Github considers bootstrap 3.4.0 as insecure

[GeyseR]

Github considers Bootstrap 3.4.0 an insecure dependency via its security vulnerability alerts tool. It points to the NVD CVE-2018-14041 page, which shows that only >4.1.2 is secure. Is 3.4.0 safe to use as it has a fix for the npm:bootstrap:20160627 vulnerability or it is something different?

A screenshot from one of our private projects:

[XhmikosR]

I guess someone should submit info that this was also fixed in 3.4.0.

[bardiharborow]

I've sent this off to NIST, who I believe is the responsible party for vulnerable version information:

I'm writing to inform you that the fix for CVE-2018-14041 has been cherry-picked into the Bootstrap v3.4.0 release. The vulnerable versions are now represented by (x < 3.4.0 || 4.0.0-alpha <= x < 4.1.2). You may verify my identity against <https://github.com/orgs/twbs/people> and the fix against <https://github.com/twbs/bootstrap/releases/tag/v3.4.0> and <#27047>. This is my first interaction with your registry, so my apologies if this enquiry is misplaced. Thank you for your time.

[XhmikosR]

Thanks @bardiharborow, let us know how it goes.

[Mx-Glitter]

It seems to be fixed on their end: https://nvd.nist.gov/vuln/detail/CVE-2018-14041#p_lt_WebPartZone1_zoneCenter_pageplaceholder_p_lt_WebPartZone1_zoneCenter_VulnerabilityDetail_VulnFormView_VulnChangeHistoryDiv

[XhmikosR]

Does GitHub still warn about this?

[bardiharborow]

NIST got back to me 9 hours ago with:

Thank you for bringing this to our attention. We appreciate community input in order to provide the most accurate and up-to-date information as possible. After review of the CVEs, the information provided, and the configurations we have made the appropriate modifications. Please allow up to 24 hours for these changes to populate on the website and in the data feeds.

@XhmikosR, do you know why https://snyk.io/vuln/npm:bootstrap:20160627 says < 4.0.0-beta.2 whereas NIST says < 4.1.2? I can see that #23679 was merged in 4.0.0-beta.2, so I'm not sure where NIST got 4.1.2 from...

[XhmikosR]

@bardiharborow: nope. I don't know where they get the info from. One of the two is wrong :P

[xhocquet]

Hey there, hoping to get an additional update added here.

A member of the Debian LTS team checked out earlier versions of bootstrap (one of which we are using) and declared it did not contain the vulnerability: #26627 (comment)

Compare that to the current vulnerability entry: https://nvd.nist.gov/vuln/detail/CVE-2018-14041#VulnChangeHistorySection

Specifically, my company is still using 3.3.7 and is not prepared to upgrade. Github's vulnerability tracker uses this database to notify us that our project is insecure, however based on what I've seen that is not the case.

If a member of the team could confirm the statement by the Debian team member, as well as contact cpe_dictionary@nist.gov regarding any updates, I'm sure many developers would appreciate removing a warning from their Github repos and other security auditing tools using this database.