Publish Advisories

GHSA-rhq2-3vr9-6mcr GHSA-29vr-79w7-p649 GHSA-f8xq-q7px-wg8c GHSA-xr2c-5w89-63pv GHSA-8m5q-crqq-6pmf GHSA-8cw2-jv5c-c825 GHSA-cjw4-2w9r-r8mv GHSA-26qj-cr27-r5c4 GHSA-374w-gwqr-fmxg GHSA-5ww9-9qp2-x524 GHSA-64qm-hrgp-pgr9 GHSA-73pr-g6jj-5hc9 GHSA-fj34-jhjx-xmvv GHSA-g28x-pgr3-qqx6 GHSA-gvxv-p9rv-gmcg GHSA-hrf3-622q-8366 GHSA-pf6p-25r2-fx45 GHSA-rcxc-3w2m-mp8h GHSA-xhp9-4947-rq78 GHSA-3hhc-qp5v-9p2j GHSA-7943-82jg-wmw5 GHSA-977c-63xq-cgw3 GHSA-hm37-9xh2-q499 GHSA-wrxv-2j5q-m38w
uricamatthews-gmail-com · Jul 13, 2022 · 7878430 · 7878430
1 parent 1c7dc3a
commit 7878430
Show file tree

Hide file tree

Showing 24 changed files with 167 additions and 14 deletions.
diff --git a/advisories/github-reviewed/2022/01/GHSA-rhq2-3vr9-6mcr/GHSA-rhq2-3vr9-6mcr.json b/advisories/github-reviewed/2022/01/GHSA-rhq2-3vr9-6mcr/GHSA-rhq2-3vr9-6mcr.json
@@ -48,6 +48,10 @@
       "type": "WEB",
       "url": "https://github.com/gradio-app/gradio/commit/41bd3645bdb616e1248b2167ca83636a2653f781"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2021-873.yaml"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/gradio-app/gradio"

diff --git a/advisories/github-reviewed/2022/03/GHSA-29vr-79w7-p649/GHSA-29vr-79w7-p649.json b/advisories/github-reviewed/2022/03/GHSA-29vr-79w7-p649/GHSA-29vr-79w7-p649.json
@@ -47,6 +47,10 @@
     {
       "type": "WEB",
       "url": "https://github.com/Gerapy/Gerapy/releases/tag/v0.9.8"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gerapy/PYSEC-2022-228.yaml"
     }
   ],
   "database_specific": {

diff --git a/advisories/github-reviewed/2022/03/GHSA-f8xq-q7px-wg8c/GHSA-f8xq-q7px-wg8c.json b/advisories/github-reviewed/2022/03/GHSA-f8xq-q7px-wg8c/GHSA-f8xq-q7px-wg8c.json
@@ -52,6 +52,10 @@
       "type": "WEB",
       "url": "https://github.com/gradio-app/gradio/commit/80fea89117358ee105973453fdc402398ae20239"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2022-229.yaml"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/gradio-app/gradio"

diff --git a/advisories/github-reviewed/2022/03/GHSA-xr2c-5w89-63pv/GHSA-xr2c-5w89-63pv.json b/advisories/github-reviewed/2022/03/GHSA-xr2c-5w89-63pv/GHSA-xr2c-5w89-63pv.json
@@ -44,6 +44,10 @@
       "type": "WEB",
       "url": "https://github.com/python-poetry/poetry-core/pull/205/commits/fa9cb6f358ae840885c700f954317f34838caba7"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/poetry/PYSEC-2022-234.yaml"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/python-poetry/poetry/releases/tag/1.1.9"

