-
Notifications
You must be signed in to change notification settings - Fork 179
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'develop' into 'master'
Merge 'develop' into 'master' See merge request passbolt/passbolt-help!408
- Loading branch information
Showing
30 changed files
with
856 additions
and
57 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| --- | ||
| title: PBL-11 Security audit results | ||
| date: 2024-04-15 00:00:00 Z | ||
| description: PBL-11 Security audit results | ||
| categories: [incidents] | ||
| layout: incidents | ||
| slug: PBL-11 Security audit results | ||
| permalink: /incidents/20240415_PBL-11-security-audit-results | ||
| --- | ||
|
|
||
| {% include layout/row_start.html %} | ||
| {% include layout/col_start.html column="7" %} | ||
|
|
||
| ## Introduction | ||
|
|
||
| In the lead-up to the stable release of the Passbolt UWP Windows application, the Cure53 team dedicated two days to a focused audit on the application's native layer. This review revealed a total of five findings—four security vulnerabilities and one general weakness—which were all solved prior to the v1.0 release. | ||
|
|
||
| Quotes from the conclusion of the report: “Upon completion of this security audit, Cure53 gained a strong impression of the security premise employed by the Passbolt team. The quality of the codebase was generally impressive, while the architecture and frameworks employed generally installed resilient design paradigms.” | ||
|
|
||
| In addition to the detailed findings of this audit, the security incident section also houses separate reports that examine the browser extensions. Interestingly, some of the code of the extension is also used in the Desktop application, and will give more details on other components of this application. | ||
|
|
||
| All the issues have been fixed or mitigations have been implemented as of 11th April 2024. | ||
|
|
||
| You can read more about the security audit by [reading the full report](/assets/files/PBL-11-report.pdf). | ||
|
|
||
| A big thank you from the Passbolt team to Cure53 for their collaborative spirit and expertise shared during this project. | ||
|
|
||
| ## Vulnerabilities summary | ||
|
|
||
| <table class="table-parameters"> | ||
| <thead> | ||
| <tr> | ||
| <th>ID</th> | ||
| <th>Issue name</th> | ||
| <th>Severity</th> | ||
| <th>Status</th> | ||
| </tr> | ||
| </thead> | ||
| <tbody> | ||
| <tr> | ||
| <td>PBL-11-001</td> | ||
| <td>Insecure Regex pattern allows canNavigate bypass</td> | ||
| <td>Medium</td> | ||
| <td>Mitigated in v1.0</td> | ||
| </tr> | ||
| <tr> | ||
| <td>PBL-11-002</td> | ||
| <td>PasswordVault can be accessed by Desktop apps</td> | ||
| <td>Low</td> | ||
| <td>Mitigated in v1.0</td> | ||
| </tr> | ||
| <tr> | ||
| <td>PBL-11-003</td> | ||
| <td>JS execution by modifying LocalFolder Resources</td> | ||
| <td>Low</td> | ||
| <td>Mitigated in v1.0</td> | ||
| </tr> | ||
| <tr> | ||
| <td>PBL-11-004</td> | ||
| <td>Insecure CSP Configuration in renderers</td> | ||
| <td>Low</td> | ||
| <td>Mitigated in v1.0</td> | ||
| </tr> | ||
| <tr> | ||
| <td>PBL-11-005</td> | ||
| <td>Arbitrary requestId used as topic in background</td> | ||
| <td>Medium</td> | ||
| <td>Mitigated in v1.0</td> | ||
| </tr> | ||
| </tbody> | ||
| </table> | ||
|
|
||
| {% include date/updated.html %} | ||
|
|
||
| {% include layout/col_end.html %} | ||
| {% include layout/col_start.html column="4 last push1" %} | ||
|
|
||
| {% include layout/col_end.html %} | ||
| {% include layout/row_end.html %} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Binary file not shown.
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| <?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.3.1">Jekyll</generator><link href="https://help.passbolt.com/feed.xml" rel="self" type="application/atom+xml" /><link href="https://help.passbolt.com/" rel="alternate" type="text/html" /><updated>2024-04-12T09:45:21+02:00</updated><id>https://help.passbolt.com/feed.xml</id><title type="html">Passbolt | Help</title><subtitle>The help site for passbolt, the open source password manager for teams. This site contains frequently asked questions, article to troubleshoot common issues, installation tutorials, blueprints for developers, and more!</subtitle></feed> | ||
| <?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.3.1">Jekyll</generator><link href="https://help.passbolt.com/feed.xml" rel="self" type="application/atom+xml" /><link href="https://help.passbolt.com/" rel="alternate" type="text/html" /><updated>2024-04-15T11:33:41+02:00</updated><id>https://help.passbolt.com/feed.xml</id><title type="html">Passbolt | Help</title><subtitle>The help site for passbolt, the open source password manager for teams. This site contains frequently asked questions, article to troubleshoot common issues, installation tutorials, blueprints for developers, and more!</subtitle></feed> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.