Security audit report

Vulnerability scanning

PactFlow uses the following tools to ensure the On-Premises image is kept as secure as possible.

  • Bundler Audit
  • NPM audit
  • Trivy
  • Quay Security Scanner
  • Amazon ECR Image scanning

Reporting vulnerabilities

To report a vulnerability, please contact security and ensure you include the relevant CVE, and the name and/or path to the vulnerable component.

Identifying the correct Ruby version

Many scanning tools have trouble identifying the correct version of Ruby installed on an image, because Ruby stores its gems in a directory named after the minor version of Ruby (e.g. 2.7.0) rather than the installed patch version (e.g. 2.7.6). This can be demonstrated by running the following command:

docker run --rm -it --entrypoint gem quay.io/pactflow/enterprise:latest environment

Example output (note the RUBY VERSION of 2.7.6 while the GEM PATHS use 2.7.0):

RubyGems Environment:
  - RUBYGEMS VERSION: 3.1.6
  - RUBY VERSION: 2.7.6 (2022-04-12 patchlevel 219) [x86_64-linux-musl]
  - INSTALLATION DIRECTORY: /usr/local/bundle
  - USER INSTALLATION DIRECTORY: /root/.gem/ruby/2.7.0
  - RUBY EXECUTABLE: /usr/local/bin/ruby
  - GIT EXECUTABLE:
  - EXECUTABLE DIRECTORY: /usr/local/bundle/bin
  - SPEC CACHE DIRECTORY: /root/.gem/specs
  - SYSTEM CONFIGURATION DIRECTORY: /usr/local/etc
  - RUBYGEMS PLATFORMS:
    - ruby
    - x86_64-linux-musl
  - GEM PATHS:
     - /usr/local/bundle
     - /root/.gem/ruby/2.7.0
     - /usr/local/lib/ruby/gems/2.7.0
  - GEM CONFIGURATION:
     - :update_sources => true
     - :verbose => true
     - :backtrace => false
     - :bulk_threshold => 1000
     - "install" => "--no-document"
     - "update" => "--no-document"
  - REMOTE SOURCES:
     - https://rubygems.org/
  - SHELL PATH:
     - /usr/local/bundle/bin
     - /usr/local/sbin
     - /usr/local/bin
     - /usr/sbin
     - /usr/bin
     - /sbin
     - /bin

The difficulty that tools have in identifying the correct version of Ruby can lead to false positives being reported. Please check the version of Ruby before submitting a vulnerability report.
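As an added illustration (not PactFlow's own code), the following Ruby script parses the gem environment output above, extracts both the interpreter version RubyGems reports and the version a path-based scanner would infer from the gem directory, and triages a finding against the 2.7 branch of the CVE-2021-41816 range stated later in this report (Ruby before 2.7.5). The sample output, the helper names and the requirement list are constructed for this example.

```ruby
# Added example, not PactFlow's own code: parse `gem environment` output,
# compare the interpreter version RubyGems reports with the version a
# path-based scanner would infer from the gem directory, and triage a CVE.

# Constructed from the `gem environment` output shown above (abridged).
GEM_ENV_SAMPLE = <<~OUT
  RubyGems Environment:
    - RUBYGEMS VERSION: 3.1.6
    - RUBY VERSION: 2.7.6 (2022-04-12 patchlevel 219) [x86_64-linux-musl]
    - USER INSTALLATION DIRECTORY: /root/.gem/ruby/2.7.0
    - GEM PATHS:
       - /usr/local/bundle
       - /root/.gem/ruby/2.7.0
       - /usr/local/lib/ruby/gems/2.7.0
OUT

# The interpreter version RubyGems actually reports, e.g. "2.7.6".
def ruby_version_from_env(output)
  output[/RUBY VERSION:\s*(\d+\.\d+\.\d+)/, 1]
end

# What a path-based scanner sees: the API version in the gem path (x.y.0).
def ruby_version_from_gem_paths(output)
  output[%r{/ruby/gems/(\d+\.\d+\.\d+)}, 1]
end

# Does a RubyGems-style requirement (e.g. ["< 2.7.5"]) cover this version?
def affected?(requirement, version)
  Gem::Requirement.new(*requirement).satisfied_by?(Gem::Version.new(version))
end

# Triage one finding: :false_positive when only the path-derived version
# falls inside the affected range, :affected when the real one does.
def triage(cve, requirement, output)
  real    = ruby_version_from_env(output)
  guessed = ruby_version_from_gem_paths(output)
  if affected?(requirement, real)
    { cve: cve, status: :affected, ruby: real }
  elsif guessed && affected?(requirement, guessed)
    { cve: cve, status: :false_positive, ruby: real, scanner_saw: guessed }
  else
    { cve: cve, status: :not_affected, ruby: real }
  end
end

# CVE-2021-41816 affects the 2.7 branch before 2.7.5 (range from this report).
CGI_CVE_2_7_RANGE = [">= 2.7.0", "< 2.7.5"].freeze

puts triage("CVE-2021-41816", CGI_CVE_2_7_RANGE, GEM_ENV_SAMPLE).inspect if __FILE__ == $0
```

Against the sample output the result is a false positive: the gem path says 2.7.0, which is inside the range, but the interpreter is 2.7.6, which is not.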

Identifying the installed gem versions

To list the gems installed on the PactFlow image run:

docker run --rm -it --entrypoint gem quay.io/pactflow/enterprise:latest "list"

Known vulnerabilities

CVE-2015-9284

Component

omniauth gem

CVE

https://nvd.nist.gov/vuln/detail/CVE-2015-9284

Detectable in versions of PactFlow

All.

Status

Non-exploitable.

Notes

This CVE is a CSRF vulnerability during sign-in. It is only exploitable if the initial request from the service provider to the identity provider is itself vulnerable to CSRF because it is made as a GET request without any CSRF protection. In PactFlow this is not possible: PactFlow sends the initial request to the IdP as a POST with a CSRF token, as per the mitigation instructions here.

This can be observed by viewing the source of the login form.

<form action="https://example.com/auth/saml" method="post">
  <input type="hidden" name="authenticity_token" value="i_nnrcJziCKKNMb-FRQtxot2ZE6nsNpIhC_AtsK5Boc=">
  <button type="submit">SAML</button>
</form>

CVE-2022-2625

Description

Given certain prerequisites, this vulnerability allows arbitrary code to be run.

Component

postgresql14-dev package for Alpine

CVE

https://nvd.nist.gov/vuln/detail/CVE-2022-2625

Status

Non-exploitable.

Notes

This vulnerability applies to the PostgreSQL server only. The PactFlow Docker image only uses the PostgreSQL client, and hence is not affected by this vulnerability.

CVE-2022-37434

Description

A heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field.

Component

zlib package for Alpine

CVE

https://nvd.nist.gov/vuln/detail/CVE-2022-37434

Affected versions of PactFlow

All.

Status

Unfixed.

Notes

As of 24 August 2022, there is no fix available. A patch release of PactFlow will be put out as soon as a fix is available.

CVE-2021-41816

Component

The cgi library included in Ruby before 2.7.5 and 3.x before 3.0.3, and the cgi gem before 0.3.1.

CVE

https://nvd.nist.gov/vuln/detail/CVE-2021-41816

Status

False positive.

Notes

This vulnerability only affects platforms where the C long type is 4 bytes, typically Windows. The PactFlow base image uses 64-bit Alpine Linux, where long is 8 bytes.

CVE-2020-36599

Description

lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value.

Component

omniauth gem

Status

Non-exploitable.

Detectable in versions of PactFlow

Up to and including 1.19.2.

Fixed versions

1.19.3 and later.

Notes

PactFlow uses a custom failure endpoint so the vulnerable code is never executed.