Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit cb2735efe8eb · 2025-12-03T16:29:36.000Z
GHSA-j7c9-79x7-8hpr GHSA-jf75-p25m-pw74 GHSA-xq4m-mc3c-vvg3
diff --git a/advisories/github-reviewed/2025/12/GHSA-j7c9-79x7-8hpr/GHSA-j7c9-79x7-8hpr.json b/advisories/github-reviewed/2025/12/GHSA-j7c9-79x7-8hpr/GHSA-j7c9-79x7-8hpr.json
@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-j7c9-79x7-8hpr",
+  "modified": "2025-12-03T16:27:59Z",
+  "published": "2025-12-03T16:27:59Z",
+  "aliases": [
+    "CVE-2025-66406"
+  ],
+  "summary": "step-ca Has Improper Authorization Check for SSH Certificate Revocation",
+  "details": "## Summary\n\nA security fix is now available for Step CA that resolves a vulnerability affecting deployments configured with the SSHPOP provisioner.\nAll operators running these provisioners should upgrade to the latest release (`v0.29.0`) immediately.\n\nThe issue was discovered and responsibly disclosed by a research team during a security review. There is no evidence of active exploitation.\n\nTo limit exploitation risk during a coordinated disclosure window, we are withholding detailed technical information for now. A full write-up will be published in several weeks.\n\n---\n\n## Embargo List\n\nIf your organization runs Step CA in production and would like advance, embargoed notification of future security updates, visit https://u.step.sm/disclosure to request inclusion on our embargo list.\n\n---\n\n## Acknowledgements\n\nThis issue was identified and reported by Gabriel Departout and Andy Russon, from [AMOSSYS](http://amossys.fr/). This audit was sponsored by [ANSSI](https://cyber.gouv.fr/) (French Cybersecurity Agency) based on [their Open-Source security audit program](https://cyber.gouv.fr/open-source-lanssi#:~:text=Financement%20d%27%C3%A9valuations%20de%20s%C3%A9curit%C3%A9%20de%20logiciels%20libres).\n\n---\n\nStay safe, and thank you for helping us keep the ecosystem secure.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/smallstep/certificates"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.29.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.28.4"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/smallstep/certificates/security/advisories/GHSA-j7c9-79x7-8hpr"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/smallstep/certificates/commit/1011f5f5408b470a636f583bf74c0d7bbaf75d72"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/smallstep/certificates/commit/992ff696e95b424a99140bd7edb2144013975059"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/smallstep/certificates"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-285",
+      "CWE-863"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-03T16:27:59Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2025/12/GHSA-jf75-p25m-pw74/GHSA-jf75-p25m-pw74.json b/advisories/github-reviewed/2025/12/GHSA-jf75-p25m-pw74/GHSA-jf75-p25m-pw74.json
@@ -0,0 +1,123 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jf75-p25m-pw74",
+  "modified": "2025-12-03T16:28:36Z",
+  "published": "2025-12-03T16:28:36Z",
+  "aliases": [
+    "CVE-2025-66411"
+  ],
+  "summary": "Coder logs sensitive objects unsanitized",
+  "details": "## Summary\nWorkspace Agent manifests containing sensitive values were logged in plaintext unsanitized\n\n## Details\nBy default Workspace Agent logs are redirected to [stderr](https://linux.die.net/man/3/stderr)\nhttps://github.com/coder/coder/blob/a8862be546f347c59201e2219d917e28121c0edb/cli/agent.go#L432-L439\n\n[Workspace Agent Manifests](https://coder.com/docs/reference/agent-api/schemas#agentsdkmanifest) containing sensitive environment variables were logged insecurely\nhttps://github.com/coder/coder/blob/7beb95fd56d2f790502e236b64906f8eefb969bd/agent/agent.go#L1090\n\nAn attacker with limited local access to the Coder Workspace (VM, K8s Pod etc.) or a third-party system ([SIEM](https://csrc.nist.gov/glossary/term/security_information_and_event_management_tool), logging stack) could access those logs\n\nThis behavior opened room for unauthorized access and privilege escalation\n\n## Impact\nImpact varies depending on the environment variables set in a given workspace\n\n## Patches\n[Fix](https://github.com/coder/coder/commit/e2a46393fce40bc630df3293c1ee66a596277289) was released & backported:\n- https://github.com/coder/coder/releases/tag/v2.28.4\n- https://github.com/coder/coder/releases/tag/v2.27.7\n- https://github.com/coder/coder/releases/tag/v2.26.5\n\n## Workarounds\nOne potential workaround is to disable Workspace Agent Logs by setting following configuration option\n`CODER_AGENT_LOGGING_HUMAN=/dev/null` \n> platform operators are advised to upgrade their deployments",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/coder/coder/v2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.26.5"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/coder/coder/v2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.27.0"
+            },
+            {
+              "fixed": "2.27.7"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/coder/coder/v2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.28.0"
+            },
+            {
+              "fixed": "2.28.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/coder/coder/security/advisories/GHSA-jf75-p25m-pw74"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/coder/coder/pull/20968"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/coder/coder/commit/06c6abbe0935f9213c1588add60a396da5762e1c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/coder/coder/commit/a75205a559211c8aa494b1a16750d114b263f24a"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/coder/coder/commit/e2a46393fce40bc630df3293c1ee66a596277289"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/coder/coder"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/coder/coder/releases/tag/v2.26.5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/coder/coder/releases/tag/v2.27.7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/coder/coder/releases/tag/v2.28.4"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-532"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-03T16:28:36Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2025/12/GHSA-xq4m-mc3c-vvg3/GHSA-xq4m-mc3c-vvg3.json b/advisories/github-reviewed/2025/12/GHSA-xq4m-mc3c-vvg3/GHSA-xq4m-mc3c-vvg3.json
@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xq4m-mc3c-vvg3",
+  "modified": "2025-12-03T16:27:19Z",
+  "published": "2025-12-03T16:27:19Z",
+  "aliases": [
+    "CVE-2025-66032"
+  ],
+  "summary": "Claude Code Command Validation Bypass Allows Arbitrary Code Execution",
+  "details": "Due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window.\n\nUsers on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.\n\nThank you to [RyotaK](hxxps://ryotak.net) from [GMO Flatt Security Inc.](hxxps://flatt.tech/en/) for reporting this issue!",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@anthropic-ai/claude-code"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.0.93"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-xq4m-mc3c-vvg3"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/anthropics/claude-code"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-03T16:27:19Z",
+    "nvd_published_at": null
+  }
+}