diff --git a/...A-8m5q-crqq-6pmf/GHSA-8m5q-crqq-6pmf.json → ...A-8m5q-crqq-6pmf/GHSA-8m5q-crqq-6pmf.json b/...A-8m5q-crqq-6pmf/GHSA-8m5q-crqq-6pmf.json → ...A-8m5q-crqq-6pmf/GHSA-8m5q-crqq-6pmf.json
@@ -1,17 +1,39 @@
 {
   "schema_version": "1.2.0",
   "id": "GHSA-8m5q-crqq-6pmf",
-  "modified": "2022-04-23T00:40:23Z",
+  "modified": "2022-07-13T19:27:31Z",
   "published": "2022-04-23T00:40:23Z",
   "aliases": [
     "CVE-2012-1592"
   ],
-  "details": "A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.",
+  "summary": "Unrestricted Upload of File with Dangerous Type in Apache Struts2",
+  "details": "A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files. A patch exists as of version 2.5.22.",
   "severity": [
-
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
   ],
   "affected": [
-
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.struts:struts2-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.0"
+            },
+            {
+              "fixed": "2.5.22"
+            }
+          ]
+        }
+      ]
+    }
   ],
   "references": [
     {
@@ -26,6 +48,14 @@
       "type": "WEB",
       "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1592"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/struts/blob/master/core/src/main/resources/struts-default.xml#L39-L76"
+    },
+    {
+      "type": "WEB",
+      "url": "https://issues.apache.org/jira/browse/WW-5055"
+    },
     {
       "type": "WEB",
       "url": "https://lists.apache.org/thread.html/r348ed455a140273c40b974f0615dee692f7c9b26c6de2118b4280ef2@%3Cissues.struts.apache.org%3E"
@@ -38,20 +68,32 @@
       "type": "WEB",
       "url": "https://lists.apache.org/thread.html/r93c4e3f6cb138cd117c739714f07e47af547183ba099ba46be2b2a5b@%3Cissues.struts.apache.org%3E"
     },
+    {
+      "type": "WEB",
+      "url": "https://seclists.org/bugtraq/2012/Mar/110"
+    },
     {
       "type": "WEB",
       "url": "https://security-tracker.debian.org/tracker/CVE-2012-1592"
     },
+    {
+      "type": "WEB",
+      "url": "https://struts.apache.org/security/#internal-security-mechanism"
+    },
     {
       "type": "WEB",
       "url": "http://www.openwall.com/lists/oss-security/2012/03/28/12"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/struts"
     }
   ],
   "database_specific": {
     "cwe_ids": [
-
+      "CWE-434"
     ],
-    "severity": "MODERATE",
-    "github_reviewed": false
+    "severity": "HIGH",
+    "github_reviewed": true
   }
 }
diff --git a/advisories/github-reviewed/2022/05/GHSA-8cw2-jv5c-c825/GHSA-8cw2-jv5c-c825.json b/advisories/github-reviewed/2022/05/GHSA-8cw2-jv5c-c825/GHSA-8cw2-jv5c-c825.json
@@ -59,6 +59,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12408"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/red-arrow/CVE-2019-12408.yml"
+    },
     {
       "type": "WEB",
       "url": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E"

diff --git a/advisories/github-reviewed/2022/05/GHSA-cjw4-2w9r-r8mv/GHSA-cjw4-2w9r-r8mv.json b/advisories/github-reviewed/2022/05/GHSA-cjw4-2w9r-r8mv/GHSA-cjw4-2w9r-r8mv.json
@@ -59,6 +59,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12410"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/red-arrow/CVE-2019-12410.yml"
+    },
     {
       "type": "WEB",
       "url": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E"

diff --git a/advisories/github-reviewed/2022/06/GHSA-26qj-cr27-r5c4/GHSA-26qj-cr27-r5c4.json b/advisories/github-reviewed/2022/06/GHSA-26qj-cr27-r5c4/GHSA-26qj-cr27-r5c4.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.2.0",
   "id": "GHSA-26qj-cr27-r5c4",
-  "modified": "2022-06-29T21:48:05Z",
+  "modified": "2022-07-13T19:17:23Z",
   "published": "2022-06-15T21:24:14Z",
   "aliases": [
     "CVE-2022-31071"
@@ -51,6 +51,10 @@
       "type": "WEB",
       "url": "https://github.com/octokit/octopoller.rb/commit/abed2b8d05abe2cc3eb6bdfb34e53d465e7c7874"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/octopoller/CVE-2022-31071.yml"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/octokit/octopoller.rb"

diff --git a/advisories/github-reviewed/2022/06/GHSA-374w-gwqr-fmxg/GHSA-374w-gwqr-fmxg.json b/advisories/github-reviewed/2022/06/GHSA-374w-gwqr-fmxg/GHSA-374w-gwqr-fmxg.json
@@ -52,6 +52,10 @@
     }
   ],
   "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33154"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/brotkrueml/schema/CVE-2022-33154.yaml"

