Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 854f42d8f8f4 · 2025-11-03T22:49:54.000Z
GHSA-869c-j7wc-8jqv GHSA-4xqq-m2hx-25v8 GHSA-5866-49gr-22v4 GHSA-r55c-59qm-vjw6 GHSA-vmwr-mc7x-5vc3 GHSA-m6fv-jmcg-4jfg GHSA-m9gf-397r-hwpg GHSA-mqm9-c95h-x2p6 GHSA-2rxp-v6pw-ch6m GHSA-g8m5-722r-8whq GHSA-gx9m-whjm-85jf GHSA-r7m4-f9h5-gr79
diff --git a/advisories/github-reviewed/2024/06/GHSA-869c-j7wc-8jqv/GHSA-869c-j7wc-8jqv.json b/advisories/github-reviewed/2024/06/GHSA-869c-j7wc-8jqv/GHSA-869c-j7wc-8jqv.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-869c-j7wc-8jqv",
-  "modified": "2025-03-14T21:38:49Z",
+  "modified": "2025-11-03T22:47:01Z",
   "published": "2024-06-29T06:31:40Z",
   "aliases": [
     "CVE-2019-25211"
@@ -86,6 +86,10 @@
     {
       "type": "PACKAGE",
       "url": "https://github.com/gin-gonic/gin"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00024.html"
     }
   ],
   "database_specific": {
diff --git a/advisories/github-reviewed/2024/07/GHSA-4xqq-m2hx-25v8/GHSA-4xqq-m2hx-25v8.json b/advisories/github-reviewed/2024/07/GHSA-4xqq-m2hx-25v8/GHSA-4xqq-m2hx-25v8.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4xqq-m2hx-25v8",
-  "modified": "2025-01-17T21:31:39Z",
+  "modified": "2025-11-03T22:47:12Z",
   "published": "2024-07-16T19:49:15Z",
   "aliases": [
     "CVE-2024-39908"
@@ -60,6 +60,10 @@
       "type": "WEB",
       "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-39908.yml"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html"
+    },
     {
       "type": "WEB",
       "url": "https://security.netapp.com/advisory/ntap-20250117-0008"
diff --git a/advisories/github-reviewed/2024/08/GHSA-5866-49gr-22v4/GHSA-5866-49gr-22v4.json b/advisories/github-reviewed/2024/08/GHSA-5866-49gr-22v4/GHSA-5866-49gr-22v4.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5866-49gr-22v4",
-  "modified": "2025-01-17T21:31:39Z",
+  "modified": "2025-11-03T22:47:32Z",
   "published": "2024-08-02T12:33:15Z",
   "aliases": [
     "CVE-2024-41946"
@@ -60,6 +60,10 @@
       "type": "WEB",
       "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-41946.yml"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html"
+    },
     {
       "type": "WEB",
       "url": "https://security.netapp.com/advisory/ntap-20250117-0007"
diff --git a/advisories/github-reviewed/2024/08/GHSA-r55c-59qm-vjw6/GHSA-r55c-59qm-vjw6.json b/advisories/github-reviewed/2024/08/GHSA-r55c-59qm-vjw6/GHSA-r55c-59qm-vjw6.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-r55c-59qm-vjw6",
-  "modified": "2024-12-27T18:30:26Z",
+  "modified": "2025-11-03T22:47:22Z",
   "published": "2024-08-01T22:05:10Z",
   "aliases": [
     "CVE-2024-41123"
@@ -64,6 +64,10 @@
       "type": "WEB",
       "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-41123.yml"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html"
+    },
     {
       "type": "WEB",
       "url": "https://security.netapp.com/advisory/ntap-20241227-0005"
diff --git a/advisories/github-reviewed/2024/08/GHSA-vmwr-mc7x-5vc3/GHSA-vmwr-mc7x-5vc3.json b/advisories/github-reviewed/2024/08/GHSA-vmwr-mc7x-5vc3/GHSA-vmwr-mc7x-5vc3.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vmwr-mc7x-5vc3",
-  "modified": "2025-01-03T12:30:31Z",
+  "modified": "2025-11-03T22:47:47Z",
   "published": "2024-08-22T16:40:46Z",
   "aliases": [
     "CVE-2024-43398"
   ],
   "summary": "REXML denial of service vulnerability",
-  "details": "### Impact\n\nThe REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes.\n\nIf you need to parse untrusted XMLs with tree parser API like `REXML::Document.new`, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected.\n\n### Patches\n\nThe REXML gem 3.3.6 or later include the patch to fix the vulnerability.\n\n### Workarounds\n\nDon't parse untrusted XMLs with tree parser API.\n\n### References\n\n* https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/ : An announce on www.ruby-lang.org\n",
+  "details": "### Impact\n\nThe REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes.\n\nIf you need to parse untrusted XMLs with tree parser API like `REXML::Document.new`, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected.\n\n### Patches\n\nThe REXML gem 3.3.6 or later include the patch to fix the vulnerability.\n\n### Workarounds\n\nDon't parse untrusted XMLs with tree parser API.\n\n### References\n\n* https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/ : An announce on www.ruby-lang.org",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -64,6 +64,10 @@
       "type": "WEB",
       "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-43398.yml"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html"
+    },
     {
       "type": "WEB",
