Search criteria
7 vulnerabilities by galaxyproject
CVE-2024-42351 (GCVE-0-2024-42351)
Vulnerability from cvelistv5 – Published: 2024-09-20 18:56 – Updated: 2024-09-20 20:08
VLAI?
Summary
Galaxy is a free, open-source system for analyzing data, authoring workflows, training and education, publishing tools, managing infrastructure, and more. An attacker can potentially replace the contents of public datasets resulting in data loss or tampering. All supported branches of Galaxy (and more back to release_21.05) were amended with the below patch. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
6.5 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| galaxyproject | galaxy |
Affected:
< 21.05
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42351",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T20:07:43.387462Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T20:08:03.491Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "galaxy",
"vendor": "galaxyproject",
"versions": [
{
"status": "affected",
"version": "\u003c 21.05"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Galaxy is a free, open-source system for analyzing data, authoring workflows, training and education, publishing tools, managing infrastructure, and more. An attacker can potentially replace the contents of public datasets resulting in data loss or tampering. All supported branches of Galaxy (and more back to release_21.05) were amended with the below patch. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T18:56:53.987Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/galaxyproject/galaxy/security/advisories/GHSA-5639-cmph-9j4v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/galaxyproject/galaxy/security/advisories/GHSA-5639-cmph-9j4v"
},
{
"name": "https://depot.galaxyproject.org/patch/GX-2024-0001/022da344a02bafd604402ac8e253e0014f6e2e08.patch",
"tags": [
"x_refsource_MISC"
],
"url": "https://depot.galaxyproject.org/patch/GX-2024-0001/022da344a02bafd604402ac8e253e0014f6e2e08.patch"
},
{
"name": "https://depot.galaxyproject.org/patch/GX-2024-0001/15060a6cb222f2fcfc687d0f0260f1eb1b9c757b.patch",
"tags": [
"x_refsource_MISC"
],
"url": "https://depot.galaxyproject.org/patch/GX-2024-0001/15060a6cb222f2fcfc687d0f0260f1eb1b9c757b.patch"
},
{
"name": "https://depot.galaxyproject.org/patch/GX-2024-0001/235f1d8b400708556732b9dda788c919ebf3bb80.patch",
"tags": [
"x_refsource_MISC"
],
"url": "https://depot.galaxyproject.org/patch/GX-2024-0001/235f1d8b400708556732b9dda788c919ebf3bb80.patch"
}
],
"source": {
"advisory": "GHSA-5639-cmph-9j4v",
"discovery": "UNKNOWN"
},
"title": "Possible Data Tampering \u0026 Loss of Public Datasets in Galaxy"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-42351",
"datePublished": "2024-09-20T18:56:53.987Z",
"dateReserved": "2024-07-30T14:01:33.922Z",
"dateUpdated": "2024-09-20T20:08:03.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42346 (GCVE-0-2024-42346)
Vulnerability from cvelistv5 – Published: 2024-09-20 18:53 – Updated: 2024-09-20 20:09
VLAI?
Summary
Galaxy is a free, open-source system for analyzing data, authoring workflows, training and education, publishing tools, managing infrastructure, and more. The editor visualization, /visualizations endpoint, can be used to store HTML tags and trigger javascript execution upon edit operation. All supported branches of Galaxy (and more back to release_20.05) were amended with the supplied patches. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
7.6 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| galaxyproject | galaxy |
Affected:
< 24.1.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42346",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T20:09:17.107200Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T20:09:40.416Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "galaxy",
"vendor": "galaxyproject",
"versions": [
{
"status": "affected",
"version": "\u003c 24.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Galaxy is a free, open-source system for analyzing data, authoring workflows, training and education, publishing tools, managing infrastructure, and more. The editor visualization, /visualizations endpoint, can be used to store HTML tags and trigger javascript execution upon edit operation. All supported branches of Galaxy (and more back to release_20.05) were amended with the supplied patches. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T18:53:01.373Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/galaxyproject/galaxy/security/advisories/GHSA-x6w7-3gwf-qr9r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/galaxyproject/galaxy/security/advisories/GHSA-x6w7-3gwf-qr9r"
}
],
"source": {
"advisory": "GHSA-x6w7-3gwf-qr9r",
"discovery": "UNKNOWN"
},
"title": "Stored Cross Site Scripting (Stored XSS) in Galaxy"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-42346",
"datePublished": "2024-09-20T18:53:01.373Z",
"dateReserved": "2024-07-30T14:01:33.921Z",
"dateUpdated": "2024-09-20T20:09:40.416Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-42812 (GCVE-0-2023-42812)
Vulnerability from cvelistv5 – Published: 2023-09-22 16:07 – Updated: 2024-09-24 14:25
VLAI?