diff --git a/advisories/github-reviewed/2022/06/GHSA-5ww9-9qp2-x524/GHSA-5ww9-9qp2-x524.json b/advisories/github-reviewed/2022/06/GHSA-5ww9-9qp2-x524/GHSA-5ww9-9qp2-x524.json
@@ -44,6 +44,10 @@
       "type": "WEB",
       "url": "https://github.com/samg/diffy/commit/478f392082b66d38f54a02b4bb9c41be32fd6593"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/diffy/CVE-2022-33127.yml"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/samg/diffy/blob/56fd935aea256742f7352b050592542d3d153bf6/CHANGELOG#L1"

diff --git a/advisories/github-reviewed/2022/06/GHSA-64qm-hrgp-pgr9/GHSA-64qm-hrgp-pgr9.json b/advisories/github-reviewed/2022/06/GHSA-64qm-hrgp-pgr9/GHSA-64qm-hrgp-pgr9.json
@@ -1,15 +1,18 @@
 {
   "schema_version": "1.2.0",
   "id": "GHSA-64qm-hrgp-pgr9",
-  "modified": "2022-06-09T23:47:57Z",
+  "modified": "2022-07-13T19:25:44Z",
   "published": "2022-06-09T23:47:57Z",
   "aliases": [
     "CVE-2022-31033"
   ],
   "summary": "Authorization header leak on port redirect in mechanize",
   "details": "**Summary**\n\nMechanize (rubygem) `< v2.8.5` leaks the `Authorization` header after a redirect to a different port on the same site.\n\n**Mitigation**\n\nUpgrade to Mechanize v2.8.5 or later.\n\n**Notes**\n\nSee [https://curl.se/docs/CVE-2022-27776.html](CVE-2022-27776) for a similar vulnerability in curl.\n\nCookies are shared with a server at a different port on the same site, per https://datatracker.ietf.org/doc/html/rfc6265#section-8.5 which states in part:\n\n> Cookies do not provide isolation by port.  If a cookie is readable\n> by a service running on one port, the cookie is also readable by a\n> service running on another port of the same server.  If a cookie is\n> writable by a service on one port, the cookie is also writable by a\n> service running on another port of the same server.  For this\n> reason, servers SHOULD NOT both run mutually distrusting services on\n> different ports of the same host and use cookies to store security-\n> sensitive information.\n",
   "severity": [
-
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    }
   ],
   "affected": [
     {
@@ -45,13 +48,18 @@
       "type": "WEB",
       "url": "https://github.com/sparklemotion/mechanize/commit/c7fe6996a5b95f9880653ba3bc548a8d4ef72317"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/mechanize/CVE-2022-31033.yml"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/sparklemotion/mechanize"
     }
   ],
   "database_specific": {
     "cwe_ids": [
+      "CWE-200",
       "CWE-522"
     ],
     "severity": "MODERATE",

diff --git a/advisories/github-reviewed/2022/06/GHSA-73pr-g6jj-5hc9/GHSA-73pr-g6jj-5hc9.json b/advisories/github-reviewed/2022/06/GHSA-73pr-g6jj-5hc9/GHSA-73pr-g6jj-5hc9.json
@@ -40,6 +40,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3779"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-mysql/CVE-2021-3779.yml"
+    },
     {
       "type": "WEB",
       "url": "https://www.rapid7.com/blog/post/2022/06/28/cve-2021-3779-ruby-mysql-gem-client-file-read-fixed/"

diff --git a/advisories/github-reviewed/2022/06/GHSA-fj34-jhjx-xmvv/GHSA-fj34-jhjx-xmvv.json b/advisories/github-reviewed/2022/06/GHSA-fj34-jhjx-xmvv/GHSA-fj34-jhjx-xmvv.json
@@ -48,6 +48,10 @@
       "type": "WEB",
       "url": "https://github.com/markevans/dragonfly/commit/25399297bb457f7fcf8e3f91e85945b255b111b5"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/dragonfly/CVE-2021-33473.yml"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/markevans/dragonfly"

