Publish Advisories

GHSA-49q7-c7j4-3p7m
GHSA-977x-g7h5-7qgw
GHSA-9hf4-67fc-4vf4
GHSA-32p4-gm2c-wmch
GHSA-8w49-h785-mj3c
GHSA-hfq9-hggm-c56q
GHSA-xvg8-m4x3-w6xr
GHSA-mwcw-c2x4-8c55

Author: advisory-database[bot]

advisories/github-reviewed/2024/08/GHSA-49q7-c7j4-3p7m/GHSA-49q7-c7j4-3p7m.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-49q7-c7j4-3p7m",
-  "modified": "2024-08-15T17:52:28Z",
+  "modified": "2025-11-04T16:52:52Z",
   "published": "2024-08-02T09:31:35Z",
   "aliases": [
     "CVE-2024-42461"
@@ -58,6 +58,10 @@
     {
       "type": "PACKAGE",
       "url": "https://github.com/indutny/elliptic"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.netapp.com/advisory/ntap-20241004-0005"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2024/08/GHSA-977x-g7h5-7qgw/GHSA-977x-g7h5-7qgw.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-977x-g7h5-7qgw",
-  "modified": "2024-08-15T17:53:05Z",
+  "modified": "2025-11-04T16:52:43Z",
   "published": "2024-08-02T09:31:35Z",
   "aliases": [
     "CVE-2024-42460"
@@ -62,6 +62,10 @@
     {
       "type": "PACKAGE",
       "url": "https://github.com/indutny/elliptic"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.netapp.com/advisory/ntap-20241004-0005"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2024/09/GHSA-9hf4-67fc-4vf4/GHSA-9hf4-67fc-4vf4.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9hf4-67fc-4vf4",
-  "modified": "2024-09-20T22:12:43Z",
+  "modified": "2025-11-04T16:53:06Z",
   "published": "2024-09-20T14:40:16Z",
   "aliases": [
     "CVE-2024-45614"
@@ -83,6 +83,10 @@
       "type": "WEB",
       "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-45614.yml"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html"
+    },
     {
       "type": "WEB",
       "url": "https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers"

advisories/github-reviewed/2024/11/GHSA-32p4-gm2c-wmch/GHSA-32p4-gm2c-wmch.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-32p4-gm2c-wmch",
-  "modified": "2025-02-25T21:45:58Z",
+  "modified": "2025-11-04T16:53:27Z",
   "published": "2024-11-06T12:31:32Z",
   "aliases": [
     "CVE-2024-9902"
@@ -167,6 +167,10 @@
     {
       "type": "PACKAGE",
       "url": "https://github.com/ansible/ansible"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00021.html"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2024/11/GHSA-8w49-h785-mj3c/GHSA-8w49-h785-mj3c.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8w49-h785-mj3c",
-  "modified": "2024-11-22T22:27:52Z",
+  "modified": "2025-11-04T16:54:32Z",
   "published": "2024-11-22T20:26:41Z",
   "aliases": [
     "CVE-2024-52804"
@@ -54,6 +54,10 @@
     {
       "type": "PACKAGE",
       "url": "https://github.com/tornadoweb/tornado"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2024/11/GHSA-hfq9-hggm-c56q/GHSA-hfq9-hggm-c56q.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hfq9-hggm-c56q",
-  "modified": "2024-11-08T13:55:23Z",
+  "modified": "2025-11-04T16:53:40Z",
   "published": "2024-11-07T21:51:17Z",
   "aliases": [
     "CVE-2024-47072"
@@ -60,6 +60,10 @@
       "type": "PACKAGE",
       "url": "https://github.com/x-stream/xstream"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00023.html"
+    },
     {
       "type": "WEB",
       "url": "https://x-stream.github.io/CVE-2024-47072.html"

advisories/github-reviewed/2024/11/GHSA-xvg8-m4x3-w6xr/GHSA-xvg8-m4x3-w6xr.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xvg8-m4x3-w6xr",
-  "modified": "2024-11-12T19:54:38Z",
+  "modified": "2025-11-04T16:53:54Z",
   "published": "2024-11-12T19:54:38Z",
   "aliases": [
     "CVE-2024-50336"
   ],
   "summary": "matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal",
-  "details": "### Summary\n\nmatrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can trigger clients based on the matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver.\n\n### Details\n\nThe Matrix specification demands homeservers to [perform validation](https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5) of the `server-name` and `media-id` components of MXC URIs with the intent to prevent path traversal. However, it is not mentioned that a similar check must also be performed on the client to prevent *client-side* path traversal. matrix-js-sdk fails to perform this validation.\n\n### Patches\n\nFixed in matrix-js-sdk 34.11.1.\n\n### Workarounds\n\nNone.\n\n### References\n\n- https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5\n- https://blog.doyensec.com/2024/07/02/cspt2csrf.html\n",
+  "details": "### Summary\n\nmatrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can trigger clients based on the matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver.\n\n### Details\n\nThe Matrix specification demands homeservers to [perform validation](https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5) of the `server-name` and `media-id` components of MXC URIs with the intent to prevent path traversal. However, it is not mentioned that a similar check must also be performed on the client to prevent *client-side* path traversal. matrix-js-sdk fails to perform this validation.\n\n### Patches\n\nFixed in matrix-js-sdk 34.11.1.\n\n### Workarounds\n\nNone.\n\n### References\n\n- https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5\n- https://blog.doyensec.com/2024/07/02/cspt2csrf.html",
   "severity": [
     {
       "type": "CVSS_V4",
@@ -48,6 +48,10 @@
       "type": "PACKAGE",
       "url": "https://github.com/matrix-org/matrix-js-sdk"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00004.html"
+    },
     {
       "type": "WEB",
       "url": "https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5"

advisories/github-reviewed/2024/12/GHSA-mwcw-c2x4-8c55/GHSA-mwcw-c2x4-8c55.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mwcw-c2x4-8c55",
-  "modified": "2024-12-13T22:57:29Z",
+  "modified": "2025-11-04T16:54:54Z",
   "published": "2024-12-09T03:30:59Z",
   "aliases": [
     "CVE-2024-55565"
@@ -74,6 +74,14 @@
     {
       "type": "WEB",
       "url": "https://github.com/ai/nanoid/releases/tag/5.0.9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00025.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00006.html"
     }
   ],
   "database_specific": {