Skip to content

Commit 1a6f078

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-qj5r-2r5p-phc7 GHSA-4vr7-g93g-cf6m GHSA-hf6h-9wq7-hmjg GHSA-j424-mc44-f4hj GHSA-m4j5-5x4r-2xp9 GHSA-mcvp-rpgg-9273 GHSA-4vr7-g93g-cf6m GHSA-hf6h-9wq7-hmjg GHSA-j424-mc44-f4hj
1 parent 8e405c6 commit 1a6f078

File tree

9 files changed

+362
-138
lines changed

9 files changed

+362
-138
lines changed

advisories/github-reviewed/2025/08/GHSA-qj5r-2r5p-phc7/GHSA-qj5r-2r5p-phc7.json

Lines changed: 5 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,12 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-qj5r-2r5p-phc7",
4-
"modified": "2025-09-04T15:30:27Z",
4+
"modified": "2025-09-17T20:23:58Z",
55
"published": "2025-08-06T18:31:21Z",
6-
"aliases": [
7-
"CVE-2025-8419"
8-
],
9-
"summary": "Keycloak-services SMTP Inject Vulnerability",
10-
"details": "A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very shorts emails (subject and little data, the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks.",
6+
"withdrawn": "2025-09-17T20:23:58Z",
7+
"aliases": [],
8+
"summary": "Duplicate Advisory: Keycloak-services SMTP Inject Vulnerability",
9+
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-m4j5-5x4r-2xp9. This link is maintained to preserve external references.\n\n### Original Description\nA vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very shorts emails (subject and little data, the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks.",
1110
"severity": [
1211
{
1312
"type": "CVSS_V3",

advisories/github-reviewed/2025/09/GHSA-4vr7-g93g-cf6m/GHSA-4vr7-g93g-cf6m.json

Lines changed: 68 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,68 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-4vr7-g93g-cf6m",
4+
"modified": "2025-09-17T20:24:21Z",
5+
"published": "2025-09-17T12:30:57Z",
6+
"withdrawn": "2025-09-17T20:24:21Z",
7+
"aliases": [],
8+
"summary": "Duplicate Advisory: Picklescan: ZIP archive scan bypass is possible through non-exhaustive Cyclic Redundancy Check",
9+
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-m4j5-5x4r-2xp9. This link is maintained to preserve external references.\n\n### Original Description\nAn Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check (CRC), which causes the scanner to halt and fail to analyze the contents for malicious pickle files. When the file incorrectly considered safe is loaded, it can lead to the execution of malicious code.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V4",
13+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
14+
}
15+
],
16+
"affected": [
17+
{
18+
"package": {
19+
"ecosystem": "PyPI",
20+
"name": "picklescan"
21+
},
22+
"ranges": [
23+
{
24+
"type": "ECOSYSTEM",
25+
"events": [
26+
{
27+
"introduced": "0"
28+
},
29+
{
30+
"fixed": "0.0.31"
31+
}
32+
]
33+
}
34+
]
35+
}
36+
],
37+
"references": [
38+
{
39+
"type": "WEB",
40+
"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-mjqp-26hc-grxg"
41+
},
42+
{
43+
"type": "ADVISORY",
44+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10156"
45+
},
46+
{
47+
"type": "WEB",
48+
"url": "https://github.com/mmaitre314/picklescan/blob/v0.0.29/src/picklescan/relaxed_zipfile.py#L35"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://huggingface.co/jinaai/jina-embeddings-v2-base-en/resolve/main/pytorch_model.bin?download=true"
53+
},
54+
{
55+
"type": "WEB",
56+
"url": "https://huggingface.co/jinaai/jina-embeddings-v2-base-en/tree/main"
57+
}
58+
],
59+
"database_specific": {
60+
"cwe_ids": [
61+
"CWE-755"
62+
],
63+
"severity": "CRITICAL",
64+
"github_reviewed": true,
65+
"github_reviewed_at": "2025-09-17T20:24:21Z",
66+
"nvd_published_at": "2025-09-17T11:15:32Z"
67+
}
68+
}

