GitHub Security Advisory

ghsa/composer/craftcms/cms/GHSA-j4mx-98hw-6rv6.json

@@ -19,6 +19,9 @@
       {
         "Url": "https://github.com/craftcms/cms/commit/e2f7e7b7d86a0afa54ce855375d13c7760670764"
       },
+      {
+        "Url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31144"
+      },
       {
         "Url": "https://github.com/advisories/GHSA-j4mx-98hw-6rv6"
       }
@@ -38,11 +41,11 @@
     "PublishedAt": "2023-05-05T23:13:02Z",
     "Severity": "MODERATE",
     "Summary": "craftcms/cms vulnerable to cross site scripting in RSS feed widget",
-    "UpdatedAt": "2023-05-05T23:13:02Z",
+    "UpdatedAt": "2023-05-09T18:48:21Z",
     "WithdrawnAt": "",
     "CVSS": {
-      "Score": 0,
-      "VectorString": ""
+      "Score": 6.1,
+      "VectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
     }
   },
   "Versions": [

ghsa/composer/drupal/core/GHSA-6955-67hm-vjjq.json

@@ -44,11 +44,11 @@
     "PublishedAt": "2022-08-06T09:33:38Z",
     "Severity": "HIGH",
     "Summary": "Drupal core arbitrary PHP code execution",
-    "UpdatedAt": "2023-04-26T16:58:13Z",
+    "UpdatedAt": "2023-05-10T00:36:31Z",
     "WithdrawnAt": "",
     "CVSS": {
-      "Score": 0,
-      "VectorString": ""
+      "Score": 7.2,
+      "VectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
     }
   },
   "Versions": [

ghsa/composer/francoisjacquet/rosariosis/GHSA-f8hp-grmr-pp7j.json

@@ -1,5 +1,5 @@
 {
-  "Severity": "HIGH",
+  "Severity": "MODERATE",
   "UpdatedAt": "2023-05-02T23:13:23Z",
   "Package": {
     "Ecosystem": "COMPOSER",
@@ -33,13 +33,13 @@
     "Description": "RosarioSIS 10.8.4 is vulnerable to CSV injection via the Periods Module.",
     "Origin": "UNSPECIFIED",
     "PublishedAt": "2023-05-02T18:30:20Z",
-    "Severity": "HIGH",
+    "Severity": "MODERATE",
     "Summary": "RosarioSIS vulnerable to CSV Injection",
-    "UpdatedAt": "2023-05-02T23:13:23Z",
+    "UpdatedAt": "2023-05-10T00:34:44Z",
     "WithdrawnAt": "",
     "CVSS": {
-      "Score": 0,
-      "VectorString": ""
+      "Score": 5.4,
+      "VectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
     }
   },
   "Versions": [

ghsa/composer/mautic/core/GHSA-pjpc-87mp-4332.json

@@ -19,6 +19,9 @@
       {
         "Url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25772"
       },
+      {
+        "Url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00847.html"
+      },
       {
         "Url": "https://github.com/advisories/GHSA-pjpc-87mp-4332"
       }
@@ -38,7 +41,7 @@
     "PublishedAt": "2022-05-25T22:36:33Z",
     "Severity": "CRITICAL",
     "Summary": "Cross-site Scripting vulnerability in Mautic's tracking pixel functionality",
-    "UpdatedAt": "2023-01-27T05:03:23Z",
+    "UpdatedAt": "2023-05-10T00:37:04Z",
     "WithdrawnAt": "",
     "CVSS": {
       "Score": 9.6,

