Publish Advisories

GHSA-fj7f-vq84-fh43
GHSA-jvfv-hrrc-6q72
GHSA-8m5h-hrqm-pxm2
GHSA-q77q-vx4q-xx6q
GHSA-m2h2-264f-f486

Author: advisory-database[bot]

advisories/github-reviewed/2021/12/GHSA-fj7f-vq84-fh43/GHSA-fj7f-vq84-fh43.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fj7f-vq84-fh43",
-  "modified": "2021-12-14T15:31:09Z",
+  "modified": "2025-11-03T22:27:44Z",
   "published": "2021-12-08T19:51:36Z",
   "aliases": [
     "CVE-2021-43809"
@@ -64,6 +64,10 @@
       "type": "WEB",
       "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bundler/CVE-2021-43809.yml"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00015.html"
+    },
     {
       "type": "WEB",
       "url": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers"

advisories/github-reviewed/2022/03/GHSA-jvfv-hrrc-6q72/GHSA-jvfv-hrrc-6q72.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jvfv-hrrc-6q72",
-  "modified": "2022-03-18T21:12:35Z",
+  "modified": "2025-11-03T22:28:08Z",
   "published": "2022-03-05T00:00:45Z",
   "aliases": [
     "CVE-2022-0839"
@@ -55,6 +55,10 @@
     {
       "type": "WEB",
       "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
+    },
+    {
+      "type": "WEB",
+      "url": "http://seclists.org/fulldisclosure/2025/Apr/14"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2022/04/GHSA-8m5h-hrqm-pxm2/GHSA-8m5h-hrqm-pxm2.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8m5h-hrqm-pxm2",
-  "modified": "2022-04-27T21:09:43Z",
+  "modified": "2025-11-03T22:28:22Z",
   "published": "2022-04-27T21:09:43Z",
   "aliases": [
     "CVE-2022-23457"
   ],
   "summary": "Path traversal in the OWASP Enterprise Security API",
-  "details": "### Impact\nThe default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path.\n\n### Patches\nThis vulnerability is patched in release 2.3.0.0 of ESAPI. See https://github.com/ESAPI/esapi-java-legacy/releases/tag/esapi-2.3.0.0 for details.\n\n### Workarounds\nYes; in theory, one _could_ write the own implementation of the Validator interface. This would most easily be done by sub-classing a version of the affected `DefaultValidator` class and then overriding the affected `getValidDirectoryPath()` to correct the issue. However, this is not recommended.\n\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email one of the project co-leaders. See email addresses listed on  the [OWASP ESAPI wiki](https://owasp.org/www-project-enterprise-security-api/) page, under \"Leaders\".\n* Send email to one of the two ESAPI related Google Groups listed under [Where to Find More Information on ESAPI](https://github.com/ESAPI/esapi-java-legacy#where-to-find-more-information-on-esapi) on our [README.md](https://github.com/ESAPI/esapi-java-legacy#readme) page.\n",
+  "details": "### Impact\nThe default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path.\n\n### Patches\nThis vulnerability is patched in release 2.3.0.0 of ESAPI. See https://github.com/ESAPI/esapi-java-legacy/releases/tag/esapi-2.3.0.0 for details.\n\n### Workarounds\nYes; in theory, one _could_ write the own implementation of the Validator interface. This would most easily be done by sub-classing a version of the affected `DefaultValidator` class and then overriding the affected `getValidDirectoryPath()` to correct the issue. However, this is not recommended.\n\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email one of the project co-leaders. See email addresses listed on  the [OWASP ESAPI wiki](https://owasp.org/www-project-enterprise-security-api/) page, under \"Leaders\".\n* Send email to one of the two ESAPI related Google Groups listed under [Where to Find More Information on ESAPI](https://github.com/ESAPI/esapi-java-legacy#where-to-find-more-information-on-esapi) on our [README.md](https://github.com/ESAPI/esapi-java-legacy#readme) page.",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -63,6 +63,10 @@
       "type": "WEB",
       "url": "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00010.html"
+    },
     {
       "type": "WEB",
       "url": "https://security.netapp.com/advisory/ntap-20230127-0014"