advisories/github-reviewed/2025/09/GHSA-hf6h-9wq7-hmjg/GHSA-hf6h-9wq7-hmjg.json

Lines changed: 64 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,64 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-hf6h-9wq7-hmjg",
4+
"modified": "2025-09-17T20:24:49Z",
5+
"published": "2025-09-17T12:30:58Z",
6+
"withdrawn": "2025-09-17T20:24:49Z",
7+
"aliases": [],
8+
"summary": "Duplicate Advisory: Picklescan is Vulnerable to Unsafe Globals Check Bypass through Subclass Imports",
9+
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-f7qq-56ww-84cr. This link is maintained to preserve external references.\n\n### Original Description\nA Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match for module names, allowing malicious payloads to be loaded via submodules of dangerous packages (e.g., 'asyncio.unix_events' instead of 'asyncio'). \n\nWhen the incorrectly considered safe file is loaded after scan, it can lead to the execution of malicious code.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V4",
13+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
14+
}
15+
],
16+
"affected": [
17+
{
18+
"package": {
19+
"ecosystem": "PyPI",
20+
"name": "picklescan"
21+
},
22+
"ranges": [
23+
{
24+
"type": "ECOSYSTEM",
25+
"events": [
26+
{
27+
"introduced": "0"
28+
},
29+
{
30+
"fixed": "0.0.31"
31+
}
32+
]
33+
}
34+
]
35+
}
36+
],
37+
"references": [
38+
{
39+
"type": "WEB",
40+
"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f7qq-56ww-84cr"
41+
},
42+
{
43+
"type": "ADVISORY",
44+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10157"
45+
},
46+
{
47+
"type": "WEB",
48+
"url": "https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L309"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://huggingface.co/iluem/linux_pkl/resolve/main/asyncio_asyncio_unix_events___UnixSubprocessTransport__start.pkl"
53+
}
54+
],
55+
"database_specific": {
56+
"cwe_ids": [
57+
"CWE-693"
58+
],
59+
"severity": "CRITICAL",
60+
"github_reviewed": true,
61+
"github_reviewed_at": "2025-09-17T20:24:49Z",
62+
"nvd_published_at": "2025-09-17T12:15:38Z"
63+
}
64+
}

advisories/github-reviewed/2025/09/GHSA-j424-mc44-f4hj/GHSA-j424-mc44-f4hj.json

Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-j424-mc44-f4hj",
4+
"modified": "2025-09-17T20:24:33Z",
5+
"published": "2025-09-17T12:30:57Z",
6+
"withdrawn": "2025-09-17T20:24:33Z",
7+
"aliases": [],
8+
"summary": "Duplicate Advisory: Picklescan Bypass is Possible via File Extension Mismatch",
9+
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-jgw4-cr84-mqxg. This link is maintained to preserve external references.\n\n### Original Description\nAn Improper Input Validation vulnerability in the scanning logic of mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass pickle files security checks by supplying a standard pickle file with a PyTorch-related file extension. When the pickle file incorrectly considered safe is loaded, it can lead to the execution of malicious code.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V4",
13+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
14+
}
15+
],
16+
"affected": [
17+
{
18+
"package": {
19+
"ecosystem": "PyPI",
20+
"name": "picklescan"
21+
},
22+
"ranges": [
23+
{
24+
"type": "ECOSYSTEM",
25+
"events": [
26+
{
27+
"introduced": "0"
28+
},
29+
{
30+
"fixed": "0.0.31"
31+
}
32+
]
33+
}
34+
]
35+
}
36+
],
37+
"references": [
38+
{
39+
"type": "WEB",
40+
"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-jgw4-cr84-mqxg"
41+
},
42+
{
43+
"type": "ADVISORY",
44+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10155"
45+
},
46+
{
47+
"type": "WEB",
48+
"url": "https://github.com/mmaitre314/picklescan/blob/58983e1c20973ac42f2df7ff15d7c8cd32f9b688/src/picklescan/scanner.py#L463"
49+
}
50+
],
51+
"database_specific": {
52+
"cwe_ids": [
53+
"CWE-20"
54+
],
55+
"severity": "CRITICAL",
56+
"github_reviewed": true,
57+
"github_reviewed_at": "2025-09-17T20:24:33Z",
58+
"nvd_published_at": "2025-09-17T10:15:36Z"
59+
}
60+
}