ghsa/composer/pimcore/pimcore/GHSA-j5c3-r84f-9596.json

@@ -36,12 +36,12 @@
         "Value": "CVE-2023-30852"
       }
     ],
-    "Description": "### Impact\nIt was observed that the `/admin/misc/script-proxy` API endpoint accessible by an authenticated administrator user and is vulnerable arbitrary JavaScript, CSS file read via the \"scriptPath\" and \"scripts\" parameters. The \"scriptPath\" parameter is not sanitized properly and is vulnerable to path traversal attack. Any JavaScript/CSS file from the application server can be read by specifying sufficient number of \"../\" patterns to go out from the application webroot followed by path of the folder where the file is located in the \"scriptPath\" parameter and the file name in the \"scripts\" parameter. The JavaScript file is successfully read only if the web application has read access to it.\n\n### Patches\nUpdate to version 10.5.21 or apply this patch manually https://github.com/pimcore/pimcore/commit/1d128404eddf4beb560d434437347da7aea059eb.patch\n\n### Workarounds\nApply patch https://github.com/pimcore/pimcore/commit/1d128404eddf4beb560d434437347da7aea059eb.patch manually.\n\n### References\nhttps://github.com/pimcore/pimcore/pull/14959\n",
+    "Description": "### Impact\n\nIt was observed that the `/admin/misc/script-proxy` API endpoint accessible by an authenticated administrator user and is vulnerable arbitrary JavaScript, CSS file read via the \"scriptPath\" and \"scripts\" parameters. The \"scriptPath\" parameter is not sanitized properly and is vulnerable to path traversal attack. Any JavaScript/CSS file from the application server can be read by specifying sufficient number of \"../\" patterns to go out from the application webroot followed by path of the folder where the file is located in the \"scriptPath\" parameter and the file name in the \"scripts\" parameter. The JavaScript file is successfully read only if the web application has read access to it.\n\n### Patches\nUpdate to version 10.5.21 or apply this patch manually https://github.com/pimcore/pimcore/commit/1d128404eddf4beb560d434437347da7aea059eb.patch\n\n### Workarounds\nApply patch https://github.com/pimcore/pimcore/commit/1d128404eddf4beb560d434437347da7aea059eb.patch manually.\n\n### References\nhttps://github.com/pimcore/pimcore/pull/14959\n",
     "Origin": "UNSPECIFIED",
     "PublishedAt": "2023-04-27T23:10:03Z",
     "Severity": "MODERATE",
     "Summary": "Arbitrary File Read in Admin JS CSS files",
-    "UpdatedAt": "2023-04-27T23:10:05Z",
+    "UpdatedAt": "2023-05-09T18:52:33Z",
     "WithdrawnAt": "",
     "CVSS": {
       "Score": 4.4,

ghsa/composer/thorsten/phpmyfaq/GHSA-r69v-q48g-3966.json

@@ -0,0 +1,56 @@
+{
+  "Severity": "MODERATE",
+  "UpdatedAt": "2023-05-09T20:53:09Z",
+  "Package": {
+    "Ecosystem": "COMPOSER",
+    "Name": "thorsten/phpmyfaq"
+  },
+  "Advisory": {
+    "DatabaseId": 209047,
+    "Id": "GSA_kwCzR0hTQS1yNjl2LXE0OGctMzk2Ns4AAzCX",
+    "GhsaId": "GHSA-r69v-q48g-3966",
+    "References": [
+      {
+        "Url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2429"
+      },
+      {
+        "Url": "https://github.com/thorsten/phpmyfaq/commit/07552f5577ff8b1e6f7cdefafcce9b2a744d3a24"
+      },
+      {
+        "Url": "https://huntr.dev/bounties/20d3a0b3-2693-4bf1-b196-10741201a540"
+      },
+      {
+        "Url": "https://github.com/advisories/GHSA-r69v-q48g-3966"
+      }
+    ],
+    "Identifiers": [
+      {
+        "Type": "GHSA",
+        "Value": "GHSA-r69v-q48g-3966"
+      },
+      {
+        "Type": "CVE",
+        "Value": "CVE-2023-2429"
+      }
+    ],
+    "Description": "phpMyFAQ prior to version 3.1.13 does not properly validate email addresses when updating user profiles. This vulnerability allows an attacker to manipulate their email address and change it to another email address that is already registered in the system, including email addresses belonging to other users such as the administrator. Once the attacker has control of the other user's email address, they can request to remove the user from the system, leading to a loss of data and access.",
+    "Origin": "UNSPECIFIED",
+    "PublishedAt": "2023-04-30T03:30:26Z",
+    "Severity": "MODERATE",
+    "Summary": "phpMyFAQ Improper Access Control vulnerability",
+    "UpdatedAt": "2023-05-09T20:53:09Z",
+    "WithdrawnAt": "",
+    "CVSS": {
+      "Score": 6.6,
+      "VectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L"
+    }
+  },
+  "Versions": [
+    {
+      "FirstPatchedVersion": {
+        "Identifier": "3.1.13"
+      },
+      "VulnerableVersionRange": "\u003c 3.1.13"
+    }
+  ]
+}

