Fix 3 detected vulnerabilities

[vicentebolea]

OSSF scan found 3 existing vulnerabilities. Need to check the detailed reports and fix based on severity.

Likely involves updating dependencies or addressing flagged code patterns.

Reference: https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#vulnerabilities

[eisenhauer]

Is there a link to these detailed reports?

[vicentebolea]

Is there a link to these detailed reports?

The report is here: https://github.com/sbelsk/ADIOS2-scorecard/actions/runs/18666278324/artifacts/4321998168

I opened a meta-issue here #4675

[eisenhauer]

I was hoping for detail on the "3 existing vulnerabilities".

[vicentebolea]

I will post them here shortly, we need to integrate another tool to see the results of that specific test

[vicentebolea]

Scorecard detailed results for Vulnerabilities (7/10):

Warn: Project is vulnerable to: GHSA-6p56-wp2h-9hxr
Warn: Project is vulnerable to: GHSA-fpfv-jqm9-f5jm
Warn: Project is vulnerable to: PYSEC-2021-856

Detailed Analysis of Detected Vulnerabilities

1. GHSA-6p56-wp2h-9hxr (CVE-2021-33430)

Vulnerability: NumPy Buffer Overflow
Severity: Moderate (CVSS 6.0)
Affected: NumPy 1.9.0 through 1.20.x
Patched in: NumPy 1.21+

The vulnerability exists in PyArray_NewFromDescr_int when handling arrays with over 32 dimensions. However, the NumPy developers dispute the practical severity, noting that:

• Exploitation requires unusual API usage with complex structured data types
• A user capable of triggering this would already have privileges to cause DoS through memory exhaustion
• The exploit probability is very low (0.189%)

ADIOS2 Assessment Needed:

• Verify which NumPy versions are used in development/testing environments
• Review if ADIOS2's Python bindings create arrays with structured dtypes that could approach 32 dimensions
• Determine if upgrading to NumPy >= 1.21 is feasible for all supported Python environments

Given the disputed status and low exploit probability, this appears to be low risk for ADIOS2, but dependency versions should be documented.

2. GHSA-fpfv-jqm9-f5jm (CVE-2021-34141)

Vulnerability: Incorrect Comparison in NumPy
Severity: Moderate (CVSS 5.3)
Affected: NumPy < 1.22
Patched in: NumPy 1.22+

The vulnerability involves incomplete string comparison in numpy.core that allows attackers to cause API failures by crafting malicious string objects.

Impact:

• Network-based attack vector, no authentication required
• Low availability impact only (no confidentiality/integrity risk)
• EPSS score of 0.065% indicates minimal exploitation likelihood

ADIOS2 Assessment Needed:

• Check if ADIOS2's Python API accepts user-provided strings that are passed to NumPy functions
• Review if any network-facing components use NumPy string operations
• Consider upgrading to NumPy >= 1.22 where feasible

This appears to be low risk unless ADIOS2 processes untrusted string input through NumPy APIs.

3. PYSEC-2021-856 (CVE-2021-41495)

Vulnerability: NumPy Null Pointer Dereference
Severity: Not specified (DoS capable)
Affected: NumPy < 1.19.1
Patched in: NumPy 1.19.1+
Also tracked as: GHSA-5545-2q6w-2gh6

The vulnerability exists in the PyArray_DescrNew function due to missing return-value validation. Attackers can trigger DoS by repetitively creating sort arrays.

ADIOS2 Assessment Needed:

• Verify minimum NumPy version requirements in ADIOS2 Python bindings
• Check if ADIOS2 code paths involve sorting operations that could be exploited
• Review whether users can trigger repeated array sort operations through the Python API
• Update dependency requirements to enforce NumPy >= 1.19.1 if not already required

This is the oldest of the three vulnerabilities (fixed in 1.19.1 vs 1.21/1.22 for the others) and should be straightforward to address through minimum version requirements.

Summary

All three vulnerabilities are in NumPy (dependency) rather than ADIOS2 code. Recommended actions:

1. Document current NumPy version requirements
2. Consider setting minimum NumPy version to 1.22+ (addresses all three)
3. Assess actual risk based on ADIOS2's usage patterns
4. Update documentation if minimum versions need to be increased