-
Notifications
You must be signed in to change notification settings - Fork 346
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
d988ee7
commit 82a9c26
Showing
2 changed files
with
175 additions
and
0 deletions.
There are no files selected for viewing
109 changes: 109 additions & 0 deletions
109
advisories/github-reviewed/2024/12/GHSA-vfm5-rmrh-j26v/GHSA-vfm5-rmrh-j26v.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,109 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-vfm5-rmrh-j26v", | ||
| "modified": "2024-12-10T22:42:27Z", | ||
| "published": "2024-12-10T22:42:27Z", | ||
| "aliases": [ | ||
| "CVE-2024-54133" | ||
| ], | ||
| "summary": "Possible Content Security Policy bypass in Action Dispatch", | ||
| "details": "There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper in Action Pack.\n\nImpact\n------\nApplications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nApplications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.\n\nCredits\n-------\nThanks to [ryotak](https://hackerone.com/ryotak) for the report!\n", | ||
| "severity": [], | ||
| "affected": [ | ||
| { | ||
| "package": { | ||
| "ecosystem": "RubyGems", | ||
| "name": "actionpack" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "5.2.0" | ||
| }, | ||
| { | ||
| "fixed": "7.0.8.7" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "package": { | ||
| "ecosystem": "RubyGems", | ||
| "name": "actionpack" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "7.1.0" | ||
| }, | ||
| { | ||
| "fixed": "7.1.5.1" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "package": { | ||
| "ecosystem": "RubyGems", | ||
| "name": "actionpack" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "7.2.0" | ||
| }, | ||
| { | ||
| "fixed": "7.2.2.1" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "package": { | ||
| "ecosystem": "RubyGems", | ||
| "name": "actionpack" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "8.0.0" | ||
| }, | ||
| { | ||
| "fixed": "8.0.0.1" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v" | ||
| }, | ||
| { | ||
| "type": "PACKAGE", | ||
| "url": "https://github.com/rails/rails" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-79" | ||
| ], | ||
| "severity": "LOW", | ||
| "github_reviewed": true, | ||
| "github_reviewed_at": "2024-12-10T22:42:27Z", | ||
| "nvd_published_at": null | ||
| } | ||
| } |
66 changes: 66 additions & 0 deletions
66
advisories/github-reviewed/2024/12/GHSA-vm32-9rqf-rh3r/GHSA-vm32-9rqf-rh3r.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,66 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-vm32-9rqf-rh3r", | ||
| "modified": "2024-12-10T22:42:41Z", | ||
| "published": "2024-12-10T22:42:41Z", | ||
| "aliases": [ | ||
| "CVE-2024-53866" | ||
| ], | ||
| "summary": "pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion", | ||
| "details": "### Summary\n\npnpm seems to mishandle overrides and global cache:\n1. Overrides from one workspace leak into npm metadata saved in global cache\n2. npm metadata from global cache affects other workspaces\n3. installs by default don't revalidate the data (including on first lockfile generation)\n\nThis can make workspace A (even running with `ignore-scripts=true`) posion global cache and execute scripts in workspace B\n\nUsers generally expect `ignore-scripts` to be sufficient to prevent immediate code execution on install (e.g. when the tree is just repacked/bundled without executing it).\n\nHere, that expectation is broken\n\n### Details\n\nSee PoC.\n\nIn it, overrides from a single run of A get leaked into e.g. `~/Library/Caches/pnpm/metadata/registry.npmjs.org/rimraf.json` and persistently affect all other projects using the cache\n\n### PoC\n\nPostinstall code used in PoC is benign and can be inspected in <https://www.npmjs.com/package/ponyhooves?activeTab=code>, it's just a `console.log`\n\n1. Remove store and cache\n On mac: `rm -rf ~/Library/Caches/pnpm ~/Library/pnpm/store`\n This step is not required in general, but we'll be using a popular package for PoC that's likely cached\n2. Create `A/package.json`:\n ```json\n {\n \"name\": \"A\",\n \"pnpm\": { \"overrides\": { \"rimraf>glob\": \"npm:ponyhooves@1\" } },\n \"dependencies\": { \"rimraf\": \"6.0.1\" }\n }\n ```\n Install it with `pnpm i --ignore-scripts` (the flag is not required, but the point of the demo is to show that it doesn't help)\n4. Create `B/package.json`:\n ```json\n {\n \"name\": \"B\",\n \"dependencies\": { \"rimraf\": \"6.0.1\" }\n }\n ```\n Install it with `pnpm i`\n\nResult:\n```console\nPackages: +3\n+++\nProgress: resolved 3, reused 3, downloaded 0, added 3, done\nnode_modules/.pnpm/[email protected]/node_modules/ponyhooves: Running postinstall script, done in 51ms\n\ndependencies:\n+ rimraf 6.0.1\n\nDone in 1.4s\n```\n\nAlso, that code got leaked into another project and it's lockfile now! \n\n### Impact\n\nGlobal state integrity is lost via operations that one would expect to be secure, enabling subsequently running arbitrary code execution on installs\n\nAs a work-around, use separate cache and store dirs in each workspace\n", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V4", | ||
| "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H" | ||
| } | ||
| ], | ||
| "affected": [ | ||
| { | ||
| "package": { | ||
| "ecosystem": "npm", | ||
| "name": "pnpm" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "9.15.0" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-vm32-9rqf-rh3r" | ||
| }, | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53866" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/pnpm/pnpm/commit/11afcddea48f25ed5117a87dc1780a55222b9743" | ||
| }, | ||
| { | ||
| "type": "PACKAGE", | ||
| "url": "https://github.com/pnpm/pnpm" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-346", | ||
| "CWE-426" | ||
| ], | ||
| "severity": "MODERATE", | ||
| "github_reviewed": true, | ||
| "github_reviewed_at": "2024-12-10T22:42:41Z", | ||
| "nvd_published_at": "2024-12-10T18:15:42Z" | ||
| } | ||
| } |