Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check logs Sprint 17.2 week 2 (02/09/2022) #5037

Closed
1 task
patphongs opened this issue Jan 27, 2022 · 1 comment
Closed
1 task

Check logs Sprint 17.2 week 2 (02/09/2022) #5037

patphongs opened this issue Jan 27, 2022 · 1 comment
Assignees
@hcaofec
Labels
Security: general General security concern or issue
Milestone
Sprint 17.2

Comments

@patphongs
Copy link
Member

Log review needs to be completed per the Security Event Review Checklist (https://github.com/fecgov/FEC/wiki/Security-Event-Review-Checklist)

Ref: Check logs sprint 17.1 week1

  • Make new tickets for sprint 17.2 weeks 1 and 2.
@patphongs patphongs added the Security: general General security concern or issue label Jan 27, 2022
@patphongs patphongs added this to the Sprint 17.2 milestone Jan 27, 2022
@hcaofec
Copy link
Contributor

hcaofec commented Feb 9, 2022

FEC-CMS:
package.json: 1 Medium
[Snyk: Medium]: [node-fetch Information Exposure] (fecgov/fec-cms#5029)

requirements.txt: 0 Critical, 4 Medium, 3 Low
[Snyk:Medium]: django Denial of Service (DoS)
[Snyk:Medium new]: [django Access Restriction Bypass] will solve in fecgov/fec-cms#5030
[Snyk:Medium new]: [django Cross-site Scripting (XSS)]

[Snyk:Low]: [django Directory Traversal]will solve in fecgov/fec-cms#5030
[Snyk:Low]: [django Information Exposure]will solve in fecgov/fec-cms#5030
[Snyk:Low]: [wagtail Information Exposure] will solve in fecgov/fec-cms#5043

OPEN-FEC:
package.json: 1 Medium
[Snyk: Medium]: [User Interface Misrepresentation of Critical Information] (#5007)

requirements.txt: _1 Medium
[Snyk: Medium]: [Celery Stored Command Injection] (#5017)

flyway: 0
Ignored 1 High, 1 Medium this week because we use the postgresql driver and we are excluding protobuf.
flyway upgrade PR

FEC-EREGS:
package.json: 0

requirements.txt: 4 Medium, 2 Low
[Snyk: Medium]: [Celery stored command injection] (fecgov/fec-eregs#655)
[Snyk: Medium]: [django Cross-site Scripting (XSS)] (fecgov/fec-eregs#638)
[Snyk: Medium]: [django Denial of Service] (fecgov/fec-eregs#638)

[Snyk: Low new]: [django Directory Traversal] will solve in fecgov/fec-eregs#638
[Snyk: Low new]: [django Information Exposure] will solve in fecgov/fec-eregs#638

requirements-parsing.txt: 3 High, 4 Medium, 2 Low
[Snyk: High]: [requests-cache Arbitrary Code Execution]
[Snyk: High]: [ipython Arbitrary Code Execution]
[Snyk: High]: [networkx Deserialization of Untrusted Data]

[Snyk: Medium]: [Celery stored command injection]
[Snyk: Medium]: [django Cross-site Scripting (XSS)]
[Snyk: Medium]: [django Denial of Service]

[Snyk: Low new]: [django Directory Traversal]
[Snyk: Low new]: [django Information Exposure]

FEC-PATTERN-LIBRARY:
package.json: None

Search logs:
No log results for "User change"

Cloud.gov Dashboard:
9 deployer accounts, same as last week.

Off-boarding:
None for this week

@hcaofec hcaofec closed this as completed Feb 9, 2022
@hcaofec hcaofec mentioned this issue Feb 9, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hcaofec hcaofec

Labels
Security: general General security concern or issue
Projects
None yet
Milestone
Sprint 17.2
Development

No branches or pull requests
2 participants
@patphongs @hcaofec