       "url": "https://security.netapp.com/advisory/ntap-20250103-0006"
diff --git a/advisories/github-reviewed/2024/09/GHSA-m6fv-jmcg-4jfg/GHSA-m6fv-jmcg-4jfg.json b/advisories/github-reviewed/2024/09/GHSA-m6fv-jmcg-4jfg/GHSA-m6fv-jmcg-4jfg.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-m6fv-jmcg-4jfg",
-  "modified": "2024-11-18T16:27:11Z",
+  "modified": "2025-11-03T22:48:03Z",
   "published": "2024-09-10T19:42:41Z",
   "aliases": [
     "CVE-2024-43799"
   ],
   "summary": "send vulnerable to template injection that can lead to XSS",
-  "details": "### Impact\n\npassing untrusted user input - even after sanitizing it - to `SendStream.redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in send 0.19.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. the browser MUST NOT complete redirection before:\n1. the user MUST click on the link in the template\n",
+  "details": "### Impact\n\npassing untrusted user input - even after sanitizing it - to `SendStream.redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in send 0.19.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. the browser MUST NOT complete redirection before:\n1. the user MUST click on the link in the template",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -55,6 +55,10 @@
     {
       "type": "PACKAGE",
       "url": "https://github.com/pillarjs/send"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00022.html"
     }
   ],
   "database_specific": {
diff --git a/advisories/github-reviewed/2024/09/GHSA-m9gf-397r-hwpg/GHSA-m9gf-397r-hwpg.json b/advisories/github-reviewed/2024/09/GHSA-m9gf-397r-hwpg/GHSA-m9gf-397r-hwpg.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-m9gf-397r-hwpg",
-  "modified": "2025-04-28T15:32:18Z",
+  "modified": "2025-11-03T22:48:13Z",
   "published": "2024-09-09T15:30:41Z",
   "aliases": [
     "CVE-2024-8372"
@@ -52,6 +52,10 @@
       "type": "PACKAGE",
       "url": "https://github.com/angular/angular.js"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"
+    },
     {
       "type": "WEB",
       "url": "https://security.netapp.com/advisory/ntap-20241122-0002"
diff --git a/advisories/github-reviewed/2024/09/GHSA-mqm9-c95h-x2p6/GHSA-mqm9-c95h-x2p6.json b/advisories/github-reviewed/2024/09/GHSA-mqm9-c95h-x2p6/GHSA-mqm9-c95h-x2p6.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mqm9-c95h-x2p6",
-  "modified": "2024-11-22T12:39:08Z",
+  "modified": "2025-11-03T22:48:22Z",
   "published": "2024-09-09T15:30:41Z",
   "aliases": [
     "CVE-2024-8373"
@@ -52,6 +52,10 @@
       "type": "PACKAGE",
       "url": "https://github.com/angular/angular.js"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"
+    },
     {
       "type": "WEB",
       "url": "https://security.netapp.com/advisory/ntap-20241122-0003"
diff --git a/advisories/github-reviewed/2024/10/GHSA-2rxp-v6pw-ch6m/GHSA-2rxp-v6pw-ch6m.json b/advisories/github-reviewed/2024/10/GHSA-2rxp-v6pw-ch6m/GHSA-2rxp-v6pw-ch6m.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2rxp-v6pw-ch6m",
-  "modified": "2024-12-27T18:30:26Z",
+  "modified": "2025-11-03T22:49:25Z",
   "published": "2024-10-28T14:10:18Z",
   "aliases": [
     "CVE-2024-49761"
   ],
   "summary": "REXML ReDoS vulnerability",
-  "details": "### Impact\n\nThe REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between `&#` and `x...;` in a hex numeric character reference (`&#x...;`).\n\nThis does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03.\n\n### Patches\n\nThe REXML gem 3.3.9 or later include the patch to fix the vulnerability.\n\n### Workarounds\n\nUse Ruby 3.2 or later instead of Ruby 3.1.\n\n### References\n\n* https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/: An announce on www.ruby-lang.org\n",
+  "details": "### Impact\n\nThe REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between `&#` and `x...;` in a hex numeric character reference (`&#x...;`).\n\nThis does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03.\n\n### Patches\n\nThe REXML gem 3.3.9 or later include the patch to fix the vulnerability.\n\n### Workarounds\n\nUse Ruby 3.2 or later instead of Ruby 3.1.\n\n### References\n\n* https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/: An announce on www.ruby-lang.org",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -60,6 +60,10 @@
       "type": "WEB",
       "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-49761.yml"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html"
+    },
     {
       "type": "WEB",
       "url": "https://security.netapp.com/advisory/ntap-20241227-0004"
diff --git a/advisories/github-reviewed/2024/10/GHSA-g8m5-722r-8whq/GHSA-g8m5-722r-8whq.json b/advisories/github-reviewed/2024/10/GHSA-g8m5-722r-8whq/GHSA-g8m5-722r-8whq.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-g8m5-722r-8whq",