diff --git a/advisories/github-reviewed/2022/06/GHSA-g28x-pgr3-qqx6/GHSA-g28x-pgr3-qqx6.json b/advisories/github-reviewed/2022/06/GHSA-g28x-pgr3-qqx6/GHSA-g28x-pgr3-qqx6.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.2.0",
   "id": "GHSA-g28x-pgr3-qqx6",
-  "modified": "2022-06-29T21:48:03Z",
+  "modified": "2022-07-13T19:19:18Z",
   "published": "2022-06-15T21:24:16Z",
   "aliases": [
     "CVE-2022-31072"
@@ -48,6 +48,10 @@
       "type": "WEB",
       "url": "https://github.com/octokit/octokit.rb/commit/1c8edecc9cf23d1ceb959d91a416a69f55ce7d55"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/octokit/CVE-2022-31072.yml"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/octokit/octokit.rb"

diff --git a/advisories/github-reviewed/2022/06/GHSA-gvxv-p9rv-gmcg/GHSA-gvxv-p9rv-gmcg.json b/advisories/github-reviewed/2022/06/GHSA-gvxv-p9rv-gmcg/GHSA-gvxv-p9rv-gmcg.json
@@ -33,6 +33,10 @@
     }
   ],
   "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33156"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/brotkrueml/typo3-matomo-integration/CVE-2022-33156.yaml"

diff --git a/advisories/github-reviewed/2022/06/GHSA-hrf3-622q-8366/GHSA-hrf3-622q-8366.json b/advisories/github-reviewed/2022/06/GHSA-hrf3-622q-8366/GHSA-hrf3-622q-8366.json
@@ -44,6 +44,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31605"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/nvflare/PYSEC-2022-232.yaml"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/NVIDIA/NVFlare"

diff --git a/advisories/github-reviewed/2022/06/GHSA-pf6p-25r2-fx45/GHSA-pf6p-25r2-fx45.json b/advisories/github-reviewed/2022/06/GHSA-pf6p-25r2-fx45/GHSA-pf6p-25r2-fx45.json
@@ -44,6 +44,10 @@
       "type": "WEB",
       "url": "https://github.com/dompdf/dompdf/commit/bb1ef65011a14730b7cfbe73506b4bb8a03704bd"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2022-0085.yaml"
+    },
     {
       "type": "WEB",
       "url": "https://huntr.dev/bounties/73dbcc78-5ba9-492f-9133-13bbc9f31236"

diff --git a/advisories/github-reviewed/2022/06/GHSA-rcxc-3w2m-mp8h/GHSA-rcxc-3w2m-mp8h.json b/advisories/github-reviewed/2022/06/GHSA-rcxc-3w2m-mp8h/GHSA-rcxc-3w2m-mp8h.json
@@ -44,6 +44,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31604"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/nvflare/PYSEC-2022-231.yaml"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/NVIDIA/NVFlare"

diff --git a/advisories/github-reviewed/2022/06/GHSA-xhp9-4947-rq78/GHSA-xhp9-4947-rq78.json b/advisories/github-reviewed/2022/06/GHSA-xhp9-4947-rq78/GHSA-xhp9-4947-rq78.json
@@ -59,6 +59,10 @@
       "type": "WEB",
       "url": "https://github.com/bottlepy/bottle/compare/0.12.19...0.12.20"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/bottle/PYSEC-2022-227.yaml"
+    },
     {
       "type": "WEB",
       "url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00010.html"

diff --git a/advisories/github-reviewed/2022/07/GHSA-3hhc-qp5v-9p2j/GHSA-3hhc-qp5v-9p2j.json b/advisories/github-reviewed/2022/07/GHSA-3hhc-qp5v-9p2j/GHSA-3hhc-qp5v-9p2j.json
@@ -114,6 +114,14 @@
       "type": "WEB",
       "url": "https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2022-32224.yml"
+    },
+    {
+      "type": "WEB",
+      "url": "https://groups.google.com/g/rubyonrails-security/c/MmFO3LYQE8U"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/rails/rails/commits/main/activerecord"

diff --git a/advisories/github-reviewed/2022/07/GHSA-7943-82jg-wmw5/GHSA-7943-82jg-wmw5.json b/advisories/github-reviewed/2022/07/GHSA-7943-82jg-wmw5/GHSA-7943-82jg-wmw5.json
@@ -78,6 +78,18 @@
       "type": "WEB",
       "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-7943-82jg-wmw5"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31105"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.6"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.4.5"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/argoproj/argo-cd"