Publish Advisories

GHSA-v62p-cjv8-35xh GHSA-5r4x-qc7q-vj27 GHSA-hm8g-jxjj-gfm3 GHSA-9g6g-xqv5-8g5w GHSA-49cc-xrjf-9qf7
github · Nov 21, 2024 · 10b01e7 · 10b01e7
1 parent 24d0766
commit 10b01e7
Show file tree

Hide file tree

Showing 5 changed files with 202 additions and 32 deletions.
diff --git a/...A-v62p-cjv8-35xh/GHSA-v62p-cjv8-35xh.json → ...A-v62p-cjv8-35xh/GHSA-v62p-cjv8-35xh.json b/...A-v62p-cjv8-35xh/GHSA-v62p-cjv8-35xh.json → ...A-v62p-cjv8-35xh/GHSA-v62p-cjv8-35xh.json
@@ -1,23 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-v62p-cjv8-35xh",
-  "modified": "2022-04-23T00:40:09Z",
+  "modified": "2024-11-21T23:19:17Z",
   "published": "2022-04-23T00:40:09Z",
   "aliases": [
     "CVE-2012-0051"
   ],
+  "summary": "Tahoe-LAFS fails to ensure integrity",
   "details": "Tahoe-LAFS 1.9.0 fails to ensure integrity which allows remote attackers to corrupt mutable files or directories upon retrieval.",
   "severity": [
 
   ],
   "affected": [
-
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "tahoe-lafs"
+      },
+      "versions": [
+        "1.9.0"
+      ]
+    }
   ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0051"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tahoe-lafs/PYSEC-2019-253.yaml"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/tahoe-lafs/tahoe-lafs"
+    },
     {
       "type": "WEB",
       "url": "https://security-tracker.debian.org/tracker/CVE-2012-0051"
@@ -48,8 +65,8 @@
 
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2024-11-21T23:19:17Z",
     "nvd_published_at": "2019-11-07T18:15:00Z"
   }
 }
diff --git a/...A-5r4x-qc7q-vj27/GHSA-5r4x-qc7q-vj27.json → ...A-5r4x-qc7q-vj27/GHSA-5r4x-qc7q-vj27.json b/...A-5r4x-qc7q-vj27/GHSA-5r4x-qc7q-vj27.json → ...A-5r4x-qc7q-vj27/GHSA-5r4x-qc7q-vj27.json
@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5r4x-qc7q-vj27",
-  "modified": "2022-05-02T04:01:39Z",
+  "modified": "2024-11-21T23:19:39Z",
   "published": "2022-05-02T04:01:39Z",
   "aliases": [
     "CVE-2009-5145"
   ],
+  "summary": "Zope Cross-site scripting (XSS) vulnerability in ZMI pages",
   "details": "Cross-site scripting (XSS) vulnerability in ZMI pages that use the manage_tabs_message in Zope 2.11.4, 2.11.2, 2.10.9, 2.10.7, 2.10.6, 2.10.5, 2.10.4, 2.10.2, 2.10.1, 2.12.",
   "severity": [
     {
@@ -14,7 +15,25 @@
     }
   ],
   "affected": [
-
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "Zope2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.12.5"
+            }
+          ]
+        }
+      ]
+    }
   ],
   "references": [
     {
@@ -31,28 +50,32 @@
     },
     {
       "type": "WEB",
-      "url": "https://security-tracker.debian.org/tracker/CVE-2009-5145"
+      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/zope/PYSEC-2017-148.yaml"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/zopefoundation/Zope"
     },
     {
       "type": "WEB",
-      "url": "http://cve.killedkenny.io/cve/CVE-2009-5145"
+      "url": "https://security-tracker.debian.org/tracker/CVE-2009-5145"
     },
     {
       "type": "WEB",
-      "url": "http://www.openwall.com/lists/oss-security/2015/03/02/7"
+      "url": "http://cve.killedkenny.io/cve/CVE-2009-5145"
     },
     {
       "type": "WEB",
-      "url": "http://www.securityfocus.com/bid/72792/info"
+      "url": "http://www.openwall.com/lists/oss-security/2015/03/02/7"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-79"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2024-11-21T23:19:39Z",
     "nvd_published_at": "2017-08-07T17:29:00Z"
   }
 }
diff --git a/...A-hm8g-jxjj-gfm3/GHSA-hm8g-jxjj-gfm3.json → ...A-hm8g-jxjj-gfm3/GHSA-hm8g-jxjj-gfm3.json b/...A-hm8g-jxjj-gfm3/GHSA-hm8g-jxjj-gfm3.json → ...A-hm8g-jxjj-gfm3/GHSA-hm8g-jxjj-gfm3.json
@@ -1,17 +1,55 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hm8g-jxjj-gfm3",
-  "modified": "2022-05-01T07:20:57Z",
+  "modified": "2024-11-21T23:19:22Z",
   "published": "2022-05-01T07:20:57Z",
   "aliases": [
     "CVE-2006-4684"
   ],
+  "summary": "Zope allows remote attackers to read arbitrary files",
   "details": "The docutils module in Zope (Zope2) 2.7.0 through 2.7.9 and 2.8.0 through 2.8.8 does not properly handle web pages with reStructuredText (reST) markup, which allows remote attackers to read arbitrary files via a csv_table directive, a different vulnerability than CVE-2006-3458.",
   "severity": [
 
