2022

Check logs Sprint 17.1 week1 (01/19/2022) #5019

Check logs Sprint 17.1 week1 (01/19/2022) #5019

Comments

pkfec commented Jan 4, 2022

fec-jli commented Jan 19, 2022 • edited by pkfec Loading

fec-jli commented Jan 19, 2022

fec-jli commented Jan 19, 2022 •

edited by pkfec

Loading