CWE-706
Use of Incorrectly-Resolved Name or Reference
The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
CVE-2023-28628 (GCVE-0-2023-28628)
Vulnerability from cvelistv5 – Published: 2023-03-27 20:20 – Updated: 2025-02-19 15:21
VLAI
Title
`authority-regex` returns the wrong authority in lambdaisland/uri
Summary
lambdaisland/uri is a pure Clojure/ClojureScript URI library. In versions prior to 1.14.120 `authority-regex` allows an attacker to send malicious URLs to be parsed by the `lambdaisland/uri` and return the wrong authority. This issue is similar to but distinct from CVE-2020-8910. The regex in question doesn't handle the backslash (`\`) character in the username correctly, leading to a wrong output. ex. a payload of `https://example.com\\@google.com` would return that the host is `google.com`, but the correct host should be `example.com`. Given that the library returns the wrong authority this may be abused to bypass host restrictions depending on how the library is used in an application. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
5.4 (Medium)
CWE
- CWE-706 - Use of Incorrectly-Resolved Name or Reference
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/lambdaisland/uri/security/advi… | x_refsource_CONFIRM |
| https://github.com/lambdaisland/uri/commit/f46db3… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| lambdaisland | uri |
Affected:
< 1.14.120
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T13:43:23.634Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5"
},
{
"name": "https://github.com/lambdaisland/uri/commit/f46db3e84846f79e14bfee0101d9c7a872321820",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/lambdaisland/uri/commit/f46db3e84846f79e14bfee0101d9c7a872321820"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28628",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T15:20:56.651241Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T15:21:18.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "uri",
"vendor": "lambdaisland",
"versions": [
{
"status": "affected",
"version": "\u003c 1.14.120"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "lambdaisland/uri is a pure Clojure/ClojureScript URI library. In versions prior to 1.14.120 `authority-regex` allows an attacker to send malicious URLs to be parsed by the `lambdaisland/uri` and return the wrong authority. This issue is similar to but distinct from CVE-2020-8910. The regex in question doesn\u0027t handle the backslash (`\\`) character in the username correctly, leading to a wrong output. ex. a payload of `https://example.com\\\\@google.com` would return that the host is `google.com`, but the correct host should be `example.com`. Given that the library returns the wrong authority this may be abused to bypass host restrictions depending on how the library is used in an application. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-706",
"description": "CWE-706: Use of Incorrectly-Resolved Name or Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-27T20:20:08.358Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5"
},
{
"name": "https://github.com/lambdaisland/uri/commit/f46db3e84846f79e14bfee0101d9c7a872321820",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lambdaisland/uri/commit/f46db3e84846f79e14bfee0101d9c7a872321820"
}
],
"source": {
"advisory": "GHSA-cp4w-6x4w-v2h5",
"discovery": "UNKNOWN"
},
"title": "`authority-regex` returns the wrong authority in lambdaisland/uri"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-28628",
"datePublished": "2023-03-27T20:20:08.358Z",
"dateReserved": "2023-03-20T12:19:47.207Z",
"dateUpdated": "2025-02-19T15:21:18.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28643 (GCVE-0-2023-28643)
Vulnerability from cvelistv5 – Published: 2023-03-30 18:31 – Updated: 2025-02-11 18:54
VLAI
Title
Potential share collision for recipients when caching is enabled in nextcloud server
Summary
Nextcloud server is an open source home cloud implementation. In affected versions when a recipient receives 2 shares with the same name, while a memory cache is configured, the second share will replace the first one instead of being renamed to `{name} (2)`. It is recommended that the Nextcloud Server is upgraded to 25.0.3 or 24.0.9. Users unable to upgrade should avoid sharing 2 folders with the same name to the same user.
