add plugin cve-2021-21985 #61
Conversation
|
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please visit https://cla.developers.google.com/ to sign. Once you've signed (or fixed any issues), please reply here with What to do if you already signed the CLAIndividual signers
Corporate signers
ℹ️ Googlers: Go here for more info. |
|
@googlebot I signed it! |
| type = PluginType.VULN_DETECTION, | ||
| name = "CVE-2021-21985", | ||
| version = "0.1", | ||
| description = "Spring Boot Actuator Logview Arbitrary file reading", |
There was a problem hiding this comment.
This description is wrong, seems like a copy / paste error
There was a problem hiding this comment.
Should be something like "vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in"
| @Override | ||
| public DetectionReportList detect( | ||
| TargetInfo targetInfo, ImmutableList<NetworkService> matchedServices) { | ||
| logger.atInfo().log("CVE-2021-21234 starts detecting."); |
There was a problem hiding this comment.
CVE-Number (CVE-2021-21234) is wrong
|
@h0ng10 i have resubmitted it once and fixed the two problems you mentioned. |
tooryx
added
the
Contributor queue
|
Hi @hh-hunter, thank you for your contribution! Can you please submit a testbed for this detector in the https://github.com/google/security-testbeds repo? |
|
Hi @hh-hunter, There is a bunch of PRs that were lingering around for a while. I don't think they were ever accepted in the PRP, but given that you were a good contributor over the years, there will probably be a group bonus for all of these requests. ~tooryx |
Okay, I will devote some time to deal with this matter in the near future |
|
@hh-hunter We're trying to cleanup all open tickets, and it appears that the following PRs are waiting on you to provide the testbeds (which are now required and mandatory): #90 add plugin cve-2019-17382 Please let us know if you plan to work on those. Thanks! |
I am working on completing these issues, and since I am on vacation now, the response may be slow.Some topics are too old. When I submitted this, I submitted the relevant environment in my warehouse. You can use this environment for testing first. I will migrate to google/security-testbeds later. Thank you for your understanding. |
|
@ikkisoft I have submitted the environment for CVE-2019-15107, google/security-testbeds#118 and I am gradually starting on the others. Please let me know if you still need anything, otherwise I will prioritize other PRs with rewards. Most of these earlier PRs have already been closed, it seems like you only need to submit the environment. |
|
@hh-hunter Great. We will start reviewing that one so that we can slowly catch up with all. We have a few resources allocate to this so it should speed up the overall reviews. Thanks again for your contributions! |
|
@ikkisoft I have just solved a new environment. google/security-testbeds#119 ,and i noticed that some PRs do not have an environment for testing deployment on Docker or k8s, unless they use a virtual machine like the other one. Or use a similar honeypot as an alternative, how should I proceed?
I will prepare to perfect the environment for cve-2021-24499, cve-2021-21234, and cve-2021-39316 next. For the others, due to some issues, I don't know how to start. If you have better suggestions, please let me know. |
|
Whenever possible, you should provide a docker container. If there is no containerized version, but you can make one (e.g. OSS product), we expect contributors to build the container. For proprietary software with no containerized version, we expect a detailed README with instructions on how to setup the vulnerable / not-vulnerable testbed. This is required as we need to verify the correct operation of the plugin. Regarding old software, we expect a reasonable effort to attempt to find the correct version using mirrors and other websites. Without a testbed, we might not be able to accept the contribution. |
I understand that I will prioritize solving those related to open source and container environments. The rest, I will contact you as the situation arises, as many are outdated and the current internet is not fully open. I cannot guarantee that the installation packages can still be obtained now, but they were definitely accessible at that time. |
|
Hi @hh-hunter, I will close this PR. Unfortunately the testbed is not available anymore and setting up the environment to reproduce it it too time consuming. We will prioritize your other contributions. |
5 participants
No description provided.