
Commit 75bc03c

1 parent 7a89d29 commit 75bc03c

3 files changed

Lines changed: 24 additions & 4 deletions

File tree

advisories/github-reviewed/2025/03/GHSA-9mc5-7qhg-fp3w/GHSA-9mc5-7qhg-fp3w.json

Lines changed: 13 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-9mc5-7qhg-fp3w",
4-
"modified": "2025-03-21T21:51:07Z",
4+
"modified": "2026-02-08T01:00:10Z",
55
"published": "2025-03-11T21:12:54Z",
66
"aliases": [
77
"CVE-2025-27591"
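Review bot: `schema_version` stays at `1.4.0` in this hunk while the same commit adds a `CVSS_V4` severity entry further down in this file; `CVSS_V4` is a severity type the OSV schema introduced after 1.4.0, so either bump `schema_version` or confirm that consumers validating against 1.4.0 tolerate an unknown `severity[].type`. The `modified` bump to `2026-02-08T01:00:10Z` with `published` left unchanged is consistent with the additions below.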
@@ -12,6 +12,10 @@
1212
{
1313
"type": "CVSS_V3",
1414
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
15+
},
16+
{
17+
"type": "CVSS_V4",
18+
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
1519
}
1620
],
1721
"affected": [
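Review bot: the new CVSS v4 vector carries `AT:P` (attack requirements present) while the existing v3.1 vector scores `AC:L`; v4 split attack complexity into `AC` and `AT`, so the pair is not contradictory, but `AT:P` should be deliberate and match the precondition described in the advisory text rather than a default. The vector itself is well-formed (all eleven base metrics present) and the `SC:N/SI:N/SA:N` subsequent-system metrics match the v3.1 `S:U` scope.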
@@ -56,10 +60,18 @@
5660
"type": "PACKAGE",
5761
"url": "https://github.com/facebookincubator/below"
5862
},
63+
{
64+
"type": "WEB",
65+
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0149.html"
66+
},
5967
{
6068
"type": "WEB",
6169
"url": "https://www.facebook.com/security/advisories/cve-2025-27591"
6270
},
71+
{
72+
"type": "WEB",
73+
"url": "https://www.openwall.com/lists/oss-security/2025/03/12/1"
74+
},
6375
{
6476
"type": "WEB",
6577
"url": "http://www.openwall.com/lists/oss-security/2025/03/12/1"
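Review bot: the added `https://www.openwall.com/lists/oss-security/2025/03/12/1` reference duplicates the pre-existing `http://www.openwall.com/lists/oss-security/2025/03/12/1` entry that remains at the end of the hunk; keep only the `https` form and drop the `http` one so consumers do not get the same post twice. The new RustSec reference (`RUSTSEC-2025-0149`) is the useful addition here.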

advisories/github-reviewed/2026/02/GHSA-3cx6-j9j4-54mp/GHSA-3cx6-j9j4-54mp.json

Lines changed: 9 additions & 1 deletion
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-3cx6-j9j4-54mp",
4-
"modified": "2026-02-03T17:21:17Z",
4+
"modified": "2026-02-08T01:01:36Z",
55
"published": "2026-02-03T17:21:17Z",
66
"aliases": [
77
"CVE-2025-65017"
@@ -78,6 +78,14 @@
7878
{
7979
"type": "WEB",
8080
"url": "https://github.com/decidim/decidim/releases/tag/v0.31.0"
81+
},
82+
{
83+
"type": "WEB",
84+
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2025-65017.yml"
85+
},
86+
{
87+
"type": "WEB",
88+
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2025-65017.yml"
8189
}
8290
],
8391
"database_specific": {
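Review bot: the two new ruby-advisory-db references point at separate gem entries (`gems/decidim-core/CVE-2025-65017.yml` and `gems/decidim/CVE-2025-65017.yml`), which implies both the `decidim` and `decidim-core` packages are affected; confirm the `affected` array in this file lists both gems with matching ranges, since the hunk only touches `references`. Both links also target `blob/master`, which is mutable; that is the usual convention here, but a commit-pinned URL would make the reference stable.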

advisories/github-reviewed/2026/02/GHSA-wxrw-gvg8-fqjp/GHSA-wxrw-gvg8-fqjp.json

Lines changed: 2 additions & 2 deletions
@@ -1,13 +1,13 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-wxrw-gvg8-fqjp",
4-
"modified": "2026-02-06T22:52:00Z",
4+
"modified": "2026-02-08T00:59:55Z",
55
"published": "2026-02-06T22:52:00Z",
66
"aliases": [
77
"CVE-2026-25791"
88
],
99
"summary": "Sliver has DNS C2 OTP Bypass that Allows Unauthenticated Session Flooding and Denial of Service",
10-
"details": "## Summary\nThe DNS C2 listener accepts unauthenticated `TOTP` bootstrap messages and allocates server-side DNS sessions without validating OTP values, even when `EnforceOTP` is enabled. Because sessions are stored without a cleanup/expiry path in this flow, an unauthenticated remote actor can repeatedly create sessions and drive memory exhaustion.\n\n## Vulnerable Component\n- `server/c2/dns.go:84-90` (`EnforceOTP` stored but not enforced in bootstrap)\n- `server/c2/dns.go:378-390` (`TOTP` requests routed directly to bootstrap)\n- `server/c2/dns.go:490-521` (`handleHello` allocates session without OTP validation)\n- `server/c2/dns.go:495` (`sessions.Store` with no lifecycle control in this path)\n- `client/command/jobs/dns.go:46-52` (operator-facing `EnforceOTP` control implies auth gate)\n- `implant/sliver/transports/dnsclient/dnsclient.go:896-900` (`otpMsg` sends `TOTP` with `ID=0`)\n- `protobuf/dnspb/dns.proto:22` (documents TOTP in `ID` field)\n\n## Attack Vector\n- Network-accessible DNS listener\n- No authentication required\n- Low-complexity repeated DNS query loop\n- Trigger path: `DNSMessageType_TOTP` bootstrap handling\n\n## Proof of Concept\n### Preconditions\n- DNS listener is reachable\n- DNS C2 job is active\n\n### Reproduction Steps\n1. Send repeated DNS queries with a minimal protobuf message of type `TOTP`.\n2. Observe repeated session allocation/issuance behavior.\n3. 
Continue requests to increase active in-memory session state.\n\n### Example\n```bash\nwhile true; do\n dig +short @<DNS_C2_IP> baa8.<parent-domain> A >/dev/null\ndone\n```\n\n`baa8` is a base32 payload for a minimal TOTP-type protobuf message.\n\n### Observable Indicators\n- Repeated bootstrap/session-allocation log entries from `handleHello`\n- Rising memory usage in the Sliver server process\n- Service slowdown or instability under sustained request volume\n\n## Impact\n- Unauthenticated remote denial of service (availability)\n- Resource exhaustion through unbounded session growth in DNS bootstrap path",
10+
"details": "## Summary\nThe DNS C2 listener accepts unauthenticated `TOTP` bootstrap messages and allocates server-side DNS sessions without validating OTP values, even when `EnforceOTP` is enabled. Because sessions are stored without a cleanup/expiry path in this flow, an unauthenticated remote actor can repeatedly create sessions and drive memory exhaustion.\n\n## Vulnerable Component\n- `server/c2/dns.go:84-90` (`EnforceOTP` stored but not enforced in bootstrap)\n- `server/c2/dns.go:378-390` (`TOTP` requests routed directly to bootstrap)\n- `server/c2/dns.go:490-521` (`handleHello` allocates session without OTP validation)\n- `server/c2/dns.go:495` (`sessions.Store` with no lifecycle control in this path)\n- `client/command/jobs/dns.go:46-52` (operator-facing `EnforceOTP` control implies auth gate)\n- `implant/sliver/transports/dnsclient/dnsclient.go:896-900` (`otpMsg` sends `TOTP` with `ID=0`)\n- `protobuf/dnspb/dns.proto:22` (documents TOTP in `ID` field)\n\n## Attack Vector\n- Network-accessible DNS listener\n- No authentication required\n- Low-complexity repeated DNS query loop\n- Trigger path: `DNSMessageType_TOTP` bootstrap handling\n\n## Proof of Concept\n### Preconditions\n- DNS listener is reachable\n- DNS C2 job is active\n\n### Reproduction Steps\n1. Send repeated DNS queries with a minimal protobuf message of type `TOTP`.\n2. Observe repeated session allocation/issuance behavior.\n3. 
Continue requests to increase active in-memory session state.\n\n### Example\n```bash\nwhile true; do\n dig +short @<DNS_C2_IP> baa8.<parent-domain> A >/dev/null\ndone\n```\n\n`baa8` is a base32 payload for a minimal TOTP-type protobuf message.\n\n### Observable Indicators\n- Repeated bootstrap/session-allocation log entries from `handleHello`\n- Rising memory usage in the Sliver server process\n- Service slowdown or instability under sustained request volume\n\n## Impact\n- Unauthenticated remote denial of service (availability)\n- Resource exhaustion through unbounded session growth in DNS bootstrap path\n- Estimated CVSS v3.1: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` (**7.5 High**)",
1111
"severity": [
1212
{
1313
"type": "CVSS_V3",
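Review bot: the only change in `details` is an appended "Estimated CVSS v3.1" line, but this file already carries a structured `severity` entry of type `CVSS_V3` immediately below; a score embedded in prose can drift from the structured one and downstream tooling only reads `severity`, so either drop the in-prose estimate or make sure the `severity[].score` vector is exactly `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` (which does compute to 7.5 High, so the figure quoted is correct). Separately, the unchanged `server/c2/dns.go:84-90`-style line references in the same string are not pinned to a commit and will go stale as the file changes.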