Severity
5.5 (Medium)
CWE
- CWE-706 - Use of Incorrectly-Resolved Name or Reference
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/server/issues/34015 | x_refsource_MISC |
| https://github.com/nextcloud/server/pull/36047 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nextcloud | security-advisories |
Affected:
< 24.0.9
Affected: >= 25.0.0, < 25.0.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T13:43:23.546Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hhq4-4pr8-wm27",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hhq4-4pr8-wm27"
},
{
"name": "https://github.com/nextcloud/server/issues/34015",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nextcloud/server/issues/34015"
},
{
"name": "https://github.com/nextcloud/server/pull/36047",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nextcloud/server/pull/36047"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28643",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T18:52:10.905259Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T18:54:04.606Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003c 24.0.9"
},
{
"status": "affected",
"version": "\u003e= 25.0.0, \u003c 25.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud server is an open source home cloud implementation. In affected versions when a recipient receives 2 shares with the same name, while a memory cache is configured, the second share will replace the first one instead of being renamed to `{name} (2)`. It is recommended that the Nextcloud Server is upgraded to 25.0.3 or 24.0.9. Users unable to upgrade should avoid sharing 2 folders with the same name to the same user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-706",
"description": "CWE-706: Use of Incorrectly-Resolved Name or Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-30T18:31:31.609Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hhq4-4pr8-wm27",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hhq4-4pr8-wm27"
},
{
"name": "https://github.com/nextcloud/server/issues/34015",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/server/issues/34015"
},
{
"name": "https://github.com/nextcloud/server/pull/36047",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/server/pull/36047"
}
],
"source": {
"advisory": "GHSA-hhq4-4pr8-wm27",
"discovery": "UNKNOWN"
},
"title": "Potential share collision for recipients when caching is enabled in nextcloud server"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-28643",
"datePublished": "2023-03-30T18:31:31.609Z",
"dateReserved": "2023-03-20T12:19:47.209Z",
"dateUpdated": "2025-02-11T18:54:04.606Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-42125 (GCVE-0-2023-42125)
Vulnerability from cvelistv5 – Published: 2024-05-03 02:13 – Updated: 2024-09-20 19:07
VLAI
Title
Avast Premium Security Sandbox Protection Link Following Privilege Escalation Vulnerability
Summary
Avast Premium Security Sandbox Protection Link Following Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Avast Premium Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the implementation of the sandbox feature. By creating a symbolic link, an attacker can abuse the service to create arbitrary namespace objects. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.
. Was ZDI-CAN-20383.
Severity
7.8 (High)
CWE
- CWE-706 - Use of Incorrectly-Resolved Name or Reference
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Avast | Premium Security |
Affected:
Avast Premium Security 22.12.6044 (build 22.12.7758.769)
|
Date Public
2023-09-27 22:21
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:avast:premium_security:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "premium_security",
"vendor": "avast",
"versions": [
{
"status": "affected",
"version": "22.12.6044 (build 22.12.7758.769)"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-42125",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-10T20:42:08.317986Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T19:07:41.026Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:16:50.537Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ZDI-23-1475",
"tags": [
"x_research-advisory",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1475/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Premium Security",
"vendor": "Avast",
"versions": [
{
"status": "affected",
"version": "Avast Premium Security 22.12.6044 (build 22.12.7758.769)"
}
]
}
],
"dateAssigned": "2023-09-06T21:25:45.534Z",
"datePublic": "2023-09-27T22:21:28.201Z",
"descriptions": [
{
"lang": "en",
"value": "Avast Premium Security Sandbox Protection Link Following Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Avast Premium Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the sandbox feature. By creating a symbolic link, an attacker can abuse the service to create arbitrary namespace objects. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.\n. Was ZDI-CAN-20383."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-706",
"description": "CWE-706: Use of Incorrectly-Resolved Name or Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T18:30:13.844Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-23-1475",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1475/"
}
],
"source": {
"lang": "en",
"value": "Abdelhamid Naceri"
},
"title": "Avast Premium Security Sandbox Protection Link Following Privilege Escalation Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2023-42125",
"datePublished": "2024-05-03T02:13:31.242Z",
"dateReserved": "2023-09-06T21:14:24.437Z",
"dateUpdated": "2024-09-20T19:07:41.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-42451 (GCVE-0-2023-42451)
Vulnerability from cvelistv5 – Published: 2023-09-19 15:56 – Updated: 2024-09-24 20:36
VLAI
Title
Mastodon Invalid Domain Name Normalization vulnerability
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue.