ghsa/go/github.com/fluid-cloudnative/fluid/GHSA-93xx-cvmc-9w3v.json

@@ -0,0 +1,62 @@
+{
+  "Severity": "MODERATE",
+  "UpdatedAt": "2023-05-09T19:58:47Z",
+  "Package": {
+    "Ecosystem": "GO",
+    "Name": "github.com/fluid-cloudnative/fluid"
+  },
+  "Advisory": {
+    "DatabaseId": 209720,
+    "Id": "GSA_kwCzR0hTQS05M3h4LWN2bWMtOXczds4AAzM4",
+    "GhsaId": "GHSA-93xx-cvmc-9w3v",
+    "References": [
+      {
+        "Url": "https://github.com/fluid-cloudnative/fluid/security/advisories/GHSA-93xx-cvmc-9w3v"
+      },
+      {
+        "Url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30840"
+      },
+      {
+        "Url": "https://github.com/fluid-cloudnative/fluid/commit/77c8110a3d1ec077ae2bce6bd88d296505db1550"
+      },
+      {
+        "Url": "https://github.com/fluid-cloudnative/fluid/commit/91c05c32db131997b5ca065e869c9918a125c149"
+      },
+      {
+        "Url": "https://github.com/fluid-cloudnative/fluid/releases/tag/v0.8.6"
+      },
+      {
+        "Url": "https://github.com/advisories/GHSA-93xx-cvmc-9w3v"
+      }
+    ],
+    "Identifiers": [
+      {
+        "Type": "GHSA",
+        "Value": "GHSA-93xx-cvmc-9w3v"
+      },
+      {
+        "Type": "CVE",
+        "Value": "CVE-2023-30840"
+      }
+    ],
+    "Description": "### Impact\n\nIf a malicious user gains control of a Kubernetes node running fluid csi pod (controlled by the `csi-nodeplugin-fluid` node-daemonset), he/she can leverage the fluid-csi service account to modify specs of all the nodes in the cluster. However, since this service account lacks \"list node\" permissions, the attacker may need to use other techniques to identify vulnerable nodes.\n\nOnce the attacker identifies and modifies the node specs, he/she can manipulate system-level-privileged components to access all secrets in the cluster or execute pods on other nodes. This allows he/she to elevate privileges beyond the compromised node and potentially gain full privileged access to the whole cluster.\n\nTo exploit this vulnerability, the attacker can make all other nodes unschedulable (for example, patch node with taints) and wait for system-critical components with high privilege to appear on the compromised node. However, this attack requires two prerequisites: a compromised node and identifying all vulnerable nodes through other means. Additionally, since the attack is passive and requires patience and luck, the severity of this finding is considered medium.\n\n### Patches\nFor users who're using version \u003c 0.8.6, \u003e= 0.7.0, upgrade to v0.8.6.\n\n### Workarounds\nDelete the `csi-nodeplugin-fluid` daemonset in `fluid-system` namespace and avoid using CSI mode to mount FUSE file systems. Alternatively using sidecar mode to mount FUSE file systems is recommended. Refer to [the doc](https://github.com/fluid-cloudnative/fluid/blob/master/docs/en/samples/knative.md) to get a full example of how to use sidecar mode.\n\n### References\n\n\nFixed by [Fix rbacs and limit CSI Plugin's node related access](https://github.com/fluid-cloudnative/fluid/commit/77c8110a3d1ec077ae2bce6bd88d296505db1550)\n\n### Credits\nSpecial thanks to the discoverers of this issue:\n\nNanzi Yang ([[email protected]](mailto:[email protected]))\n",
+    "Origin": "UNSPECIFIED",
+    "PublishedAt": "2023-05-09T19:58:47Z",
+    "Severity": "MODERATE",
+    "Summary": "On a compromised node, the fluid-csi service account can be used to modify node specs",
+    "UpdatedAt": "2023-05-09T19:58:47Z",
+    "WithdrawnAt": "",
+    "CVSS": {
+      "Score": 4,
+      "VectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N"
+    }
+  },
+  "Versions": [
+    {
+      "FirstPatchedVersion": {
+        "Identifier": "0.8.6"
+      },
+      "VulnerableVersionRange": "\u003e= 0.7.0, \u003c 0.8.6"
+    }
+  ]
+}

