github.com/jfrog/frogbot@v1.1.1-0.20231221090046-821a26f50338/testdata/scanpullrequest/expected_response_multi_dir.md

<div align='center'>

[![🚨 Frogbot scanned this pull request and found the below:](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/vulnerabilitiesBannerPR.png)](https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot)

</div>


## 📦 Vulnerable Dependencies
### ✍️ Summary
<div align='center'>

| SEVERITY                | CONTEXTUAL ANALYSIS                  | DIRECT DEPENDENCIES                  | IMPACTED DEPENDENCY                  | FIXED VERSIONS                  | CVES                  |
| :---------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: |
| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/notApplicableHigh.png)<br>    High | Not Applicable | minimatch:3.0.4 | minimatch 3.0.4 | [3.0.5] | CVE-2022-3517 |
| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableHighSeverity.png)<br>    High | Undetermined | pyjwt:1.7.1 | pyjwt 1.7.1 | [2.4.0] | CVE-2022-29217 |

</div>

<details>
<summary> <b>🔬 Research Details</b> </summary>
<br>

<details>
<summary> <b>[ CVE-2022-3517 ] minimatch 3.0.4</b> </summary>
<br>


**Description:**
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

</details>

<details>
<summary> <b>[ CVE-2022-29217 ] pyjwt 1.7.1</b> </summary>
<br>


**Description:**
[PyJWT](https://pypi.org/project/PyJWT) is a Python implementation of the RFC 7519 standard (JSON Web Tokens). [JSON Web Tokens](https://jwt.io/) are an open, industry-standard method for representing claims securely between two parties. A JWT comes with an inline signature that is meant to be verified by the receiving application. JWT supports multiple standard algorithms, and the algorithm is **specified in the JWT token itself**.

The PyJWT library uses the signature-verification algorithm specified in the JWT token, which is completely attacker-controlled. To avoid key confusion, it therefore requires the validating application to pass an `algorithms` kwarg listing the expected algorithms. Unfortunately, a non-default value, `algorithms=jwt.algorithms.get_default_algorithms()`, exists that allows all algorithms.
The PyJWT library also tries to mitigate key confusion in this case by making sure that public keys are not used as HMAC secrets. For example, HMAC secrets that begin with `-----BEGIN PUBLIC KEY-----` are rejected when encoding a JWT.

It has been discovered that, due to missing key-type checks, in cases where:
1. The vulnerable application expects to receive a JWT signed with an Elliptic-Curve key (one of the algorithms `ES256`, `ES384`, `ES512`, `EdDSA`)
2. The vulnerable application decodes the JWT token using the non-default kwarg `algorithms=jwt.algorithms.get_default_algorithms()` (or, alternatively, `algorithms` contains both an HMAC-based algorithm and an EC-based algorithm)

an attacker can create an HMAC-signed (e.g. `HS256`) JWT token, using the (well-known!) EC public key as the HMAC key, and the validating application will accept this JWT token as valid.

For example, an application might have planned to validate an `EdDSA`-signed token that was generated as follows:
```python
# Making a good JWT token that should work by signing it with the private key
encoded_good = jwt.encode({"test": 1234}, priv_key_bytes, algorithm="EdDSA")
```
An attacker in possession of the public key can generate an `HMAC`-signed token to confuse PyJWT:
```python
# Using HMAC with the public key to trick the receiver into treating the public key as an HMAC secret
encoded_bad = jwt.encode({"test": 1234}, pub_key_bytes, algorithm="HS256")
```

The following vulnerable `decode` call will accept BOTH of the above tokens as valid:
```python
# The same call accepts encoded_bad, because the allow-all list lets the
# attacker-chosen "HS256" header select HMAC verification with pub_key_bytes.
decoded = jwt.decode(encoded_good, pub_key_bytes,
                     algorithms=jwt.algorithms.get_default_algorithms())
```

**Remediation:**
##### Development mitigations

Use a specific algorithm instead of `jwt.algorithms.get_default_algorithms`.
For example, replace the following call:
`jwt.decode(encoded_jwt, pub_key_bytes, algorithms=jwt.algorithms.get_default_algorithms())`
with:
`jwt.decode(encoded_jwt, pub_key_bytes, algorithms=["ES256"])`

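To make the mitigation concrete, here is an added example (not Frogbot's or PyJWT's code): a minimal standard-library JWS verifier with the same `algorithms` contract, showing that an allow-all list accepts an HS256 token keyed with public-key bytes the PEM prefix check does not recognise, while a pinned list rejects it before any signature check. `hs256_encode`, `decode`, `accepted`, `PUB_KEY_BYTES` and `ALL_ALGS` are constructed names standing in for the page's `encoded_bad`, `pub_key_bytes` and `get_default_algorithms()`; only HS256 verification is implemented.

```python
import base64
import hashlib
import hmac
import json

ALL_ALGS = ["HS256", "EdDSA"]  # stands in for jwt.algorithms.get_default_algorithms()

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256_encode(payload: dict, secret: bytes) -> str:
    # Same shape as the page's `encoded_bad`: an HS256 JWS over the payload.
    header = _b64url(json.dumps({"alg": "HS256"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def decode(token: str, key: bytes, algorithms: list) -> dict:
    # PyJWT-style contract: `alg` is read from the untrusted header, while
    # `algorithms` is the verifying application's allow-list.
    h, b, s = token.split(".")
    alg = json.loads(_b64url_decode(h)).get("alg")
    if alg not in algorithms:  # the decisive check: pin this list
        raise ValueError(f"alg {alg!r} not in allow-list")
    if alg == "HS256":
        # Key-type check like the one the page describes: a PEM public key is
        # never a valid HMAC secret. Other key encodings pass straight through.
        if key.lstrip().startswith(b"-----BEGIN PUBLIC KEY-----"):
            raise ValueError("public key used as HMAC secret")
        expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            raise ValueError("HMAC mismatch")
        return json.loads(_b64url_decode(b))
    raise NotImplementedError("asymmetric verification is out of scope here")

def accepted(token: str, key: bytes, algorithms: list) -> bool:
    try:
        decode(token, key, algorithms)
        return True
    except ValueError:
        return False

# Constructed sample standing in for the page's `pub_key_bytes`: public-key bytes
# in an encoding the PEM prefix check does not recognise (hypothetical value).
PUB_KEY_BYTES = bytes(range(32))
FORGED = hs256_encode({"test": 1234}, PUB_KEY_BYTES)
```

`accepted(FORGED, PUB_KEY_BYTES, ALL_ALGS)` is `True` (the vulnerable configuration), while `accepted(FORGED, PUB_KEY_BYTES, ["EdDSA"])` is `False`: pinning the list stops the forged token regardless of which key-type checks exist.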
</details>

</details>



---
<div align='center'>

[🐸 JFrog Frogbot](https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot)

</div>