Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 051ba6c67a7b · 2025-12-01T19:01:08.000Z
GHSA-38pp-6gcp-rqvm GHSA-53gx-j3p6-2rw9 GHSA-pj86-cfqh-vqx6
diff --git a/advisories/github-reviewed/2025/12/GHSA-38pp-6gcp-rqvm/GHSA-38pp-6gcp-rqvm.json b/advisories/github-reviewed/2025/12/GHSA-38pp-6gcp-rqvm/GHSA-38pp-6gcp-rqvm.json
@@ -0,0 +1,115 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-38pp-6gcp-rqvm",
+  "modified": "2025-12-01T18:59:54Z",
+  "published": "2025-12-01T18:59:54Z",
+  "aliases": [
+    "CVE-2025-64715"
+  ],
+  "summary": "Cilium with misconfigured toGroups in policies can lead to unrestricted egress traffic",
+  "details": "### Impact\n\n`CiliumNetworkPolicy`s which use `egress.toGroups.aws.securityGroupsIds` to reference AWS security group IDs that do not exist or are not attached to any network interface may unintentionally allow broader outbound access than intended by the policy authors. In such cases, the toCIDRset section of the derived policy is not generated, which means outbound traffic may be permitted to more destinations than originally intended.\n\n### Patches\n\nThis issue has been patched in:\n\n* Cilium v1.18.4\n* Cilium v1.17.10\n* Cilium v1.16.17\n\n### This issue affects:\n\n- Cilium v1.18 between v1.18.0 and v1.18.3 inclusive\n- Cilium v1.17 between v1.17.0 and v1.17.9 inclusive\n- Cilium v1.16.16 and below\n\n### Workarounds\n\nThere is no workaround to this issue.\n\n### Acknowledgements\n\nThe Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @SeanEmac   for reporting this issue and to @fristonio for the patch.\n\n### For more information\n\nIf you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [security@cilium.io](mailto:security@cilium.io). This is a private mailing list for the Cilium security team, and your report will be treated as top priority.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/cilium/cilium"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.18.0"
+            },
+            {
+              "fixed": "1.18.4"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "Ciliumgithub.com/cilium/cilium"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.17.0"
+            },
+            {
+              "fixed": "1.17.10"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/cilium/cilium"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.16.17"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/cilium/cilium/security/advisories/GHSA-38pp-6gcp-rqvm"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64715"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cilium/cilium/commit/a385856b59c8289cc7273fa3a3062bbf0ef96c97"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/cilium/cilium"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cilium/cilium/releases/tag/v1.16.17"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cilium/cilium/releases/tag/v1.17.10"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cilium/cilium/releases/tag/v1.18.4"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-01T18:59:54Z",
+    "nvd_published_at": "2025-11-29T01:16:01Z"
+  }
+}
diff --git a/advisories/github-reviewed/2025/12/GHSA-53gx-j3p6-2rw9/GHSA-53gx-j3p6-2rw9.json b/advisories/github-reviewed/2025/12/GHSA-53gx-j3p6-2rw9/GHSA-53gx-j3p6-2rw9.json
@@ -0,0 +1,111 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-53gx-j3p6-2rw9",
+  "modified": "2025-12-01T18:59:29Z",
+  "published": "2025-12-01T18:59:29Z",
+  "aliases": [
+    "CVE-2025-55749"
+  ],
+  "summary": "XWiki Jetty Package (XJetty) allows accessing any application file through URL",
+  "details": "### Impact\n\nIn an instance which is using the XWiki Jetty package (XJetty), a context is exposed to statically access any file located in the webapp/ folder.\n\nIt allows accessing files which might contains credentials, like http://myhots/webapps/xwiki/WEB-INF/xwiki.cfg, http://myhots/webapps/xwiki/WEB-INF/xwiki.properties or http://myhots/webapps/xwiki/WEB-INF/hibernate.cfg.xml.\n\n### Patches\n\nThis has been patched in 16.10.11, 17.4.4, 17.7.0.\n\n### Workarounds\n\nThe workaround is to modify the start_xwiki.sh script following https://github.com/xwiki/xwiki-platform/compare/8b68d8a70b43f25391b3ee48477d7eb71b95cf4b...99a04a0e2143583f5154a43e02174155da7e8e10.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n\n### Attribution\n\nVulnerability reported by Joseph Huber.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.xwiki.platform:xwiki-platform-tool-jetty-resources"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "16.7.0"
+            },
+            {
+              "fixed": "16.10.11"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.xwiki.platform:xwiki-platform-tool-jetty-resources"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "17.0.0-rc-1"
+            },
+            {
+              "fixed": "17.4.4"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.xwiki.platform:xwiki-platform-tool-jetty-resources"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "17.5.0"
+            },
+            {
+              "fixed": "17.7.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-53gx-j3p6-2rw9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/xwiki/xwiki-platform/commit/42fb063749dd88cc78196f72d7318b7179285ebd"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/xwiki/xwiki-platform/commit/99a04a0e2143583f5154a43e02174155da7e8e10"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/xwiki/xwiki-platform"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/xwiki/xwiki-platform/compare/8b68d8a70b43f25391b3ee48477d7eb71b95cf4b...99a04a0e2143583f5154a43e02174155da7e8e10"
+    },
+    {
+      "type": "WEB",
+      "url": "https://jira.xwiki.org/browse/XWIKI-23438"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-01T18:59:29Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2025/12/GHSA-pj86-cfqh-vqx6/GHSA-pj86-cfqh-vqx6.json b/advisories/github-reviewed/2025/12/GHSA-pj86-cfqh-vqx6/GHSA-pj86-cfqh-vqx6.json
@@ -0,0 +1,88 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-pj86-cfqh-vqx6",
+  "modified": "2025-12-01T18:59:18Z",
+  "published": "2025-12-01T18:59:17Z",
+  "aliases": [
+    "CVE-2024-51999"
+  ],
+  "summary": "express improperly controls modification of query properties",
+  "details": "### Impact\n\nwhen using the extended query parser in express (`'query parser': 'extended'`), the `request.query` object inherits all object prototype properties, but these properties can be overwritten by query string parameter keys that match the property names\n\n> [!IMPORTANT]  \n> the extended query parser is the default in express 4; this was changed in express 5 which by default uses the simple query parser\n\n### Patches\n\nthe issue has been patched to ensure `request.query` is a plain object so `request.query` no longer has object prototype properties. this brings the default behavior of extended query parsing in line with express's default simple query parser\n\n### Workaround\n\nthis only impacts users using extended query parsing (`'query parser': 'extended'`), which is the default in express 4, but not express 5.  all users are encouraged to upgrade to the patched versions, but can otherwise work around this issue:\n\n#### provide `qs` directly and specify `plainObjects: true`\n\n```js\napp.set('query parser',\n  function (str) {\n    return qs.parse(str, {\n      plainObjects: true\n  });\n});\n```",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "express"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.22.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "express"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "5.0.0"
+            },
+            {
+              "fixed": "5.1.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/expressjs/express/commit/2f64f68c37c64ae333e41ff38032d21860f22255"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/expressjs/express"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/expressjs/express/releases/tag/4.22.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/expressjs/express/releases/tag/v5.2.0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-915"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-01T18:59:17Z",
+    "nvd_published_at": null
+  }
+}
