Critical Vulnerabilities - Use of outdated libexpat library
tomtom215 opened this issue · comments
Prerequisites
The issue tracker is used to report bugs and request new features, NOT to ask questions.
Questions should be posted to the users mailing list which can be accessed at
https://ironpython.groups.io/g/users.
- Are you running the latest version?
- Are you reporting to the correct repository?
- Did you perform a cursory search?
Description
Critical vulnerabilities in ironpython2 due to the use of the outdated libexpat version. From the release notes from libexpat compared to the results in our security scanner, it looks like ironpython2 is still using 2.4.3
Steps to Reproduce
Scanned the latest release zip package with a binary security scanner
Versions
You can get this information from executing ipy -V.
2.7.12
Not exactly sure what makes you think IronPython is using libexpat?
| Component | Version | Latest version | CVE | Matching type | CVSS | CVE publication date | Object compilation date | Object | Object full path | Object SHA1 | CVSS3 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| expat | 2.5.0 | CVE-2022-25315 | Exact match (timestamp) | 7.5 | 2022-02-18T05:15:00Z | 2022-01-17T16:00:22Z | IronPython.Modules.dll | IronPython.2.7.12.zip:net45/IronPython.Modules.dll | 5614cdf8b402a0007ade8a1f7b65c7d6f4855f9c | 9.8 | |
| expat | 2.5.0 | CVE-2022-25315 | Exact match (timestamp) | 7.5 | 2022-02-18T05:15:00Z | 2022-01-17T16:00:22Z | IronPython.Modules.dll | IronPython.2.7.12.zip:netcoreapp3.1/IronPython.Modules.dll | 8b425859537f619a292a2edbb116315378ea715a | 9.8 | |
| expat | 2.5.0 | CVE-2022-25315 | Exact match (timestamp) | 7.5 | 2022-02-18T05:15:00Z | 2022-01-17T16:00:24Z | IronPython.Modules.dll | IronPython.2.7.12.zip:netstandard2.0/IronPython.Modules.dll | c8d0f5f642df366aa40ae436e9ec19337d4bb409 | 9.8 | |
| expat | 2.5.0 | CVE-2022-25236 | Exact match (timestamp) | 7.5 | 2022-02-16T01:15:00Z | 2022-01-17T16:00:22Z | IronPython.Modules.dll | IronPython.2.7.12.zip:net45/IronPython.Modules.dll | 5614cdf8b402a0007ade8a1f7b65c7d6f4855f9c | 9.8 | |
| expat | 2.5.0 | CVE-2022-25236 | Exact match (timestamp) | 7.5 | 2022-02-16T01:15:00Z | 2022-01-17T16:00:22Z | IronPython.Modules.dll | IronPython.2.7.12.zip:netcoreapp3.1/IronPython.Modules.dll | 8b425859537f619a292a2edbb116315378ea715a | 9.8 | |
| expat | 2.5.0 | CVE-2022-25236 | Exact match (timestamp) | 7.5 | 2022-02-16T01:15:00Z | 2022-01-17T16:00:24Z | IronPython.Modules.dll | IronPython.2.7.12.zip:netstandard2.0/IronPython.Modules.dll | c8d0f5f642df366aa40ae436e9ec19337d4bb409 | 9.8 | |
| expat | 2.5.0 | CVE-2022-25235 | Exact match (timestamp) | 7.5 | 2022-02-16T01:15:00Z | 2022-01-17T16:00:22Z | IronPython.Modules.dll | IronPython.2.7.12.zip:net45/IronPython.Modules.dll | 5614cdf8b402a0007ade8a1f7b65c7d6f4855f9c | 9.8 | |
| expat | 2.5.0 | CVE-2022-25235 | Exact match (timestamp) | 7.5 | 2022-02-16T01:15:00Z | 2022-01-17T16:00:22Z | IronPython.Modules.dll | IronPython.2.7.12.zip:netcoreapp3.1/IronPython.Modules.dll | 8b425859537f619a292a2edbb116315378ea715a | 9.8 | |
| expat | 2.5.0 | CVE-2022-25235 | Exact match (timestamp) | 7.5 | 2022-02-16T01:15:00Z | 2022-01-17T16:00:24Z | IronPython.Modules.dll | IronPython.2.7.12.zip:netstandard2.0/IronPython.Modules.dll | c8d0f5f642df366aa40ae436e9ec19337d4bb409 | 9.8 | |
