Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit b75f168733a9 · 2024-11-18T23:49:13.000Z
GHSA-g85v-wf27-67xc GHSA-hw9x-8m75-4vjq GHSA-xcpr-7mr4-h4xq GHSA-xcpr-7mr4-h4xq
diff --git a/advisories/github-reviewed/2024/11/GHSA-g85v-wf27-67xc/GHSA-g85v-wf27-67xc.json b/advisories/github-reviewed/2024/11/GHSA-g85v-wf27-67xc/GHSA-g85v-wf27-67xc.json
@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g85v-wf27-67xc",
+  "modified": "2024-11-18T23:48:26Z",
+  "published": "2024-11-18T23:48:26Z",
+  "aliases": [
+    "CVE-2024-52587"
+  ],
+  "summary": "Harden-Runner has a command injection weaknesses in `setup.ts` and `arc-runner.ts`",
+  "details": "### Summary\n\nVersions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under specific conditions. However, due to the current execution order of pre-steps in GitHub Actions and the placement of harden-runner as the first step in a job, the likelihood of exploitation is low as the Harden-Runner action reads the environment variable during the pre-step stage. There are no known exploits at this time. \n\n### Details\n\n1. setup.ts:169 [1]  performs `execSync` with a command that gets\ninvoked after interpretation by the shell. This command includes an\ninterpolated `process.env.USER` variable, which an attacker could\nmodify (without actually creating a new user) to inject arbitrary\nshell expressions into this `execSync`. This may or may not be likely\nin practice, but I believe the hygienic way to perform the underlying\noperation is to use `execFileSync` or similar and bypass the\nunderlying shell evaluation.\n\n2. setup.ts:229 [2] has a nearly identical `execSync` to (1) above,\nbut with `$USER` for shell-level interpolation rather than string\ninterpolation. However, this is still injectable and would be best\nreplaced by an `execFileSync`, per above.\n\n3. arc-runner:40-44 [3] has an `execSync` with multiple string\ninterpolations. Most of these do not appear immediately injectible\n(since they appear to come from presumed trusted API responses), but\nthe expansion of `getRunnerTempDir()` may be injectable due to its\ndependence on potentially attacker-controllable environment variables\n(e.g. `RUNNER_TEMP`). The underlying operation appears to be a trivial\nfile copy, so this entire subprocess should in theory be replaceable\nwith ordinary NodeJS `fs` API calls instead.\n\n4. arc-runner:53 [4] demonstrates the same weakness, and has the same\nresolution as (3).\n\n5. arc-runner:57 demonstrates the same weakness as (3) and (4), and\nhas the same resolution.\n\n6. arc-runner:61 demonstrates the same weakness as (3), (4), and (5),\nand has the same resolution.\n\n\n[1]: https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/setup.ts#L169\n\n[2]: https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/setup.ts#L229\n\n[3]: https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L40-L44\n\n[4]: https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L53\n\n[5]: https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L57\n\n[6]: https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L61",
+  "severity": [
+
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "GitHub Actions",
+        "name": "step-security/harden-runner"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.10.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/step-security/harden-runner/security/advisories/GHSA-g85v-wf27-67xc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/step-security/harden-runner/commit/0080882f6c36860b6ba35c610c98ce87d4e2f26f"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/step-security/harden-runner"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2024-11-18T23:48:26Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2024/11/GHSA-hw9x-8m75-4vjq/GHSA-hw9x-8m75-4vjq.json b/advisories/github-reviewed/2024/11/GHSA-hw9x-8m75-4vjq/GHSA-hw9x-8m75-4vjq.json
@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hw9x-8m75-4vjq",
-  "modified": "2024-11-18T18:30:48Z",
+  "modified": "2024-11-18T23:48:11Z",
   "published": "2024-11-12T21:30:55Z",
   "aliases": [
     "CVE-2024-51093"
   ],
+  "summary": "Cross Site Scripting vulnerability in Snipe-IT",
   "details": "Cross Site Scripting vulnerability in Snipe-IT v.7.0.13 allows a remote attacker to escalate privileges via an unknown part of the file /users/{{user-id}}/#files.",
   "severity": [
     {
@@ -14,7 +15,25 @@
     }
   ],
   "affected": [
-
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "snipe/snipe-it"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "7.0.13"
+            }
+          ]
+        }
+      ]
+    }
   ],
   "references": [
     {
@@ -24,15 +43,19 @@
     {
       "type": "WEB",
       "url": "https://gist.githubusercontent.com/Tommywarren/ca70f1c43f4ec34dc19cd13459535780/raw/d13192ae50bc7c024b922412dfa3f530faa8d5db/CVE-2024-51093"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/snipe/snipe-it"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-79"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2024-11-18T23:48:11Z",
     "nvd_published_at": "2024-11-12T21:15:14Z"
   }
 }
diff --git a/advisories/github-reviewed/2024/11/GHSA-xcpr-7mr4-h4xq/GHSA-xcpr-7mr4-h4xq.json b/advisories/github-reviewed/2024/11/GHSA-xcpr-7mr4-h4xq/GHSA-xcpr-7mr4-h4xq.json
@@ -0,0 +1,114 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xcpr-7mr4-h4xq",
+  "modified": "2024-11-18T23:48:03Z",
+  "published": "2024-11-18T12:30:43Z",
+  "aliases": [
+    "CVE-2024-52316"
+  ],
+  "summary": "Apache Tomcat - Authentication Bypass",
+  "details": "Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95.\n\nUsers are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.tomcat:tomcat-catalina"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "9.0.96"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.tomcat:tomcat-catalina"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.1.0-M1"
+            },
+            {
+              "fixed": "10.1.30"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.tomcat:tomcat-catalina"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "11.0.0-M1"
+            },
+            {
+              "fixed": "11.0.1"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 11.0.0-M26"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52316"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/tomcat/commit/6d097a66746635df6880fe7662a792156b0eca14"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/tomcat/commit/7532f9dc4a8c37ec958f79dc82c4924a6c539223"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/tomcat/commit/acc2f01395f895980f5d8a64573fcc1bade13369"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/tomcat"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/lopzlqh91jj9n334g02om08sbysdb928"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-391"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2024-11-18T23:48:03Z",
+    "nvd_published_at": "2024-11-18T12:15:18Z"
+  }
+}
diff --git a/advisories/unreviewed/2024/11/GHSA-xcpr-7mr4-h4xq/GHSA-xcpr-7mr4-h4xq.json b/advisories/unreviewed/2024/11/GHSA-xcpr-7mr4-h4xq/GHSA-xcpr-7mr4-h4xq.json
