Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit da4747702b10 · 2025-10-22T19:36:50.000Z
GHSA-6x85-j5j2-27jx GHSA-47qp-8v9g-39hp GHSA-mrfm-jxgf-2h6v GHSA-4r8w-3jww-m2rp
diff --git a/advisories/github-reviewed/2017/10/GHSA-6x85-j5j2-27jx/GHSA-6x85-j5j2-27jx.json b/advisories/github-reviewed/2017/10/GHSA-6x85-j5j2-27jx/GHSA-6x85-j5j2-27jx.json
@@ -1,14 +1,19 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6x85-j5j2-27jx",
-  "modified": "2023-02-15T22:22:18Z",
+  "modified": "2025-10-22T19:35:27Z",
   "published": "2017-10-24T18:33:36Z",
   "aliases": [
     "CVE-2014-0130"
   ],
   "summary": "actionpack Path Traversal vulnerability",
   "details": "Directory traversal vulnerability in `actionpack/lib/abstract_controller/base.rb` in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"
+    }
+  ],
   "affected": [
     {
       "package": {
@@ -101,6 +106,10 @@
       "type": "WEB",
       "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/NkKc7vTW70o"
     },
+    {
+      "type": "WEB",
+      "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ"
+    },
     {
       "type": "WEB",
       "url": "https://web.archive.org/web/20140518192004/http://www.securityfocus.com/bid/67244"
@@ -113,6 +122,14 @@
       "type": "WEB",
       "url": "https://web.archive.org/web/20210411041816/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ"
     },
+    {
+      "type": "WEB",
+      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-0130"
+    },
+    {
+      "type": "WEB",
+      "url": "http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf"
+    },
     {
       "type": "WEB",
       "url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
@@ -122,7 +139,7 @@
     "cwe_ids": [
       "CWE-22"
     ],
-    "severity": "MODERATE",
+    "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2020-06-16T21:20:36Z",
     "nvd_published_at": "2014-05-07T10:55:00Z"
diff --git a/advisories/github-reviewed/2022/05/GHSA-47qp-8v9g-39hp/GHSA-47qp-8v9g-39hp.json b/advisories/github-reviewed/2022/05/GHSA-47qp-8v9g-39hp/GHSA-47qp-8v9g-39hp.json
@@ -1,14 +1,19 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-47qp-8v9g-39hp",
-  "modified": "2023-08-16T09:29:54Z",
+  "modified": "2025-10-22T19:33:21Z",
   "published": "2022-05-13T01:14:26Z",
   "aliases": [
     "CVE-2013-2251"
   ],
   "summary": "Code injection in Apache Struts",
   "details": "The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with \"action:\" or \"redirect:\", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.\n\nIn Struts 2 before 2.3.15.1 the information following \"action:\", \"redirect:\" or \"redirectAction:\" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"
+    }
+  ],
   "affected": [
     {
       "package": {
@@ -55,6 +60,10 @@
       "type": "WEB",
       "url": "https://issues.apache.org/jira/browse/WW-4140"
     },
+    {
+      "type": "WEB",
+      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-2251"
+    },
     {
       "type": "WEB",
       "url": "http://archiva.apache.org/security.html"
@@ -86,13 +95,22 @@
     {
       "type": "WEB",
       "url": "http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html"
     }
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-20"
+      "CWE-20",
+      "CWE-74"
     ],
-    "severity": "HIGH",
+    "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2022-11-03T19:11:13Z",
     "nvd_published_at": "2013-07-20T03:37:00Z"
diff --git a/advisories/github-reviewed/2022/05/GHSA-mrfm-jxgf-2h6v/GHSA-mrfm-jxgf-2h6v.json b/advisories/github-reviewed/2022/05/GHSA-mrfm-jxgf-2h6v/GHSA-mrfm-jxgf-2h6v.json
@@ -1,14 +1,19 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mrfm-jxgf-2h6v",
-  "modified": "2025-01-06T22:28:40Z",
+  "modified": "2025-10-22T19:34:14Z",
   "published": "2022-05-17T03:28:58Z",
   "aliases": [
     "CVE-2014-3120"
   ],
   "summary": "Elasticsearch Improper Access Control vulnerability",
   "details": "The default configuration in Elasticsearch before 1.4.0.Beta1 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search.  NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:H"
+    }
+  ],
   "affected": [
     {
       "package": {
@@ -59,6 +64,10 @@
       "type": "WEB",
       "url": "https://web.archive.org/web/20140813071419/http://www.securityfocus.com/bid/67731"
     },
+    {
+      "type": "WEB",
+      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-3120"
+    },
     {
       "type": "WEB",
       "url": "https://www.elastic.co/blog/logstash-1-4-3-released"
@@ -88,7 +97,7 @@
     "cwe_ids": [
       "CWE-284"
     ],
-    "severity": "MODERATE",
+    "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2025-01-06T22:28:40Z",
     "nvd_published_at": "2014-07-28T19:55:00Z"
diff --git a/advisories/github-reviewed/2025/10/GHSA-4r8w-3jww-m2rp/GHSA-4r8w-3jww-m2rp.json b/advisories/github-reviewed/2025/10/GHSA-4r8w-3jww-m2rp/GHSA-4r8w-3jww-m2rp.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4r8w-3jww-m2rp",
-  "modified": "2025-10-16T21:21:44Z",
+  "modified": "2025-10-22T19:35:59Z",
   "published": "2025-10-16T12:30:23Z",
   "aliases": [
     "CVE-2025-3930"
@@ -11,7 +11,7 @@
   "severity": [
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"
     }
   ],
   "affected": [
@@ -40,13 +40,21 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3930"
     },
+    {
+      "type": "WEB",
+      "url": "https://cert.pl/en/posts/2025/06/CVE-2025-3930"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/strapi/strapi"
     },
     {
       "type": "WEB",
       "url": "https://strapi.io"
+    },
+    {
+      "type": "WEB",
+      "url": "https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve-October-2025"
     }
   ],
   "database_specific": {