Summary
Galaxy is an open-source platform for FAIR data analysis. Prior to version 22.05, Galaxy is vulnerable to server-side request forgery, which allows a malicious to issue arbitrary HTTP/HTTPS requests from the application server to internal hosts and read their responses. Version 22.05 contains a patch for this issue.
Severity ?
6.3 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| galaxyproject | galaxy |
Affected:
< 22.05
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:30:23.991Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/galaxyproject/galaxy/security/advisories/GHSA-vf5q-r8p9-35xh",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/galaxyproject/galaxy/security/advisories/GHSA-vf5q-r8p9-35xh"
},
{
"name": "https://github.com/galaxyproject/galaxy/blob/06d56c859713b74f1c2e35da1c2fcbbf0a965645/lib/galaxy/files/uris.py",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/galaxyproject/galaxy/blob/06d56c859713b74f1c2e35da1c2fcbbf0a965645/lib/galaxy/files/uris.py"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:galaxyproject:galaxy:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "galaxy",
"vendor": "galaxyproject",
"versions": [
{
"lessThan": "22.05",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-42812",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T14:16:11.186927Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T14:25:37.165Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "galaxy",
"vendor": "galaxyproject",
"versions": [
{
"status": "affected",
"version": "\u003c 22.05"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Galaxy is an open-source platform for FAIR data analysis. Prior to version 22.05, Galaxy is vulnerable to server-side request forgery, which allows a malicious to issue arbitrary HTTP/HTTPS requests from the application server to internal hosts and read their responses. Version 22.05 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-22T16:07:02.731Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/galaxyproject/galaxy/security/advisories/GHSA-vf5q-r8p9-35xh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/galaxyproject/galaxy/security/advisories/GHSA-vf5q-r8p9-35xh"
},
{
"name": "https://github.com/galaxyproject/galaxy/blob/06d56c859713b74f1c2e35da1c2fcbbf0a965645/lib/galaxy/files/uris.py",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/galaxyproject/galaxy/blob/06d56c859713b74f1c2e35da1c2fcbbf0a965645/lib/galaxy/files/uris.py"
}
],
"source": {
"advisory": "GHSA-vf5q-r8p9-35xh",
"discovery": "UNKNOWN"
},
"title": "Galaxy vulnerable to Server Side Request Forgery during data imports"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-42812",
"datePublished": "2023-09-22T16:07:02.731Z",
"dateReserved": "2023-09-14T16:13:33.308Z",
"dateUpdated": "2024-09-24T14:25:37.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-27578 (GCVE-0-2023-27578)
Vulnerability from cvelistv5 – Published: 2023-03-20 19:00 – Updated: 2025-02-25 14:52
VLAI?
Summary
Galaxy is an open-source platform for data analysis. All supported versions of Galaxy are affected prior to 22.01, 22.05, and 23.0 are affected by an insufficient permission check. Unsupported versions are likely affected as far back as the functionality of Visualizations/Pages exists. Due to this issue, an attacker can modify or delete any Galaxy Visualization or Galaxy Page given they know the encoded ID of it. Additionally, they can copy or import any Galaxy Visualization given they know the encoded ID of it. Patches are available for versions 22.01, 22.05, and 23.0. For the changes to take effect, you must restart all Galaxy server processes. There are no supported workarounds.
Severity ?
