Comments (1)
Thanks @stefanman125,
Yeah, am aware, although frustratingly the actual impact is quite unclear, all that's been said so far is really this:
[...] On PHP however, it lead to amazing results: a new
exploitation technique that affects the whole PHP ecosystem, and the
compromission of several applications.
Which is quite vague. My best guess it maybe PHP's filter URIs (which include iconv) can be abused here, which has been a recent source of issues, but that's just a uneducated guess.
I don't really have a set process when it comes to vague potential vulnerabilities in underlying requirement dependencies, so thought I'd just advise system via our mastodon/twitter channels, was just waiting for debian to get something together which it looks like they've now done in the last day (RHEL still lagging a bit I think, but rocky has a workaround guide).
With this kind of thing, I have struggled knowing whether we should send a notice via the BookStack security alert mailing list. I usually use this when advising about BookStack specific changes and vulnerabilities in the app code (including updates to patched vulnerable dependencies), but I don't know where the scope exactly lies beyond that. It's not uncommon for vulnerabilities to appear in system dependencies, to the point I think it would be hard to track and cause notification/alert fatigue to notify on all potential cases, but it could make sense to report where there's a actual likely widespread impact; it's just hard to evaluate that if very little detail is provided like the case here.
This CVE seems to have got more attention that others, but it's hard to know if that's because there's actually significant known risk or because the little information/hint provided has been extrapolated out for attractive headlines/videos.
from bookstack.
Related Issues (20)
- After upgrading from 23.x to 24.x, headers are not showing properly HOT 2
- Rate limit on password resets HOT 9
- migrate to 24.05 fails with "Class "Barryvdh\DomPDF\ServiceProvider" not found" HOT 4
- Attachment upload validation error message appears are shown as JSON
- PLEASE DELETE BUG - I found the problem
- bug in documentation - /dev/docs /visual-theme-system.md & corresponding YouTube video HOT 1
- php artisan cache:clear Make sure you have the appropriate permissions HOT 9
- Users are not shown any templates HOT 7
- Not Found error on /login URL HOT 9
- After version 24.02, comments on pages cannot add image content
- Suddenly get a 500 errors HOT 4
- Request for Comment: Process & scope for security announcements & CVEs HOT 7
- Wrong notification preferences URL in email HOT 2
- OIDC login with Authelia fails with v24.05 HOT 6
- Have a non-blank screen while exports run.
- Webhooks "send" based on book or shelf HOT 1
- Template Append to page content not working HOT 3
- Update custom alignment handing to also clean table `align` attributes
- Scheduled page publishing HOT 4
- Tiered permissions - Managers can promote employees to managers, but not to admins. HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from bookstack.