
Central Security Project
External Program
Submit bugs directly to this organization


Sonatype, Inc. (“Sonatype”) has established the Central Security Project with the goal of keeping the Maven ecosystem safe by providing a place for the security community to report security issues found in open source Maven components (each a “Vulnerability”).
If you believe that you have found a Vulnerability, we encourage you to notify us, and we welcome the opportunity to work with you to resolve the issue promptly. Working together, we hope to make the Maven ecosystem better for everyone who uses it.
A Vulnerability is submitted to the Central Security Project:
Thank you for helping to keep the Maven ecosystem safe!
Below is a summary of how a disclosure would be made and evaluated via the Central Security Project process, using CVE-2018-8006 as an example. Note that the information related to this example is fairly complete, and that you may not be able to provide all of the information outlined below. That is OK; just be sure to provide as much as possible when making a submission.
Though we strive to provide accurate identification of each vulnerable component, we realize that this is not always easy depending on the technique of discovery. The more information that we receive about a reported Vulnerability, the better equipped we are to evaluate and properly analyze it. If all of the information below is not available for a submission that you would like to make, please provide as much information and detail as possible to assist in locating the root cause of the Vulnerability. The information below will assist our security research team in validating your disclosure:
Please precisely identify the project (group ID) and component (artifact ID). The Central Search and the OSS Index Search are available to help with this identification. Please provide the following information to the extent available to you:
- groupId: org.apache.activemq (Note that this was found in the POM file. Also note that if an element such as groupId does not exist outside of the parent element, then it is inherited from the parent POM and we use that one.)
Please provide a detailed description of the Vulnerability, how it was found, how it can be exploited, and how it harms package users.
The QueueFilter parameter on the /admin/queues.jsp page reflects back in the response to the browser without any sanitization. An attacker can craft a link with JavaScript injected into the parameter's value, which will execute in the user's browser. The executed script can steal a user's session cookie, modify the page in an effort to phish for information, or any number of other things that can affect confidentiality and integrity.
Please provide any other details that you believe would be helpful when evaluating the Vulnerability including the following (to the extent available):
- Source File and Line Number: https://github.com/apache/activemq/blob/04b60cb188932a91be9f59d6cda09290219d8a45/activemq-web-console/src/main/webapp/queues.jsp#L49 and https://github.com/apache/activemq/blob/04b60cb188932a91be9f59d6cda09290219d8a45/activemq-web-console/src/main/webapp/queues.jsp#L57 (In this case links to a publicly available online source repository were provided. This is the easiest way to convey this information. However, if this is not possible, you can just write this information out.)
Please provide a detailed description of the steps required in order to reproduce the Vulnerability along with all required references/steps/commands. Any sample/exploit code or other proof of concept that you can share would be very helpful.
Craft a link such as http://localhost:8161/admin/queues.jsp?QueueFilter=foo%22%3e%3cscript%3ealert(%22XSS%22)%3c%2fscript%3bar and visit it in your browser. This particular injected script will cause an "XSS" popup to appear.
If you're able to provide a patch with the fix, please post it in this section (or attach it).
Please provide all available technical information about the stack where the Vulnerability was found, such as:
State all technical information about the stack where the vulnerability was found
Sonatype is not responsible for resolving any Vulnerability submitted to the Central Security Project. Instead, Sonatype will evaluate each submitted Vulnerability and, if Sonatype deems the Vulnerability valid, which it shall determine in its sole discretion, Sonatype will work with HackerOne to notify the identified project of the Vulnerability on your behalf. You agree that the identified project may contact you for additional information as it works to resolve the Vulnerability. Except to the extent that Sonatype itself manages the identified project, Sonatype is not responsible for any project maintainers’ actions or omissions, including with respect to your submitted Vulnerability. YOU HEREBY WAIVE ANY AND ALL CLAIMS YOU MAY HAVE AGAINST SONATYPE AND/OR THE CENTRAL SECURITY PROJECT FOR ANY ACTION TAKEN BY, OR OMISSION OF, SONATYPE AND/OR THE CENTRAL SECURITY PROJECT TEAM REGARDING ANY VULNERABILITY SUBMITTED BY YOU TO THE CENTRAL SECURITY PROJECT AND/OR SONATYPE.
Because HackerOne will report the Vulnerability to the identified project on your behalf, you agree to abide by the terms and conditions of HackerOne’s Vulnerability Disclosure Guidelines (subject to the Central Security Project’s alternative disclosure timeline set out above).
Sonatype does not offer or collect any bounties or other rewards in connection with the Vulnerabilities submitted via the Central Security Project. Moreover, to the extent that a project associated with a Maven component offers a bounty or other reward for a Vulnerability that you submit through the Central Security Project, you may be waiving your right to claim the bounty or other reward for such submission. If you are interested in collecting a bounty or other reward offered by a specific Maven project, please refer to the guidelines provided by such project prior to submitting the Vulnerability to the Central Security Project.