Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit e841a330d2fd · 2023-10-19T20:02:49.000Z
GHSA-2c28-m2m7-mf55 GHSA-hmgw-9jrg-hf2m GHSA-w4m2-qmh3-2g8f
diff --git a/advisories/github-reviewed/2023/10/GHSA-2c28-m2m7-mf55/GHSA-2c28-m2m7-mf55.json b/advisories/github-reviewed/2023/10/GHSA-2c28-m2m7-mf55/GHSA-2c28-m2m7-mf55.json
@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2c28-m2m7-mf55",
-  "modified": "2023-10-16T00:30:26Z",
+  "modified": "2023-10-19T20:01:32Z",
   "published": "2023-10-16T00:30:26Z",
   "aliases": [
     "CVE-2023-5588"
   ],
+  "summary": "Pleroma Path Traversal vulnerability",
   "details": "A vulnerability was found in kphrx pleroma. It has been classified as problematic. This affects the function Pleroma.Emoji.Pack of the file lib/pleroma/emoji/pack.ex. The manipulation of the argument name leads to path traversal. The complexity of an attack is rather high. The exploitability is told to be difficult. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The patch is named 2c795094535537a8607cc0d3b7f076a609636f40. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-242187.",
   "severity": [
     {
@@ -14,7 +15,30 @@
     }
   ],
   "affected": [
-
+    {
+      "package": {
+        "ecosystem": "Hex",
+        "name": "pleroma"
+      },
+      "ecosystem_specific": {
+        "affected_functions": [
+          ""
+        ]
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.5.3"
+            }
+          ]
+        }
+      ]
+    }
   ],
   "references": [
     {
@@ -29,6 +53,14 @@
       "type": "WEB",
       "url": "https://github.com/kphrx/pleroma/commit/2c795094535537a8607cc0d3b7f076a609636f40"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/kphrx/pleroma/"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kphrx/pleroma/commits/v2.5.3"
+    },
     {
       "type": "WEB",
       "url": "https://vuldb.com/?ctiid.242187"
@@ -43,8 +75,8 @@
       "CWE-22"
     ],
     "severity": "LOW",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2023-10-19T20:01:32Z",
     "nvd_published_at": null
   }
 }
diff --git a/advisories/github-reviewed/2023/10/GHSA-hmgw-9jrg-hf2m/GHSA-hmgw-9jrg-hf2m.json b/advisories/github-reviewed/2023/10/GHSA-hmgw-9jrg-hf2m/GHSA-hmgw-9jrg-hf2m.json
@@ -0,0 +1,70 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hmgw-9jrg-hf2m",
+  "modified": "2023-10-19T20:02:04Z",
+  "published": "2023-10-19T20:02:04Z",
+  "aliases": [
+    "CVE-2023-45820"
+  ],
+  "summary": "Directus crashes on invalid WebSocket message",
+  "details": "### Summary\nIt seems that any Directus installation that has websockets enabled can be crashed if the websocket server receives an invalid frame. This could probably be posted as an issue and I might even be able to put together a pull request for a fix (if only I had some extra time...), but I decided to instead post as a vulnerability just for the maintainers, since this seemingly can be used to crash any live Directus server if websockets are enabled, so public disclosure is not a good idea until the issue is fixed.\n\n### Details\nThe fix for this seems quite simple; the websocket server just needs to properly catch the error instead of crashing the server. See for example: https://github.com/websockets/ws/issues/2098\n\n### PoC\n- Start a fresh Directus server (using for example the compose file here: https://docs.directus.io/self-hosted/docker-guide.html). Enable websockets by setting `WEBSOCKETS_ENABLED: 'true'` environment variable.\n- run a separate node app somewhere else to send an invalid frame to the server:\n\n```\nconst WebSocket = require(\"ws\");\nconst websocket = new WebSocket(\"ws://0.0.0.0:8055/websocket\");\nwebsocket.on(\"open\", function () {\n  const chunk = Buffer.from(\"a180\", \"hex\");\n  websocket._socket.write(chunk);\n});\n```\n\n### Impact\nThe server crashes with an error: `RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear`. Server needs to be manually restarted to get back online (if there's no recovery mechanism in place, as there often isn't with simple node servers). This was confirmed on a local server, and additionally I was able to crash our staging server with the same code, just pointing to our staging Directus server running at fly.io. It seems to also crash servers running in the [directus.cloud](https://directus.cloud) service. I created https://websocket-test.directus.app/, pointed the above script to the websocket url of that instance and the server does crash for a while. It seems that in there there's a mechanism for bringing the server back up quite fast, but it would be quite trivial for anyone to DoS any server running in directus.cloud by just spamming these invalid frames to the server. ",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "directus"
+      },
+      "ecosystem_specific": {
+        "affected_functions": [
+          ""
+        ]
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.4.0"
+            },
+            {
+              "fixed": "10.6.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/directus/directus/security/advisories/GHSA-hmgw-9jrg-hf2m"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/directus/directus/commit/243eed781b42d6b4948ddb8c3792bcf5b44f55bb"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/directus/directus"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/directus/directus/releases/tag/v10.6.2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2023-10-19T20:02:04Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2023/10/GHSA-w4m2-qmh3-2g8f/GHSA-w4m2-qmh3-2g8f.json b/advisories/github-reviewed/2023/10/GHSA-w4m2-qmh3-2g8f/GHSA-w4m2-qmh3-2g8f.json
@@ -1,23 +1,51 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-w4m2-qmh3-2g8f",
-  "modified": "2023-10-19T18:30:30Z",
+  "modified": "2023-10-19T20:02:23Z",
   "published": "2023-10-19T18:30:30Z",
   "aliases": [
     "CVE-2023-45277"
   ],
+  "summary": "Yamcs Path Traversal vulnerability",
   "details": "Yamcs 5.8.6 is vulnerable to directory traversal (issue 1 of 2). The vulnerability is in the storage functionality of the API and allows one to escape the base directory of the buckets, freely navigate system directories, and read arbitrary files.",
   "severity": [
 
   ],
   "affected": [
-
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.yamcs:yamcs"
+      },
+      "ecosystem_specific": {
+        "affected_functions": [
+          ""
+        ]
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.8.7"
+            }
+          ]
+        }
+      ]
+    }
   ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45277"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/yamcs/yamcs"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/yamcs/yamcs/compare/yamcs-5.8.6...yamcs-5.8.7"
@@ -29,11 +57,11 @@
   ],
   "database_specific": {
     "cwe_ids": [
-
+      "CWE-22"
     ],
-    "severity": null,
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2023-10-19T20:02:23Z",
     "nvd_published_at": null
   }
 }