Severity
7.4 (High)
CWE
- CWE-706 - Use of Incorrectly-Resolved Name or Reference
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mastodon/mastodon/security/adv… | x_refsource_CONFIRM |
| https://github.com/mastodon/mastodon/commit/eeab3… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:23:38.773Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667"
},
{
"name": "https://github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-42451",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T20:35:55.298815Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T20:36:19.326Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mastodon",
"vendor": "mastodon",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.14"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.0.10"
},
{
"status": "affected",
"version": "\u003e= 4.1.0, \u003c 4.1.8"
},
{
"status": "affected",
"version": "\u003e= 4.2.0-beta1, \u003c 4.2.0-rc2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-706",
"description": "CWE-706: Use of Incorrectly-Resolved Name or Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-19T15:56:46.962Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667"
},
{
"name": "https://github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8"
}
],
"source": {
"advisory": "GHSA-v3xf-c9qf-j667",
"discovery": "UNKNOWN"
},
"title": "Mastodon Invalid Domain Name Normalization vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-42451",
"datePublished": "2023-09-19T15:56:46.962Z",
"dateReserved": "2023-09-08T20:57:45.573Z",
"dateUpdated": "2024-09-24T20:36:19.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27292 (GCVE-0-2024-27292)
Vulnerability from cvelistv5 – Published: 2024-02-29 21:56 – Updated: 2024-08-02 19:27
VLAI
Title
Docassemble unauthorized access through URL manipulation
Summary
Docassemble is an expert system for guided interviews and document assembly. The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects versions 1.4.53 to 1.4.96. The vulnerability has been patched in version 1.4.97 of the master branch.
Severity
7.5 (High)
CWE
- CWE-706 - Use of Incorrectly-Resolved Name or Reference
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/jhpyle/docassemble/security/ad… | x_refsource_CONFIRM |
| https://github.com/jhpyle/docassemble/commit/97f7… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jhpyle | docassemble |
Affected:
>= 1.4.53, < 1.4.97
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:27:59.932Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/jhpyle/docassemble/security/advisories/GHSA-jq57-3w7p-vwvv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jhpyle/docassemble/security/advisories/GHSA-jq57-3w7p-vwvv"
},
{
"name": "https://github.com/jhpyle/docassemble/commit/97f77dc486a26a22ba804765bfd7058aabd600c9",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jhpyle/docassemble/commit/97f77dc486a26a22ba804765bfd7058aabd600c9"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jhpyle:docassemble:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "docassemble",
"vendor": "jhpyle",
"versions": [
{
"lessThan": "1.4.97",
"status": "affected",
"version": "1.4.53",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27292",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T19:26:12.962251Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T19:27:42.423Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "docassemble",
"vendor": "jhpyle",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.4.53, \u003c 1.4.97"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Docassemble is an expert system for guided interviews and document assembly. The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects versions 1.4.53 to 1.4.96. The vulnerability has been patched in version 1.4.97 of the master branch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-706",
"description": "CWE-706: Use of Incorrectly-Resolved Name or Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-29T21:56:39.897Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jhpyle/docassemble/security/advisories/GHSA-jq57-3w7p-vwvv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jhpyle/docassemble/security/advisories/GHSA-jq57-3w7p-vwvv"
},
{
"name": "https://github.com/jhpyle/docassemble/commit/97f77dc486a26a22ba804765bfd7058aabd600c9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jhpyle/docassemble/commit/97f77dc486a26a22ba804765bfd7058aabd600c9"
}
],
"source": {
"advisory": "GHSA-jq57-3w7p-vwvv",
"discovery": "UNKNOWN"
},
"title": "Docassemble unauthorized access through URL manipulation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-27292",
"datePublished": "2024-02-29T21:56:39.897Z",
"dateReserved": "2024-02-22T18:08:38.874Z",
"dateUpdated": "2024-08-02T19:27:42.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27295 (GCVE-0-2024-27295)
Vulnerability from cvelistv5 – Published: 2024-03-01 15:37 – Updated: 2024-08-28 16:24
VLAI
Title
Directus MySQL accent insensitive email matching
Summary
Directus is a real-time API and App dashboard for managing SQL database content. The password reset mechanism of the Directus backend allows attackers to receive a password reset email of a victim user, specifically having it arrive at a similar email address as the victim with a one or more characters changed to use accents. This is due to the fact that by default MySQL/MariaDB are configured for accent-insensitive and case-insensitive comparisons. This vulnerability is fixed in version 10.8.3.
