
Find patches to check Security Scanner false positives

For version 2.3.2 the Magento Security Scanner finds a number of presumed false positives.

(Because these patches are supposed to be included in Magento 2.3)

Where can I find the actual patches that are reported to be missing to compare them with the production code?


API ACL - Failed.
API ACL Patch not detected (APPSEC-1378) - from Magento 2.0.4
API ACL Patch not detected (APPSEC-1408) - from Magento 2.0.6
API ACL Patch not detected (APPSEC-1679) - from Magento 2.1.7

XS Vulnerability - Failed.
Section Loading sanitation not detected (APPSEC-1539) - from Magento 2.1.2
XSS Patch not detected (APPSEC-1716) - from Magento 2.1.14


Re: Find patches to check Security Scanner false positives

Did you find the solution?

Re: Find patches to check Security Scanner false positives

As you can see, nobody answered.

I already searched and gave up finding a solution on my own before posting here.

Re: Find patches to check Security Scanner false positives

The empty POST request to yourdomain/rest/V1/carts/mine/balance/apply is expected to return 401(Unauthorized) response code, the 500 (Internal server error) is returned instead.

If the server will respond with 400, 403, 404 or 503 response code - the scan will finish with 'Unknown' status.

Open this in a browser: yourdomain/rest/V1/carts/mine/balance/apply, which will certainly give the error.

I am facing the same issue and trying to find out the solution. Going from the above post, if anyone manages to get that fixed before me, please post it here.

Hit the Kudos if it seems helpful

 

Thank You
Zuber
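To reproduce the scanner probe described in the reply above against your own store, here is an added example (not Magento's or the Security Scanner's code): it sends the empty, unauthenticated POST to /rest/V1/carts/mine/balance/apply and maps the status code the way the reply states it. The mapping of 401 to "pass" and of 400/403/404/503 to "unknown" is taken from the reply; treating every other code (500 included) as "fail" is an assumption, since the reply only names 500 as the failing case. A 403 returned by a WAF in front of the store would therefore show up as "unknown" rather than as a real result.

```python
import sys
import urllib.error
import urllib.request

# Endpoint named in the reply above; the host is whatever store you test.
PROBE_PATH = "/rest/V1/carts/mine/balance/apply"

# Codes the reply says make the scan finish with 'Unknown' status.
UNKNOWN_CODES = {400, 403, 404, 503}


def classify_status(status):
    """Map an HTTP status code to the scanner verdict stated in the reply.

    401 is the expected answer to an empty unauthenticated POST (pass);
    400/403/404/503 give 'unknown'; anything else (e.g. 500) is treated as
    'fail'. The last rule is an assumption, not scanner documentation.
    """
    if status == 401:
        return "pass"
    if status in UNKNOWN_CODES:
        return "unknown"
    return "fail"


def probe_status(base_url, timeout=10):
    """Send the empty POST and return the HTTP status code (needs network)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + PROBE_PATH, data=b"", method="POST"
    )
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # Non-2xx answers (401, 403, 500, ...) arrive as HTTPError; the code is
        # what we want, so it is returned rather than raised.
        return err.code


def probe(base_url):
    """Return (status_code, verdict) for the store at base_url."""
    status = probe_status(base_url)
    return status, classify_status(status)


if __name__ == "__main__":
    # Usage: python probe_balance_apply.py https://yourdomain
    base = sys.argv[1] if len(sys.argv) > 1 else "https://yourdomain"
    code, verdict = probe(base)
    print(f"POST {PROBE_PATH}: HTTP {code} -> {verdict}")
```

If the script reports 500, look at the store's exception log for the request rather than at the patch list, since the scanner is reacting to the error response, not to the absence of the patch itself.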

Re: Find patches to check Security Scanner false positives

Which one of the 5 patches are you referring to?

Where did you find this information?

Re: Find patches to check Security Scanner false positives

Which one of the 5 patches are you referring to? Zuber - What does this mean? I didn't mention anything about the patch. Sorry, but it's a little bit precarious.

 

Where did you find this information? Zuber - I submitted the same error to Magento support and one of their developers sent this to me.

Re: Find patches to check Security Scanner false positives

This is about 5 error messages for 5 "missing" patches.

Which of them do you refer to?

 

  1. API ACL Patch not detected (APPSEC-1378) - from Magento 2.0.4
  2. API ACL Patch not detected (APPSEC-1408) - from Magento 2.0.6
  3. API ACL Patch not detected (APPSEC-1679) - from Magento 2.1.7
  4. Section Loading sanitation not detected (APPSEC-1539) - from Magento 2.1.2
  5. XSS Patch not detected (APPSEC-1716) - from Magento 2.1.14

 

The 5 scans did not seem to have returned with an "unknown" status but with a "failed" status.

 

(Sorry for the late answer. It seems this forum does not send me an email when a reply happens.)

Re: Find patches to check Security Scanner false positives

We also have this issue on 2.3.2 but only with the first 3 patches flagging as failed.

 

Did you find a solution to this problem?

Re: Find patches to check Security Scanner false positives

I'm just waiting for an answer here as there is nothing else I can do.

Re: Find patches to check Security Scanner false positives

Hello.

 

Forgive my ignorance if my answers aren't what you are looking for.

 

You asked "Where can I find the actual patches that are reported to be missing to compare them with the production code?"

 

The patches for different version of Magento can be found through this webpage: https://magento.com/security/patches

 

To find a specific patch such as for version 2.0.4 which you mentioned, type in the APPSEC-1378 "code" in your favorite search engine to get a direct url like this one: https://magento.com/security/patches/magento-2.0.4-security-update

then since you are using the Community Edition, scroll down to the Community Edition heading and proceed from there.

 

If I understood you correctly, this is what you are looking for.

 

One more thing before you proceed: I had a similar issue where the Magento Security Scanner showed that I was missing patches even though I also had version 2.3.2 installed. It turned out that my Web Application Firewall (WAF) was blocking the Magento Security Scan from checking my website/domain, and therefore I also had false positives. After I allowed the Security Scan IP addresses through my WAF, the patch failures went away.

 

I hope this helps, if not you then someone else.