Fusion Registry 10.7.0 OWASP Analysis

From Fusion Registry Wiki
Revision as of 01:37, 24 May 2021 by Plazarou (talk | contribs) (Overview of Report)
Jump to navigation Jump to search

Overview

The following details the OWASP analysis of Fusion Registry Enterprise Edition version 10.7.0

Environment

The OWASP command-line client was run against the Fusion Registry version 10.7.0

  • OWASP Cli version: dependency-check version: 6.1.6
  • Java version "1.8.0_172"
  • Operating System: Windows 10.0.19042.928
  • Date performed: 10th May 2021

Overview of Report

The report revealed 5 vulnerable dependencies:

1. bootstrap.bundle.min.js - version 4.0.0 - bundled with the Data Browser

Issue: This is a cross-site scripting issue rated as severity "MEDIUM".

Action: Since the Data Browser is now deprecated and will not ship with Fusion Registry 11, no action will be taken.

2. jquery.min.js - version 3.3.0 - bundled with the Data Browser

Issue: mishandling of jQuery.extend could allow unsanitized source objects to extend the native Object.prototype, rated as severity "MEDIUM".

Action: Since the Data Browser is now deprecated and will not ship with Fusion Registry 11, no action will be taken.

3. bootstrap.min.js - version 3.3.5

Issue: This is a cross-site scripting issue rated as severity "MEDIUM".

Action: Bootstrap is a fundamental part of the User Interface of Fusion Registry. The newest releases (versions 4 and 5) require major changes to almost all pages within Fusion Registry. At the minute this is far too much of an undertaking, so Bootstrap has not been updated. At some point in the future the Fusion Registry User Interface will be updated, and this vulnerability will be addressed then.

4. commons-io version 2.6

Issue: Vulnerability within the method FileNameUtils.normalize severity "MEDIUM".

Action: The Fusion Registry does not use this method in the commons-io framework.

5. spring-rabbit - version 2.3.6

Issue: RabbitMQ before 3.4.0 allows remote attackers to bypass the loopback_users restriction via a crafted X-Forwareded-For header, rated as severity "MEDIUM".

Action: This is the latest version of the RabbitMQ library produced by Spring. Until a new release is available, this is the version supplied with Fusion Registry. We shall keep watch of when Spring make a newer package available. When the issue is addressed, we shall release a future release of the Registry with the updated dependency.

Attached Report

A PDF of the OWASP dependency report can be obtained here .