9.1 (Critical)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| galaxyproject | galaxy |
Affected:
< 22.01
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:16:35.594Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/galaxyproject/galaxy/security/advisories/GHSA-j8q2-r4g5-f22j",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/galaxyproject/galaxy/security/advisories/GHSA-j8q2-r4g5-f22j"
},
{
"name": "https://depot.galaxyproject.org/patch/GX-2022-0002/modify_pages_viz-release_22.01.patch",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://depot.galaxyproject.org/patch/GX-2022-0002/modify_pages_viz-release_22.01.patch"
},
{
"name": "https://depot.galaxyproject.org/patch/GX-2022-0002/modify_pages_viz-release_22.05.patch",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://depot.galaxyproject.org/patch/GX-2022-0002/modify_pages_viz-release_22.05.patch"
},
{
"name": "https://depot.galaxyproject.org/patch/GX-2022-0002/modify_pages_viz-release_23.0.patch",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://depot.galaxyproject.org/patch/GX-2022-0002/modify_pages_viz-release_23.0.patch"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-27578",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T14:30:15.871358Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T14:52:07.791Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "galaxy",
"vendor": "galaxyproject",
"versions": [
{
"status": "affected",
"version": "\u003c 22.01"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Galaxy is an open-source platform for data analysis. All supported versions of Galaxy are affected prior to 22.01, 22.05, and 23.0 are affected by an insufficient permission check. Unsupported versions are likely affected as far back as the functionality of Visualizations/Pages exists. Due to this issue, an attacker can modify or delete any Galaxy Visualization or Galaxy Page given they know the encoded ID of it. Additionally, they can copy or import any Galaxy Visualization given they know the encoded ID of it. Patches are available for versions 22.01, 22.05, and 23.0. For the changes to take effect, you must restart all Galaxy server processes. There are no supported workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-20T19:00:58.106Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/galaxyproject/galaxy/security/advisories/GHSA-j8q2-r4g5-f22j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/galaxyproject/galaxy/security/advisories/GHSA-j8q2-r4g5-f22j"
},
{
"name": "https://depot.galaxyproject.org/patch/GX-2022-0002/modify_pages_viz-release_22.01.patch",
"tags": [
"x_refsource_MISC"
],
"url": "https://depot.galaxyproject.org/patch/GX-2022-0002/modify_pages_viz-release_22.01.patch"
},
{
"name": "https://depot.galaxyproject.org/patch/GX-2022-0002/modify_pages_viz-release_22.05.patch",
"tags": [
"x_refsource_MISC"
],
"url": "https://depot.galaxyproject.org/patch/GX-2022-0002/modify_pages_viz-release_22.05.patch"
},
{
"name": "https://depot.galaxyproject.org/patch/GX-2022-0002/modify_pages_viz-release_23.0.patch",
"tags": [
"x_refsource_MISC"
],
"url": "https://depot.galaxyproject.org/patch/GX-2022-0002/modify_pages_viz-release_23.0.patch"
}
],
"source": {
"advisory": "GHSA-j8q2-r4g5-f22j",
"discovery": "UNKNOWN"
},
"title": "Galaxy vulnerable to unauthorized modification of pages/visualizations due to insufficient permission check"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-27578",
"datePublished": "2023-03-20T19:00:58.106Z",
"dateReserved": "2023-03-04T01:03:53.632Z",
"dateUpdated": "2025-02-25T14:52:07.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-10062 (GCVE-0-2015-10062)
Vulnerability from cvelistv5 – Published: 2023-01-17 18:58 – Updated: 2024-08-06 08:58
VLAI?
Summary
A vulnerability, which was classified as problematic, was found in galaxy-data-resource up to 14.10.0. This affects an unknown part of the component Command Line Template. The manipulation leads to injection. Upgrading to version 14.10.1 is able to address this issue. The patch is named 50d65f45d3f5be5d1fbff2e45ac5cec075f07d42. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-218451.
Severity ?
