‘This false accusation messed up the release of one of our services,’ security pro laments
A researcher whose company depends on the Formidable project is disputing the assignment of a CVE entry to the library by the Mitre Corporation.
Formidable is a popular open source Node.js module for parsing form data, including file uploads, that is available on GitHub and widely used in production and serverless environments.
The ‘vulnerability’ was made public in May and was assigned CVE-2022-29622 with a ‘critical’ CVSS severity score of 9.8, close to the highest possible. An ‘exploit’ video has also been uploaded to YouTube.
CVE-2022-29622 is described as a dangerous arbitrary file upload flaw in Formidable version 3.1.4, exploitable by attackers to “execute arbitrary code via a crafted filename”.
However, this classification, as well as the CVE assignment, is in dispute – and this has been acknowledged in the CVE documentation.
“Some third parties dispute this issue because the product has common use cases in which uploading arbitrary files is the desired behavior,” NVD’s CVE record says.
“Also, there are configuration options in all versions that can change the default behavior of how files are handled.”
In a Medium blog post published on June 3, researcher and co-founder of Guardara, Zsolt Imre, published an update to a previous post examining the purported bug, saying he is “still confident that the Formidable library has nothing to do with these issues”.
Imre noted that a feature allowing arbitrary file uploads is not necessarily a vulnerability, depending on the use case and whether or not code execution follows a file upload.
“The code must be executed for the attacker to be able to interact with the web shell,” the researcher commented. “So, the attacker has to find a process he/she can convince to touch the uploaded file.
“It’s not just any kind of ‘touching’! It actually has to be executed. As you can see, context is critical here.”
Imre went on to say that the claim the vulnerability “allows attackers to execute arbitrary code via a crafted filename” is incorrect, as “the only thing that can be vulnerable to this vulnerability is something that does execute arbitrary code,” adding that the issue is out of scope in the software library’s case.
The researcher said that it would be more accurate to say that Formidable allows the upload of arbitrary files by default, but this does not mean this functionality is a vulnerability in itself.
If Formidable were vulnerable to arbitrary code execution, it would have to either execute the uploaded files itself or permit their content to be executed “automatically or on request”, Imre said.
Overall, considered as a standalone attack vector, Formidable does not appear to carry a valid vulnerability, according to Imre. While the security pro concedes one could argue that a bug or poorly implemented feature is in play, he maintains that this does not constitute a vulnerability or a risk to users.
“Formidable is falsely accused of being vulnerable,” Imre says. “This false accusation messed up the release of one of our services for no good reason.”
Speaking to The Daily Swig, Imre said he has been in touch with Mitre to request CVE removal. Mitre referred Imre back to a comment made by a Formidable contributor, ‘GrosSacASac’, in which they mentioned “conditions to be vulnerable”.
However, Imre has argued that Mitre read the comment “the wrong way and GrosSacASac was not referring to the library being vulnerable under certain conditions, but an application that uses the library in a certain way”.
The security pro is yet to receive further communication from the organization and has published questions for GrosSacASac to answer, in the hopes of clarifying the situation.
“If anyone had taken the time to look at the code and see what the default behaviour and configuration of the library was, it would become crystal clear GrosSacASac was not talking about the formidable library in that comment.
“Unfortunately, he/she has not responded yet. I do not believe Mitre will do any further investigation on this matter until GrosSacASac responds. Even in that case, as you can see, Mitre seemingly operates based on opinion rather than facts, so we can only hope for the best.”
Imre has also published a ‘challenge’ on GitHub for further testing of Formidable and whether or not the CVE was correctly assigned.
Discussing the issue, a CVE spokesperson told The Daily Swig: “The CVE program has a documented dispute and appeal process. The CVE Team reviews all disputes. Disputed records are marked as **DISPUTED** . The public record is reflected to include the associated reasoning.”
This article has been updated to include comment from Mitre.