Publish Advisories

GHSA-qvf5-hvjx-wm27 GHSA-xcpr-7mr4-h4xq GHSA-rhx6-c78j-4q9w GHSA-6729-95v3-pjc2 GHSA-8c3x-hq82-gjcm
2025-01-24 21:42:04 +00:00 · 2025-01-24 21:42:04 +00:00 · 3376d88c29
--- a/advisories/github-reviewed/2024/11/GHSA-qvf5-hvjx-wm27/GHSA-qvf5-hvjx-wm27.json
+++ b/advisories/github-reviewed/2024/11/GHSA-qvf5-hvjx-wm27/GHSA-qvf5-hvjx-wm27.json
@ -1,7 +1,7 @@
 {
  "schema_version": "1.4.0",
  "id": "GHSA-qvf5-hvjx-wm27",
-  "modified": "2024-11-18T21:03:05Z",
+  "modified": "2025-01-24T21:41:11Z",
  "published": "2024-11-18T12:30:43Z",
  "aliases": [
    "CVE-2024-52317"
@ -154,6 +154,14 @@
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/ty376mrxy1mmxtw3ogo53nc9l3co3dfs"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.netapp.com/advisory/ntap-20250124-0004"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2024/11/18/3"
    }
  ],
  "database_specific": {
--- a/advisories/github-reviewed/2024/11/GHSA-xcpr-7mr4-h4xq/GHSA-xcpr-7mr4-h4xq.json
+++ b/advisories/github-reviewed/2024/11/GHSA-xcpr-7mr4-h4xq/GHSA-xcpr-7mr4-h4xq.json
@ -1,7 +1,7 @@
 {
  "schema_version": "1.4.0",
  "id": "GHSA-xcpr-7mr4-h4xq",
-  "modified": "2024-11-18T23:48:03Z",
+  "modified": "2025-01-24T21:41:16Z",
  "published": "2024-11-18T12:30:43Z",
  "aliases": [
    "CVE-2024-52316"
@ -100,6 +100,14 @@
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/lopzlqh91jj9n334g02om08sbysdb928"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.netapp.com/advisory/ntap-20250124-0003"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2024/11/18/2"
    }
  ],
  "database_specific": {
--- a/advisories/github-reviewed/2024/12/GHSA-rhx6-c78j-4q9w/GHSA-rhx6-c78j-4q9w.json
+++ b/advisories/github-reviewed/2024/12/GHSA-rhx6-c78j-4q9w/GHSA-rhx6-c78j-4q9w.json
@ -1,14 +1,19 @@
 {
  "schema_version": "1.4.0",
  "id": "GHSA-rhx6-c78j-4q9w",
-  "modified": "2024-12-06T00:33:27Z",
+  "modified": "2025-01-24T21:41:07Z",
  "published": "2024-12-05T22:40:47Z",
  "aliases": [
    "CVE-2024-52798"
  ],
  "summary": "Unpatched `path-to-regexp` ReDoS in 0.1.x",
  "details": "### Impact\n\nThe regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of `path-to-regexp`, originally reported in CVE-2024-45296\n\n### Patches\n\nUpgrade to 0.1.12.\n\n### Workarounds\n\nAvoid using two parameters within a single path segment, when the separator is not `.` (e.g. no `/:a-:b`). Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking.\n\n### References\n\n- https://github.com/advisories/GHSA-9wv6-86v2-598j\n- https://blakeembrey.com/posts/2024-09-web-redos/",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
  "affected": [
    {
      "package": {
@ -50,13 +55,17 @@
    {
      "type": "PACKAGE",
      "url": "https://github.com/pillarjs/path-to-regexp"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.netapp.com/advisory/ntap-20250124-0002"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
-    "severity": "MODERATE",
+    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-05T22:40:47Z",
    "nvd_published_at": "2024-12-05T23:15:06Z"
--- a/advisories/github-reviewed/2025/01/GHSA-6729-95v3-pjc2/GHSA-6729-95v3-pjc2.json
+++ b/advisories/github-reviewed/2025/01/GHSA-6729-95v3-pjc2/GHSA-6729-95v3-pjc2.json
@ -1,7 +1,7 @@
 {
  "schema_version": "1.4.0",
  "id": "GHSA-6729-95v3-pjc2",
-  "modified": "2025-01-24T20:40:15Z",
+  "modified": "2025-01-24T21:40:43Z",
  "published": "2025-01-24T20:40:15Z",
  "aliases": [
    "CVE-2025-24363"
@ -59,16 +59,30 @@
      "type": "WEB",
      "url": "https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-6729-95v3-pjc2"
    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24363"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/HL7/fhir-ig-publisher/commit/d968694b7dd041640efab5414d7077d5028569f7"
+    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/HL7/fhir-ig-publisher"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/HL7/fhir-ig-publisher/releases/tag/1.8.9"
    }
  ],
  "database_specific": {
-    "cwe_ids": [],
+    "cwe_ids": [
+      "CWE-200"
+    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-24T20:40:15Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2025-01-24T19:15:13Z"
  }
 }
--- a/advisories/github-reviewed/2025/01/GHSA-8c3x-hq82-gjcm/GHSA-8c3x-hq82-gjcm.json
+++ b/advisories/github-reviewed/2025/01/GHSA-8c3x-hq82-gjcm/GHSA-8c3x-hq82-gjcm.json
@ -1,14 +1,19 @@
 {
  "schema_version": "1.4.0",
  "id": "GHSA-8c3x-hq82-gjcm",
-  "modified": "2025-01-24T18:33:29Z",
+  "modified": "2025-01-24T21:40:45Z",
  "published": "2025-01-24T18:33:29Z",
  "aliases": [
    "CVE-2024-52807"
  ],
  "summary": "XXE vulnerability in XSLT parsing in `org.hl7.fhir.publisher`",
  "details": "### Impact\nXSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.publisher is being used to within a host where external clients can submit XML.\n\nA previous release provided an incomplete solution revealed by new testing. \n\n### Patches\nThis issue has been patched as of version 1.7.4\n\n### Workarounds\nNone\n\n### References\n[Previous Advisory for Incomplete solution](https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-59rq-22fm-x8q5)\n[MITRE CWE](https://cwe.mitre.org/data/definitions/611.html)\n[OWASP XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory)",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
+    }
+  ],
  "affected": [
    {
      "package": {
@ -58,9 +63,17 @@
      "type": "WEB",
      "url": "https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-8c3x-hq82-gjcm"
    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52807"
+    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/HL7/fhir-ig-publisher"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/HL7/fhir-ig-publisher/compare/1.7.3...1.7.4"
    }
  ],
  "database_specific": {
@ -70,6 +83,6 @@
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-24T18:33:29Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2025-01-24T19:15:12Z"
  }
 }