5.5 (Medium)
5.5 (Medium)
CWE
- CWE-74 - Injection
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | galaxy-data-resource |
Affected:
14.0
Affected: 14.1 Affected: 14.2 Affected: 14.3 Affected: 14.4 Affected: 14.5 Affected: 14.6 Affected: 14.7 Affected: 14.8 Affected: 14.9 Affected: 14.10 |
Credits
VulDB GitHub Commit Analyzer
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:58:26.346Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.218451"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.218451"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/blankenberg/galaxy-data-resource/commit/50d65f45d3f5be5d1fbff2e45ac5cec075f07d42"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/blankenberg/galaxy-data-resource/releases/tag/v14.10.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"modules": [
"Command Line Template"
],
"product": "galaxy-data-resource",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "14.0"
},
{
"status": "affected",
"version": "14.1"
},
{
"status": "affected",
"version": "14.2"
},
{
"status": "affected",
"version": "14.3"
},
{
"status": "affected",
"version": "14.4"
},
{
"status": "affected",
"version": "14.5"
},
{
"status": "affected",
"version": "14.6"
},
{
"status": "affected",
"version": "14.7"
},
{
"status": "affected",
"version": "14.8"
},
{
"status": "affected",
"version": "14.9"
},
{
"status": "affected",
"version": "14.10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "tool",
"value": "VulDB GitHub Commit Analyzer"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as problematic, was found in galaxy-data-resource up to 14.10.0. This affects an unknown part of the component Command Line Template. The manipulation leads to injection. Upgrading to version 14.10.1 is able to address this issue. The patch is named 50d65f45d3f5be5d1fbff2e45ac5cec075f07d42. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-218451."
},
{
"lang": "de",
"value": "Es wurde eine problematische Schwachstelle in galaxy-data-resource bis 14.10.0 gefunden. Hiervon betroffen ist ein unbekannter Codeblock der Komponente Command Line Template. Mit der Manipulation mit unbekannten Daten kann eine injection-Schwachstelle ausgenutzt werden. Ein Aktualisieren auf die Version 14.10.1 vermag dieses Problem zu l\u00f6sen. Der Patch wird als 50d65f45d3f5be5d1fbff2e45ac5cec075f07d42 bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.2,
"vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-20T08:34:27.566Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.218451"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.218451"
},
{
"tags": [
"patch"
],
"url": "https://github.com/blankenberg/galaxy-data-resource/commit/50d65f45d3f5be5d1fbff2e45ac5cec075f07d42"
},
{
"tags": [
"patch"
],
"url": "https://github.com/blankenberg/galaxy-data-resource/releases/tag/v14.10.1"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-01-16T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-01-16T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-01-16T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-02-09T08:31:57.000Z",
"value": "VulDB entry last update"
}
],
"title": "galaxy-data-resource Command Line Template injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2015-10062",
"datePublished": "2023-01-17T18:58:03.554Z",
"dateReserved": "2023-01-16T18:40:04.967Z",
"dateUpdated": "2024-08-06T08:58:26.346Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23470 (GCVE-0-2022-23470)
Vulnerability from cvelistv5 – Published: 2022-12-06 17:37 – Updated: 2025-04-23 16:32
VLAI?
Summary
Galaxy is an open-source platform for data analysis. An arbitrary file read exists in Galaxy 22.01 and Galaxy 22.05 due to the switch to Gunicorn, which can be used to read any file accessible to the operating system user under which Galaxy is running. This vulnerability affects Galaxy 22.01 and higher, after the switch to gunicorn, which serve static contents directly. Additionally, the vulnerability is mitigated when using Nginx or Apache to serve /static/* contents, instead of Galaxy's internal middleware. This issue has been patched in commit `e5e6bda4f` and will be included in future releases. Users are advised to manually patch their installations. There are no known workarounds for this vulnerability.
Severity ?
