Publish Advisories

GHSA-4g74-7cff-xcv8
GHSA-6533-fhr2-f38h
GHSA-g582-8vwr-68h2
GHSA-vf95-55w6-qmrf
GHSA-xf7m-v66q-76w8

Author: advisory-database[bot]

advisories/github-reviewed/2025/11/GHSA-4g74-7cff-xcv8/GHSA-4g74-7cff-xcv8.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4g74-7cff-xcv8",
-  "modified": "2025-11-06T15:29:34Z",
+  "modified": "2025-11-15T02:25:02Z",
   "published": "2025-11-05T18:44:18Z",
   "aliases": [
     "CVE-2025-62161"
   ],
   "summary": "youki container escape via \"masked path\" abuse due to mount race conditions",
   "details": "### Impact ###\n\nyouki utilizes bind mounting the container's `/dev/null` as a file mask. When performing this operation, the initial validation of the source `/dev/null` was insufficient. Specifically, we initially failed to verify whether `/dev/null` was genuinely present. However, we did perform validation to ensure that the `/dev/null` path existed within the container, including checking for symbolic links. Additionally, there was a vulnerability in the timing between validation and the actual mount operation.\n\nAs a result, by replacing `/dev/null` with a symbolic link, we can bind-mount arbitrary files from the host system.\n\nThis is a different project, but the core logic is similar to the CVE in runc. Issues were identified in runc, and verification was also conducted in youki to confirm the problems.\nhttps://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2\n\n### Credits\n\nThanks to Lei Wang (@ssst0n3 from Huawei) for finding and reporting the original runc's vulnerability (Attack 1), and Li Fubang (@lifubang from acmcoder.com, CIIC) for discovering another attack vector in runc (Attack 2) based on @ssst0n3's initial findings.\n\nAlso, @cyphar helped youki in finding the problem.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"

advisories/github-reviewed/2025/11/GHSA-6533-fhr2-f38h/GHSA-6533-fhr2-f38h.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6533-fhr2-f38h",
-  "modified": "2025-11-03T20:26:10Z",
+  "modified": "2025-11-15T02:24:27Z",
   "published": "2025-11-01T00:30:27Z",
   "aliases": [
     "CVE-2025-62276"
   ],
   "summary": "Liferay Portal and DXP use an incorrect cache-control header",
   "details": "The Document Library and the Adaptive Media modules in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions uses an incorrect cache-control header, which allows local users to obtain access to downloaded files via the browser's cache.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"

advisories/github-reviewed/2025/11/GHSA-g582-8vwr-68h2/GHSA-g582-8vwr-68h2.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-g582-8vwr-68h2",
-  "modified": "2025-11-05T20:55:17Z",
+  "modified": "2025-11-15T02:25:11Z",
   "published": "2025-11-03T20:13:26Z",
   "aliases": [
     "CVE-2025-62520"
   ],
   "summary": "MantisBT unauthorized disclosure of private project column configuration",
   "details": "### Impact\n\nDue to insufficient access-level checks, any non-admin user having access to _manage_config_columns_page.php_ (typically project managers having MANAGER role) can use the _Copy From_ action to retrieve the columns configuration from a private project they have no access to. \n\nAccess to the reverse operation (_Copy To_) is correctly controlled, i.e. it is not possible to alter the private project's configuration.\n\n### Patches\nThe vulnerability will be fixed in MantisBT version 2.27.2. \n\n### Workarounds\nNone\n\n### Credits\nThanks to [d3vpoo1](https://github.com/jrckmcsb) for reporting the issue.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"

advisories/github-reviewed/2025/11/GHSA-vf95-55w6-qmrf/GHSA-vf95-55w6-qmrf.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vf95-55w6-qmrf",
-  "modified": "2025-11-06T15:29:58Z",
+  "modified": "2025-11-15T02:25:28Z",
   "published": "2025-11-05T18:45:18Z",
   "aliases": [
     "CVE-2025-62596"
   ],
   "summary": "youki container escape and denial of service due to arbitrary write gadgets and procfs write redirects",
   "details": "### Impact ###\n\nyouki’s apparmor handling performs insufficiently strict write-target validation, which—combined with path substitution during pathname resolution—can allow writes to unintended procfs locations.\n\n**Weak write-target check**\nyouki only verifies that the destination lies somewhere under procfs. As a result, a write intended for `/proc/self/attr/apparmor/exec` can succeed even if the path has been redirected to `/proc/sys/kernel/hostname`(which is also in procfs).\n\n**Path substitution**\nWhile resolving a path component-by-component, a shared-mount race can substitute intermediate components and redirect the final target.\n\nThis is a different project, but the core logic is similar to the CVE in runc. Issues were identified in runc, and verification was also conducted in youki to confirm the problems.\nhttps://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm\n\n### Credits ###\n\nThanks to Li Fubang (@lifubang from acmcoder.com, CIIC) and Tõnis Tiigi (@tonistiigi from Docker) for both independently discovering runc's original vulnerability, as well as Aleksa Sarai (@cyphar from SUSE) for the original research into this class of security issues and solutions.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"

advisories/github-reviewed/2025/11/GHSA-xf7m-v66q-76w8/GHSA-xf7m-v66q-76w8.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xf7m-v66q-76w8",
-  "modified": "2025-11-03T21:06:57Z",
+  "modified": "2025-11-15T02:24:51Z",
   "published": "2025-11-01T03:30:24Z",
   "aliases": [
     "CVE-2025-62275"
   ],
   "summary": "Liferay Portal and DXP do not check permissions of images in a blog entry",
   "details": "Blogs in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions does not check permission of images in a blog entry, which allows remote attackers to view the images in a blog entry via crafted URL.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"