Publish Advisories

GHSA-6xvf-4vh9-mw47
GHSA-8x9v-8qgj-945x

Author: advisory-database[bot]

advisories/github-reviewed/2025/11/GHSA-6xvf-4vh9-mw47/GHSA-6xvf-4vh9-mw47.json

@@ -0,0 +1,62 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6xvf-4vh9-mw47",
+  "modified": "2025-11-20T21:57:01Z",
+  "published": "2025-11-20T21:57:01Z",
+  "aliases": [],
+  "summary": "Minder does not sandbox http.send in Rego programs",
+  "details": "### Impact\n\nMinder users may fetch content in the context of the Minder server, which may include URLs which the user would not normally have access to (for example, if the Minder server is behind a firewall or other network partition).\n\n### Patches\n\nhttps://github.com/mindersec/minder/commit/f770400923984649a287d7215410ef108e845af8\n\n### Workarounds\n\nUsers should avoid deploying Minder with access to sensitive resources.  Unfortunately, this could include access to systems like OpenFGA or Keycloak, depending on the deployment configuration.\n\n### References\n\nSample ruletype:\n\n```yaml\nversion: v1\ntype: rule-type\nname: test-http-send\ndisplay_name: Test that we can call http.send\nshort_failure_message: Failed http.send\nseverity:\n  value: medium\ncontext:\n  provider: github\ndescription: |\n  ...\nguidance: |\n  ....\ndef:\n  in_entity: repository\n  rule_schema:\n    type: object\n    properties: {}\n  ingest:\n    type: git\n    git: {}\n  eval:\n    type: rego\n    violation_format: text\n    rego:\n      type: constraints\n      def: |\n        package minder\n\n        import rego.v1\n\n        violations contains {\"msg\": \"Check-execution\"}\n\n        resp := http.send({\n          \"method\": \"GET\",\n          \"url\": \"http://openfga:8080/\",\n          \"raise_error\": false,\n        })\n\n        violations contains {\"msg\": sprintf(\"Response: %s\", [resp.status])}\n\n        details := sprintf(\"High score: %s\", [resp.body.summary])\n\n        violations contains {\"msg\": sprintf(\"Response body: %s\", [resp.body]) } if {\n          resp.status_code > 0\n        }\n```\n\nExample policy:\n\n```yaml\nversion: v1\ntype: profile\nname: Test-HTTP-send\ndisplay_name: Test if we can do http.send\ncontext:\n  provider: github\nalert: \"off\"\nremediate: \"off\"\nrepository:\n  - type: test-http-send\n    def: {}\n```\n\nEvaluation results:\n\n```sh\n$ minder profile status list -n test-http-send --json\n{\n  \"profileStatus\": {\n    \"profileId\": \"3b3e0918-4deb-49cc-b4c9-1d1d912cf784\",\n    \"profileName\": \"Test-HTTP-send\",\n    \"profileStatus\": \"failure\",\n    \"lastUpdated\": \"2024-10-31T03:44:01.456359Z\"\n  },\n  \"ruleEvaluationStatus\": [\n    {\n      \"profileId\": \"3b3e0918-4deb-49cc-b4c9-1d1d912cf784\",\n      \"ruleId\": \"c0ebac2c-cfe2-4a98-b0a6-d6971209653e\",\n      \"ruleName\": \"test-http-send\",\n      \"entity\": \"repository\",\n      \"status\": \"failure\",\n      \"lastUpdated\": \"2024-10-31T03:44:01.456359Z\",\n      \"entityInfo\": {\n        \"entity_id\": \"a7f7a4bc-4430-4e9a-86a9-ffa026db6343\",\n        \"entity_type\": \"repository\",\n        \"name\": \"a-random-sandbox/colorls\",\n        \"provider\": \"github-app-a-random-sandbox\",\n        \"repo_name\": \"colorls\",\n        \"repo_owner\": \"a-random-sandbox\",\n        \"repository_id\": \"a7f7a4bc-4430-4e9a-86a9-ffa026db6343\"\n      },\n      \"details\": \"Multiple issues:\\n* Check-execution\\n* Response body: {\\\"code\\\": \\\"undefined_endpoint\\\", \\\"message\\\": \\\"Not Found\\\"}\\n* Response: 404 Not Found\\n\",\n      \"guidance\": \"....\\n\",\n      \"remediationStatus\": \"skipped\",\n      \"remediationLastUpdated\": \"2024-10-31T03:44:01.456359Z\",\n      \"ruleTypeName\": \"test-http-send\",\n      \"ruleDescriptionName\": \"Test that we can call http.send\",\n      \"alert\": {\n        \"status\": \"skipped\",\n        \"lastUpdated\": \"2024-10-31T03:44:01.456359Z\"\n      },\n      \"ruleDisplayName\": \"Test that we can call http.send\",\n      \"releasePhase\": \"RULE_TYPE_RELEASE_PHASE_ALPHA\"\n    }\n  ]\n}\n```",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mindersec/minder"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.0.72"
+            },
+            {
+              "fixed": "0.0.84"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.0.83"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/mindersec/minder/security/advisories/GHSA-6xvf-4vh9-mw47"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mindersec/minder/commit/f770400923984649a287d7215410ef108e845af8"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mindersec/minder"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-830"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-20T21:57:01Z",
+    "nvd_published_at": null
+  }
+}

…-8x9v-8qgj-945x/GHSA-8x9v-8qgj-945x.json …-8x9v-8qgj-945x/GHSA-8x9v-8qgj-945x.jsonadvisories/unreviewed/2025/11/GHSA-8x9v-8qgj-945x/GHSA-8x9v-8qgj-945x.json renamed to advisories/github-reviewed/2025/11/GHSA-8x9v-8qgj-945x/GHSA-8x9v-8qgj-945x.json advisories/unreviewed/2025/11/GHSA-8x9v-8qgj-945x/GHSA-8x9v-8qgj-945x.json renamed to advisories/github-reviewed/2025/11/GHSA-8x9v-8qgj-945x/GHSA-8x9v-8qgj-945x.json

@@ -1,14 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8x9v-8qgj-945x",
-  "modified": "2025-11-20T18:31:01Z",
+  "modified": "2025-11-20T21:56:31Z",
   "published": "2025-11-20T18:31:01Z",
   "aliases": [
     "CVE-2025-64027"
   ],
+  "summary": "Snipe-IT has Cross-site Scripting vulnerability in CSV import workflow",
   "details": "Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the POST /livewire/update request to inject arbitrary HTML or JavaScript into the progress_message. Because the server accepts the modified input without sanitization and reflects it back to the user, arbitrary JavaScript executes in the browser of any authenticated admin who views the import page.",
-  "severity": [],
-  "affected": [],
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "snipe/snipe-it"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "8.3.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -19,15 +45,17 @@
       "url": "https://github.com/cybercrewinc/CVE-2025-64027"
     },
     {
-      "type": "WEB",
+      "type": "PACKAGE",
       "url": "https://github.com/grokability/snipe-it"
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-20T21:56:31Z",
     "nvd_published_at": "2025-11-20T17:15:52Z"
   }
 }