Severity
8.2 (High)
CWE
- CWE-706 - Use of Incorrectly-Resolved Name or Reference
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/directus/directus/security/adv… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:28:00.402Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/directus/directus/security/advisories/GHSA-qw9g-7549-7wg5",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/directus/directus/security/advisories/GHSA-qw9g-7549-7wg5"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:directus:directus:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "directus",
"vendor": "directus",
"versions": [
{
"lessThan": "10.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27295",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-05T19:45:59.512255Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T16:24:04.094Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "directus",
"vendor": "directus",
"versions": [
{
"status": "affected",
"version": "\u003c 10.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Directus is a real-time API and App dashboard for managing SQL database content. The password reset mechanism of the Directus backend allows attackers to receive a password reset email of a victim user, specifically having it arrive at a similar email address as the victim with a one or more characters changed to use accents. This is due to the fact that by default MySQL/MariaDB are configured for accent-insensitive and case-insensitive comparisons. This vulnerability is fixed in version 10.8.3.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-706",
"description": "CWE-706: Use of Incorrectly-Resolved Name or Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-01T15:37:09.617Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/directus/directus/security/advisories/GHSA-qw9g-7549-7wg5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/directus/directus/security/advisories/GHSA-qw9g-7549-7wg5"
}
],
"source": {
"advisory": "GHSA-qw9g-7549-7wg5",
"discovery": "UNKNOWN"
},
"title": "Directus MySQL accent insensitive email matching"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-27295",
"datePublished": "2024-03-01T15:37:09.617Z",
"dateReserved": "2024-02-22T18:08:38.874Z",
"dateUpdated": "2024-08-28T16:24:04.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35198 (GCVE-0-2024-35198)
Vulnerability from cvelistv5 – Published: 2024-07-18 22:40 – Updated: 2024-08-07 16:00
VLAI
Title
TorchServe bypass allowed_urls configuration
Summary
TorchServe is a flexible and easy-to-use tool for serving and scaling PyTorch models in production. TorchServe 's check on allowed_urls configuration can be by-passed if the URL contains characters such as ".." but it does not prevent the model from being downloaded into the model store. Once a file is downloaded, it can be referenced without providing a URL the second time, which effectively bypasses the allowed_urls security check. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected. This issue in TorchServe has been fixed by validating the URL without characters such as ".." before downloading see PR #3082. TorchServe release 0.11.0 includes the fix to address this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
9.8 (Critical)
CWE
- CWE-706 - Use of Incorrectly-Resolved Name or Reference
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/pytorch/serve/security/advisor… | x_refsource_CONFIRM |
| https://github.com/pytorch/serve/pull/3082 | x_refsource_MISC |
| https://github.com/pytorch/serve/releases/tag/v0.11.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35198",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T16:58:05.654373Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T16:58:12.450Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:07:46.750Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/pytorch/serve/security/advisories/GHSA-wxcx-gg9c-fwp2",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pytorch/serve/security/advisories/GHSA-wxcx-gg9c-fwp2"
},
{
"name": "https://github.com/pytorch/serve/pull/3082",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pytorch/serve/pull/3082"
},
{
"name": "https://github.com/pytorch/serve/releases/tag/v0.11.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pytorch/serve/releases/tag/v0.11.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "serve",
"vendor": "pytorch",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.4.2, \u003c 0.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TorchServe is a flexible and easy-to-use tool for serving and scaling PyTorch models in production. TorchServe \u0027s check on allowed_urls configuration can be by-passed if the URL contains characters such as \"..\" but it does not prevent the model from being downloaded into the model store. Once a file is downloaded, it can be referenced without providing a URL the second time, which effectively bypasses the allowed_urls security check. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected. This issue in TorchServe has been fixed by validating the URL without characters such as \"..\" before downloading see PR #3082. TorchServe release 0.11.0 includes the fix to address this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-706",
