Bug 1197930 – VUL-0: CVE-2022-21948: paste: XSS on the image upload function

Bug 1197930 - (CVE-2022-21948) VUL-0: CVE-2022-21948: paste: XSS on the image upload function

(CVE-2022-21948)
Summary:	VUL-0: CVE-2022-21948: paste: XSS on the image upload function

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/327835/
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2022-04-01 12:34 UTC by Victor Pereira
Modified:	2023-01-02 08:50 UTC (History)
CC List:	6 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Victor Pereira 2022-04-01 12:34:13 UTC

I would like to request a CVE for the paste https://github.com/openSUSE/paste

An attacker could upload a crafted SVG file and trigger a javascript execution. a PoC cann be found here: https://paste.opensuse.org/images/25863829.svg


The source code used in the PoC:

```
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert("xss");
   </script>
</svg>
```

Please note that, because of missing security flags in the tokens, the script is able to access the user access token. Therefore an attack could weaponize this script to gain access to other resources protected behind the same OpenID/IDP.

Comment 2 Victor Pereira 2022-04-01 15:42:34 UTC

Actually the upstream of paste lives here: https://github.com/openSUSE/paste. 

The Stikked was forked into paste. The issue was introduced by SUSE, probably in the commit https://github.com/openSUSE/paste/commit/cfc881f91bf34c2b96878945dbca394c93361f2e, so Stikked isn't affected by this issue, just the paste code offered by openSUSE official git. IMO, that's kind of the same relationship between ImageMagick and GraphicsMagick.

We can see in the git log, that SUSE employees still pushing changes to the git repository and we still have this service up and running in our infrastructure, connected to our IDP. so I guess we can find the "maintainers" and we should definitely assign a CVE for that, otherwise at least disable the service and drop the package from github?

We definitely have an internal instance, running by infra. Strange that now, http://paste.suse.de/ leads me to our internal CA.


How should we proceed?

Comment 3 Victor Pereira 2022-04-01 16:00:15 UTC

it used to have its own "roadmap" of features https://michal.hrusecky.net/2010/08/opensuse-paste-update/

Comment 4 Marcus Meissner 2022-04-04 09:35:13 UTC

As it is a hosted app by us, CVE assignment guidance is mixed. and it might not get a CVE.

it seems unlikely it is used by others too.


It still needs to be fixed.

Comment 5 Victor Pereira 2022-04-04 10:38:33 UTC

> As it is a hosted app by us, CVE assignment guidance is mixed. and it might not > get a CVE.

Why shouldn't it get a CVE? An attacker could paste a link to the XSS page in any openSUSE platform and retrieve the session token that could be use in any other tool behind the same openID. For example, Adding the captured session token I was able to login in the forums.opensuse.org. In my evaluation, it would be a critical vulnerability based on CVSS scoring system https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N/E:F/RL:U/RC:C

I don't think we can measure where any of our open source projects hosted on github are being used, right?

Comment 7 Johannes Segitz 2022-04-05 06:51:31 UTC

Please use CVE-2022-21948 for this

Comment 8 Gianluca Gabrielli 2022-04-05 11:11:15 UTC

Hi Jonas, would you like to take over this finding and write a patch for that? We currently have no maintainer for this repo [0], and most of the people who previously collaborated on it [1] are no longer part of SUSE. I know your contribution [1] was a small change, but maybe you're willing to help here.

[0] https://github.com/openSUSE/paste
[1] https://github.com/openSUSE/paste/graphs/contributors
[2] https://github.com/openSUSE/paste/commit/3e013c22eb640b4e00e80bb979dd3c7cf19e5af7

Comment 9 Gianluca Gabrielli 2022-04-05 13:49:59 UTC

I spoke with Jonas, and he's not able to take care of it. 
Do you know anyone with PHP skills that could be helpful here?

Comment 10 Johannes Segitz 2022-12-01 09:37:32 UTC

I opened https://github.com/openSUSE/paste/issues/15 in hope that this sees some activity.

Internal CRD: 2023-01-02 or earlier

Comment 11 Jacob Michalskie 2022-12-01 21:15:44 UTC

This is __not__ hosted by SUSE, it is hosted by miska, who as far as I know doesn't work for SUSE anymore. I wouldn't hold my breath for this getting fixed either, it's probably much more likely it will be taken down without a replacement. The issue for replacing it has been open on https://progress.opensuse.org/issues/15276 for over 6 years at this point

Comment 12 Johannes Segitz 2022-12-02 06:59:53 UTC

It is in the openSUSE orga and we use it within SUSE. I'll file a request to get it taken down

Comment 13 Jacob Michalskie 2022-12-29 19:03:57 UTC

paste.opensuse.org now uses a different codebase

Comment 14 Johannes Segitz 2023-01-02 08:50:24 UTC

thanks, then we close this for us and just track it upstream