Publish Advisories

GHSA-2r4h-8jxv-w2j8
GHSA-c6cm-5gc7-c3f4
GHSA-rg35-5v25-mqvp

Author: advisory-database[bot]

advisories/github-reviewed/2025/10/GHSA-2r4h-8jxv-w2j8/GHSA-2r4h-8jxv-w2j8.json

@@ -0,0 +1,88 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2r4h-8jxv-w2j8",
+  "modified": "2025-10-29T15:34:22Z",
+  "published": "2025-10-29T15:34:22Z",
+  "aliases": [
+    "CVE-2025-54384"
+  ],
+  "summary": "CKAN vulnerable to stored XSS in resource description",
+  "details": "### Impact\n\nThe `helpers.markdown_extract()` function did not perform sufficient sanitization of input data before wrapping in an HTML literal element. This helper is used to render user-provided data on dataset, resource, organization or group pages (plus any page provided by an extension that used that helper function), leading to a potential XSS vector.\n\n### Patches\nThis vulnerability has been fixed in CKAN 2.10.9 and 2.11.4",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "ckan"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.11.0"
+            },
+            {
+              "fixed": "2.11.4"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "ckan"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.10.9"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/ckan/ckan/security/advisories/GHSA-2r4h-8jxv-w2j8"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ckan/ckan/commit/112affffa74b14fc97c54abcf18315df97114917"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/ckan/ckan"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ckan/ckan/releases/tag/ckan-2.10.9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ckan/ckan/releases/tag/ckan-2.11.4"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-29T15:34:22Z",
+    "nvd_published_at": null
+  }
+}

…-c6cm-5gc7-c3f4/GHSA-c6cm-5gc7-c3f4.json …-c6cm-5gc7-c3f4/GHSA-c6cm-5gc7-c3f4.jsonadvisories/unreviewed/2025/10/GHSA-c6cm-5gc7-c3f4/GHSA-c6cm-5gc7-c3f4.json renamed to advisories/github-reviewed/2025/10/GHSA-c6cm-5gc7-c3f4/GHSA-c6cm-5gc7-c3f4.json advisories/unreviewed/2025/10/GHSA-c6cm-5gc7-c3f4/GHSA-c6cm-5gc7-c3f4.json renamed to advisories/github-reviewed/2025/10/GHSA-c6cm-5gc7-c3f4/GHSA-c6cm-5gc7-c3f4.json

@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-c6cm-5gc7-c3f4",
-  "modified": "2025-10-28T06:31:05Z",
+  "modified": "2025-10-29T15:35:08Z",
   "published": "2025-10-28T06:31:05Z",
   "aliases": [
     "CVE-2025-10939"
   ],
+  "summary": "Keycloak allows access to admin path through flaw",
   "details": "A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. The issue occurs at least via ha-proxy, as it can be tricked to using relative/non-normalized paths to access the /admin application path relative to /realms which is expected to be exposed.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.keycloak:keycloak-quarkus-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "26.4.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -26,15 +47,19 @@
     {
       "type": "WEB",
       "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2398025"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/keycloak/keycloak"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-427"
     ],
     "severity": "LOW",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-29T15:35:07Z",
     "nvd_published_at": "2025-10-28T04:16:15Z"
   }
 }

…-rg35-5v25-mqvp/GHSA-rg35-5v25-mqvp.json …-rg35-5v25-mqvp/GHSA-rg35-5v25-mqvp.jsonadvisories/unreviewed/2025/10/GHSA-rg35-5v25-mqvp/GHSA-rg35-5v25-mqvp.json renamed to advisories/github-reviewed/2025/10/GHSA-rg35-5v25-mqvp/GHSA-rg35-5v25-mqvp.json advisories/unreviewed/2025/10/GHSA-rg35-5v25-mqvp/GHSA-rg35-5v25-mqvp.json renamed to advisories/github-reviewed/2025/10/GHSA-rg35-5v25-mqvp/GHSA-rg35-5v25-mqvp.json

@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rg35-5v25-mqvp",
-  "modified": "2025-10-28T15:30:43Z",
+  "modified": "2025-10-29T15:35:45Z",
   "published": "2025-10-28T15:30:43Z",
   "aliases": [
     "CVE-2025-12390"
   ],
+  "summary": "Keycloak vulnerable to session takeovers due to reuse of session identifiers",
   "details": "A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.keycloak:keycloak-services"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "26.4.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -26,15 +47,19 @@
     {
       "type": "WEB",
       "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2406793"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/keycloak/keycloak"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-384"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-29T15:35:45Z",
     "nvd_published_at": "2025-10-28T14:15:57Z"
   }
 }