"description": "CWE-706: Use of Incorrectly-Resolved Name or Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-07T16:00:46.093Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pytorch/serve/security/advisories/GHSA-wxcx-gg9c-fwp2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pytorch/serve/security/advisories/GHSA-wxcx-gg9c-fwp2"
},
{
"name": "https://github.com/pytorch/serve/pull/3082",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pytorch/serve/pull/3082"
},
{
"name": "https://github.com/pytorch/serve/releases/tag/v0.11.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pytorch/serve/releases/tag/v0.11.0"
}
],
"source": {
"advisory": "GHSA-wxcx-gg9c-fwp2",
"discovery": "UNKNOWN"
},
"title": "TorchServe bypass allowed_urls configuration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-35198",
"datePublished": "2024-07-18T22:40:08.176Z",
"dateReserved": "2024-05-10T14:24:24.343Z",
"dateUpdated": "2024-08-07T16:00:46.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45305 (GCVE-0-2024-45305)
Vulnerability from cvelistv5 – Published: 2024-09-02 16:30 – Updated: 2024-09-03 14:12
VLAI
Title
gix-path uses local config across repos when it is the highest scope
Summary
gix-path is a crate of the gitoxide project dealing with git paths and their conversions. `gix-path` executes `git` to find the path of a configuration file that belongs to the `git` installation itself, but mistakenly treats the local repository's configuration as system-wide if no higher scoped configuration is found. In rare cases, this causes a less trusted repository to be treated as more trusted, or leaks sensitive information from one repository to another, such as sending credentials to another repository's remote. In `gix_path::env`, the underlying implementation of the `installation_config` and `installation_config_prefix` functions calls `git config -l --show-origin` and parses the first line of the output to extract the path to the configuration file holding the configuration variable of highest scope. It is believed to be very difficult to exploit this vulnerability deliberately, due to the need either to anticipate a situation in which higher-scoped configuration variables would be absent, or to arrange for this to happen. Although any operating system may be affected, users running Apple Git on macOS are much less likely to be affected. This issue has been addressed in release version 0.10.10. All users are advised to upgrade.
Severity
CWE
- CWE-706 - Use of Incorrectly-Resolved Name or Reference
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/Byron/gitoxide/security/adviso… | x_refsource_CONFIRM |
| https://git-scm.com/docs/git-config#SCOPES | x_refsource_MISC |
| https://github.com/Byron/gitoxide/blob/12251eb052… | x_refsource_MISC |
| https://github.com/Byron/gitoxide/blob/12251eb052… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:byron:gitoxide:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "gitoxide",
"vendor": "byron",
"versions": [
{
"lessThan": "0.10.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45305",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-03T13:50:56.774992Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T14:12:44.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gitoxide",
"vendor": "Byron",
"versions": [
{
"status": "affected",
"version": "\u003c 0.10.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "gix-path is a crate of the gitoxide project dealing with git paths and their conversions. `gix-path` executes `git` to find the path of a configuration file that belongs to the `git` installation itself, but mistakenly treats the local repository\u0027s configuration as system-wide if no higher scoped configuration is found. In rare cases, this causes a less trusted repository to be treated as more trusted, or leaks sensitive information from one repository to another, such as sending credentials to another repository\u0027s remote. In `gix_path::env`, the underlying implementation of the `installation_config` and `installation_config_prefix` functions calls `git config -l --show-origin` and parses the first line of the output to extract the path to the configuration file holding the configuration variable of highest scope. It is believed to be very difficult to exploit this vulnerability deliberately, due to the need either to anticipate a situation in which higher-scoped configuration variables would be absent, or to arrange for this to happen. Although any operating system may be affected, users running Apple Git on macOS are much less likely to be affected. This issue has been addressed in release version 0.10.10. All users are advised to upgrade."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-706",
"description": "CWE-706: Use of Incorrectly-Resolved Name or Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-02T16:30:25.446Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Byron/gitoxide/security/advisories/GHSA-v26r-4c9c-h3j6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-v26r-4c9c-h3j6"
},
{
"name": "https://git-scm.com/docs/git-config#SCOPES",
"tags": [
"x_refsource_MISC"
],
"url": "https://git-scm.com/docs/git-config#SCOPES"
},
{
