Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 2ba26f762ddd · 2026-03-11T00:10:38.000Z
GHSA-364q-w7vh-vhpc GHSA-6w48-2g9j-v9q5 GHSA-6xvm-j4wr-6v98 GHSA-74cf-pgh9-m5q2 GHSA-6w48-2g9j-v9q5 GHSA-74cf-pgh9-m5q2
diff --git a/advisories/github-reviewed/2026/03/GHSA-364q-w7vh-vhpc/GHSA-364q-w7vh-vhpc.json b/advisories/github-reviewed/2026/03/GHSA-364q-w7vh-vhpc/GHSA-364q-w7vh-vhpc.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-364q-w7vh-vhpc",
+  "modified": "2026-03-11T00:09:41Z",
+  "published": "2026-03-11T00:09:41Z",
+  "aliases": [
+    "CVE-2026-31817"
+  ],
+  "summary": "OliveTin's unsafe parsing of UniqueTrackingId can be used to write files",
+  "details": "When the `saveLogs` feature is enabled, OliveTin persists execution log entries to disk. The filename used for these log files is constructed in part from the user-supplied `UniqueTrackingId` field in the `StartAction` API request. This value is not validated or sanitized before being used in a file path, allowing an attacker to use directory traversal sequences (e.g., `../../../`) to write files to arbitrary locations on the filesystem.\n### Affected Code\n\n**Entry point — `service/internal/api/api.go` (line 130):**\n\nThe `UniqueTrackingId` from the API request is passed directly to the executor without validation:\n\n```go\nexecReq := executor.ExecutionRequest{\n    Binding:    pair,\n    TrackingID: req.Msg.UniqueTrackingId, // user-controlled, no validation\n    // ...\n}\n```\n\n**Tracking ID accepted as-is — `service/internal/executor/executor.go` (lines 508–512):**\n\nThe tracking ID is only replaced with a UUID if it is empty or a duplicate. Any other string, including one containing path separators, is accepted:\n\n```go\n_, isDuplicate := e.GetLog(req.TrackingID)\n\nif isDuplicate || req.TrackingID == \"\" {\n    req.TrackingID = uuid.NewString()\n}\n```\n\n**Filename construction — `service/internal/executor/executor.go` (line 1042):**\n\nThe tracking ID is interpolated directly into the log filename:\n\n```go\nfilename := fmt.Sprintf(\"%v.%v.%v\",\n    req.logEntry.ActionTitle,\n    req.logEntry.DatetimeStarted.Unix(),\n    req.logEntry.ExecutionTrackingID,\n)\n```\n\n**File write — `service/internal/executor/executor.go` (lines 1068–1069 and 1082–1083):**\n\nThe filename is joined to the configured log directory using `path.Join`, which calls `path.Clean` internally. `path.Clean` resolves `..` path segments, causing the final file path to escape the intended directory:\n\n```go\n// Results file (.yaml)\nfilepath := path.Join(dir, filename+\".yaml\")\nerr = os.WriteFile(filepath, data, 0600)\n\n// Output file (.log)\nfilepath := path.Join(dir, filename+\".log\")\nerr := os.WriteFile(filepath, []byte(data), 0600)\n```\n\n### Proof of Concept\n\nAn attacker sends the following `StartAction` request (Connect RPC or REST):\n\n```json\n{\n  \"bindingId\": \"<any-executable-action-id>\",\n  \"uniqueTrackingId\": \"../../../tmp/pwned\"\n}\n```\n\nAssuming the action title is `Ping the Internet` and the timestamp is `1741320000`, the constructed filename becomes:\n\n```\nPing the Internet.1741320000.../../../tmp/pwned\n```\n\nWhen `path.Join` processes this with a configured results directory like `/var/olivetin/logs`:\n\n```\npath.Join(\"/var/olivetin/logs\", \"Ping the Internet.1741320000.../../../tmp/pwned.yaml\")\n```\n\n`path.Clean` resolves the traversal:\n\n1. Path segments: `[\"var\", \"olivetin\", \"logs\", \"Ping the Internet.1741320000...\", \"..\", \"..\", \"..\", \"tmp\", \"pwned.yaml\"]`\n2. The `..` segments traverse upward past the log directory.\n3. Final resolved path: `/tmp/pwned.yaml`\n\nTwo files are written:\n\n- **`.yaml` file** — contains YAML-serialized `InternalLogEntry` (action title, icon, timestamps, exit code, output, tags, username, tracking ID)\n- **`.log` file** — contains the raw command output (potentially attacker-influenced if the action echoes its arguments)\n\n### Impact\n\n- **Arbitrary file write** to any path writable by the OliveTin process.\n- OliveTin frequently runs as root inside Docker containers, so the writable scope is often the entire filesystem.\n- An attacker could:\n  - Overwrite OliveTin's own `sessions.yaml` to inject authenticated sessions.