Sonatype, Inc. (“Sonatype”) has established the Central Security Project with the goal of keeping the Maven ecosystem safe by providing a place for the security community to report security issues found in open source Maven components (each a “Vulnerability”).
If you believe that you have found a Vulnerability, we encourage you to notify us, and we welcome the opportunity to work with you to resolve the issue promptly. Working together, we hope to make the Maven ecosystem better for everyone who uses it.
A Vulnerability is submitted to the Central Security Project:
Thank you for helping to keep the Maven ecosystem safe!
Below is a summary of how a disclosure would be made and evaluated via the Central Security Project process, using CVE-2018-8006 as an example. Note that the information related to this example is fairly complete, and that you may not be able to provide all of the information outlined below. That is OK; just be sure to provide as much as possible when making a submission.
Though we strive to provide accurate identification of each vulnerable component, we realize that this is not always easy depending on the technique of discovery. The more information that we receive about a reported Vulnerability, the better equipped we are to evaluate and properly analyze it. If all of the information below is not available for a submission that you would like to make, please provide as much information and detail as possible to assist in locating the root cause of the Vulnerability. The information below will assist our security research team in validating your disclosure:
Please precisely identify the project (group ID) and component (artifact ID). The Central Search and the OSS Index Search are available to help with this identification. Please provide the following information to the extent available to you:
groupId: org.apache.activemq (Note that this was found in the POM file. Also note that if an element such as the <groupId> does not exist outside of the <parent> element, then it inherits from the parent and we use that one.)
artifactId: activemq-web-console (Note that this was found in the same POM file as the Group ID.)
version: 5.15.0 - 5.15.4 are affected (Supply any versions you know to be affected as a list or range. If you have only tested one or two versions that is fine, just list the ones that you know to be affected.)
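Reading the coordinates off a POM by hand is error-prone precisely because of the inheritance rule noted under groupId: a module that declares only its artifactId takes groupId and version from its <parent>. The following is an added example, not code from this page or from the ActiveMQ project, that applies that rule. The two POMs are constructed for the example (the first is in the shape of the activemq-web-console module POM but is not the real file), and the function names resolve_coordinates and gav are my own.

```python
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample in the shape of the activemq-web-console module POM (abridged,
# not the real file): it declares only its own artifactId and inherits groupId
# and version from <parent>, which is the case the groupId note above describes.
SAMPLE_POM_WITH_PARENT = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.apache.activemq</groupId>
    <artifactId>activemq-parent</artifactId>
    <version>5.15.4</version>
  </parent>
  <artifactId>activemq-web-console</artifactId>
  <packaging>war</packaging>
</project>
"""

# Constructed stand-alone POM with all three coordinates declared directly.
SAMPLE_POM_STANDALONE = """<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>example-lib</artifactId>
  <version>1.2.3</version>
</project>
"""


def _find(elem, name):
    """Find a direct child by name whether or not the POM declares the Maven namespace."""
    if elem is None:
        return None
    child = elem.find(POM_NS + name)
    return child if child is not None else elem.find(name)


def _text(elem, name):
    """Stripped text of a direct child, or None when the child is absent or empty."""
    child = _find(elem, name)
    return child.text.strip() if child is not None and child.text else None


def resolve_coordinates(pom_xml):
    """Return (groupId, artifactId, version) as Maven resolves them.

    groupId and version fall back to the <parent> block when the module does not
    declare them; artifactId is never inherited and must be present.
    """
    project = ET.fromstring(pom_xml)
    parent = _find(project, "parent")
    group_id = _text(project, "groupId") or _text(parent, "groupId")
    artifact_id = _text(project, "artifactId")
    version = _text(project, "version") or _text(parent, "version")
    missing = [name for name, value in (("groupId", group_id),
                                        ("artifactId", artifact_id),
                                        ("version", version)) if not value]
    if missing:
        raise ValueError("POM is missing coordinates: " + ", ".join(missing))
    return group_id, artifact_id, version


def gav(pom_xml):
    """Format the coordinates as groupId:artifactId:version, the form a report or a Central Search query uses."""
    return ":".join(resolve_coordinates(pom_xml))


if __name__ == "__main__":
    for pom in (SAMPLE_POM_WITH_PARENT, SAMPLE_POM_STANDALONE):
        print(gav(pom))
```

The version printed for the first POM is the parent's 5.15.4, which is what you would list in the version field; if the module had declared its own <version>, that would win instead. Properties such as ${project.version} are not expanded here, so a POM using them still needs a manual look.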
Please provide a detailed description of the Vulnerability, how it was found, how it can be exploited, and how it harms package users.
Please provide any other details that you believe would be helpful when evaluating the Vulnerability including the following (to the extent available):
Source File and Line Number: https://github.com/apache/activemq/blob/04b60cb188932a91be9f59d6cda09290219d8a45/activemq-web-console/src/main/webapp/queues.jsp#L49 and https://github.com/apache/activemq/blob/04b60cb188932a91be9f59d6cda09290219d8a45/activemq-web-console/src/main/webapp/queues.jsp#L57 (In this case links to a publicly available online source repository were provided. This is the easiest way to convey this information. However, if this is not possible, you can just write this information out.)
Vulnerable File(s): activemq/activemq-web-console/src/main/webapp/queues.jsp and/or /admin/queue.jsp (Note that if the source file information was already given, this field is often not necessary. It is useful when either the source file is not given at all or the source file is different from the class file, for example when the vulnerability exists within an inner class.)
Vulnerability Introduction: https://github.com/apache/activemq/commit/0b767fcb0c622810c01e54bd51bc9680e36f81f5#diff-fc7835a6f811e2959e1af8fdae430b81R47 and https://github.com/apache/activemq/commit/0b767fcb0c622810c01e54bd51bc9680e36f81f5#diff-fc7835a6f811e2959e1af8fdae430b81R55 (Note that tracing the vulnerability back to its introduction can be somewhat time consuming, but is quite valuable. If you have the time and means to do so, it is greatly appreciated. Also note that in this case both instances were introduced in the same commit. If they were not, having the introduction links to both is ideal.)
Please provide a detailed description of the steps required in order to reproduce the Vulnerability along with all required references/steps/commands. Any sample/exploit code or other proof of concept that you can share would be very helpful.
Craft a link such as http://localhost:8161/admin/queues.jsp?QueueFilter=foo%22%3e%3cscript%3ealert(%22XSS%22)%3c%2fscript%3bar and visit it in your browser. This particular injected script will cause an "XSS" popup to appear.
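The check behind that reproduction step is that the QueueFilter value comes back in the response without HTML encoding, so a double quote closes the attribute and the rest of the value is parsed as markup. The following is an added example, not code from this page or from the ActiveMQ project, that takes the proof-of-concept link above, extracts the decoded QueueFilter value, and runs it through two constructed stand-ins for the page's output: an unescaped attribute write that mirrors the flaw, and an escaped write that mirrors the usual fix. The stand-in markup and the function names are assumptions; the real queues.jsp markup is at the source links given above.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Proof-of-concept link quoted on this page for CVE-2018-8006.
POC_URL = ("http://localhost:8161/admin/queues.jsp?QueueFilter="
           "foo%22%3e%3cscript%3ealert(%22XSS%22)%3c%2fscript%3bar")


def queue_filter_param(url):
    """Return the decoded QueueFilter value the server-side page would receive."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("QueueFilter", [""])[0]


def render_filter_box_unescaped(queue_filter):
    """Constructed stand-in for the flawed pattern: the request value is written into an
    attribute verbatim. This is not the project's JSP, only the shape of the bug."""
    return '<input type="text" name="QueueFilter" value="' + queue_filter + '"/>'


def render_filter_box_escaped(queue_filter):
    """Constructed stand-in for the fix: attribute-escape the value before emitting it,
    so a double quote in the input cannot terminate the attribute."""
    return ('<input type="text" name="QueueFilter" value="'
            + html.escape(queue_filter, quote=True) + '"/>')


def reflected_unescaped(page_html, probe):
    """True when the probe comes back byte-for-byte, i.e. the page applied no encoding."""
    return probe in page_html


def attribute_breakout(page_html):
    """True when a quote followed by '>' and '<' appears: the signature of the input
    closing an attribute and its tag, then opening a new tag of its own."""
    return '"><' in page_html


def assess(url, page_html):
    """Summarise the reflection check for a URL and the HTML that came back for it.
    For a live test, page_html would be the body fetched from the target."""
    probe = queue_filter_param(url)
    return {
        "probe": probe,
        "reflected_unescaped": reflected_unescaped(page_html, probe),
        "attribute_breakout": attribute_breakout(page_html),
    }


if __name__ == "__main__":
    value = queue_filter_param(POC_URL)
    print("flawed :", assess(POC_URL, render_filter_box_unescaped(value)))
    print("fixed  :", assess(POC_URL, render_filter_box_escaped(value)))
```

Against a real target you would replace the stand-in renderers with the body of the HTTP response for the crafted link; a true result for reflected_unescaped is the evidence worth attaching to the report, and the same two checks against the patched build are a quick way to confirm a proposed fix.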
If you are able to provide a patch with the fix, please post it in this section (or attach it).
Please provide all available technical information about the stack where the Vulnerability was found, such as:
macOS Sierra 10.12.6
openjdk version "11.0.1" 2018-10-16, OpenJDK Runtime Environment 18.9 (build 11.0.1+13), OpenJDK 64-Bit Server VM 18.9 (build 11.0.1+13, mixed mode)
Chrome 70.0.3538.110 (Official Build) (64-bit)
Sonatype is not responsible for resolving any Vulnerability submitted to the Central Security Project. Instead, Sonatype will evaluate each submitted Vulnerability and, if Sonatype deems the Vulnerability valid, which it shall determine in its sole discretion, Sonatype will work with HackerOne to notify the identified project of the Vulnerability on your behalf. You agree that the identified project may contact you for additional information as it works to resolve the Vulnerability. Except to the extent that Sonatype itself manages the identified project, Sonatype is not responsible for any project maintainers’ actions or omissions, including with respect to your submitted Vulnerability. YOU HEREBY WAIVE ANY AND ALL CLAIMS YOU MAY HAVE AGAINST SONATYPE AND/OR THE CENTRAL SECURITY PROJECT FOR ANY ACTION TAKEN BY, OR OMISSION OF, SONATYPE AND/OR THE CENTRAL SECURITY PROJECT TEAM REGARDING ANY VULNERABILITY SUBMITTED BY YOU TO THE CENTRAL SECURITY PROJECT AND/OR SONATYPE.
Because HackerOne will report the Vulnerability to the identified project on your behalf, you agree to abide by the terms and conditions of HackerOne’s Vulnerability Disclosure Guidelines (subject to the Central Security Project’s alternative disclosure timeline set out above).
Sonatype does not offer or collect any bounties or other rewards in connection with the Vulnerabilities submitted via the Central Security Project. Moreover, to the extent that a project associated with a Maven component offers a bounty or other reward for a Vulnerability that you submit through the Central Security Project, you may be waiving your right to claim the bounty or other reward for such submission. If you are interested in collecting a bounty or other reward offered by a specific Maven project, please refer to the guidelines provided by such project prior to submitting the Vulnerability to the Central Security Project.
Contact us if you want more information.