advisories/github-reviewed/2025/09/GHSA-m4j5-5x4r-2xp9/GHSA-m4j5-5x4r-2xp9.json

Lines changed: 104 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,104 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-m4j5-5x4r-2xp9",
4+
"modified": "2025-09-17T20:24:07Z",
5+
"published": "2025-09-17T20:24:07Z",
6+
"aliases": [
7+
"CVE-2025-8419"
8+
],
9+
"summary": "Keycloak SMTP Inject Vulnerability",
10+
"details": "Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very shorts emails (subject and little data, the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Maven",
21+
"name": "org.keycloak:keycloak-services"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "26.2.8"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Maven",
40+
"name": "org.keycloak:keycloak-services"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "26.3.0"
48+
},
49+
{
50+
"fixed": "26.3.3"
51+
}
52+
]
53+
}
54+
]
55+
}
56+
],
57+
"references": [
58+
{
59+
"type": "WEB",
60+
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4j5-5x4r-2xp9"
61+
},
62+
{
63+
"type": "ADVISORY",
64+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8419"
65+
},
66+
{
67+
"type": "WEB",
68+
"url": "https://access.redhat.com/errata/RHSA-2025:15336"
69+
},
70+
{
71+
"type": "WEB",
72+
"url": "https://access.redhat.com/errata/RHSA-2025:15337"
73+
},
74+
{
75+
"type": "WEB",
76+
"url": "https://access.redhat.com/errata/RHSA-2025:15338"
77+
},
78+
{
79+
"type": "WEB",
80+
"url": "https://access.redhat.com/errata/RHSA-2025:15339"
81+
},
82+
{
83+
"type": "WEB",
84+
"url": "https://access.redhat.com/security/cve/CVE-2025-8419"
85+
},
86+
{
87+
"type": "WEB",
88+
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2385776"
89+
},
90+
{
91+
"type": "PACKAGE",
92+
"url": "https://github.com/keycloak/keycloak"
93+
}
94+
],
95+
"database_specific": {
96+
"cwe_ids": [
97+
"CWE-93"
98+
],
99+
"severity": "MODERATE",
100+
"github_reviewed": true,
101+
"github_reviewed_at": "2025-09-17T20:24:07Z",
102+
"nvd_published_at": null
103+
}
104+
}

advisories/github-reviewed/2025/09/GHSA-mcvp-rpgg-9273/GHSA-mcvp-rpgg-9273.json

Lines changed: 61 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,61 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-mcvp-rpgg-9273",
4+
"modified": "2025-09-17T20:23:25Z",
5+
"published": "2025-09-17T20:23:25Z",
6+
"aliases": [
7+
"CVE-2025-59410"
8+
],
9+
"summary": "DragonFly's tiny file download uses hard coded HTTP protocol",
10+
"details": "### Impact\nThe code in the scheduler for downloading a tiny file is hard coded to use the HTTP protocol, rather than HTTPS. This means that an attacker could perform a Man-in-the-Middle attack, changing the network request so that a different piece of data gets downloaded. Due to the use of weak integrity checks (TOB-DF2-15), this modification of the data may go unnoticed.\n\n```golang\n// DownloadTinyFile downloads tiny file from peer without range.\nfunc (p *Peer) DownloadTinyFile() ([]byte, error) {\n ctx, cancel := context.WithTimeout(context.Background(),\ndownloadTinyFileContextTimeout)\n defer cancel()\n // Download url:\nhttp://${host}:${port}/download/${taskIndex}/${taskID}?peerId=${peerID}\n targetURL := url.URL{\nScheme:\n}\n\"http\",\nfmt.Sprintf(\"%s:%d\", p.Host.IP, p.Host.DownloadPort),\nfmt.Sprintf(\"download/%s/%s\", p.Task.ID[:3], p.Task.ID),\nHost:\nPath:\nRawQuery: fmt.Sprintf(\"peerId=%s\", p.ID),\n```\n\nA network-level attacker who cannot join a peer-to-peer network performs a Man-in-the-Middle attack on peers. The adversary can do this because peers (partially) communicate over plaintext HTTP protocol. The attack chains this vulnerability with the one described in TOB-DF2-15 to replace correct files with malicious ones. Unconscious peers use the malicious files.\n\n### Patches\n\n- Dragonfy v2.1.0 and above.\n\n### Workarounds\n\nThere are no effective workarounds, beyond upgrading.\n\n### References\n\nA third party security audit was performed by Trail of Bits, you can see the [full report](https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf).\n\nIf you have any questions or comments about this advisory, please email us at [dragonfly-maintainers@googlegroups.com](mailto:dragonfly-maintainers@googlegroups.com).",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/dragonflyoss/dragonfly"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2.1.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-mcvp-rpgg-9273"
42+
},
43+
{
44+
"type": "PACKAGE",
45+
"url": "https://github.com/dragonflyoss/dragonfly"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-311"
55+
],
56+
"severity": "MODERATE",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2025-09-17T20:23:25Z",
59+
"nvd_published_at": null
60+
}
61+
}

0 commit comments

Comments
 (0)