Here at StackStorm we take security very seriously. If you believe you found a security issue or a vulnerability, please report it to us using one of the methods described below.
Please do not report security issues using our public Github repository or Slack chat. Use the private mailing list described bellow.
If you believe you found a security issue or a vulnerability, please send a description of it to our private mailing list at moc.mrotskcatsnull@ofni
Once you've submitted an issue, you should receive an acknowledgment from one our of team members in 48 hours or less. If further action is necessary, you may receive additional follow-up emails.
We follow the industry de facto standard of Responsible Disclosure for handling security issues. This means we disclose the issue only after a fix for the issue has been developed and released.
We of course always give full credit to the person who was reported the issue.
The section below contains a list of security vulnerabilities identified in the past releases. Those issues have been fixed in the latest release so you are always encouraged to run the latest release available.
[CVE-2019-9580] Ability to bypass CORS protection mechanism via "null" origin value potentially leading to XSS
Affected versions: All the versions prior to 2.9.3 and 2.10.3
StackStorm API returned "null" value for "Access-Control-Allow-Origin" header when a client sent an unknown origin which was not configured / whitelisted in /etc/st2/st2.conf. As Mozilla’s documentation will show, and client behavior will back up, null can result in a successful request from an unknown origin in some clients. Allowing the possibility of XSS style attacks against the StackStorm API.
Mitigation: This vulnerability has been fixed in StackStorm v2.9.3 and v2.10.3. You are strongly encouraged to upgrade to that release.
Bug fix announcement blog post: https://stackstorm.com/2019/03/08/stackstorm-2-9-3-2-10-3/
This issue was discovered and reported to us by Barak Tawily and Anna Tsibulskaya.
Affected versions: All the versions prior to 2.9.2 and 2.10.1
StackStorm API didn't perform correct access control checks in the "GET /v1/keys" API endpoint. This allowed authenticated users to retrieve user-scoped datastore items for arbitrary users by using "?scope=all" and "?user=<username>" query parameter filters.
NOTE: Enterprise edition with RBAC enabled is not affected. When RBAC is enabled, only users with admin role can utilize "?scope=all" and "?user=<username>" query parameter filter and retrieve / view values for any system user.
Mitigation: This vulnerability has been fixed in StackStorm v2.9.2 and v2.10.1. You are strongly encouraged to upgrade to that release.
Bug fix announcement blog post: https://stackstorm.com/2018/12/20/stackstorm-v2-9-2-and-v2-10-1-a-security-release/
This issue was discovered and reported to us by Alexandre Juma.