Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 1b475fe52ad1 · 2026-03-10T01:20:20.000Z
GHSA-9c4h-pwmf-m6fj GHSA-f7pm-6hr8-7ggm GHSA-xv8g-fj9h-6gmv
diff --git a/advisories/github-reviewed/2026/03/GHSA-9c4h-pwmf-m6fj/GHSA-9c4h-pwmf-m6fj.json b/advisories/github-reviewed/2026/03/GHSA-9c4h-pwmf-m6fj/GHSA-9c4h-pwmf-m6fj.json
@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9c4h-pwmf-m6fj",
+  "modified": "2026-03-10T01:19:29Z",
+  "published": "2026-03-10T01:19:29Z",
+  "aliases": [
+    "CVE-2026-30960"
+  ],
+  "summary": "RSSN has Arbitrary Code Execution via Unvalidated JIT Instruction Generation in C-FFI Interface",
+  "details": "## Impact\n\n**Vulnerability Type**: \nImproper Control of Generation of Code ('Code Injection') (CWE-94) / Improper Check for Unusual or Exceptional Conditions (CWE-754) / Improper Input Validation (CWE-20) / Use of Low-Level Functionality (CWE-695) / Improper Privilege Management (CWE-269) / External Control of System or Configuration Setting (CWE-15).\n\n**Technical Details**:\nThe vulnerability exists in the JIT (Just-In-Time) compilation engine, which is fully exposed via the CFFI (Foreign Function Interface). Due to Improper Input Validation and External Control of Code Generation, an attacker can supply malicious parameters or instruction sequences through the CFFI layer. Since the library often operates with elevated privileges or within high-performance computing contexts, this allows for Arbitrary Code Execution (ACE) at the privilege level of the host process.\n\n## Who is Impacted?\n\n * Developers using the library as a dynamic linked library (.so, .dll, .dylib) in multi-language environments (e.g., Python, Node.js, C++).\n * Cloud Service Providers running the library in multi-tenant environments or automated model-training pipelines.\n * Users processing untrusted or third-party datasets/models that may trigger malicious JIT instruction generation.\nPatches\n * Affected versions: < 0.2.8\n * Patched version: 0.2.9\n\n## Workarounds\n\nIf you cannot upgrade immediately, please consider the following mitigations:\n * Strict Sandboxing: Run the library within a restricted sandbox (e.g., WebAssembly, Docker with non-root user, or seccomp profiles) to limit system call access.\n * Principle of Least Privilege: Ensure the process calling the library does not have administrative or root privileges.\n * Input Filtering: If possible, implement an application-level validation layer to sanitize any data passed to the CFFI interfaces.\n * Disable JIT (if applicable): If your workload allows, use the interpreter-only mode (if provided by the library) to bypass the JIT engine entirely.\nCVSS Score\n * Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H\n * Base Score: 9.4 (Critical)\n\n## References\n\n[Apich Organization Security Team Homepage](https://security.apich.org/)",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "rssn"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.2.9"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/Apich-Organization/rssn/security/advisories/GHSA-9c4h-pwmf-m6fj"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Apich-Organization/rssn"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Apich-Organization/rssn/releases/tag/v0.2.9"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-15",
+      "CWE-20",
+      "CWE-269",
+      "CWE-695",
+      "CWE-754",
+      "CWE-94"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-10T01:19:29Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-f7pm-6hr8-7ggm/GHSA-f7pm-6hr8-7ggm.json b/advisories/github-reviewed/2026/03/GHSA-f7pm-6hr8-7ggm/GHSA-f7pm-6hr8-7ggm.json
@@ -0,0 +1,99 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f7pm-6hr8-7ggm",
+  "modified": "2026-03-10T01:19:46Z",
+  "published": "2026-03-10T01:19:46Z",
+  "aliases": [
+    "CVE-2026-30964"
+  ],
+  "summary": "Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation",