\n  - Write to entity file directories to inject malicious entity data.\n  - Write to system cron directories or other locations to achieve remote code execution.\n  - Cause denial of service by overwriting critical system files.\n\n### Suggested Fix\n\nValidate the `UniqueTrackingId` to ensure it only contains safe characters before use. A strict UUID format check is the simplest approach:\n\n```go\nimport \"regexp\"\n\nvar validTrackingID = regexp.MustCompile(`^[a-fA-F0-9\\-]+$`)\n\n// In ExecRequest, before accepting the user-supplied ID:\nif req.TrackingID == \"\" || !validTrackingID.MatchString(req.TrackingID) {\n    req.TrackingID = uuid.NewString()\n}\n```\n\nAlternatively, sanitize the filename in `stepSaveLog` by stripping or rejecting path separators and `..` sequences.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/OliveTin/OliveTin"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20260309102040-b03af0e2eca3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-364q-w7vh-vhpc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/OliveTin/OliveTin/commit/2f77000de44f65690f257e3cf8e2c8462b0e74c7"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/OliveTin/OliveTin"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-11T00:09:41Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-6w48-2g9j-v9q5/GHSA-6w48-2g9j-v9q5.json b/advisories/github-reviewed/2026/03/GHSA-6w48-2g9j-v9q5/GHSA-6w48-2g9j-v9q5.json
@@ -0,0 +1,105 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6w48-2g9j-v9q5",
+  "modified": "2026-03-11T00:08:54Z",
+  "published": "2026-03-09T09:30:31Z",
+  "aliases": [
+    "CVE-2026-24713"
+  ],
+  "summary": "Apache IoTDB has an Improper Input Validation vulnerability",
+  "details": "Improper Input Validation vulnerability in Apache IoTDB.\n\nThis issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7.\n\nUsers are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.iotdb:iotdb-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.0.0"
+            },
+            {
+              "fixed": "1.3.7"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.iotdb:iotdb-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.0.0"
+            },
+            {
+              "fixed": "2.0.7"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24713"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/iotdb/commit/8fbfddc5f83771f1b339c457de597fe877f686d2"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/iotdb"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/iotdb/compare/v1.3.6...v1.3.7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/iotdb/compare/v2.0.6...v2.0.7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/iotdb/releases/tag/v1.3.7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/iotdb/releases/tag/v2.0.7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/vopgv6y2ccw403b0zv7rvojjrh7x1j5p"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2026/03/09/4"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20",
+      "CWE-917"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-11T00:08:54Z",
+    "nvd_published_at": "2026-03-09T09:16:02Z"
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-6xvm-j4wr-6v98/GHSA-6xvm-j4wr-6v98.json b/advisories/github-reviewed/2026/03/GHSA-6xvm-j4wr-6v98/GHSA-6xvm-j4wr-6v98.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6xvm-j4wr-6v98",
+  "modified": "2026-03-11T00:09:19Z",
+  "published": "2026-03-11T00:09:19Z",
+  "aliases": [
+    "CVE-2026-31812"
+  ],
+  "summary": "Quinn affected by unauthenticated remote DoS via panic in QUIC transport parameter parsing",
