Bug 1197930 - (CVE-2022-21948) VUL-0: CVE-2022-21948: paste: XSS on the image upload function
VUL-0: CVE-2022-21948: paste: XSS on the image upload function
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2022-04-01 12:34 UTC by Victor Pereira
Modified: 2023-01-02 08:50 UTC (History)
6 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2022-04-01 12:34:13 UTC
I would like to request a CVE for the paste https://github.com/openSUSE/paste

An attacker could upload a crafted SVG file and trigger a javascript execution. a PoC cann be found here: https://paste.opensuse.org/images/25863829.svg

The source code used in the PoC:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">

Please note that, because of missing security flags in the tokens, the script is able to access the user access token. Therefore an attack could weaponize this script to gain access to other resources protected behind the same OpenID/IDP.
Comment 2 Victor Pereira 2022-04-01 15:42:34 UTC
Actually the upstream of paste lives here: https://github.com/openSUSE/paste. 

The Stikked was forked into paste. The issue was introduced by SUSE, probably in the commit https://github.com/openSUSE/paste/commit/cfc881f91bf34c2b96878945dbca394c93361f2e, so Stikked isn't affected by this issue, just the paste code offered by openSUSE official git. IMO, that's kind of the same relationship between ImageMagick and GraphicsMagick.

We can see in the git log, that SUSE employees still pushing changes to the git repository and we still have this service up and running in our infrastructure, connected to our IDP. so I guess we can find the "maintainers" and we should definitely assign a CVE for that, otherwise at least disable the service and drop the package from github?

We definitely have an internal instance, running by infra. Strange that now, http://paste.suse.de/ leads me to our internal CA.

How should we proceed?
Comment 3 Victor Pereira 2022-04-01 16:00:15 UTC
it used to have its own "roadmap" of features https://michal.hrusecky.net/2010/08/opensuse-paste-update/
Comment 4 Marcus Meissner 2022-04-04 09:35:13 UTC
As it is a hosted app by us, CVE assignment guidance is mixed. and it might not get a CVE.

it seems unlikely it is used by others too.

It still needs to be fixed.
Comment 5 Victor Pereira 2022-04-04 10:38:33 UTC
> As it is a hosted app by us, CVE assignment guidance is mixed. and it might not > get a CVE.

Why shouldn't it get a CVE? An attacker could paste a link to the XSS page in any openSUSE platform and retrieve the session token that could be use in any other tool behind the same openID. For example, Adding the captured session token I was able to login in the forums.opensuse.org. In my evaluation, it would be a critical vulnerability based on CVSS scoring system https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N/E:F/RL:U/RC:C

I don't think we can measure where any of our open source projects hosted on github are being used, right?
Comment 7 Johannes Segitz 2022-04-05 06:51:31 UTC
Please use CVE-2022-21948 for this
Comment 8 Gianluca Gabrielli 2022-04-05 11:11:15 UTC
Hi Jonas, would you like to take over this finding and write a patch for that? We currently have no maintainer for this repo [0], and most of the people who previously collaborated on it [1] are no longer part of SUSE. I know your contribution [1] was a small change, but maybe you're willing to help here.

[0] https://github.com/openSUSE/paste
[1] https://github.com/openSUSE/paste/graphs/contributors
[2] https://github.com/openSUSE/paste/commit/3e013c22eb640b4e00e80bb979dd3c7cf19e5af7
Comment 9 Gianluca Gabrielli 2022-04-05 13:49:59 UTC
I spoke with Jonas, and he's not able to take care of it. 
Do you know anyone with PHP skills that could be helpful here?
Comment 10 Johannes Segitz 2022-12-01 09:37:32 UTC
I opened https://github.com/openSUSE/paste/issues/15 in hope that this sees some activity.

Internal CRD: 2023-01-02 or earlier
Comment 11 Jacob Michalskie 2022-12-01 21:15:44 UTC
This is __not__ hosted by SUSE, it is hosted by miska, who as far as I know doesn't work for SUSE anymore. I wouldn't hold my breath for this getting fixed either, it's probably much more likely it will be taken down without a replacement. The issue for replacing it has been open on https://progress.opensuse.org/issues/15276 for over 6 years at this point
Comment 12 Johannes Segitz 2022-12-02 06:59:53 UTC
It is in the openSUSE orga and we use it within SUSE. I'll file a request to get it taken down
Comment 13 Jacob Michalskie 2022-12-29 19:03:57 UTC
paste.opensuse.org now uses a different codebase
Comment 14 Johannes Segitz 2023-01-02 08:50:24 UTC
thanks, then we close this for us and just track it upstream