| expat | 2.5.0 | CVE-2022-23852 | Exact match (timestamp) | 7.5 | 2022-01-24T02:15:00Z | 2022-01-17T16:00:22Z | IronPython.Modules.dll | IronPython.2.7.12.zip:net45/IronPython.Modules.dll | 5614cdf8b402a0007ade8a1f7b65c7d6f4855f9c | 9.8 | |
| expat | 2.5.0 | CVE-2022-23852 | Exact match (timestamp) | 7.5 | 2022-01-24T02:15:00Z | 2022-01-17T16:00:22Z | IronPython.Modules.dll | IronPython.2.7.12.zip:netcoreapp3.1/IronPython.Modules.dll | 8b425859537f619a292a2edbb116315378ea715a | 9.8 | |
| expat | 2.5.0 | CVE-2022-23852 | Exact match (timestamp) | 7.5 | 2022-01-24T02:15:00Z | 2022-01-17T16:00:24Z | IronPython.Modules.dll | IronPython.2.7.12.zip:netstandard2.0/IronPython.Modules.dll | c8d0f5f642df366aa40ae436e9ec19337d4bb409 | 9.8 | |
| expat | 2.5.0 | CVE-2022-25314 | Exact match (timestamp) | 5.0 | 2022-02-18T05:15:00Z | 2022-01-17T16:00:22Z | IronPython.Modules.dll | IronPython.2.7.12.zip:net45/IronPython.Modules.dll | 5614cdf8b402a0007ade8a1f7b65c7d6f4855f9c | 7.5 | |
| expat | 2.5.0 | CVE-2022-25314 | Exact match (timestamp) | 5.0 | 2022-02-18T05:15:00Z | 2022-01-17T16:00:22Z | IronPython.Modules.dll | IronPython.2.7.12.zip:netcoreapp3.1/IronPython.Modules.dll | 8b425859537f619a292a2edbb116315378ea715a | 7.5 | |
| expat | 2.5.0 | CVE-2022-25314 | Exact match (timestamp) | 5.0 | 2022-02-18T05:15:00Z | 2022-01-17T16:00:24Z | IronPython.Modules.dll | IronPython.2.7.12.zip:netstandard2.0/IronPython.Modules.dll | c8d0f5f642df366aa40ae436e9ec19337d4bb409 | 7.5 | |
| expat | 2.5.0 | CVE-2022-23990 | Exact match (timestamp) | 5.0 | 2022-01-26T19:15:00Z | 2022-01-17T16:00:22Z | IronPython.Modules.dll | IronPython.2.7.12.zip:net45/IronPython.Modules.dll | 5614cdf8b402a0007ade8a1f7b65c7d6f4855f9c | 7.5 | |
| expat | 2.5.0 | CVE-2022-23990 | Exact match (timestamp) | 5.0 | 2022-01-26T19:15:00Z | 2022-01-17T16:00:22Z | IronPython.Modules.dll | IronPython.2.7.12.zip:netcoreapp3.1/IronPython.Modules.dll | 8b425859537f619a292a2edbb116315378ea715a | 7.5 | |
| expat | 2.5.0 | CVE-2022-23990 | Exact match (timestamp) | 5.0 | 2022-01-26T19:15:00Z | 2022-01-17T16:00:24Z | IronPython.Modules.dll | IronPython.2.7.12.zip:netstandard2.0/IronPython.Modules.dll | c8d0f5f642df366aa40ae436e9ec19337d4bb409 | 7.5 | |
| expat | 2.5.0 | CVE-2022-25313 | Exact match (timestamp) | 4.3 | 2022-02-18T05:15:00Z | 2022-01-17T16:00:22Z | IronPython.Modules.dll | IronPython.2.7.12.zip:net45/IronPython.Modules.dll | 5614cdf8b402a0007ade8a1f7b65c7d6f4855f9c | 6.5 | |
| expat | 2.5.0 | CVE-2022-25313 | Exact match (timestamp) | 4.3 | 2022-02-18T05:15:00Z | 2022-01-17T16:00:22Z | IronPython.Modules.dll | IronPython.2.7.12.zip:netcoreapp3.1/IronPython.Modules.dll | 8b425859537f619a292a2edbb116315378ea715a | 6.5 | |
| expat | 2.5.0 | CVE-2022-25313 | Exact match (timestamp) | 4.3 | 2022-02-18T05:15:00Z | 2022-01-17T16:00:24Z | IronPython.Modules.dll | IronPython.2.7.12.zip:netstandard2.0/IronPython.Modules.dll | c8d0f5f642df366aa40ae436e9ec19337d4bb409 | 6.5 | |
| expat | 2.5.0 | CVE-2022-40674 | Exact match (timestamp) | 0.0 | 2022-09-14T11:15:00Z | 2022-01-17T16:00:22Z | IronPython.Modules.dll | IronPython.2.7.12.zip:net45/IronPython.Modules.dll | 5614cdf8b402a0007ade8a1f7b65c7d6f4855f9c | 8.1 | |
| expat | 2.5.0 | CVE-2022-40674 | Exact match (timestamp) | 0.0 | 2022-09-14T11:15:00Z | 2022-01-17T16:00:22Z | IronPython.Modules.dll | IronPython.2.7.12.zip:netcoreapp3.1/IronPython.Modules.dll | 8b425859537f619a292a2edbb116315378ea715a | 8.1 | |
