Here’s info on newly discovered SQL injection vulns found in Masa and Mura, which (before being revealed publicly) have been fixed by the Masa team though not yet by the Mura team (after 90 days of the researcher attempting to reach them).
More here:
Despite the title, it’s not at all specific to Apple. It’s just that Apple is running Mura (or Masa–it’s not clear), and they are running it on Lucee. FWIW, it would seem the issue is not specific to Lucee, either.
But I will leave others to sort things out. I just wanted to bring it to the attention of folks here, as I got notified just now of this post.
If you’re running Masa, you’ll want to get the update that resolves the issue. If you’re running Mura, you’ll want to bring this to the attention of your Mura contacts to try to get resolution from them–or if you may have the Mura source, perhaps you can compare your code to what’s reported here and fixed by Masa.