akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 14 Packages Projects Releases Wiki Activity
Files
efa24fe8babde3e997ba22afbf46e240a69f25b3
Charon/docs/security/SECURITY-EXCEPTION-nebula-v1.9.7.md
GitHub Actions 2b2d907b0c fix: enhance notifications and validation features 
- Added URL validation for notification providers to ensure only valid http/https URLs are accepted.
- Implemented tests for URL validation scenarios in the Notifications component.
- Updated translations for error messages related to invalid URLs in multiple languages.
- Introduced new hooks for managing security headers and access lists in tests.
- Enhanced the ProviderForm component to reset state correctly when switching between add and edit modes.
- Improved user feedback with update indicators after saving changes to notification providers.
- Added mock implementations for new hooks in various test files to ensure consistent testing behavior.
2026-02-10 22:01:45 +00:00

64 lines
2.8 KiB
Markdown
Raw Blame History

# Security Exception: Nebula v1.9.7 (GHSA-69x3-g4r3-p962)
**Date:** 2026-02-10
**Status:** ACCEPTED RISK
**CVE:** GHSA-69x3-g4r3-p962
**Severity:** High
**Package:** github.com/slackhq/nebula@v1.9.7
**Fixed Version:** v1.10.3
## Decision
Accept the High severity vulnerability in nebula v1.9.7 as a documented known issue.
## Rationale
- Nebula is a transitive dependency via CrowdSec bouncer -> ipstore chain
- Upgrading to v1.10.3 breaks compilation:
- smallstep/certificates removed nebula APIs (NebulaCAPool, NewCAPoolFromBytes, etc.)
- ipstore missing GetAndDelete method compatibility
- No compatible upstream versions exist as of 2026-02-10
- Patching dependencies during build is high-risk and fragile
- High severity risk classification applies to vulnerabilities within our control
- This is an upstream dependency management issue beyond our immediate control
## Dependency Chain
- Caddy (xcaddy builder)
- github.com/hslatman/caddy-crowdsec-bouncer@v0.9.2
- github.com/hslatman/ipstore@v0.3.0
- github.com/slackhq/nebula@v1.9.7 (vulnerable)
## Exploitability Assessment
- Nebula is present in Docker image build artifacts
- Used by CrowdSec bouncer for IP address management
- Attack surface: [Requires further analysis - see monitoring plan]
## Monitoring Plan
Watch for upstream fixes in:
- github.com/hslatman/caddy-crowdsec-bouncer (primary)
- github.com/hslatman/ipstore (secondary)
- github.com/smallstep/certificates (nebula API compatibility)
- github.com/slackhq/nebula (direct upgrade if dependency chain updates)
Check quarterly (or when Dependabot/security scans alert):
- CrowdSec bouncer releases: https://github.com/hslatman/caddy-crowdsec-bouncer/releases
- ipstore releases: https://github.com/hslatman/ipstore/releases
- smallstep/certificates releases: https://github.com/smallstep/certificates/releases
## Remediation Trigger
Revisit and remediate when ANY of:
- caddy-crowdsec-bouncer releases version with nebula v1.10.3+ support
- smallstep/certificates releases version compatible with nebula v1.10.3
- ipstore releases version fixing GetAndDelete compatibility
- GHSA-69x3-g4r3-p962 severity escalates to CRITICAL
- Proof-of-concept exploit published targeting Charon's attack surface
## Alternative Mitigation (Future)
If upstream remains stalled:
- Consider removing CrowdSec bouncer plugin (loss of CrowdSec integration)
- Evaluate alternative IP blocking/rate limiting solutions
- Implement CrowdSec integration at reverse proxy layer instead of Caddy
## References
- CVE Details: https://github.com/advisories/GHSA-69x3-g4r3-p962
- Analysis Report: [docs/reports/nebula_upgrade_analysis.md](../reports/nebula_upgrade_analysis.md)
- Version Test Results: [docs/reports/nebula_upgrade_analysis.md](../reports/nebula_upgrade_analysis.md#6-version-compatibility-test-results)
Reference in New Issue View Git Blame Copy Permalink