| expat | 2.5.0 | CVE-2022-40674 | Exact match (timestamp) | 0.0 | 2022-09-14T11:15:00Z | 2022-01-17T16:00:24Z | IronPython.Modules.dll | IronPython.2.7.12.zip:netstandard2.0/IronPython.Modules.dll | c8d0f5f642df366aa40ae436e9ec19337d4bb409 | 8.1 | |
| expat | 2.5.0 | CVE-2022-43680 | Exact match (timestamp) | 0.0 | 2022-10-24T14:15:00Z | 2022-01-17T16:00:22Z | IronPython.Modules.dll | IronPython.2.7.12.zip:net45/IronPython.Modules.dll | 5614cdf8b402a0007ade8a1f7b65c7d6f4855f9c | 7.5 | |
| expat | 2.5.0 | CVE-2022-43680 | Exact match (timestamp) | 0.0 | 2022-10-24T14:15:00Z | 2022-01-17T16:00:22Z | IronPython.Modules.dll | IronPython.2.7.12.zip:netcoreapp3.1/IronPython.Modules.dll | 8b425859537f619a292a2edbb116315378ea715a | 7.5 | |
| expat | 2.5.0 | CVE-2022-43680 | Exact match (timestamp) | 0.0 | 2022-10-24T14:15:00Z | 2022-01-17T16:00:24Z | IronPython.Modules.dll | IronPython.2.7.12.zip:netstandard2.0/IronPython.Modules.dll | c8d0f5f642df366aa40ae436e9ec19337d4bb409 | 7.5 |
these are the other vulnerabilities that were found, but there were medium at the highest
| Component | Version | Latest version | CVE | Matching type | CVSS | CVE publication date | Object compilation date | Object | Object full path | Object SHA1 | CVSS3 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| pip | 19.2.3 | 22.2.2 | CVE-2021-3572 | Exact match | 3.5 | 2021-11-10T18:15:00Z | 2019-08-25T04:32:58Z | main.py | IronPython.2.7.12.zip:Lib/ensurepip/_bundled/pip-19.2.3-py2.py3-none-any.whl:pip/main.py | 59f1a3e0a6f87077a4d6e52c18c31c327960bc65 | 5.7 |
| setuptools | 41.2.0 | 63.4.2 | CVE-2022-40897 | Exact match | 0.0 | 2022-12-23T00:15:00Z | 2020-05-28T09:28:44Z | init.py | IronPython.2.7.12.zip:Lib/ensurepip/_bundled/setuptools-41.2.0-py2.py3-none-any.whl:setuptools/init.py | f8069d6b9220b9c79011cfcbc6f90253eb67ac4d | 5.9 |
| urllib3 | 1.25.3 | 1.26.11 | CVE-2020-7212 | Exact match | 7.8 | 2020-03-06T20:15:00Z | 2019-07-30T12:02:16Z | init.py | IronPython.2.7.12.zip:Lib/ensurepip/_bundled/pip-19.2.3-py2.py3-none-any.whl:pip/_vendor/urllib3/init.py | 1f751cd465f42fd0f67f5db14fb43bf25ebc1142 | 7.5 |
| urllib3 | 1.25.3 | 1.26.11 | CVE-2020-26137 | Exact match | 6.4 | 2020-09-30T18:15:00Z | 2019-07-30T12:02:16Z | init.py | IronPython.2.7.12.zip:Lib/ensurepip/_bundled/pip-19.2.3-py2.py3-none-any.whl:pip/_vendor/urllib3/init.py | 1f751cd465f42fd0f67f5db14fb43bf25ebc1142 | 6.5 |
| urllib3 | 1.25.3 | 1.26.11 | CVE-2021-33503 | Exact match | 5.0 | 2021-06-29T11:15:00Z | 2019-07-30T12:02:16Z | init.py | IronPython.2.7.12.zip:Lib/ensurepip/_bundled/pip-19.2.3-py2.py3-none-any.whl:pip/_vendor/urllib3/init.py | 1f751cd465f42fd0f67f5db14fb43bf25ebc1142 | 7.5 |
Right, the word expat appears in the code but IronPython doesn't use libexpat...
From the documentation https://libexpat.github.io/doc/api/latest/:
Expat is a library, written in C, for parsing XML documents. It's the underlying XML parser for the open source Mozilla project, Perl's XML::Parser, Python's xml.parsers.expat, and other open-source XML parsers.
This library is the creation of James Clark
Looking here, it seems to be the same lib: https://github.com/IronLanguages/ironpython2/blob/145200837ecb83536d8b7b9588e77f28fc6ead65/Src/StdLib/Lib/xml/parsers/__init__.py
IronPython does not use the same underlying implementation as CPython.