Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit a6835e95b20f · 2025-11-21T18:11:10.000Z
GHSA-gmm6-j2g5-r52m GHSA-r63p-v37q-g74c GHSA-gmm6-j2g5-r52m
diff --git a/advisories/github-reviewed/2025/11/GHSA-gmm6-j2g5-r52m/GHSA-gmm6-j2g5-r52m.json b/advisories/github-reviewed/2025/11/GHSA-gmm6-j2g5-r52m/GHSA-gmm6-j2g5-r52m.json
@@ -0,0 +1,73 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gmm6-j2g5-r52m",
+  "modified": "2025-11-21T18:10:41Z",
+  "published": "2025-11-21T15:31:28Z",
+  "aliases": [
+    "CVE-2025-13357"
+  ],
+  "summary": "Vault’s Terraform Provider incorrectly set default deny_null_bind parameter for LDAP auth method to false by default",
+  "details": "Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in Vault Terraform Provider v5.5.0.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/hashicorp/terraform-provider-vault"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.5.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13357"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/hashicorp/terraform-provider-vault/pull/2622"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/hashicorp/terraform-provider-vault/commit/882bc7f409acc99c872c345edd65159d9568589a"
+    },
+    {
+      "type": "WEB",
+      "url": "https://discuss.hashicorp.com/t/hcsec-2025-33-vault-terraform-provider-applied-incorrect-defaults-for-ldap-auth-method/76822"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/hashicorp/terraform-provider-vault"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/hashicorp/terraform-provider-vault/releases/tag/v5.5.0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1188"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-21T18:10:41Z",
+    "nvd_published_at": "2025-11-21T15:15:51Z"
+  }
+}
diff --git a/advisories/github-reviewed/2025/11/GHSA-r63p-v37q-g74c/GHSA-r63p-v37q-g74c.json b/advisories/github-reviewed/2025/11/GHSA-r63p-v37q-g74c/GHSA-r63p-v37q-g74c.json
@@ -1,24 +1,49 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-r63p-v37q-g74c",
-  "modified": "2025-11-21T00:30:21Z",
+  "modified": "2025-11-21T18:09:49Z",
   "published": "2025-11-20T15:30:24Z",
   "aliases": [
     "CVE-2025-60799"
   ],
+  "summary": "phppgadmin contains an incorrect access control vulnerability",
   "details": "phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized manipulation of session variables by accepting user-controlled parameters ('subject', 'server', 'database', 'queryid') without proper validation or access control checks. Attackers can exploit this to store arbitrary SQL queries in $_SESSION['sqlquery'] by manipulating these parameters, potentially leading to session poisoning, stored cross-site scripting, or unauthorized access to sensitive session data.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "phppgadmin/phppgadmin"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "7.13.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60799"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/phppgadmin/phppgadmin"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/phppgadmin/phppgadmin/blob/master/sql.php#L68-L76"
@@ -33,8 +58,8 @@
       "CWE-284"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-21T18:09:49Z",
     "nvd_published_at": "2025-11-20T15:17:38Z"
   }
 }
diff --git a/advisories/unreviewed/2025/11/GHSA-gmm6-j2g5-r52m/GHSA-gmm6-j2g5-r52m.json b/advisories/unreviewed/2025/11/GHSA-gmm6-j2g5-r52m/GHSA-gmm6-j2g5-r52m.json