"name": "https://github.com/Byron/gitoxide/blob/12251eb052df30105538fa831e641eea557f13d8/gix-path/src/env/git/mod.rs#L112",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Byron/gitoxide/blob/12251eb052df30105538fa831e641eea557f13d8/gix-path/src/env/git/mod.rs#L112"
},
{
"name": "https://github.com/Byron/gitoxide/blob/12251eb052df30105538fa831e641eea557f13d8/gix-path/src/env/git/mod.rs#L91",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Byron/gitoxide/blob/12251eb052df30105538fa831e641eea557f13d8/gix-path/src/env/git/mod.rs#L91"
}
],
"source": {
"advisory": "GHSA-v26r-4c9c-h3j6",
"discovery": "UNKNOWN"
},
"title": "gix-path uses local config across repos when it is the highest scope"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45305",
"datePublished": "2024-09-02T16:30:25.446Z",
"dateReserved": "2024-08-26T18:25:35.443Z",
"dateUpdated": "2024-09-03T14:12:44.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51746 (GCVE-0-2024-51746)
Vulnerability from cvelistv5 – Published: 2024-11-05 18:54 – Updated: 2024-11-05 20:30
VLAI
Title
Use of incorrect Rekor entries during verification in gitsign
Summary
Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. gitsign may select the wrong Rekor entry to use during online verification when multiple entries are returned by the log. gitsign uses Rekor's search API to fetch entries that apply to a signature being verified. The parameters used for the search are the public key and the payload. The search API returns entries that match either condition rather than both. When gitsign's credential cache is used, there can be multiple entries that use the same ephemeral keypair / signing certificate. As gitsign assumes both conditions are matched by Rekor, there is no additional validation that the entry's hash matches the payload being verified, meaning that the wrong entry can be used to successfully pass verification. Impact is minimal as while gitsign does not match the payload against the entry, it does ensure that the certificate matches. This would need to be exploited during the certificate validity window (10 minutes) by the key holder.
Severity
CWE
- CWE-706 - Use of Incorrectly-Resolved Name or Reference
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/sigstore/gitsign/security/advi… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sigstore:gitsign:*:*:*:*:*:go:*:*"
],
"defaultStatus": "unknown",
"product": "gitsign",
"vendor": "sigstore",
"versions": [
{
"lessThan": "0.11.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-51746",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-05T20:18:07.672798Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T20:30:02.393Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gitsign",
"vendor": "sigstore",
"versions": [
{
"status": "affected",
"version": "\u003c 0.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. gitsign may select the wrong Rekor entry to use during online verification when multiple entries are returned by the log. gitsign uses Rekor\u0027s search API to fetch entries that apply to a signature being verified. The parameters used for the search are the public key and the payload. The search API returns entries that match either condition rather than both. When gitsign\u0027s credential cache is used, there can be multiple entries that use the same ephemeral keypair / signing certificate. As gitsign assumes both conditions are matched by Rekor, there is no additional validation that the entry\u0027s hash matches the payload being verified, meaning that the wrong entry can be used to successfully pass verification. Impact is minimal as while gitsign does not match the payload against the entry, it does ensure that the certificate matches. This would need to be exploited during the certificate validity window (10 minutes) by the key holder."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 1.8,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-706",
"description": "CWE-706: Use of Incorrectly-Resolved Name or Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T18:54:58.135Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sigstore/gitsign/security/advisories/GHSA-8pmp-678w-c8xx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sigstore/gitsign/security/advisories/GHSA-8pmp-678w-c8xx"
}
],
"source": {
"advisory": "GHSA-8pmp-678w-c8xx",
"discovery": "UNKNOWN"
},
"title": "Use of incorrect Rekor entries during verification in gitsign"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-51746",
"datePublished": "2024-11-05T18:54:39.494Z",
"dateReserved": "2024-10-31T14:12:45.790Z",
"dateUpdated": "2024-11-05T20:30:02.393Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52515 (GCVE-0-2024-52515)
Vulnerability from cvelistv5 – Published: 2024-11-15 17:03 – Updated: 2024-11-15 17:32
VLAI
Title
Nextcloud Server has incomplete sanitization of SVG files allows to embed other images into previews
Summary
Nextcloud Server is a self hosted personal cloud system. After an admin enables the default-disabled SVG preview provider, a malicious user could upload a manipulated SVG file referencing paths. If the file would exist the preview of the SVG would preview the other file instead. It is recommended that the Nextcloud Server is upgraded to 27.1.10, 28.0.6 or 29.0.1 and Nextcloud Enterprise Server is upgraded to 24.0.12.15, 25.0.13.10, 26.0.13.4, 27.1.10, 28.0.6 or 29.0.1.
