-
Notifications
You must be signed in to change notification settings - Fork 343
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
GHSA-22c5-cpvr-cfvq GHSA-25w9-wqfq-gwqx GHSA-2r87-74cx-2p7c GHSA-4pjc-pwgq-q9jp GHSA-75mx-hw5q-pvx3 GHSA-7prj-hgx4-2xc3 GHSA-cxrx-q234-m22m GHSA-fqj6-whhx-47p7 GHSA-ghw8-3xqw-hhcj GHSA-r279-47wg-chpr GHSA-xx68-37v4-4596 GHSA-75mx-hw5q-pvx3 GHSA-cxrx-q234-m22m GHSA-ghw8-3xqw-hhcj
- Loading branch information
1 parent
1c81bb6
commit 1406fd4
Showing
14 changed files
with
569 additions
and
149 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
103 changes: 103 additions & 0 deletions
103
advisories/github-reviewed/2024/12/GHSA-2r87-74cx-2p7c/GHSA-2r87-74cx-2p7c.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,103 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-2r87-74cx-2p7c", | ||
| "modified": "2024-12-12T19:21:06Z", | ||
| "published": "2024-12-12T19:21:06Z", | ||
| "aliases": [ | ||
| "CVE-2024-55877" | ||
| ], | ||
| "summary": "XWiki allows remote code execution from account through macro descriptions and XWiki.XWikiSyntaxMacrosList", | ||
| "details": "### Impact\nAny user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation.\n\nTo reproduce on a instance, as a connected user without script nor programming rights, go to your user profile and add an object of type `XWiki.WikiMacroClass`. Set \"Macro Id\", \"Macro Name\" and \"Macro Code\" to any value, \"Macro Visibility\" to `Current User` and \"Macro Description\" to `{{async}}{{groovy}}println(\"Hello from User macro!\"){{/groovy}}{{/async}}`.\nSave the page, then go to `<host>/xwiki/bin/view/XWiki/XWikiSyntaxMacrosList`.\nIf the description of your new macro reads \"Hello from User macro!\", then your instance is vulnerable.\n\n### Patches\nThis vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0.\n\n### Workarounds\nIt is possible to manually apply [this patch](https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3#diff-92fee29683e671b8bc668e3cf4295713d6259f715e3954876049f9de77c0a9ef) to the page `XWiki.XWikiSyntaxMacrosList`.\n\n### References\n\n* https://jira.xwiki.org/browse/XWIKI-22030\n* https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" | ||
| } | ||
| ], | ||
| "affected": [ | ||
| { | ||
| "package": { | ||
| "ecosystem": "Maven", | ||
| "name": "org.xwiki.platform:xwiki-platform-help-ui" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "9.7-rc-1" | ||
| }, | ||
| { | ||
| "fixed": "15.10.11" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "package": { | ||
| "ecosystem": "Maven", | ||
| "name": "org.xwiki.platform:xwiki-platform-help-ui" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "16.0.0-rc-1" | ||
| }, | ||
| { | ||
| "fixed": "16.4.1" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "package": { | ||
| "ecosystem": "Maven", | ||
| "name": "org.xwiki.platform:xwiki-platform-help-ui" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "16.5.0-rc-1" | ||
| }, | ||
| { | ||
| "fixed": "16.5.0" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2r87-74cx-2p7c" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3" | ||
| }, | ||
| { | ||
| "type": "PACKAGE", | ||
| "url": "https://github.com/xwiki/xwiki-platform" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://jira.xwiki.org/browse/XWIKI-22030" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-96" | ||
| ], | ||
| "severity": "CRITICAL", | ||
| "github_reviewed": true, | ||
| "github_reviewed_at": "2024-12-12T19:21:06Z", | ||
| "nvd_published_at": null | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
73 changes: 73 additions & 0 deletions
73
advisories/github-reviewed/2024/12/GHSA-75mx-hw5q-pvx3/GHSA-75mx-hw5q-pvx3.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-75mx-hw5q-pvx3", | ||
| "modified": "2024-12-12T19:19:33Z", | ||
| "published": "2024-12-12T03:33:05Z", | ||
| "aliases": [ | ||
| "CVE-2024-55587" | ||
| ], | ||
| "summary": "python-libarchive directory traversal", | ||
| "details": "python-libarchive through 4.2.1 allows directory traversal (to create files) in extract in zip.py for ZipFile.extractall and ZipFile.extract.", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" | ||
| }, | ||
| { | ||
| "type": "CVSS_V4", | ||
| "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" | ||
| } | ||
| ], | ||
| "affected": [ | ||
| { | ||
| "package": { | ||
| "ecosystem": "PyPI", | ||
| "name": "python-libarchive" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "last_affected": "4.2.1" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55587" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/smartfile/python-libarchive/issues/42" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/smartfile/python-libarchive/pull/41" | ||
| }, | ||
| { | ||
| "type": "PACKAGE", | ||
| "url": "https://github.com/smartfile/python-libarchive" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/smartfile/python-libarchive/blob/c7677411bfc4ab5701d343bc6ebd9e35c990e80e/libarchive/zip.py#L107" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-22" | ||
| ], | ||
| "severity": "HIGH", | ||
| "github_reviewed": true, | ||
| "github_reviewed_at": "2024-12-12T19:19:33Z", | ||
| "nvd_published_at": "2024-12-12T02:08:22Z" | ||
| } | ||
| } |
55 changes: 55 additions & 0 deletions
55
advisories/github-reviewed/2024/12/GHSA-7prj-hgx4-2xc3/GHSA-7prj-hgx4-2xc3.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-7prj-hgx4-2xc3", | ||
| "modified": "2024-12-12T19:20:26Z", | ||
| "published": "2024-12-12T19:20:26Z", | ||
| "aliases": [], | ||
| "summary": "Potential Vulnerabilities Due to Outdated golang.org/x/crypto Dependency in NanoProxy", | ||
| "details": "A security issue was identified in the NanoProxy project related to the `golang.org/x/crypto` dependency. The project was using an outdated version of this dependency, which potentially exposed the system to security vulnerabilities that have been addressed in subsequent updates.\n\nImpact:\nThe specific vulnerabilities in the outdated version of `golang.org/x/crypto` could include authorization bypasses, data breaches, or other security risks. These vulnerabilities can be exploited by attackers to compromise the integrity, confidentiality, or availability of the system.\n\nResolution:\nThe issue has been fixed in NanoProxy by upgrading the `golang.org/x/crypto` dependency to version 0.31.0. Users are strongly encouraged to update their instances of NanoProxy to include this fix and ensure they are using the latest secure version of all dependencies.\n\nFixed Version:\n* `golang.org/x/crypto` upgraded to version 0.31.0.", | ||
| "severity": [], | ||
| "affected": [ | ||
| { | ||
| "package": { | ||
| "ecosystem": "Go", | ||
| "name": "github.com/ryanbekhen/nanoproxy" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "0.15.0" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/ryanbekhen/nanoproxy/security/advisories/GHSA-7prj-hgx4-2xc3" | ||
| }, | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45337" | ||
| }, | ||
| { | ||
| "type": "PACKAGE", | ||
| "url": "https://github.com/ryanbekhen/nanoproxy" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-1395", | ||
| "CWE-285" | ||
| ], | ||
| "severity": "HIGH", | ||
| "github_reviewed": true, | ||
| "github_reviewed_at": "2024-12-12T19:20:26Z", | ||
| "nvd_published_at": null | ||
| } | ||
| } |
Oops, something went wrong.