8.6 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| galaxyproject | galaxy |
Affected:
>= 22.01, <= 22.05
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:43:46.038Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/galaxyproject/galaxy/security/advisories/GHSA-grjf-2ghx-q77x",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/galaxyproject/galaxy/security/advisories/GHSA-grjf-2ghx-q77x"
},
{
"name": "https://github.com/galaxyproject/galaxy/commit/e5e6bda4f014f807ca77ee0cf6af777a55918346",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/galaxyproject/galaxy/commit/e5e6bda4f014f807ca77ee0cf6af777a55918346"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-23470",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:48:27.174569Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:32:08.764Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "galaxy",
"vendor": "galaxyproject",
"versions": [
{
"status": "affected",
"version": "\u003e= 22.01, \u003c= 22.05"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Galaxy is an open-source platform for data analysis. An arbitrary file read exists in Galaxy 22.01 and Galaxy 22.05 due to the switch to Gunicorn, which can be used to read any file accessible to the operating system user under which Galaxy is running. This vulnerability affects Galaxy 22.01 and higher, after the switch to gunicorn, which serve static contents directly. Additionally, the vulnerability is mitigated when using Nginx or Apache to serve /static/* contents, instead of Galaxy\u0027s internal middleware. This issue has been patched in commit `e5e6bda4f` and will be included in future releases. Users are advised to manually patch their installations. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-06T17:37:23.638Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/galaxyproject/galaxy/security/advisories/GHSA-grjf-2ghx-q77x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/galaxyproject/galaxy/security/advisories/GHSA-grjf-2ghx-q77x"
},
{
"name": "https://github.com/galaxyproject/galaxy/commit/e5e6bda4f014f807ca77ee0cf6af777a55918346",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/galaxyproject/galaxy/commit/e5e6bda4f014f807ca77ee0cf6af777a55918346"
}
],
"source": {
"advisory": "GHSA-grjf-2ghx-q77x",
"discovery": "UNKNOWN"
},
"title": "Arbitrary file access in the Galaxy data analysis platform"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23470",
"datePublished": "2022-12-06T17:37:23.638Z",
"dateReserved": "2022-01-19T21:23:53.756Z",
"dateUpdated": "2025-04-23T16:32:08.764Z",
"requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000516 (GCVE-0-2018-1000516)
Vulnerability from cvelistv5 – Published: 2018-06-26 16:00 – Updated: 2024-08-05 12:40
VLAI?
Summary
The Galaxy Project Galaxy version v14.10 contains a CWE-79: Improper Neutralization of Input During Web Page Generation vulnerability in Many templates used in the Galaxy server did not properly sanitize user's input, which would allow for cross-site scripting (XSS) attacks. In this form of attack, a malicious person can create a URL which, when opened by a Galaxy user or administrator, would allow the malicious user to execute arbitrary Javascript. that can result in Arbitrary JavaScript code execution. This attack appear to be exploitable via The victim must interact with component on page witch contains injected JavaScript code.. This vulnerability appears to have been fixed in v14.10.1, v15.01.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:40:47.201Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://galaxyproject.org/archive/dev-news-briefs/2015-01-13/#security"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-06-23T00:00:00",
"datePublic": "2018-06-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Galaxy Project Galaxy version v14.10 contains a CWE-79: Improper Neutralization of Input During Web Page Generation vulnerability in Many templates used in the Galaxy server did not properly sanitize user\u0027s input, which would allow for cross-site scripting (XSS) attacks. In this form of attack, a malicious person can create a URL which, when opened by a Galaxy user or administrator, would allow the malicious user to execute arbitrary Javascript. that can result in Arbitrary JavaScript code execution. This attack appear to be exploitable via The victim must interact with component on page witch contains injected JavaScript code.. This vulnerability appears to have been fixed in v14.10.1, v15.01."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-26T15:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://galaxyproject.org/archive/dev-news-briefs/2015-01-13/#security"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-06-23T11:22:33.019017",
"DATE_REQUESTED": "2018-05-15T09:11:57",
"ID": "CVE-2018-1000516",
"REQUESTER": "mateusz.stahl@codeblanc.it",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Galaxy Project Galaxy version v14.10 contains a CWE-79: Improper Neutralization of Input During Web Page Generation vulnerability in Many templates used in the Galaxy server did not properly sanitize user\u0027s input, which would allow for cross-site scripting (XSS) attacks. In this form of attack, a malicious person can create a URL which, when opened by a Galaxy user or administrator, would allow the malicious user to execute arbitrary Javascript. that can result in Arbitrary JavaScript code execution. This attack appear to be exploitable via The victim must interact with component on page witch contains injected JavaScript code.. This vulnerability appears to have been fixed in v14.10.1, v15.01."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://galaxyproject.org/archive/dev-news-briefs/2015-01-13/#security",
"refsource": "MISC",
"url": "https://galaxyproject.org/archive/dev-news-briefs/2015-01-13/#security"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000516",
"datePublished": "2018-06-26T16:00:00",
"dateReserved": "2018-05-15T00:00:00",
"dateUpdated": "2024-08-05T12:40:47.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}