Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit a8761161c87c · 2025-10-23T16:03:35.000Z
GHSA-j3w7-9qc3-g96p GHSA-jp7h-4f3c-9rc7
diff --git a/advisories/github-reviewed/2025/10/GHSA-j3w7-9qc3-g96p/GHSA-j3w7-9qc3-g96p.json b/advisories/github-reviewed/2025/10/GHSA-j3w7-9qc3-g96p/GHSA-j3w7-9qc3-g96p.json
@@ -0,0 +1,62 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-j3w7-9qc3-g96p",
+  "modified": "2025-10-23T16:01:35Z",
+  "published": "2025-10-23T16:01:35Z",
+  "aliases": [
+    "CVE-2025-62713"
+  ],
+  "summary": "Kottster app reinitialization can be re-triggered allowing command injection in development mode",
+  "details": "### Impact\n\n**Development mode only**. Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode.\n\nThe vulnerability combines two issues:\n1. The `initApp` action can be called repeatedly without checking if the app is already initialized, allowing attackers to create a new root admin account and obtain a JWT token\n2. The `installPackagesForDataSource` action uses unescaped command arguments, enabling command injection\n\nAn attacker with access to a locally running development instance can chain these vulnerabilities to:\n- Reinitialize the application and receive a JWT token for a new root account\n- Use this token to authenticate\n- Execute arbitrary system commands through `installPackagesForDataSource`\n\n**Production deployments were never affected.**\n\n### Patches\n\nFixed in [v3.3.2](https://github.com/kottster/kottster/releases/tag/v3.3.2).\n\nSpecifically, `@kottster/server` [v3.3.2](https://www.npmjs.com/package/@kottster/server/v/3.3.2) and `@kottster/cli` [v3.3.2](https://www.npmjs.com/package/@kottster/cli/v/3.3.2) address this vulnerability.\n\nWe recommend developers using earlier versions of `@kottster/server` and `@kottster/cli` update all the core packages to latest release:\n\n```\nnpm install @kottster/common@latest @kottster/cli@latest @kottster/server@latest @kottster/react@latest\n```\n\n### Workarounds\n\n- Do not expose development servers to public networks or untrusted users\n- Use production mode for any deployment accessible from outside trusted environments\n\n### Credit\n\nWe sincerely thank Jeongwon Jo ([@P0cas](https://github.com/P0cas)) from **RedAlert** for discovering and responsibly disclosing this vulnerability.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@kottster/server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.2.0"
+            },
+            {
+              "fixed": "3.3.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/kottster/kottster/security/advisories/GHSA-j3w7-9qc3-g96p"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kottster/kottster/commit/0a7d24922a23aac98372155348787670937eef89"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/kottster/kottster"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284",
+      "CWE-78"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-23T16:01:35Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2025/10/GHSA-jp7h-4f3c-9rc7/GHSA-jp7h-4f3c-9rc7.json b/advisories/github-reviewed/2025/10/GHSA-jp7h-4f3c-9rc7/GHSA-jp7h-4f3c-9rc7.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jp7h-4f3c-9rc7",
+  "modified": "2025-10-23T16:01:27Z",
+  "published": "2025-10-23T16:01:27Z",
+  "aliases": [
+    "CVE-2025-59048"
+  ],
+  "summary": "OpenBao AWS Plugin Vulnerable to Cross-Account IAM Role Impersonation in AWS Auth Method",
+  "details": "### Impact\nThis is a cross-account impersonation vulnerability in the `auth-aws` plugin. The vulnerability allows an IAM role from an untrusted AWS account to authenticate by impersonating a role with the **same name** in a trusted account, leading to unauthorized access.\n\nThis impacts all users of the `auth-aws` plugin who operate in a multi-account AWS environment where IAM role names may not be unique across accounts.\n\nThe core of the vulnerability is a flawed caching mechanism that fails to validate the AWS Account ID during authentication. While the use of wildcards in a `bound_iam_principal_arn configuration` significantly increases the attack surface, **wildcards are not a prerequisite for exploitation**. The vulnerability can be exploited with specific ARN bindings if a role name collision occurs.\n\nSuccessful exploitation can lead to unauthorized access to secrets, data exfiltration, and privilege escalation. Given that the only prerequisite is a duplicate role name, the severity is considered **high**.\n\n### Patches\nThis vulnerability has been patched in version **0.1.1** of the `auth-aws` plugin.\nUsers are advised to upgrade to version **0.1.1** or later to remediate this vulnerability.\n\n### Workarounds\nFor users who are unable to upgrade to version **0.1.1** immediately, the most effective workaround is to **guarantee that IAM role names are unique across all AWS accounts** that could potentially interact with your OpenBao environment. This is the most critical mitigation step.\n\n**Primary Mitigation**: Audit your AWS organizations to identify and rename any duplicate IAM role names. Enforce a naming convention that includes account-specific identifiers to prevent future collisions.\n\nWhile removing wildcards from your `bound_iam_principal_arn` configuration is still recommended as a security best practice, it **will not** mitigate this vulnerability if duplicate role names exist.\n\n### Credits\nThis vulnerability was discovered and reported by [Pavlos Karakalidis](https://github.com/pkarakal/)",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/openbao/openbao-plugins"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.1.1"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.1.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openbao/openbao-plugins/security/advisories/GHSA-jp7h-4f3c-9rc7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openbao/openbao-plugins/commit/2a77af36834746ca6d3ac9bd1049154c84b3efae"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openbao/openbao-plugins"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-694",
+      "CWE-863"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-23T16:01:27Z",
+    "nvd_published_at": null
+  }
+}
