Skip to content

Commit 7e4b346

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-g9pc-8g42-g6vq GHSA-c5cj-xp43-qcc3 GHSA-m58f-9pvv-8mp2 GHSA-w29j-8phw-ffjf GHSA-g9pc-8g42-g6vq GHSA-c5cj-xp43-qcc3 GHSA-m58f-9pvv-8mp2 GHSA-w29j-8phw-ffjf
1 parent 65548e9 commit 7e4b346

File tree

8 files changed

+446
-170
lines changed

8 files changed

+446
-170
lines changed

advisories/github-reviewed/2025/04/GHSA-g9pc-8g42-g6vq/GHSA-g9pc-8g42-g6vq.json

Lines changed: 90 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,90 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-g9pc-8g42-g6vq",
4+
"modified": "2025-10-24T20:57:40Z",
5+
"published": "2025-04-08T21:31:40Z",
6+
"aliases": [
7+
"CVE-2025-22871"
8+
],
9+
"summary": "RoadRunner is at risk of HTTP Request/Response Smuggling through vulnerable dependency",
10+
"details": "The net/http package dependency used by RoadRunner improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "spiral/roadrunner"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2025.1.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "ADVISORY",
41+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871"
42+
},
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/roadrunner-server/roadrunner/issues/2166"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/roadrunner-server/roadrunner/commit/f269279ee87d0b88127741cad1042389af7605fa"
50+
},
51+
{
52+
"type": "PACKAGE",
53+
"url": "https://github.com/roadrunner-server/roadrunner"
54+
},
55+
{
56+
"type": "WEB",
57+
"url": "https://github.com/roadrunner-server/roadrunner/releases/tag/v2025.1.0"
58+
},
59+
{
60+
"type": "WEB",
61+
"url": "https://go.dev/cl/652998"
62+
},
63+
{
64+
"type": "WEB",
65+
"url": "https://go.dev/issue/71988"
66+
},
67+
{
68+
"type": "WEB",
69+
"url": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk"
70+
},
71+
{
72+
"type": "WEB",
73+
"url": "https://pkg.go.dev/vuln/GO-2025-3563"
74+
},
75+
{
76+
"type": "WEB",
77+
"url": "http://www.openwall.com/lists/oss-security/2025/04/04/4"
78+
}
79+
],
80+
"database_specific": {
81+
"cwe_ids": [
82+
"CWE-1395",
83+
"CWE-444"
84+
],
85+
"severity": "CRITICAL",
86+
"github_reviewed": true,
87+
"github_reviewed_at": "2025-10-24T20:57:40Z",
88+
"nvd_published_at": "2025-04-08T20:15:20Z"
89+
}
90+
}

advisories/github-reviewed/2025/10/GHSA-c5cj-xp43-qcc3/GHSA-c5cj-xp43-qcc3.json

Lines changed: 96 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,96 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-c5cj-xp43-qcc3",
4+
"modified": "2025-10-24T20:58:32Z",
5+
"published": "2025-10-23T12:31:17Z",
6+
"aliases": [
7+
"CVE-2025-62396"
8+
],
9+
"summary": "Moodle's error handling leads to sensitive information disclosure",
10+
"details": "An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers were not properly configured.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "moodle/moodle"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "5.0.0-beta"
29+
},
30+
{
31+
"fixed": "5.0.3"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Packagist",
40+
"name": "moodle/moodle"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "4.5.0-beta"
48+
},
49+
{
50+
"fixed": "4.5.7"
51+
}
52+
]
53+
}
54+
]
55+
}
56+
],
57+
"references": [
58+
{
59+
"type": "ADVISORY",
60+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62396"
61+
},
62+
{
63+
"type": "WEB",
64+
"url": "https://github.com/moodle/moodle/commit/5d4910509eeaac8403d18ec8f259e29d2f11527e"
65+
},
66+
{
67+
"type": "WEB",
68+
"url": "https://github.com/moodle/moodle/commit/5e7d5abc483d0511ebfc2042075eabcc392ff4ce"
69+
},
70+
{
71+
"type": "WEB",
72+
"url": "https://access.redhat.com/security/cve/CVE-2025-62396"
73+
},
74+
{
75+
"type": "WEB",
76+
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2404429"
77+
},
78+
{
79+
"type": "PACKAGE",
80+
"url": "https://github.com/moodle/moodle"
81+
},
82+
{
83+
"type": "WEB",
84+
"url": "https://moodle.org/mod/forum/discuss.php?d=470385"
85+
}
86+
],
87+
"database_specific": {
88+
"cwe_ids": [
89+
"CWE-548"
90+
],
91+
"severity": "MODERATE",
92+
"github_reviewed": true,
93+
"github_reviewed_at": "2025-10-24T20:58:32Z",
94+
"nvd_published_at": "2025-10-23T12:15:31Z"
95+
}
96+
}

advisories/github-reviewed/2025/10/GHSA-m58f-9pvv-8mp2/GHSA-m58f-9pvv-8mp2.json

Lines changed: 130 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,130 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-m58f-9pvv-8mp2",
4+
"modified": "2025-10-24T20:58:12Z",
5+
"published": "2025-10-23T12:31:17Z",
6+
"aliases": [
7+
"CVE-2025-62399"
8+
],
9+
"summary": "Moodle vulnerable to brute-force password guesses",
10+
"details": "Moodle's mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute-force attacks.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "moodle/moodle"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "5.0.0-beta"
29+
},
30+
{
31+
"fixed": "5.0.3"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Packagist",
40+
"name": "moodle/moodle"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "4.5.0-beta"
48+
},
49+
{
50+
"fixed": "4.5.7"
51+
}
52+
]
53+
}
54+
]
55+
},
56+
{
57+
"package": {
58+
"ecosystem": "Packagist",
59+
"name": "moodle/moodle"
60+
},
61+
"ranges": [
62+
{
63+
"type": "ECOSYSTEM",
64+
"events": [
65+
{
66+
"introduced": "4.2.0-beta"
67+
},
68+
{
69+
"fixed": "4.4.11"
70+
}
71+
]
72+
}
73+
]
74+
},
75+
{
76+
"package": {
77+
"ecosystem": "Packagist",
78+
"name": "moodle/moodle"
79+
},
80+
"ranges": [
81+
{
82+
"type": "ECOSYSTEM",
83+
"events": [
84+
{
85+
"introduced": "0"
86+
},
87+
{
88+
"fixed": "4.1.21"
89+
}
90+
]
91+
}
92+
]
93+
}
94+
],
95+
"references": [
96+
{
97+
"type": "ADVISORY",
98+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62399"
99+
},
100+
{
101+
"type": "WEB",
102+
"url": "https://github.com/moodle/moodle/commit/e4d02567c922c537086de9f59f063ca073552a3a"
103+
},
104+
{
105+
"type": "WEB",
106+
"url": "https://access.redhat.com/security/cve/CVE-2025-62399"
107+
},
108+
{
109+
"type": "WEB",
110+
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2404432"
111+
},
112+
{
113+
"type": "PACKAGE",
114+
"url": "https://github.com/moodle/moodle"
115+
},
116+
{
117+
"type": "WEB",
118+
"url": "https://moodle.org/mod/forum/discuss.php?d=470388"
119+
}
120+
],
121+
"database_specific": {
122+
"cwe_ids": [
123+
"CWE-307"
124+
],
125+
"severity": "HIGH",
126+
"github_reviewed": true,
127+
"github_reviewed_at": "2025-10-24T20:58:12Z",
128+
"nvd_published_at": "2025-10-23T12:15:32Z"
129+
}
130+
}

0 commit comments

Comments
 (0)