-  "modified": "2024-10-14T21:08:39Z",
+  "modified": "2025-11-03T22:49:11Z",
   "published": "2024-10-14T21:08:38Z",
   "aliases": [
     "CVE-2024-8184"
@@ -124,6 +124,10 @@
     {
       "type": "WEB",
       "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html"
     }
   ],
   "database_specific": {
diff --git a/advisories/github-reviewed/2024/10/GHSA-gx9m-whjm-85jf/GHSA-gx9m-whjm-85jf.json b/advisories/github-reviewed/2024/10/GHSA-gx9m-whjm-85jf/GHSA-gx9m-whjm-85jf.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-gx9m-whjm-85jf",
-  "modified": "2024-10-11T17:27:29Z",
+  "modified": "2025-11-03T22:48:34Z",
   "published": "2024-10-11T17:27:29Z",
   "aliases": [
     "CVE-2024-47875"
@@ -82,6 +82,14 @@
     {
       "type": "WEB",
       "url": "https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html"
+    },
+    {
+      "type": "WEB",
+      "url": "http://seclists.org/fulldisclosure/2025/Apr/14"
     }
   ],
   "database_specific": {
diff --git a/advisories/github-reviewed/2024/10/GHSA-r7m4-f9h5-gr79/GHSA-r7m4-f9h5-gr79.json b/advisories/github-reviewed/2024/10/GHSA-r7m4-f9h5-gr79/GHSA-r7m4-f9h5-gr79.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-r7m4-f9h5-gr79",
-  "modified": "2024-11-08T22:17:54Z",
+  "modified": "2025-11-03T22:48:56Z",
   "published": "2024-10-14T21:07:29Z",
   "aliases": [
     "CVE-2024-6762"
   ],
   "summary": "Eclipse Jetty's PushSessionCacheFilter can cause remote DoS attacks",
-  "details": "### Impact\n Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.\n\n### Patches\n* https://github.com/jetty/jetty.project/pull/9715\n* https://github.com/jetty/jetty.project/pull/9716\n\n### Workarounds\nThe session usage is intrinsic to the design of the PushCacheFilter.  The issue can be avoided by:\n + not using the PushCacheFilter.  Push has been deprecated by the various IETF specs and early hints responses should be used instead.\n + reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.\n + configuring a session cache to use [session passivation](https://jetty.org/docs/jetty/12/programming-guide/server/session.html), so that sessions are not stored in memory, but rather in a database or file system that may have significantly more capacity than memory.\n\n### References\n* https://github.com/jetty/jetty.project/pull/10756\n* https://github.com/jetty/jetty.project/pull/10755\n",
+  "details": "### Impact\n Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.\n\n### Patches\n* https://github.com/jetty/jetty.project/pull/9715\n* https://github.com/jetty/jetty.project/pull/9716\n\n### Workarounds\nThe session usage is intrinsic to the design of the PushCacheFilter.  The issue can be avoided by:\n + not using the PushCacheFilter.  Push has been deprecated by the various IETF specs and early hints responses should be used instead.\n + reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.\n + configuring a session cache to use [session passivation](https://jetty.org/docs/jetty/12/programming-guide/server/session.html), so that sessions are not stored in memory, but rather in a database or file system that may have significantly more capacity than memory.\n\n### References\n* https://github.com/jetty/jetty.project/pull/10756\n* https://github.com/jetty/jetty.project/pull/10755",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -118,6 +118,10 @@
     {
       "type": "WEB",
       "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/24"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html"
     }
   ],
   "database_specific": {

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-869c-j7wc-8jqv",`
`4`		`- "modified": "2025-03-14T21:38:49Z",`
	`4`	`+ "modified": "2025-11-03T22:47:01Z",`
`5`	`5`	`"published": "2024-06-29T06:31:40Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2019-25211"`
`@@ -86,6 +86,10 @@`
`86`	`86`	`{`
`87`	`87`	`"type": "PACKAGE",`
`88`	`88`	`"url": "https://github.com/gin-gonic/gin"`
	`89`	`+ },`
	`90`	`+ {`
	`91`	`+ "type": "WEB",`
	`92`	`+ "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00024.html"`
`89`	`93`	`}`
`90`	`94`	`],`
`91`	`95`	`"database_specific": {`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-g8m5-722r-8whq",`
`4`		`- "modified": "2024-10-14T21:08:39Z",`
	`4`	`+ "modified": "2025-11-03T22:49:11Z",`
`5`	`5`	`"published": "2024-10-14T21:08:38Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2024-8184"`
`@@ -124,6 +124,10 @@`
`124`	`124`	`{`
`125`	`125`	`"type": "WEB",`
`126`	`126`	`"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30"`
	`127`	`+ },`
	`128`	`+ {`
	`129`	`+ "type": "WEB",`
	`130`	`+ "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html"`
`127`	`131`	`}`
`128`	`132`	`],`
`129`	`133`	`"database_specific": {`