ghsa/go/github.com/prometheus/blackbox_exporter/GHSA-939c-3g97-vpvv.json

@@ -1,5 +1,5 @@
 {
-  "Severity": "MODERATE",
+  "Severity": "HIGH",
   "UpdatedAt": "2023-04-26T15:56:46Z",
   "Package": {
     "Ecosystem": "GO",
@@ -48,13 +48,13 @@
     "Description": "blackbox_exporter v0.23.0 was discovered to contain an access control issue in its probe interface. This vulnerability allows attackers to detect intranet ports and services, as well as download resources.",
     "Origin": "UNSPECIFIED",
     "PublishedAt": "2023-04-26T00:30:21Z",
-    "Severity": "MODERATE",
+    "Severity": "HIGH",
     "Summary": "Access control issues in blackbox_exporter",
-    "UpdatedAt": "2023-04-28T20:05:20Z",
+    "UpdatedAt": "2023-05-09T20:30:36Z",
     "WithdrawnAt": "",
     "CVSS": {
-      "Score": 0,
-      "VectorString": ""
+      "Score": 7.5,
+      "VectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
     }
   },
   "Versions": [

ghsa/maven/org.apache.streampark/streampark/GHSA-pjfj-qvqw-3f6v.json

@@ -1,5 +1,5 @@
 {
-  "Severity": "HIGH",
+  "Severity": "MODERATE",
   "UpdatedAt": "2023-05-01T22:32:08Z",
   "Package": {
     "Ecosystem": "MAVEN",
@@ -33,13 +33,13 @@
     "Description": "Apache StreamPark versions 1.0.0 to 2.0.0 have an LDAP injection vulnerability. LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements through techniques similar to SQL Injection. LDAP injection attacks could result in the granting of permissions to unauthorized queries, and content modification inside the LDAP tree. This risk may only occur when the user logs in with ldap, and the user name and password login will not be affected, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later.\n\n\n\n\n\n\n",
     "Origin": "UNSPECIFIED",
     "PublishedAt": "2023-05-01T15:30:26Z",
-    "Severity": "HIGH",
+    "Severity": "MODERATE",
     "Summary": "Apache StreamPark LDAP Injection vulnerability",
-    "UpdatedAt": "2023-05-01T22:32:08Z",
+    "UpdatedAt": "2023-05-09T18:49:27Z",
     "WithdrawnAt": "",
     "CVSS": {
-      "Score": 0,
-      "VectorString": ""
+      "Score": 5.4,
+      "VectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
     }
   },
   "Versions": [

ghsa/maven/org.opensearch.plugin/opensearch-security/GHSA-g8xc-6mf7-h28h.json

@@ -0,0 +1,59 @@
+{
+  "Severity": "MODERATE",
+  "UpdatedAt": "2023-05-09T21:25:06Z",
+  "Package": {
+    "Ecosystem": "MAVEN",
+    "Name": "org.opensearch.plugin:opensearch-security"
+  },
+  "Advisory": {
+    "DatabaseId": 209722,
+    "Id": "GSA_kwCzR0hTQS1nOHhjLTZtZjctaDI4aM4AAzM6",
+    "GhsaId": "GHSA-g8xc-6mf7-h28h",
+    "References": [
+      {
+        "Url": "https://github.com/opensearch-project/security/security/advisories/GHSA-g8xc-6mf7-h28h"
+      },
+      {
+        "Url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31141"
+      },
+      {
+        "Url": "https://github.com/advisories/GHSA-g8xc-6mf7-h28h"
+      }
+    ],
+    "Identifiers": [
+      {
+        "Type": "GHSA",
+        "Value": "GHSA-g8xc-6mf7-h28h"
+      },
+      {
+        "Type": "CVE",
+        "Value": "CVE-2023-31141"
+      }
+    ],
+    "Description": "### Impact\nThere is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the queries during extremely rare race conditions potentially leading to incorrect access authorization. For this issue to be triggered, two concurrent requests need to land on the same instance exactly when query cache eviction happens, once every four hours.\n\n### Affected versions\nOpenSearch 1.0.0-1.3.9 and 2.0.0-2.6.0\n\n### Patched versions\nOpenSearch 1.3.10 and 2.7.0\n\n### For more information\nIf you have any questions or comments about this advisory, please contact AWS/Amazon Security via our issue reporting page (https://aws.amazon.com/security/vulnerability-reporting/) or directly via email to [email protected]. Please do not create a public GitHub issue.",
+    "Origin": "UNSPECIFIED",
+    "PublishedAt": "2023-05-09T21:25:06Z",
+    "Severity": "MODERATE",
+    "Summary": "OpenSearch issue with fine-grained access control during extremely rare race conditions",
+    "UpdatedAt": "2023-05-09T21:25:06Z",
+    "WithdrawnAt": "",
+    "CVSS": {
+      "Score": 4.8,
+      "VectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N"
+    }
+  },
+  "Versions": [
+    {
+      "FirstPatchedVersion": {
+        "Identifier": "2.7.0.0"
+      },
+      "VulnerableVersionRange": "\u003e= 2.0.0, \u003c 2.7.0.0"
+    },
+    {
+      "FirstPatchedVersion": {
+        "Identifier": "1.3.10.0"
+      },
+      "VulnerableVersionRange": "\u003e= 1.0.0, \u003c 1.3.10.0"
+    }
+  ]
+}

