Description
Apprise vulnerable to regex injection with IFTTT Plugin
Impact
Anyone publicly hosting the Apprise library and granting users access to the IFTTT notification service is affected.
Patches
Update to Apprise v0.9.5.1
The patch for this problem was applied in the pull request and commit listed under References.
Workarounds
Alternatively, if upgrading is not an option, you can safely remove the following file:
apprise/plugins/NotifyIFTTT.py
Removing this file eliminates the ability to use IFTTT, but every other plugin will continue to work.
For more information
If you have any questions or comments about this advisory:
- Open an issue in Apprise
- Email me at lead2gold@gmail.com
Additional Credit
GitHub would not allow me to additionally credit Rasmus Petersen, but I would like to put that here at the very least: thank you for finding and reporting this issue along with those already credited.
Additional Notes
- GitHub would not allow me to add/tag the two CWEs this issue is applicable to (only CWE-400). The other is CWE-730 (placed in the title).
References
- https://github.com/caronc/apprise/security/advisories/GHSA-qhmp-h54x-38qr
- https://nvd.nist.gov/vuln/detail/CVE-2021-39229
- https://github.com/caronc/apprise/pull/436
- https://github.com/caronc/apprise/commit/e20fce630d55e4ca9b0a1e325a5fea6997489831
- https://github.com/caronc/apprise/blob/0007eade20934ddef0aba38b8f1aad980cfff253/apprise/plugins/NotifyIFTTT.py#L356-L359
- https://github.com/caronc/apprise/releases/tag/v0.9.5.1
- https://github.com/pypa/advisory-database/tree/main/vulns/apprise/PYSEC-2021-327.yaml
Packages
apprise: affected versions <= 0.9.4, fixed in 0.9.5.1
Related vulnerabilities
Apprise is an open source library which allows you to send a notification to almost all of the most popular notification services available. In affected versions, deployments of Apprise that grant users access to the IFTTT plugin (which ships out of the box) are subject to a denial-of-service attack against an inefficient regular expression. The vulnerable regular expression is [here](https://github.com/caronc/apprise/blob/0007eade20934ddef0aba38b8f1aad980cfff253/apprise/plugins/NotifyIFTTT.py#L356-L359). The problem has been patched in release version 0.9.5.1. Users who are unable to upgrade are advised to remove `apprise/plugins/NotifyIFTTT.py` to eliminate the service.
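The pattern below is an added illustration of the regex-DoS class this advisory describes and of the hardening a plugin author would apply; it is not Apprise's code, and the patterns, `MAX_INPUT` limit and `parse_kv` helper are hypothetical, not the expression that was in `NotifyIFTTT.py`.

```python
import re

# Hypothetical "key = value" parser for plugin URL arguments (constructed for
# illustration; NOT the expression that was in apprise/plugins/NotifyIFTTT.py).

# Backtracking-prone form. The inner \w+ and the outer (...)+ both consume word
# characters, so a run of word characters can be split between them in
# exponentially many ways. When the required '=' is absent, the engine tries
# every split before failing, so a few dozen characters can stall a worker.
PRONE = re.compile(r'^(?:\w+\s*)+=\s*(?P<value>.*)$')

# Hardened form: one unambiguous token per position, classes that cannot
# overlap with their neighbours, and explicit repetition limits, so the
# engine makes a bounded number of attempts regardless of the input.
SAFE = re.compile(
    r'^(?P<key>[A-Za-z0-9_]{1,64})\s{0,16}=\s{0,16}(?P<value>.{0,512})$'
)

# Reject oversized input before any regex runs: a hard length cap bounds the
# worst case of even an imperfect pattern.
MAX_INPUT = 1024


def parse_kv(text: str):
    """Return (key, value) for a well-formed argument, else None.

    Uses only the hardened pattern; PRONE is kept above solely to show the
    shape of a catastrophic-backtracking expression.
    """
    if len(text) > MAX_INPUT:
        return None
    m = SAFE.match(text)
    if m is None:
        return None
    return m.group('key'), m.group('value')


def looks_prone(pattern: str) -> bool:
    """Crude review aid: flag a quantified group whose body is itself quantified.

    Heuristic only; it catches the (x+)+ / (x*)+ shape, not every ReDoS.
    """
    return re.search(r'\((?:\?:)?[^()]*[+*][^()]*\)[+*]', pattern) is not None
```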