Github considers bootstrap 3.4.0 as insecure

[GeyseR]

Github considers Bootstrap 3.4.0 an insecure dependency via its security vulnerability alerts tool. It points to the NVD CVE-2018-14041 page, which shows that only >4.1.2 is secure. Is 3.4.0 safe to use as it has a fix for the npm:bootstrap:20160627 vulnerability or it is something different?

A screenshot from one of our private projects:

[XhmikosR]

I guess someone should submit info that this was also fixed in 3.4.0.

[bardiharborow]

I've sent this off to NIST, who I believe is the responsible party for vulnerable version information:

I'm writing to inform you that the fix for CVE-2018-14041 has been cherry-picked into the Bootstrap v3.4.0 release. The vulnerable versions are now represented by (x < 3.4.0 || 4.0.0-alpha <= x < 4.1.2). You may verify my identity against <https://github.com/orgs/twbs/people> and the fix against <https://github.com/twbs/bootstrap/releases/tag/v3.4.0> and <#27047>. This is my first interaction with your registry, so my apologies if this enquiry is misplaced. Thank you for your time.

[XhmikosR]

Thanks @bardiharborow, let us know how it goes.

[Mx-Glitter]

It seems to be fixed on their end: https://nvd.nist.gov/vuln/detail/CVE-2018-14041#p_lt_WebPartZone1_zoneCenter_pageplaceholder_p_lt_WebPartZone1_zoneCenter_VulnerabilityDetail_VulnFormView_VulnChangeHistoryDiv

[XhmikosR]

Does GitHub still warn about this?

[bardiharborow]

NIST got back to me 9 hours ago with:

Thank you for bringing this to our attention. We appreciate community input in order to provide the most accurate and up-to-date information as possible. After review of the CVEs, the information provided, and the configurations we have made the appropriate modifications. Please allow up to 24 hours for these changes to populate on the website and in the data feeds.

@XhmikosR, do you know why https://snyk.io/vuln/npm:bootstrap:20160627 says < 4.0.0-beta.2 whereas NIST says < 4.1.2? I can see that #23679 was merged in 4.0.0-beta.2, so I'm not sure where NIST got 4.1.2 from...

[XhmikosR]

@bardiharborow: nope. I don't know where they get the info from. One of the two is wrong :P

[xhocquet]

Hey there, hoping to get an additional update added here.

A member of the Debian LTS team checked out earlier versions of bootstrap (one of which we are using) and declared it did not contain the vulnerability: #26627 (comment)

Compare that to the current vulnerability entry: https://nvd.nist.gov/vuln/detail/CVE-2018-14041#VulnChangeHistorySection

Specifically, my company is still using 3.3.7 and is not prepared to upgrade. Github's vulnerability tracker uses this database to notify us that our project is insecure, however based on what I've seen that is not the case.

If a member of the team could confirm the statement by the Debian team member, as well as contact cpe_dictionary@nist.gov regarding any updates, I'm sure many developers would appreciate removing a warning from their Github repos and other security auditing tools using this database.

[XhmikosR]

3.3.7 is affected. 3.4.0 is not.

[wolfy1339]

I have some more info for you guys, Snyk seems to get their info from CVE database at https://cve.mitre.org so they need to be contacted as well.
Here is their page that explains how to request an update: https://cve.mitre.org/cve/update_cve_entries.html

[divyanshugrover]

https://nvd.nist.gov/vuln/detail/CVE-2018-14040 and https://nvd.nist.gov/vuln/detail/CVE-2018-14042 still show bootstrap 3.4.0 as affected, but I can see the updated changes for https://nvd.nist.gov/vuln/detail/CVE-2018-14041.
I can also see in #27047 that fixes for 14040 and 14042 were included in v3.4.0-dev branch, which ended up into the release branch for 3.4.0.

If the above is correct, @bardiharborow can you please intimate the same to NIST for 14040 and 14042 as well. Thanks!

[bardiharborow]

Okay, I've worked out what's happening here:

• CVE-2018-14040 (synk) (collapse data-parent) was fixed in v4.1.2 by 1490960, back-ported to v3.4.0 by 2a5ba23.
• CVE-2018-14041 (synk*) (scrollspy data-target) was fixed in v4.1.2 by cc61edf, not back-ported.
• CVE-2018-14042 (synk) (tooltip data-container) was fixed in v4.1.2 by 2d90d36, back-ported to v3.4.0 by 2a5ba23.
• CVE-2016-10735 (synk) (generic data-target) was fixed in v4.0.0-beta.2 by bcad4bc, back-ported to v3.4.0 by 29f9237 and 13bf8ae.
• CVE-2018-20676 (synk)(tooltip data-viewport) was fixed in v3.4.0 by 2a5ba23, not forward-ported.
• CVE-2018-20677 (synk) (affix config target) was fixed in v3.4.0 by 2a5ba23, not forward-ported.

@Johann-S are you perhaps able to confirm that the patches which have not been backwards or forwards ported do not need to be?

[Johann-S]

Hi @bardiharborow

• CVE-2018-14041 wasn't back-ported because there is no XSS in v3 (see: https://jsbin.com/kicedoniya/edit?html,output which use v3.3.7) and there was one in v4
• Tooltip data-viewport not forward-ported because this option do not exist in v4
• Affix config target not forward-ported because the Affix plugin do not exist in v4

[bardiharborow]

Email to NIST:

Due to confusion between six related vulnerabilities, my previous advisory was issued against an incorrect CVE number and needs to be retracted. My sincere apologies. The following reflects my audit of the repository history this morning:

• CVE-2018-14040 (collapse data-parent) was fixed in v4.1.2 by 1490960, and back-ported to v3.4.0 by 2a5ba23. It therefore affects versions (x < 3.4.0 || 4.0.0-alpha <= x < 4.1.2).
• CVE-2018-14041 (scrollspy data-target) was fixed in v4.1.2 by cc61edf, and not back-ported because it does not affect the v3 line. It therefore affects versions (4.0.0-alpha <= x < 4.1.2).
• CVE-2018-14042 (tooltip data-container) was fixed in v4.1.2 by 2d90d36, back-ported to v3.4.0 by 2a5ba23. It therefore affects versions (x < 3.4.0 || 4.0.0-alpha <= x < 4.1.2).

Bootstrap is affected by three additional related vulnerabilities not tracked by the CVE system. Further information is linked from #27915 (comment). Should these be tracked by separate CVE numbers, and if so who do I need to notify for this?

[bardiharborow]

I have coordinated with MITRE to issue three new CVEs as above, and have edited a number of pull requests to make clear which CVEs are involved in which. I'm waiting for confirmation from NIST/NVD on a few things, and then will be in touch with Synk to sort out their database.

[XhmikosR]

@bardiharborow: is this sorted out?

[bardiharborow]

I still need to confirm that GitHub has updated their database. Perhaps @GeyseR could check on their end?

[GeyseR]

hey @bardiharborow,
the only thing I can confirm, that the initial alert has disappeared from our repositories.
I've contacted GitHub support several times after the updated in the NIST database, so I'm not sure was this issue resolved globally in GitHub.
Thanks for your help, btw

[XhmikosR]

OK, so I guess we can close this for now. If it's not fixed, let us know with a comment.