+  "details": "### Summary\nA remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable `quinn` versions by sending a crafted QUIC Initial packet containing malformed `quic_transport_parameters`. `In quinn-proto` parsing logic, attacker-controlled varints are decoded with `unwrap()`, so truncated encodings cause `Err(UnexpectedEnd)` and `panic`. This is reachable over the network with a single packet and no prior trust or authentication.\n\n### Details\nThe issue is panic-on-untrusted-input in QUIC transport parameter parsing.\nIn `quinn-proto` (observed in `quinn-proto 0.11.13`), parsing of some transport parameters uses a fallible varint decode followed by `unwrap()`. For malformed/truncated parameter values, decode returns `UnexpectedEnd`, and `unwrap()` panics.\n\n#### Observed output:\n```\nthread 'tokio-rt-worker' (2366474) panicked at quinn-proto/src/transport_parameters.rs:473:67:\ncalled `Result::unwrap()` on an `Err` value: UnexpectedEnd\n```\n\n### PoC\n#### Reproduces against the upstream Quinn server example.\n1. Start server:\n```\ncargo run --example server -- ./\n```\n2. Prepare PoC client environment:\n```\npython3 -m venv .venv\nsource .venv/bin/activate\npip install aioquic\n```\n3. Run PoC script [attack.py](https://github.com/user-attachments/files/25741713/attack.py) against server QUIC listener (default example target shown):\n```\npython attack.py\n```\n#### Observed output\n```\nthread 'tokio-rt-worker' (2366903) panicked at quinn-proto/src/transport_parameters.rs:473:67:\ncalled `Result::unwrap()` on an `Err` value: UnexpectedEnd\n```\n\n\n\n### Impact\nVulnerability type: Remote Denial of Service (panic/crash)\nAttack requirements:  Network reachability to UDP QUIC listener\nAuthentication/privileges: None\nWho is impacted: Any server/application using affected `quinn/quinn-proto` versions where this parse path is reachable; process-level impact depends on integration panic handling policy\n\n\nThis vulnerability was originally submitted by @revofusion to the Ethereum Foundation bug bounty program",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "quinn-proto"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.11.14"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/quinn-rs/quinn/security/advisories/GHSA-6xvm-j4wr-6v98"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/quinn-rs/quinn/pull/2559"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/quinn-rs/quinn"
+    },
+    {
+      "type": "WEB",
+      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0037.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-248"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-11T00:09:19Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-74cf-pgh9-m5q2/GHSA-74cf-pgh9-m5q2.json b/advisories/github-reviewed/2026/03/GHSA-74cf-pgh9-m5q2/GHSA-74cf-pgh9-m5q2.json
@@ -0,0 +1,100 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-74cf-pgh9-m5q2",
+  "modified": "2026-03-11T00:08:44Z",
+  "published": "2026-03-09T09:30:31Z",
+  "aliases": [
+    "CVE-2026-24015"
+  ],
+  "summary": "Apache IoTDB has an Insecure Default Configuration Vulnerability",
+  "details": "A vulnerability in Apache IoTDB.\n\nThis issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7.\n\nUsers are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.iotdb:iotdb-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.0.0"
+            },
+            {
+              "fixed": "1.3.7"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.iotdb:iotdb-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.0.0"
+            },
+            {
+              "fixed": "2.0.7"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24015"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/iotdb"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/iotdb/compare/v1.3.6...v1.3.7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/iotdb/compare/v2.0.6...v2.0.7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/iotdb/releases/tag/v1.3.7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/iotdb/releases/tag/v2.0.7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/j769ywdqm46zl3oz5lbffsldklg0ow7p"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2026/03/09/5"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1327"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-11T00:08:44Z",
+    "nvd_published_at": "2026-03-09T09:16:02Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/03/GHSA-6w48-2g9j-v9q5/GHSA-6w48-2g9j-v9q5.json b/advisories/unreviewed/2026/03/GHSA-6w48-2g9j-v9q5/GHSA-6w48-2g9j-v9q5.json
diff --git a/advisories/unreviewed/2026/03/GHSA-74cf-pgh9-m5q2/GHSA-74cf-pgh9-m5q2.json b/advisories/unreviewed/2026/03/GHSA-74cf-pgh9-m5q2/GHSA-74cf-pgh9-m5q2.json
