Formidable developer pushes back against assignment of a “critical” CVE

“This false accusation has spoiled the release of one of our services”, the maintainer laments

The maintainer of the Formidable project has pushed back against the assignment of a CVE entry for the library by the MITRE Corporation.

Formidable is a popular Node.js form-data parser, available on GitHub, built for use in production and serverless environments. The module and software library are open source.

The “vulnerability” was made public in May and was assigned CVE-2022-29622 with a “critical” CVSS severity score of 9.8, close to the highest possible. An “exploit” video was also uploaded to YouTube.

Uploads by design

CVE-2022-29622 is described as a dangerous arbitrary file upload flaw in version 3.1.4 of Formidable, exploitable by attackers to “execute arbitrary code via a specially crafted filename”.

However, this classification, as well as the CVE assignment, is disputed – and this has been acknowledged in the CVE documentation.

“Some third parties dispute this issue because the product has common use cases where uploading arbitrary files is the desired behavior,” the NVD entry for the CVE says.

“Additionally, there are configuration options in all versions that can change the default file handling behavior.”


In a Medium blog post published on June 3, Formidable project maintainer and Guardara co-founder Zsolt Imre posted an update to an earlier post examining the alleged bug, saying he was “still convinced that the Formidable library has nothing to do with these problems”.

Imre noted that a feature allowing arbitrary file uploads is not necessarily a vulnerability; that depends on the use case and on whether code execution follows the upload.

“The code must be executed for the attacker to be able to interact with the web shell,” the developer commented. “So the attacker needs to find a process that he can convince to touch the uploaded file.

“It’s not just any kind of ‘touch’! In fact, it must be executed. As you can see, context is key here.”

“Invalid Claims”

Imre went on to say that the claim that the vulnerability “allows attackers to execute arbitrary code through a specially crafted filename” is incorrect, because “the only thing that could be vulnerable to this is something that executes arbitrary code”, adding that the problem is out of scope for the software library itself.

The developer said that it would be more accurate to say that Formidable allows uploading of arbitrary files by default, but that this feature is not a vulnerability on its own.

If Formidable were vulnerable to arbitrary code execution, it would have to either run uploaded files itself or allow their content to run “automatically or on demand,” Imre said.

Overall, treated as a standalone attack vector, Formidable does not present a valid vulnerability, according to Imre. Although the maintainer acknowledges one could argue there is a bug or a poorly implemented feature at play, he says this does not constitute a vulnerability or a risk to users.


“Formidable is falsely accused of being vulnerable,” Imre says. “This false accusation spoiled the release of one of our services for no good reason.”

Speaking to The Daily Swig, the maintainer said he had been in contact with MITRE to request the removal of the CVE. MITRE referred Imre to a comment from a Formidable contributor, “GrosSacASac”, in which they mentioned “the conditions for being vulnerable”.

However, Imre argued that MITRE read the comment “the wrong way and GrosSacASac was not referring to the library being vulnerable under certain conditions, but to an application that uses the library in a certain way.”

The maintainer has yet to receive any communication from the organization and has posted questions for GrosSacASac to answer, in hopes of clarifying the situation.

Imre commented:

If someone had taken the time to look at the code and see what the default behavior and configuration of the library was, it would become clear that GrosSacASac was not talking about the Formidable library in this comment.

Unfortunately, he/she has not yet replied. I don’t believe MITRE will investigate this matter further until GrosSacASac responds. Even then, as you can see, MITRE apparently operates on opinion rather than fact, so we can only hope for the best.

Imre also posted a “challenge” on GitHub to further test Formidable and determine if the CVE was correctly assigned or not.

The Daily Swig has contacted MITRE and will update this story if we hear back.
