Security

Here at StackStorm we take security very seriously. If you believe you found a security issue or a vulnerability, please report it to us using one of the methods described below.

Reporting a Vulnerability

Please do not report security issues using our public GitHub repository or Slack chat. Use the private mailing list described below.

If you believe you found a security issue or a vulnerability, please send a description of it to our private mailing list at info@stackstorm.com

Once you've submitted an issue, you should receive an acknowledgment from one of our team members within 48 hours. If further action is necessary, you may receive additional follow-up emails.

How Are Vulnerabilities Handled

We follow the industry de facto standard of Responsible Disclosure for handling security issues. This means we disclose the issue only after a fix for the issue has been developed and released.

We of course always give full credit to the person who reported the issue.

Security Vulnerabilities

The section below contains a list of security vulnerabilities identified in past releases. These issues have been fixed in the latest release, so you are always encouraged to run the latest release available.


* [CVE-2022-44009] Improper RBAC check for K/V datastore access

Severity: High

Affected versions: 3.7.0

Description:

Improper access control in Key-Value RBAC in StackStorm version 3.7.0 didn't check the permissions in Jinja filters, allowing attackers to access K/V pairs of other users, potentially leading to the exposure of sensitive information. To exploit this vulnerability, RBAC must be enabled with K/V permission rules and the attacker must have a StackStorm user account.

Mitigation: This vulnerability has been fixed in StackStorm v3.8.0. You are strongly encouraged to upgrade to that release.

Bug fix announcement blog post: /2022/12/v3-8-0-released/

Credits: This issue was discovered and reported to us by Guilherme Murad Pim.



* [CVE-2022-43706] Web UI XSS via Rules injection

Severity: High

Affected versions: All the versions prior to 3.8.0

Description:

Cross-site scripting (XSS) vulnerability in the Web UI of StackStorm versions prior to 3.8.0 allowed logged-in users with write access to pack rules to inject arbitrary script or HTML that may be executed in the Web UI for other logged-in users.

Mitigation: This vulnerability has been fixed in StackStorm v3.8.0. You are strongly encouraged to upgrade to that release.

Bug fix announcement blog post: /2022/12/v3-8-0-released/

Credits: This issue was discovered and reported to us by Mohamed Elgllad.



* [CVE-2021-44657] Jinja template without sandbox environment potentially leading to executing arbitrary code

Severity: High

Affected versions: All the versions prior to 3.6.0

Description:

In StackStorm versions prior to 3.6.0, the Jinja interpreter was not run in sandbox mode and thus allowed execution of unsafe system commands by st2 users. In order to exploit the vulnerability, the attacker must be logged in to the StackStorm instance (CLI/API/Web UI/Workflows).

Mitigation: This vulnerability has been fixed in StackStorm v3.6.0. You are strongly encouraged to upgrade to that release.

Bug fix announcement blog post: /2021/12/16/stackstorm-v3-6-0-released/



* [CVE-2021-28667] Infinite loop in logging system potentially leading to DoS

Severity: High

Affected versions: All the versions prior to 3.4.1

Description:

StackStorm before 3.4.1, in some situations, has an infinite loop that consumes all available memory and disk space. This can occur if Python 3.x is used, the locale is not utf-8, and there is an attempt to log Unicode data (from an action or rule name).

Mitigation: This vulnerability has been fixed in StackStorm v3.4.1. You are strongly encouraged to upgrade to that release.

Bug fix announcement blog post: /2021/03/10/stackstorm-v3-4-1-security-fix/



* [CVE-2019-9580] Ability to bypass CORS protection mechanism via "null" origin value potentially leading to XSS

Severity: High

Affected versions: All the versions prior to 2.9.3 and 2.10.3

Description:

StackStorm API returned the value "null" for the "Access-Control-Allow-Origin" header when a client sent an unknown origin that was not configured / whitelisted in /etc/st2/st2.conf. As Mozilla's documentation shows, and client behavior confirms, a "null" value can result in a successful request from an unknown origin in some clients, allowing XSS-style attacks against the StackStorm API.

Mitigation: This vulnerability has been fixed in StackStorm v2.9.3 and v2.10.3. You are strongly encouraged to upgrade to one of those releases.

Bug fix announcement blog post: /2019/03/08/stackstorm-2-9-3-2-10-3/

Credits: This issue was discovered and reported to us by Barak Tawily and Anna Tsibulskaya.
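To make the header behaviour described above concrete, here is an added example (not StackStorm code) of how a server computes the Access-Control-Allow-Origin response header from an origin allowlist. The vulnerable function reproduces the bug as described (an unknown origin is answered with the literal string "null"); the hardened function exact-matches the request origin against the allowlist and otherwise emits no header at all. The allowlist and request origins are constructed sample values standing in for whatever an operator configures in /etc/st2/st2.conf.

```python
"""Added example: CORS origin allowlisting, vulnerable vs. hardened (not StackStorm code)."""
from typing import Dict, List, Optional

# Constructed sample allowlist; a real deployment would load this from its configuration.
ALLOWED_ORIGINS: List[str] = ["https://st2web.example.com", "https://ops.example.com"]


def cors_origin_vulnerable(request_origin: Optional[str], allowed: List[str]) -> Optional[str]:
    """Vulnerable behaviour: an unknown (or absent) Origin is answered with the string "null".

    This is the defect described in the advisory: some clients treat a "null"
    Access-Control-Allow-Origin as matching a "null" request origin (sandboxed
    iframes, file:// pages, redirects), so the allowlist no longer protects the API.
    """
    if request_origin in allowed:
        return request_origin
    return "null"


def cors_origin_hardened(request_origin: Optional[str], allowed: List[str]) -> Optional[str]:
    """Hardened behaviour: reflect the Origin only on an exact allowlist match, else no header.

    An explicit "null" Origin is rejected even if an operator mistakenly put "null"
    into the allowlist, because reflecting it grants access to every null-origin context.
    """
    if request_origin is None or request_origin == "null":
        return None
    if request_origin in allowed:
        return request_origin
    return None


def build_response_headers(request_headers: Dict[str, str],
                           allowed: Optional[List[str]] = None) -> Dict[str, str]:
    """Build the CORS-relevant response headers for one request using the hardened check."""
    allowed = ALLOWED_ORIGINS if allowed is None else allowed
    headers = {"Content-Type": "application/json"}
    acao = cors_origin_hardened(request_headers.get("Origin"), allowed)
    if acao is not None:
        headers["Access-Control-Allow-Origin"] = acao
        # The response depends on the Origin request header, so caches must key on it.
        headers["Vary"] = "Origin"
    return headers


def allowlist_problems(allowed: List[str]) -> List[str]:
    """Configuration check: entries that must never appear in an origin allowlist."""
    return [entry for entry in allowed if entry in ("null", "*") or entry.endswith("/")]


if __name__ == "__main__":
    for origin in ["https://st2web.example.com", "https://unknown.example", "null", None]:
        print(f"{origin!r:35} vulnerable={cors_origin_vulnerable(origin, ALLOWED_ORIGINS)!r:10} "
              f"hardened={cors_origin_hardened(origin, ALLOWED_ORIGINS)!r}")
```

The design point is that "absent" is the safe default for a CORS header: when no header is sent, the browser enforces the same-origin policy on the caller's behalf, whereas any reflected value, including "null", is a grant. `allowlist_problems` is a quick sanity check to run over an allowlist before deploying it.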



* [CVE-2018-20345] Invalid access control checks in "GET /v1/keys" API endpoint

Severity: Medium

Affected versions: All the versions prior to 2.9.2 and 2.10.1

Description:

StackStorm API didn't perform correct access control checks in the "GET /v1/keys" API endpoint. This allowed authenticated users to retrieve user-scoped datastore items for arbitrary users by using the "?scope=all" and "?user=<username>" query parameter filters.

NOTE: Enterprise edition with RBAC enabled is not affected. When RBAC is enabled, only users with the admin role can utilize the "?scope=all" and "?user=<username>" query parameter filters and retrieve / view values for any system user.

Mitigation: This vulnerability has been fixed in StackStorm v2.9.2 and v2.10.1. You are strongly encouraged to upgrade to one of those releases.

Bug fix announcement blog post: /2018/12/20/stackstorm-v2-9-2-and-v2-10-1-a-security-release/

Credits: This issue was discovered and reported to us by Alexandre Juma.
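Both this entry (CVE-2018-20345, query filters applied without checking the caller) and the CVE-2022-44009 entry above (a template filter that skipped the permission check) are instances of the same defect: more than one code path reads user-scoped datastore items, and not all of them go through an authorization check. The following added example (not StackStorm code; the datastore model, principal model and function names are simplified stand-ins) shows a vulnerable listing that honours "scope" and "user" filters verbatim, beside a hardened listing and a template-lookup helper that both route every read through one `authorize_kv_read` chokepoint. The datastore contents are constructed sample values.

```python
"""Added example: one authorization chokepoint for user-scoped K/V reads (not StackStorm code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class KeyValueItem:
    name: str
    value: str
    scope: str            # "system" or "user"
    user: Optional[str]   # owner for user-scoped items, None for system scope


@dataclass(frozen=True)
class Principal:
    username: str
    is_admin: bool


class PermissionDenied(Exception):
    """Raised when the caller is not allowed to read the requested item(s)."""


# Constructed sample datastore: one shared item and one secret per user.
DATASTORE: List[KeyValueItem] = [
    KeyValueItem("api_url", "https://api.example", "system", None),
    KeyValueItem("token", "alice-secret", "user", "alice"),
    KeyValueItem("token", "bob-secret", "user", "bob"),
]


def authorize_kv_read(caller: Principal, item: KeyValueItem) -> bool:
    """Single authorization rule: system items are readable by everyone,
    user-scoped items only by their owner or an admin."""
    if item.scope == "system":
        return True
    return caller.is_admin or item.user == caller.username


def list_keys_vulnerable(caller: Principal, scope: str, user: Optional[str],
                         store: List[KeyValueItem]) -> List[KeyValueItem]:
    """Vulnerable listing: the filters select items, but nobody asks who the caller is."""
    if scope == "all":
        return list(store)
    if scope == "system":
        return [i for i in store if i.scope == "system"]
    target = user or caller.username
    return [i for i in store if i.scope == "user" and i.user == target]


def list_keys_hardened(caller: Principal, scope: str, user: Optional[str],
                       store: List[KeyValueItem]) -> List[KeyValueItem]:
    """Hardened listing: filters still select, but each selected item is authorized
    against the caller, so "?scope=all" or "?user=<other>" cannot widen access."""
    if scope == "all":
        candidates = list(store)
    elif scope == "system":
        candidates = [i for i in store if i.scope == "system"]
    elif scope == "user":
        target = user or caller.username
        candidates = [i for i in store if i.scope == "user" and i.user == target]
    else:
        raise ValueError(f"unknown scope {scope!r}")
    denied = [i for i in candidates if not authorize_kv_read(caller, i)]
    if denied:
        # Fail closed rather than silently dropping items, so a misuse is visible in logs.
        raise PermissionDenied(f"{caller.username} may not read {len(denied)} of the requested items")
    return candidates


def template_kv_lookup(caller: Principal, name: str, store: List[KeyValueItem],
                       user: Optional[str] = None) -> Optional[str]:
    """Stand-in for a template/Jinja lookup helper: resolves a user-scoped key for the
    caller (or for `user`, when the caller is allowed to read that user's items).
    It reuses authorize_kv_read instead of carrying its own, forgettable check."""
    target = user or caller.username
    for item in store:
        if item.scope == "user" and item.name == name and item.user == target:
            if not authorize_kv_read(caller, item):
                raise PermissionDenied(f"{caller.username} may not read {target}'s {name!r}")
            return item.value
    return None
```

Usage: an authenticated non-admin calling `list_keys_hardened(Principal("alice", False), "user", "bob", DATASTORE)` or `template_kv_lookup(Principal("alice", False), "token", DATASTORE, user="bob")` gets `PermissionDenied`, while the vulnerable listing returns Bob's item. The important property is that both the API path and the template path share one rule, so adding a third read path (a CLI helper, a workflow function) cannot reintroduce the bug without bypassing that function explicitly.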