Shared security patch analysis results
AI Used: claude_cli haiku--- cache/django-DefectDojo_1.5.3/README.md 2025-12-07 16:16:06.086849065 +0000+++ cache/django-DefectDojo_1.5.3.1/README.md 2025-12-07 16:16:06.578880632 +0000@@ -52,7 +52,7 @@  -Realtime discussion is done in the OWASP Slack Channel, #defectdojo. [Get Access.](https://owasp.herokuapp.com/) +Realtime discussion is done in the OWASP Slack Channel, #defectdojo. [Get Access.](http://owaspslack.com/) 
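Review bot: the replacement link downgrades the scheme from `https://owasp.herokuapp.com/` to `http://owaspslack.com/`; a plain-http invite link can be rewritten in transit before it reaches the reader, so use `https://owaspslack.com/` if that host serves TLS, or otherwise confirm the http URL is intended.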
Vulnerability Existed: no
No Security Vulnerability - README.md - Line 55
Old Code:
```
Realtime discussion is done in the OWASP Slack Channel, #defectdojo. [Get Access.](https://owasp.herokuapp.com/)
```
Fixed Code:
```
Realtime discussion is done in the OWASP Slack Channel, #defectdojo. [Get Access.](http://owaspslack.com/)
```
Explanation:
This change updates a documentation link from `https://owasp.herokuapp.com/` to `http://owaspslack.com/`. This is not a security vulnerability fix; it is a documentation update correcting an outdated or incorrect URL reference. The change moves from a Heroku-hosted endpoint to what appears to be the official OWASP Slack domain. This is a maintenance update rather than a security patch.
An issue in OWASP DefectDojo before v.1.5.3.1 allows a remote attacker to escalate privileges via the user permissions component.
--- cache/django-DefectDojo_1.5.3/dojo/settings/settings.dist.py 2025-12-07 16:16:06.114850863 +0000+++ cache/django-DefectDojo_1.5.3.1/dojo/settings/settings.dist.py 2025-12-07 16:16:06.594881658 +0000@@ -148,11 +148,6 @@ LOGIN_URL = '/login' LOGIN_EXEMPT_URLS = ( r'^%sstatic/' % URL_PREFIX,- r'^%swebhook/' % URL_PREFIX,- r'^%smetrics/all$' % URL_PREFIX,- r'^%smetrics$' % URL_PREFIX,- r'^%smetrics/product/type/(?P<mtype>\d+)$' % URL_PREFIX,- r'^%smetrics/simple$' % URL_PREFIX, r'^%sapi/v1/' % URL_PREFIX, r'^%sajax/v1/' % URL_PREFIX, r'^%sreports/cover$' % URL_PREFIX,
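Review bot: dropping `r'^%swebhook/' % URL_PREFIX` from LOGIN_EXEMPT_URLS means the login-required handling will now send inbound webhook calls, which arrive from external systems with no session, to `LOGIN_URL = '/login'` unless the webhook view authenticates its caller itself (for example via a shared secret carried in the request); confirm that view has its own check before merging, and likewise confirm the four metrics views are meant to be session-gated rather than served to an anonymous dashboard. Note that `r'^%sapi/v1/'` stays exempt, so the API must keep enforcing its own key-based authentication.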
Vulnerability Existed: yes
TRUE POSITIVE
Authentication Bypass - CWE-287 - dojo/settings/settings.dist.py - Lines 151-155
Old Code:
```python
LOGIN_EXEMPT_URLS = (
    r'^%sstatic/' % URL_PREFIX,
    r'^%swebhook/' % URL_PREFIX,
    r'^%smetrics/all$' % URL_PREFIX,
    r'^%smetrics$' % URL_PREFIX,
    r'^%smetrics/product/type/(?P<mtype>\d+)$' % URL_PREFIX,
    r'^%smetrics/simple$' % URL_PREFIX,
    r'^%sapi/v1/' % URL_PREFIX,
```
Fixed Code:
```python
LOGIN_EXEMPT_URLS = (
    r'^%sstatic/' % URL_PREFIX,
    r'^%sapi/v1/' % URL_PREFIX,
```
Explanation:
The removed lines exempted several metrics and webhook endpoints from the login requirement, so these endpoints were publicly accessible without authentication:
- `/webhook/` - could allow unauthenticated webhook processing
- `/metrics/all`, `/metrics`, `/metrics/product/type/{mtype}`, `/metrics/simple` - could expose sensitive metrics/analytics data to unauthenticated users
By removing these exemptions, the application now requires authentication for these endpoints, preventing unauthorized access to sensitive webhook functionality and metrics data. This is a security fix that properly restricts access to potentially sensitive endpoints.
--- cache/django-DefectDojo_1.5.3/dojo/user/views.py 2025-12-07 16:16:06.158853685 +0000+++ cache/django-DefectDojo_1.5.3.1/dojo/user/views.py 2025-12-07 16:16:06.626883711 +0000@@ -209,7 +209,7 @@ }) -@user_passes_test(lambda u: u.is_staff)+@user_passes_test(lambda u: u.is_superuser) def add_user(request): form = AddDojoUserForm() if not request.user.is_superuser:@@ -252,7 +252,7 @@ 'to_add': True}) -@user_passes_test(lambda u: u.is_staff)+@user_passes_test(lambda u: u.is_superuser) def edit_user(request, uid): user = get_object_or_404(Dojo_User, id=uid) authed_products = Product.objects.filter(authorized_users__in=[user])@@ -303,7 +303,7 @@ 'to_edit': user}) -@user_passes_test(lambda u: u.is_staff)+@user_passes_test(lambda u: u.is_superuser) def delete_user(request, uid): user = get_object_or_404(Dojo_User, id=uid) form = DeleteUserForm(instance=user)
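Review bot: in the `@@ -209` hunk, the decorator now requires `is_superuser`, which makes the `if not request.user.is_superuser:` branch inside `add_user` unreachable; either delete that branch or keep it with a comment stating it is intentional defense in depth, so a later reader does not assume the decorator is looser than it is.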
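Review bot: in the `@@ -252` hunk, `user_passes_test(lambda u: u.is_superuser)` redirects a failing user to LOGIN_URL rather than returning 403, so an already logged-in staff member who opens `edit_user` lands on the login page with no explanation; consider one named decorator (for instance one that raises `PermissionDenied`) shared by `add_user`, `edit_user` and `delete_user`, so the three views cannot drift apart again the way the old `is_staff` lambdas did.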
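Review bot: in the `@@ -303` hunk, nothing on the visible lines of `delete_user` stops a superuser from deleting their own account or the last remaining superuser; if that guard is not further down in the view, add one, since after this change an accidental deletion of the only superuser would leave nobody able to reach any of these three views.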
Vulnerability Existed: yes
TRUE POSITIVE
Privilege Escalation / Insufficient Access Control - CWE-269 - dojo/user/views.py - Lines 212, 255, 306
Old Code:
```python
@user_passes_test(lambda u: u.is_staff)
def add_user(request):
form = AddDojoUserForm()
if not request.user.is_superuser:
```
```python
@user_passes_test(lambda u: u.is_staff)
def edit_user(request, uid):
```
```python
@user_passes_test(lambda u: u.is_staff)
def delete_user(request, uid):
```
Fixed Code:
```python
@user_passes_test(lambda u: u.is_superuser)
def add_user(request):
form = AddDojoUserForm()
if not request.user.is_superuser:
```
```python
@user_passes_test(lambda u: u.is_superuser)
def edit_user(request, uid):
```
```python
@user_passes_test(lambda u: u.is_superuser)
def delete_user(request, uid):
```
Explanation:
This is a critical privilege escalation vulnerability. The decorators were checking `is_staff` but the function bodies require `is_superuser` privileges (as evidenced by the `is_superuser` check in `add_user`). Staff users who are not superusers could exploit this mismatch to access user management endpoints (`add_user`, `edit_user`, `delete_user`) that should only be accessible to superusers. The fix aligns the decorator authorization level with the actual required privilege level, ensuring only superusers can perform these sensitive operations.
--- cache/django-DefectDojo_1.5.3/requirements.txt 2025-12-07 16:16:06.158853685 +0000+++ cache/django-DefectDojo_1.5.3.1/requirements.txt 2025-12-07 16:16:06.630883968 +0000@@ -36,7 +36,7 @@ urllib3==1.22 vobject==0.9.5 asteval==0.9.12-Markdown>=2.6.11+Markdown==2.6.11 pandas>=0.22.0 django-dbbackup>=3.2.0 django-markdownx>=2.0.23
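Review bot: pinning `Markdown==2.6.11` while the neighbouring lines keep `pandas>=0.22.0`, `django-dbbackup>=3.2.0` and `django-markdownx>=2.0.23` as open-ended ranges gives an inconsistent policy: an exact pin on one package does not make the install reproducible, and an exact pin without hashes does not detect a tampered artifact of that same version. If reproducibility is the goal, pin the whole file and generate it with hashes (installed via `pip install --require-hashes`); if the goal is only to avoid Markdown 3.x API changes, `Markdown>=2.6.11,<3` states that intent without freezing out security updates.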
Vulnerability Existed: yes
FALSE POSITIVE
Incorrect Dependency Pinning - CWE-1104 (Use of Unmaintained Third Party Components) - requirements.txt - Line 39
Old Code:
```
Markdown>=2.6.11
```
Fixed Code:
```
Markdown==2.6.11
```
Explanation:
The original code used a flexible version constraint (>=2.6.11) for the Markdown library, which allows any version 2.6.11 or higher to be installed. This is a security vulnerability because:
1. **Outdated vulnerable versions**: Markdown 2.6.11 was released in 2017 and contains known security vulnerabilities. Using >= allows installation of this old version.
2. **Dependency confusion**: The flexible constraint can lead to unpredictable behavior if newer versions introduce breaking changes or if a malicious package is published.
3. **Supply chain risk**: Without pinning to a specific version, there is no guarantee that the same code will run with the same dependencies across different environments.
The fix pins Markdown to exactly version 2.6.11 (==2.6.11), ensuring consistent and reproducible builds. However, note that version 2.6.11 itself is quite old (2017) and likely contains vulnerabilities. A more complete security fix would upgrade to a newer, maintained version of Markdown with security patches applied (e.g., Markdown>=3.4.0 or later).
--- cache/django-DefectDojo_1.5.3/setup.py 2025-12-07 16:16:06.158853685 +0000+++ cache/django-DefectDojo_1.5.3.1/setup.py 2025-12-07 16:16:06.630883968 +0000@@ -4,7 +4,7 @@ setup( name='DefectDojo',- version='1.5.2',+ version='1.5.3', author='Greg Anderson', description="Tool for managing vulnerability engagements", install_requires=[@@ -61,7 +61,7 @@ 'pbr', 'django-slack', 'asteval',- 'Markdown>=2.6.11',+ 'Markdown==2.6.11', 'pandas>=0.22.0', 'django-dbbackup>=3.2.0', 'django-markdownx>=2.0.23',
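Review bot: in the `@@ -4` hunk, `version='1.5.3'` lags the tag being diffed (the file paths show 1.5.3.1), so `pip show DefectDojo` on a 1.5.3.1 checkout would report 1.5.3; bump the version in the same commit as the release tag, or derive it from a single source so the two cannot disagree.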
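Review bot: in the `@@ -61` hunk, `'Markdown==2.6.11'` duplicates the pin in requirements.txt; keep both places in sync (or populate install_requires from requirements.txt) so a future bump in one file is not silently undone by the other. As with requirements.txt, an exact pin alone does not verify the downloaded artifact; hash checking does.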
Vulnerability Existed: yes
TRUE POSITIVE
Insecure Dependency Version Pinning - CWE-1104 - setup.py - Line 64
Old Code:
```
'Markdown>=2.6.11',
```
Fixed Code:
```
'Markdown==2.6.11',
```
Explanation:
The original code used `>=2.6.11`, which allows any version of Markdown greater than or equal to 2.6.11 to be installed. This is vulnerable because:
1. **Uncontrolled Dependency Updates**: Future versions of Markdown (2.6.12, 2.7.0, 3.0.0, etc.) could introduce breaking changes, new vulnerabilities, or incompatibilities with DefectDojo's code.
2. **Supply Chain Risk**: An attacker could compromise a newer version of the Markdown package and distribute malicious code to all DefectDojo installations that allow flexible version pinning.
3. **Non-Reproducible Builds**: Different installations at different times may get different versions of Markdown, leading to inconsistent behavior and making it harder to identify and fix version-specific bugs or vulnerabilities.
The fix changes the version specifier to `==2.6.11`, which enforces an exact version match. This ensures:
- Only the tested and validated version is installed
- Reproducible builds across environments
- Protection against unexpected behavior from newer versions
- Explicit control over when Markdown is upgraded (via intentional version bumps in setup.py)
This is a security best practice for managing dependencies in production software, particularly for tools handling sensitive vulnerability data like DefectDojo.