Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 43bebb034fa3 · 2025-09-25T16:40:35.000Z
GHSA-227x-7mh8-3cf6 GHSA-625h-95r8-8xpm
diff --git a/advisories/github-reviewed/2025/09/GHSA-227x-7mh8-3cf6/GHSA-227x-7mh8-3cf6.json b/advisories/github-reviewed/2025/09/GHSA-227x-7mh8-3cf6/GHSA-227x-7mh8-3cf6.json
@@ -0,0 +1,151 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-227x-7mh8-3cf6",
+  "modified": "2025-09-25T16:39:16Z",
+  "published": "2025-09-25T16:39:16Z",
+  "aliases": [
+    "CVE-2025-59823"
+  ],
+  "summary": "Gardener Extensions for multiple providers vulnerable to Terraform code injection",
+  "details": "### Impact\n\nA security vulnerability was discovered in Gardener when [Terraformer](https://github.com/gardener/terraformer) is used for infrastructure provisioning. This vulnerability could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster where the shoot cluster is managed.\n\nThis CVE affects all Gardener installations where [Terraformer](https://github.com/gardener/terraformer) is used/can be enabled for infrastructure provisioning with any of the affected components mentioned below.\n\n### Affected Components\n• gardener-extension-provider-gcp\n• gardener-extension-provider-azure\n• gardener-extension-provider-openstack\n• gardener-extension-provider-aws\n\n### Affected Versions\n• gardener-extension-provider-gcp < v1.46.0\n• gardener-extension-provider-azure < v1.55.0\n• gardener-extension-provider-openstack < v1.49.0\n• gardener-extension-provider-aws < v1.64.0\n\n### Fixed versions\n• gardener-extension-provider-gcp >= v1.46.0\n• gardener-extension-provider-azure >= v1.55.0\n• gardener-extension-provider-openstack >= v1.49.0\n• gardener-extension-provider-aws >= v1.64.0\n\n### How do I mitigate this vulnerability?\nUpdate to a fixed version.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/gardener/gardener-extension-provider-aws"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.64.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/gardener/gardener-extension-provider-gcp"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.46.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/gardener/gardener-extension-provider-azure"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.55.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/gardener/gardener-extension-provider-openstack"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.49.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/gardener/gardener-extension-provider-aws/security/advisories/GHSA-227x-7mh8-3cf6"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59823"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gardener/gardener-extension-provider-aws/commit/cb5045fc146248296994804bbfe27bd896938bf2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gardener/gardener-extension-provider-azure/commit/4573a4404969f89781ed6cf72e90554bc6ae2020"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gardener/gardener-extension-provider-gcp/commit/51111b4f60c33c60dfdf18b1fc50f7ec8d8f70ac"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gardener/gardener-extension-provider-openstack/commit/2ed6f0fe1be90fbef5d6093eb0b8325c8421b8d8"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/gardener/gardener-extension-provider-aws"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gardener/gardener-extension-provider-aws/releases/tag/v1.64.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gardener/gardener-extension-provider-azure/releases/tag/v1.55.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gardener/gardener-extension-provider-gcp/releases/tag/v1.46.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gardener/gardener-extension-provider-openstack/releases/tag/v1.49.0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20",
+      "CWE-94"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-09-25T16:39:16Z",
+    "nvd_published_at": "2025-09-25T15:16:13Z"
+  }
+}
diff --git a/advisories/github-reviewed/2025/09/GHSA-625h-95r8-8xpm/GHSA-625h-95r8-8xpm.json b/advisories/github-reviewed/2025/09/GHSA-625h-95r8-8xpm/GHSA-625h-95r8-8xpm.json
@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-625h-95r8-8xpm",
+  "modified": "2025-09-25T16:39:27Z",
+  "published": "2025-09-25T16:39:27Z",
+  "aliases": [
+    "CVE-2025-59830"
+  ],
+  "summary": "Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters",
+  "details": "## Summary\n\n`Rack::QueryParser` in version `< 2.2.18` enforces its `params_limit` only for parameters separated by `&`, while still splitting on both `&` and `;`. As a result, attackers could use `;` separators to bypass the parameter count limit and submit more parameters than intended.\n\n## Details\n\nThe issue arises because `Rack::QueryParser#check_query_string` counts only `&` characters when determining the number of parameters, but the default separator regex `DEFAULT_SEP = /[&;] */n` splits on both `&` and `;`. This mismatch means that queries using `;` separators were not included in the parameter count, allowing `params_limit` to be bypassed.\n\nOther safeguards (`bytesize_limit` and `key_space_limit`) still applied, but did not prevent this particular bypass.\n\n## Impact\n\nApplications or middleware that directly invoke `Rack::QueryParser` with its default configuration (no explicit delimiter) could be exposed to increased CPU and memory consumption. This can be abused as a limited denial-of-service vector.\n\n`Rack::Request`, the primary entry point for typical Rack applications, uses `QueryParser` in a safe way and does not appear vulnerable by default. As such, the severity is considered **low**, with the impact limited to edge cases where `QueryParser` is used directly.\n\n## Mitigation\n\n* Upgrade to a patched version of Rack where both `&` and `;` are counted consistently toward `params_limit`.\n* If upgrading is not immediately possible, configure `QueryParser` with an explicit delimiter (e.g., `&`) to avoid the mismatch.\n* As a general precaution, enforce query string and request size limits at the web server or proxy layer (e.g., Nginx, Apache, or a CDN) to mitigate excessive parsing overhead.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "rack"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.2.18"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59830"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rack/rack/commit/54e4ffdd5affebcb0c015cc6ae74635c0831ed71"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/rack/rack"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-400",
+      "CWE-770"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-09-25T16:39:27Z",
+    "nvd_published_at": "2025-09-25T15:16:13Z"
+  }
+}
