Publish Advisories

GHSA-2r87-74cx-2p7c
GHSA-9j3m-fr7q-jxfw
GHSA-r279-47wg-chpr
GHSA-x6mh-rjwm-8ph7

advisories/github-reviewed/2024/12/GHSA-2r87-74cx-2p7c/GHSA-2r87-74cx-2p7c.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2r87-74cx-2p7c",
-  "modified": "2024-12-12T19:21:06Z",
+  "modified": "2024-12-12T22:33:07Z",
   "published": "2024-12-12T19:21:06Z",
   "aliases": [
     "CVE-2024-55877"
@@ -78,6 +78,10 @@
       "type": "WEB",
       "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2r87-74cx-2p7c"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55877"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3"
@@ -98,6 +102,6 @@
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2024-12-12T19:21:06Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2024-12-12T20:15:21Z"
   }
 }

advisories/github-reviewed/2024/12/GHSA-9j3m-fr7q-jxfw/GHSA-9j3m-fr7q-jxfw.json

@@ -1,14 +1,19 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9j3m-fr7q-jxfw",
-  "modified": "2024-12-12T19:22:39Z",
+  "modified": "2024-12-12T22:32:54Z",
   "published": "2024-12-12T19:22:39Z",
   "aliases": [
     "CVE-2024-55885"
   ],
   "summary": "Beego has Collision Hazards of MD5 in Cache Key Filenames",
   "details": "In the context of using MD5 to generate filenames for cache keys, there are significant collision hazards that need to be considered. MD5, or Message Digest Algorithm 5, is a widely known cryptographic hash function that produces a 128-bit hash value. However, MD5 is no longer considered secure against well-funded opponents due to its vulnerability to collision attacks.\n\n### Understanding Collisions\nA collision in hashing occurs when two different inputs produce the same hash output. For MD5, this means that it is theoretically possible, and even practical, to find two distinct cache keys that result in the same MD5 hash. This vulnerability has been well-documented and exploited in various security contexts.\n\n### Implications for Cache Systems\nIn a cache system where filenames are derived from the MD5 hash of cache keys, a collision could lead to several critical issues:\n\nData Integrity Risks: If two different keys collide, they will map to the same filename. This could result in data being overwritten incorrectly, leading to data loss or corruption.\nSecurity Vulnerabilities: An attacker could potentially exploit collisions to manipulate cache data. For instance, by crafting a key that collides with another key, an attacker might gain unauthorized access to sensitive cached information or inject malicious data.\n\nUnpredictable Behavior: Collisions can cause the cache system to behave unpredictably, as it may retrieve or store data in unintended files, leading to system instability or incorrect behavior.\n\n### Mitigation Strategies\nTo mitigate these risks, consider the following strategies:\n\nUse a More Secure Hash Function: Replace MD5 with a more secure hash function like SHA-256, which has a significantly lower probability of collisions and is resistant to known attack vectors.\n\ncode at:https://github.com/beego/beego/blob/bb72dc27ac3970e51d38ee52fc3dc1465ae25b9d/client/cache/file.go#L126",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
   "affected": [
     {
       "package": {
@@ -54,6 +59,10 @@
       "type": "WEB",
       "url": "https://github.com/beego/beego/security/advisories/GHSA-9j3m-fr7q-jxfw"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55885"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/beego/beego/commit/e7fa4835f71f47ab1d13afd638cebf661800d5a4"
@@ -65,11 +74,12 @@
   ],
   "database_specific": {
     "cwe_ids": [
+      "CWE-327",
       "CWE-328"
     ],
-    "severity": "LOW",
+    "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2024-12-12T19:22:39Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2024-12-12T20:15:21Z"
   }
 }

advisories/github-reviewed/2024/12/GHSA-r279-47wg-chpr/GHSA-r279-47wg-chpr.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-r279-47wg-chpr",
-  "modified": "2024-12-12T19:20:56Z",
+  "modified": "2024-12-12T22:33:16Z",
   "published": "2024-12-12T19:20:56Z",
   "aliases": [
     "CVE-2024-55879"
@@ -59,6 +59,10 @@
       "type": "WEB",
       "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r279-47wg-chpr"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55879"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/xwiki/xwiki-platform/commit/8493435ff9606905a2d913607d6c79862d0c168d"
@@ -79,6 +83,6 @@
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2024-12-12T19:20:56Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2024-12-12T20:15:21Z"
   }
 }

advisories/github-reviewed/2024/12/GHSA-x6mh-rjwm-8ph7/GHSA-x6mh-rjwm-8ph7.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-x6mh-rjwm-8ph7",
-  "modified": "2024-12-12T19:22:53Z",
+  "modified": "2024-12-12T22:31:57Z",
   "published": "2024-12-12T19:22:53Z",
   "aliases": [
     "CVE-2024-55878"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/shuchkin/simplexlsx/security/advisories/GHSA-x6mh-rjwm-8ph7"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55878"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/shuchkin/simplexlsx/commit/cb4e716259e83d18e89292a4f1b721f4d34e28c2"
@@ -56,6 +60,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2024-12-12T19:22:53Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2024-12-12T20:15:21Z"
   }
 }