Skip to content

Commit 480e0e3

Browse files
1 parent e174d4a commit 480e0e3

2 files changed

Lines changed: 141 additions & 0 deletions

File tree

Lines changed: 65 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,65 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-g4w6-vmgf-xqvx",
4+
"modified": "2026-06-30T18:09:13Z",
5+
"published": "2026-06-30T18:09:13Z",
6+
"aliases": [
7+
"CVE-2026-49473"
8+
],
9+
"summary": "@cedar-policy/authorization-for-expressjs has an authorization bypass via query string manipulation",
10+
"details": "### Summary\n@cedar-policy/authorization-for-expressjs is an open-source Express.js middleware that integrates Cedar authorization into Express applications by mapping HTTP requests to Cedar actions and evaluating authorization policies before allowing requests to proceed. An issue exists where, under certain circumstances, the middleware matches incoming requests against Cedar action mappings using req.originalUrl, which includes the query string, while Express routes requests using only the path component.\n\n### Impact\nThe middleware uses req.originalUrl to match incoming requests against Cedar action mappings. In Express, req.originalUrl includes the query string, while route matching uses only the path. This creates a divergence between what Cedar authorizes and what Express executes.\n\nWhen an application defines separate actions for overlapping path prefixes with different authorization requirements (for example, GET /users for listing all users with admin-only access, and GET /users/{id} for retrieving a single user with any authenticated user access), an actor can append a query string to bypass the more restrictive policy. Sending GET /users/?x=1 causes the middleware to match against /users/{id} (with id parameter set to ?x=1) and evaluate the less restrictive action, while Express routes the request to the /users list handler. This allows inappropriate access to the more restrictive endpoint.\n\n### Impacted versions\n<= 0.2.0\n\n### Patches\nThis issue has been addressed in @cedar-policy/authorization-for-expressjs version 0.3. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.\n\n### Workarounds\nValidate and sanitize incoming request paths before they reach the authorization middleware. Ensure that applications do not rely solely on the middleware for authorization when defining multiple actions on overlapping path prefixes with different permission levels.\n\n### References\nIf you have any questions or comments about this advisory, AWS asks that you contact AWS Security via the vulnerability reporting page or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "@cedar-policy/authorization-for-expressjs"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "0.3.0"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 0.2.0"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/cedar-policy/authorization-for-expressjs/security/advisories/GHSA-g4w6-vmgf-xqvx"
45+
},
46+
{
47+
"type": "PACKAGE",
48+
"url": "https://github.com/cedar-policy/authorization-for-expressjs"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://github.com/cedar-policy/authorization-for-expressjs/releases/tag/v0.3.0"
53+
}
54+
],
55+
"database_specific": {
56+
"cwe_ids": [
57+
"CWE-436",
58+
"CWE-863"
59+
],
60+
"severity": "HIGH",
61+
"github_reviewed": true,
62+
"github_reviewed_at": "2026-06-30T18:09:13Z",
63+
"nvd_published_at": null
64+
}
65+
}
Lines changed: 76 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,76 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-qqw8-7c2r-jxch",
4+
"modified": "2026-06-30T18:10:28Z",
5+
"published": "2026-06-30T18:10:28Z",
6+
"aliases": [
7+
"CVE-2026-48791"
8+
],
9+
"summary": "Sigstore Java has a vulnerability with bundle verification of integratedTime",
10+
"details": "### Summary\nRegression: Verification of `integratedTime` from Rekor V1 Log Entry against Fuclio Certificate validity was missing\n\n### Details\n- PR [#1008](https://github.com/sigstore/sigstore-java/pull/1008) erroneously removed verification of the integrated (Rekor entry) time) against the Fulcio certificate. \n- PR [#1185](https://github.com/sigstore/sigstore-java/pull/1185) re-added this verification with enhancements that adhere to the Sigstore verification spec.\n- old sigstore-conformance test for this check was built incorrectly\n\n### PoC\nA new bundle was added to sigstore-conformance to test this: sigstore-java:2.0.0 can be tested against it and shown to be unexpectedly passing\nVerify this [bundle](https://github.com/aaronlew02/sigstore-conformance/blob/8b45823fd0d82236ff42aea5b06c98d5109a0e6d/test/assets/bundle-verify/integrated-time-in-future_fail/bundle.sigstore.json) against [`a.txt`](https://github.com/aaronlew02/sigstore-conformance/blob/8b45823fd0d82236ff42aea5b06c98d5109a0e6d/test/assets/a.txt)\n\n```\n$ git clone git@github.com:sigstore/sigstore-java\n$ git checkout v2.0.0\n$ ./gradlew :sigstore-cli:build\n$ tar -xf sigstore-cli/build/distributions/sigstore-cli-*-SNAPSHOT.tar --strip-components 1\n$ ./bin/sigstore-cli verify --bundle=bundle.sigstore.json a.txt\n# expect error but none\n```\n\n### Impact\nThis vulnerability impacts only users verifying bundles with `dev.sigstore:sigstore-java:2.0.0`. Older versions are not affected, it is fixed in `dev.sigstore:sigstore-java:2.1.0`\n\nA malicious actor may exploit this if they were able to access a users system and exfiltrate the temporary private key used during signing and then reuse an old fulcio certificate later without requiring direct access to the user's credentials.\n\nUsers may protect themselves by re-verifying their artifacts using the newest sigstore-java or another current sigstore client. Transparency logs may also be audited for unauthorized signatures for a suspected reused identity.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Maven",
21+
"name": "dev.sigstore:sigstore-java"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "2.0.0"
29+
},
30+
{
31+
"fixed": "2.1.0"
32+
}
33+
]
34+
}
35+
],
36+
"versions": [
37+
"2.0.0"
38+
]
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/sigstore/sigstore-java/security/advisories/GHSA-qqw8-7c2r-jxch"
45+
},
46+
{
47+
"type": "WEB",
48+
"url": "https://github.com/sigstore/sigstore-java/pull/1008"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://github.com/sigstore/sigstore-java/pull/1185"
53+
},
54+
{
55+
"type": "WEB",
56+
"url": "https://github.com/sigstore/sigstore-java/commit/4b7a49ebb1813f5b1ff113bcad63246358222d61"
57+
},
58+
{
59+
"type": "WEB",
60+
"url": "https://github.com/sigstore/sigstore-java/commit/b529335728fc5cfb574161b4b3c06859a8a2aa88"
61+
},
62+
{
63+
"type": "PACKAGE",
64+
"url": "https://github.com/sigstore/sigstore-java"
65+
}
66+
],
67+
"database_specific": {
68+
"cwe_ids": [
69+
"CWE-347"
70+
],
71+
"severity": "LOW",
72+
"github_reviewed": true,
73+
"github_reviewed_at": "2026-06-30T18:10:28Z",
74+
"nvd_published_at": null
75+
}
76+
}

0 commit comments

Comments
 (0)