   ],
   "affected": [
-
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "zope2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.7.0"
+            },
+            {
+              "last_affected": "2.7.9"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "zope2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.8.0"
+            },
+            {
+              "fixed": "2.8.9"
+            }
+          ]
+        }
+      ]
+    }
   ],
   "references": [
     {
@@ -20,28 +58,20 @@
     },
     {
       "type": "WEB",
-      "url": "http://mail.zope.org/pipermail/zope-announce/2006-August/002005.html"
+      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/zope2/PYSEC-2006-8.yaml"
     },
     {
-      "type": "WEB",
-      "url": "http://secunia.com/advisories/21947"
+      "type": "PACKAGE",
+      "url": "https://github.com/zopefoundation/Zope"
     },
     {
       "type": "WEB",
-      "url": "http://secunia.com/advisories/21953"
+      "url": "http://mail.zope.org/pipermail/zope-announce/2006-August/002005.html"
     },
     {
       "type": "WEB",
       "url": "http://www.debian.org/security/2006/dsa-1176"
     },
-    {
-      "type": "WEB",
-      "url": "http://www.securityfocus.com/bid/20022"
-    },
-    {
-      "type": "WEB",
-      "url": "http://www.vupen.com/english/advisories/2006/3653"
-    },
     {
       "type": "WEB",
       "url": "http://www.zope.org/Products/Zope/Hotfix-2006-08-21/Hotfix-20060821/README.txt"
@@ -52,8 +82,8 @@
 
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2024-11-21T23:19:22Z",
     "nvd_published_at": "2006-09-19T18:07:00Z"
   }
 }
diff --git a/...A-9g6g-xqv5-8g5w/GHSA-9g6g-xqv5-8g5w.json → ...A-9g6g-xqv5-8g5w/GHSA-9g6g-xqv5-8g5w.json b/...A-9g6g-xqv5-8g5w/GHSA-9g6g-xqv5-8g5w.json → ...A-9g6g-xqv5-8g5w/GHSA-9g6g-xqv5-8g5w.json
@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9g6g-xqv5-8g5w",
-  "modified": "2024-11-21T21:33:30Z",
+  "modified": "2024-11-21T23:19:51Z",
   "published": "2024-06-25T21:31:15Z",
   "aliases": [
     "CVE-2024-37820"
   ],
+  "summary": "PingCAP TiDB nil pointer dereference",
   "details": "A nil pointer dereference in PingCAP TiDB v8.2.0-alpha-216-gfe5858b allows attackers to crash the application via expression.inferCollation.",
   "severity": [
     {
@@ -14,7 +15,25 @@
     }
   ],
   "affected": [
-
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/pingcap/tidb"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "8.2.0"
+            }
+          ]
+        }
+      ]
+    }
   ],
   "references": [
     {
@@ -25,18 +44,26 @@
       "type": "WEB",
       "url": "https://github.com/pingcap/tidb/issues/53580"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pingcap/tidb/commit/3d68bd21240c610c6307713e2bd54a5e71c32608"
+    },
     {
       "type": "WEB",
       "url": "https://gist.github.com/ycybfhb/a9c1e14ce281f2f553adca84d384b761"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/pingcap/tidb"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-476"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2024-11-21T23:19:51Z",
     "nvd_published_at": "2024-06-25T19:15:11Z"
   }
 }
diff --git a/advisories/github-reviewed/2024/11/GHSA-49cc-xrjf-9qf7/GHSA-49cc-xrjf-9qf7.json b/advisories/github-reviewed/2024/11/GHSA-49cc-xrjf-9qf7/GHSA-49cc-xrjf-9qf7.json
@@ -0,0 +1,73 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-49cc-xrjf-9qf7",
+  "modified": "2024-11-21T23:19:07Z",
+  "published": "2024-11-21T23:19:07Z",
+  "aliases": [
+    "CVE-2024-52309"
+  ],
+  "summary": "SFTPGo allows administrators to restrict command execution from the EventManager",
+  "details": "### Impact\n\nOne powerful feature of SFTPGo is the ability to have the EventManager execute scripts or run applications in response to certain events.\nThis feature is very common in all software similar to SFTPGo and is generally unrestricted. \n\nHowever, any SFTPGo administrator with permission to run a script has access to the underlying OS/container with the same permissions as the user running SFTPGo.\n\nThis is unexpected for some SFTPGo administrators who think that there is a clear distinction between accessing the system shell and accessing the SFTPGo WebAdmin UI.\n\n### Patches\n\nTo avoid this confusion, running system commands is now disabled by default, and an allow list has been added so that system administrators configuring SFTPGo must explicitly define which commands are allowed to be configured from the WebAdmin UI.\n\nhttps://github.com/drakkan/sftpgo/commit/88b1850b5806eee81150873d4e565144b21021fb\nhttps://github.com/drakkan/sftpgo/commit/b524da11e9466d05fe03304713ee1c61bb276ec4\n\n### Workarounds\n\nAllow EventManager to be used only by SFTPGo administrators who also have shell access.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/drakkan/sftpgo/v2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.4.0"
+            },
+            {
+              "fixed": "2.6.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-49cc-xrjf-9qf7"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52309"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/drakkan/sftpgo/commit/88b1850b5806eee81150873d4e565144b21021fb"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/drakkan/sftpgo/commit/b524da11e9466d05fe03304713ee1c61bb276ec4"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/drakkan/sftpgo"
+    },
+    {
+      "type": "WEB",
+      "url": "https://pkg.go.dev/vuln/GO-2024-3283"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2024-11-21T23:19:07Z",
+    "nvd_published_at": null
+  }
+}