fix: Single quotes can trip Hugo YAML unmarshaler. #62

Merged
merged 1 commit into from
Sep 5, 2022

@simar7 simar7 commented Sep 3, 2022

I believe the Hugo unmarshaler is getting tripped up by mismatched single quotes.

Bad markdown (current)

```markdown
---
title: "CVE-2022-2788"
aliases: [
	"/nvd/cve-2022-2788"
]

shortName: ""
date: 2022-08-19 12:21:15 +0000
category: vulnerabilities
draft: false

avd_page_type: nvd_page

date_published: 
date_modified: 

header_subtitle: ""

sidebar_additional_info_nvd: "https://nvd.nist.gov/vuln/detail/CVE-2022-2788"
sidebar_additional_info_cwe: "https://cwe.mitre.org/data/definitions/29.html"

cvss_nvd_v3_vector: "N/A"
cvss_nvd_v3_score: "0"
cvss_nvd_v3_severity: "N/A"

cvss_nvd_v2_vector: "N/A"
cvss_nvd_v2_score: "0"
cvss_nvd_v2_severity: "N/A"

redhat_v2_vector: "N/A"
redhat_v2_score: "0"
redhat_v2_severity: "N/A"

redhat_v3_vector: "N/A"
redhat_v3_score: "0"
redhat_v3_severity: "N/A"

ubuntu_vector: "N/A"
ubuntu_score: "N/A"
ubuntu_severity: "N/A"

---

https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-06
### Weakness {.with_icon .weakness}
Emerson Electric's Proficy Machine Edition Version 9.80 and prior is vulnerable to CWE-29 Path Traversal: '..Filename', also known as a ZipSlip attack, through an upload procedure which enables attackers to implant a malicious .BLZ file on the PLC. The file can transfer through the engineering station onto Windows in a way that executes the malicious code.

### Affected Software {.with_icon .affected_software}
| Name | Vendor           | Start Version | End Version |
| ------------- |-------------|-----|----|
| Electric's_proficy |  |  | |


### References  {.with_icon .references}

<!--- Add Aqua content below --->
```

Notice the single quote in `Emerson Electric's`.


But running `hugo serve -D` locally didn't yield any errors 🤷🏼. Maybe it has been fixed in newer versions; I have v0.82.0 locally, as compared to the v0.81.0 the GitHub Action uses to build. I didn't try downgrading my version to match the one we run.

Upgrading the Hugo version would be another improvement we can make for AVD. PR here: #63 – but this can wait and might not be needed to unblock ourselves currently.

Signed-off-by: Simar [email protected]

@owenrumney owenrumney merged commit ffa86e8 into main Sep 5, 2022
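
A triage aid for pages like the one quoted above, added here as an example and not part of this pull request or the AVD generator: it splits a generated page at the `---` delimiters and reports, per line, whether a single quote falls in the YAML front matter or in the markdown body. The names `QuoteHit`, `FindSingleQuotes` and `samplePage` are hypothetical, and the sample page is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// QuoteHit is one line that contains a single quote, and where it sits.
type QuoteHit struct {
	Line    int    // 1-based line number in the page
	Section string // "front matter" or "body"
}

// samplePage is constructed for this example (placeholder CVE id).
const samplePage = `---
title: "CVE-0000-0000"
draft: false
---

### Weakness {.with_icon .weakness}
Example Vendor's product is vulnerable to Path Traversal: '..Filename'.
`

// FindSingleQuotes scans a page with "---"-delimited front matter and
// returns every line holding a single quote, tagged with its section.
func FindSingleQuotes(page string) ([]QuoteHit, error) {
	var hits []QuoteHit
	sc := bufio.NewScanner(strings.NewReader(page))
	delims, n := 0, 0 // delimiters seen so far, current line number
	for sc.Scan() {
		n++
		line := sc.Text()
		if delims < 2 && strings.TrimSpace(line) == "---" {
			delims++
			continue
		}
		if delims == 0 && strings.TrimSpace(line) != "" {
			return nil, fmt.Errorf("line %d: content before opening ---", n)
		}
		if strings.Contains(line, "'") {
			section := "body"
			if delims == 1 {
				section = "front matter"
			}
			hits = append(hits, QuoteHit{Line: n, Section: section})
		}
	}
	if delims < 2 {
		return nil, fmt.Errorf("front matter is not closed by a second ---")
	}
	return hits, sc.Err()
}

func main() { fmt.Println(FindSingleQuotes(samplePage)) }
```

Run over a directory of generated pages, a hit tagged `front matter` points at a value the YAML parser will read, while a `body` hit is only ever seen by the markdown renderer.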