Severity
5.7 (Medium)
CWE
- CWE-706 - Use of Incorrectly-Resolved Name or Reference
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/server/pull/45340 | x_refsource_MISC |
| https://github.com/nextcloud/server/commit/7e1c30… | x_refsource_MISC |
| https://hackerone.com/reports/2484499 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nextcloud | security-advisories |
Affected:
>= 29.0.0, < 29.0.1
Affected: >= 28.0.0, < 28.0.6 Affected: >= 27.0.0, < 27.1.10 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52515",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-15T17:32:28.374271Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T17:32:49.770Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 29.0.0, \u003c 29.0.1"
},
{
"status": "affected",
"version": "\u003e= 28.0.0, \u003c 28.0.6"
},
{
"status": "affected",
"version": "\u003e= 27.0.0, \u003c 27.1.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud Server is a self hosted personal cloud system. After an admin enables the default-disabled SVG preview provider, a malicious user could upload a manipulated SVG file referencing paths. If the file would exist the preview of the SVG would preview the other file instead. It is recommended that the Nextcloud Server is upgraded to 27.1.10, 28.0.6 or 29.0.1 and Nextcloud Enterprise Server is upgraded to 24.0.12.15, 25.0.13.10, 26.0.13.4, 27.1.10, 28.0.6 or 29.0.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-706",
"description": "CWE-706: Use of Incorrectly-Resolved Name or Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T17:03:09.033Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5m5g-hw8c-2236",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5m5g-hw8c-2236"
},
{
"name": "https://github.com/nextcloud/server/pull/45340",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/server/pull/45340"
},
{
"name": "https://github.com/nextcloud/server/commit/7e1c30f82a63fbea8c269e0eec38291377f32604",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/server/commit/7e1c30f82a63fbea8c269e0eec38291377f32604"
},
{
"name": "https://hackerone.com/reports/2484499",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/2484499"
}
],
"source": {
"advisory": "GHSA-5m5g-hw8c-2236",
"discovery": "UNKNOWN"
},
"title": "Nextcloud Server has incomplete sanitization of SVG files allows to embed other images into previews"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52515",
"datePublished": "2024-11-15T17:03:09.033Z",
"dateReserved": "2024-11-11T18:49:23.559Z",
"dateUpdated": "2024-11-15T17:32:49.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
No mitigation information available for this CWE.
CAPEC-159: Redirect Access to Libraries
An adversary exploits a weakness in the way an application searches for external libraries to manipulate the execution flow to point to an adversary supplied library or code base. This pattern of attack allows the adversary to compromise the application or server via the execution of unauthorized code. An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. If an adversary can redirect an application's attempts to access these libraries to other libraries that the adversary supplies, the adversary will be able to force the targeted application to execute arbitrary code. This is especially dangerous if the targeted application has enhanced privileges. Access can be redirected through a number of techniques, including the use of symbolic links, search path modification, and relative path manipulation.
CAPEC-177: Create files with the same name as files protected with a higher classification
An attacker exploits file location algorithms in an operating system or application by creating a file with the same name as a protected or privileged file. The attacker could manipulate the system if the attacker-created file is trusted by the operating system or an application component that attempts to load the original file. Applications often load or include external files, such as libraries or configuration files. These files should be protected against malicious manipulation. However, if the application only uses the name of the file when locating it, an attacker may be able to create a file with the same name and place it in a directory that the application will search before the directory with the legitimate file is searched. Because the attackers' file is discovered first, it would be used by the target application. This attack can be extremely destructive if the referenced file is executable and/or is granted special privileges based solely on having a particular name.
CAPEC-48: Passing Local Filenames to Functions That Expect a URL
This attack relies on client side code to access local files and resources instead of URLs. When the client browser is expecting a URL string, but instead receives a request for a local file, that execution is likely to occur in the browser process space with the browser's authority to local files. The attacker can send the results of this request to the local files out to a site that they control. This attack may be used to steal sensitive authentication data (either local or remote), or to gain system profile information to launch further attacks.
CAPEC-641: DLL Side-Loading
An adversary places a malicious version of a Dynamic-Link Library (DLL) in the Windows Side-by-Side (WinSxS) directory to trick the operating system into loading this malicious DLL instead of a legitimate DLL. Programs specify the location of the DLLs to load via the use of WinSxS manifests or DLL redirection and if they aren't used then Windows searches in a predefined set of directories to locate the file. If the applications improperly specify a required DLL or WinSxS manifests aren't explicit about the characteristics of the DLL to be loaded, they can be vulnerable to side-loading.