advisories/github-reviewed/2022/04/GHSA-q77q-vx4q-xx6q/GHSA-q77q-vx4q-xx6q.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-q77q-vx4q-xx6q",
-  "modified": "2022-05-10T15:44:45Z",
+  "modified": "2025-11-03T22:28:35Z",
   "published": "2022-04-27T21:09:46Z",
   "aliases": [
     "CVE-2022-24891"
   ],
   "summary": "Cross-site Scripting in org.owasp.esapi:esapi",
-  "details": "### Impact\nThere is a potential for an XSS vulnerability in ESAPI caused by a incorrect regular expression for \"onsiteURL\" in the **antisamy-esapi.xml** configuration file that can cause URLs with the \"javascript:\" scheme to NOT be sanitized. See the reference below for full details.\n\n### Patches\nPatched in ESAPI 2.3.0.0 and later. See important remediation details in the reference given below.\n\n### Workarounds\nManually edit your **antisamy-esapi.xml** configuration files to change the \"onsiteURL\" regular expression as per remediation instructions in the reference below.\n\n### References\n[Security Bulletin 8](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin8.pdf)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email one of the project co-leaders. See email addresses listed on  the [OWASP ESAPI wiki](https://owasp.org/www-project-enterprise-security-api/) page, under \"Leaders\".\n* Send email to one of the two ESAPI related Google Groups listed under [Where to Find More Information on ESAPI](https://github.com/ESAPI/esapi-java-legacy#where-to-find-more-information-on-esapi) on our [README.md](https://github.com/ESAPI/esapi-java-legacy#readme) page.\n",
+  "details": "### Impact\nThere is a potential for an XSS vulnerability in ESAPI caused by a incorrect regular expression for \"onsiteURL\" in the **antisamy-esapi.xml** configuration file that can cause URLs with the \"javascript:\" scheme to NOT be sanitized. See the reference below for full details.\n\n### Patches\nPatched in ESAPI 2.3.0.0 and later. See important remediation details in the reference given below.\n\n### Workarounds\nManually edit your **antisamy-esapi.xml** configuration files to change the \"onsiteURL\" regular expression as per remediation instructions in the reference below.\n\n### References\n[Security Bulletin 8](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin8.pdf)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email one of the project co-leaders. See email addresses listed on  the [OWASP ESAPI wiki](https://owasp.org/www-project-enterprise-security-api/) page, under \"Leaders\".\n* Send email to one of the two ESAPI related Google Groups listed under [Where to Find More Information on ESAPI](https://github.com/ESAPI/esapi-java-legacy#where-to-find-more-information-on-esapi) on our [README.md](https://github.com/ESAPI/esapi-java-legacy#readme) page.",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -59,6 +59,10 @@
       "type": "WEB",
       "url": "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00010.html"
+    },
     {
       "type": "WEB",
       "url": "https://security.netapp.com/advisory/ntap-20230127-0014"

advisories/github-reviewed/2022/05/GHSA-m2h2-264f-f486/GHSA-m2h2-264f-f486.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-m2h2-264f-f486",
-  "modified": "2022-05-04T20:12:02Z",
+  "modified": "2025-11-03T22:29:05Z",
   "published": "2022-05-03T00:00:44Z",
   "aliases": [
     "CVE-2022-25844"
@@ -41,6 +41,18 @@
       "type": "PACKAGE",
       "url": "https://github.com/angular/angular.js"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2WUSPYOTOMAZPDEFPWPSCSPMNODRDKK3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7LNAKCNTVBIHWAUT3FKWV5N67PQXSZOO"
+    },
     {
       "type": "WEB",
       "url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/2WUSPYOTOMAZPDEFPWPSCSPMNODRDKK3"