ghsa/maven/org.xwiki.commons/xwiki-commons-xml/GHSA-pv7v-ph6g-3gxv.json

@@ -0,0 +1,59 @@
+{
+  "Severity": "CRITICAL",
+  "UpdatedAt": "2023-05-09T19:59:32Z",
+  "Package": {
+    "Ecosystem": "MAVEN",
+    "Name": "org.xwiki.commons:xwiki-commons-xml"
+  },
+  "Advisory": {
+    "DatabaseId": 209721,
+    "Id": "GSA_kwCzR0hTQS1wdjd2LXBoNmctM2d4ds4AAzM5",
+    "GhsaId": "GHSA-pv7v-ph6g-3gxv",
+    "References": [
+      {
+        "Url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-pv7v-ph6g-3gxv"
+      },
+      {
+        "Url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31126"
+      },
+      {
+        "Url": "https://github.com/xwiki/xwiki-commons/commit/0b8e9c45b7e7457043938f35265b2aa5adc76a68"
+      },
+      {
+        "Url": "https://jira.xwiki.org/browse/XCOMMONS-2606"
+      },
+      {
+        "Url": "https://github.com/advisories/GHSA-pv7v-ph6g-3gxv"
+      }
+    ],
+    "Identifiers": [
+      {
+        "Type": "GHSA",
+        "Value": "GHSA-pv7v-ph6g-3gxv"
+      },
+      {
+        "Type": "CVE",
+        "Value": "CVE-2023-31126"
+      }
+    ],
+    "Description": "### Impact\nThe HTML sanitizer, introduced in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid data attributes. This can be exploited, e.g., via the link syntax in any content that supports XWiki syntax like comments in XWiki: \n\n```\n[[Link1\u003e\u003ehttps://XWiki.example.com||data-x/onmouseover=\"alert('XSS1')\"]].\n```\n\nWhen a user moves the mouse over this link, the malicious JavaScript code is executed in the context of the user session. When this user is a privileged user who has programming rights, this allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance.\n\nNote that this vulnerability does not affect restricted cleaning in HTMLCleaner as there attributes are cleaned and thus characters like `/` and `\u003e` are removed in all attribute names.\n\n### Patches\nThis problem has been patched in XWiki 14.10.4 and 15.0 RC1 by making sure that data attributes only contain allowed characters.\n\n### Workarounds\nThere are no known workarounds apart from upgrading to a version including the fix.\n\n### References\n* https://jira.xwiki.org/browse/XCOMMONS-2606\n* https://github.com/xwiki/xwiki-commons/commit/0b8e9c45b7e7457043938f35265b2aa5adc76a68\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki](https://jira.xwiki.org/)\n* Email us at [XWiki Security mailing-list](mailto:[email protected])",
+    "Origin": "UNSPECIFIED",
+    "PublishedAt": "2023-05-09T19:59:31Z",
+    "Severity": "CRITICAL",
+    "Summary": "Improper Neutralization of Invalid Characters in Data Attribute Names in org.xwiki.commons:xwiki-commons-xml",
+    "UpdatedAt": "2023-05-09T19:59:32Z",
+    "WithdrawnAt": "",
+    "CVSS": {
+      "Score": 9,
+      "VectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"
+    }
+  },
+  "Versions": [
+    {
+      "FirstPatchedVersion": {
+        "Identifier": "14.10.4"
+      },
+      "VulnerableVersionRange": "\u003e= 14.6-rc-1, \u003c 14.10.4"
+    }
+  ]
+}