+  "details": "### Summary\nWhen `allowed_origins` is configured, `CheckAllowedOrigins` reduces URL-like values to their `host` and accepts on host match. This makes exact origin policies impossible to express: scheme and port differences are lost for URL-like entries.\n\n### Details\n`CheckAllowedOrigins` stores each configured allowed origin as:\n\n- `parse_url($allowedOrigin)['host'] ?? $allowedOrigin`\n\nand later reduces the received `clientDataJSON.origin` the same way:\n\n- `parse_url($C->origin)['host'] ?? $C->origin`\n\nIf the reduced value matches, the method returns early. As a result, for the normal `allowed_origins` path, the later HTTPS check is not reached.\n\nThis differs from WebAuthn Level 2, which requires verifying that `C.origin` matches the RP’s origin, separately from verifying that `authData.rpIdHash` matches the expected RP ID.\n\nCode:\n- [CheckAllowedOrigins.php](https://github.com/web-auth/webauthn-framework/blob/d58906e/src/webauthn/src/CeremonyStep/CheckAllowedOrigins.php)\n- [CeremonyStepManagerFactoryCompilerPass.php](https://github.com/web-auth/webauthn-framework/blob/d58906e/src/symfony/src/DependencyInjection/Compiler/CeremonyStepManagerFactoryCompilerPass.php)\n\nSpec:\n\n- [WebAuthn Level 2 - §7.1 Registering a New Credential](https://www.w3.org/TR/webauthn-2/#sctn-registering-a-new-credential)\n- [WebAuthn Level 2 - §7.2 Verifying an Authentication Assertion](https://www.w3.org/TR/webauthn-2/#sctn-verifying-assertion)\n- [WebAuthn Level 2 - RP ID definition / origin constraints](https://www.w3.org/TR/webauthn-2/#relying-party-identifier)\n- [WebAuthn Level 2 - CollectedClientData.origin](https://www.w3.org/TR/webauthn-2/#dom-collectedclientdata-origin)\n\n### PoC\nConfiguration:\n\n```yaml\nwebauthn:\n  allowed_origins:\n    - https://login.example.com:8443\n  allow_subdomains: false\n````\n\nSend a registration or authentication response whose `clientDataJSON.origin` is:\n\n```text\nhttps://login.example.com:9443\n```\n\nObserved result:\nthe response is accepted by `CheckAllowedOrigins`, because both values are reduced to `login.example.com`.\n\nExpected result:\nthe response should be rejected, because `https://login.example.com:8443` and `https://login.example.com:9443` are different origins.\n\n### Impact\n\nThis is an origin validation error affecting deployments that use `allowed_origins`.\n\nIt bypasses the separate exact-origin check required by WebAuthn. The most practical browser-facing example is same-host / different-port origin confusion. In non-browser or custom clients, scheme confusion for URL-like entries may also be relevant.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "web-auth/webauthn-framework"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.2.4"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "web-auth/webauthn-lib"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.2.4"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "web-auth/webauthn-symfony-bundle"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.2.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/web-auth/webauthn-framework/security/advisories/GHSA-f7pm-6hr8-7ggm"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/web-auth/webauthn-framework/commit/535cc3c2dcbd9c3dfd5e00a254ad4a984e5e7839"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/web-auth/webauthn-framework"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-346"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-10T01:19:46Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-xv8g-fj9h-6gmv/GHSA-xv8g-fj9h-6gmv.json b/advisories/github-reviewed/2026/03/GHSA-xv8g-fj9h-6gmv/GHSA-xv8g-fj9h-6gmv.json
@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xv8g-fj9h-6gmv",
+  "modified": "2026-03-10T01:18:20Z",
+  "published": "2026-03-10T01:18:20Z",
+  "aliases": [],
+  "summary": "Linkdave Missing Authentication on REST and WebSocket endpoints",
+  "details": "### Impact\nThe `linkdave` HTTP server does not enforce authentication on its REST and WebSocket routes. Because this server may be exposed to the internet, any unauthenticated remote attacker can connect to these endpoints.\n\n### Patches\n[1.2.5](https://github.com/shi-gg/linkdave/commit/0f9a00d9d549b16278db81fce6dfec350c2abc01)\n\n### Workarounds\nIf upgrading is not immediately possible, users can mitigate this issue by:\n- Restricting network access to the server's port using a firewall so it is only accessible from trusted internal IP addresses.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/shi-gg/linkdave"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.1.5"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/shi-gg/linkdave/security/advisories/GHSA-xv8g-fj9h-6gmv"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/shi-gg/linkdave/commit/0f9a00d9d549b16278db81fce6dfec350c2abc01"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/shi-gg/linkdave"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-306"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-10T01:18:20Z",
+    "nvd_published_at": null
+  }
+}
