Commit e253107

1 parent 3cd3cae commit e253107

File tree

1 file changed

+2
-2
lines changed

advisories/github-reviewed/2025/12/GHSA-j7c9-79x7-8hpr/GHSA-j7c9-79x7-8hpr.json

Lines changed: 2 additions & 2 deletions
@@ -1,13 +1,13 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-j7c9-79x7-8hpr",
4-
"modified": "2025-12-04T16:22:30Z",
4+
"modified": "2025-12-20T02:28:23Z",
55
"published": "2025-12-03T16:27:59Z",
66
"aliases": [
77
"CVE-2025-66406"
88
],
99
"summary": "step-ca Has Improper Authorization Check for SSH Certificate Revocation",
10-
"details": "## Summary\n\nA security fix is now available for Step CA that resolves a vulnerability affecting deployments configured with the SSHPOP provisioner.\nAll operators running these provisioners should upgrade to the latest release (`v0.29.0`) immediately.\n\nThe issue was discovered and responsibly disclosed by a research team during a security review. There is no evidence of active exploitation.\n\nTo limit exploitation risk during a coordinated disclosure window, we are withholding detailed technical information for now. A full write-up will be published in several weeks.\n\n---\n\n## Embargo List\n\nIf your organization runs Step CA in production and would like advance, embargoed notification of future security updates, visit https://u.step.sm/disclosure to request inclusion on our embargo list.\n\n---\n\n## Acknowledgements\n\nThis issue was identified and reported by Gabriel Departout and Andy Russon, from [AMOSSYS](http://amossys.fr/). This audit was sponsored by [ANSSI](https://cyber.gouv.fr/) (French Cybersecurity Agency) based on [their Open-Source security audit program](https://cyber.gouv.fr/open-source-lanssi#:~:text=Financement%20d%27%C3%A9valuations%20de%20s%C3%A9curit%C3%A9%20de%20logiciels%20libres).\n\n---\n\nStay safe, and thank you for helping us keep the ecosystem secure.",
10+
"details": "## Summary\nAn authorized attacker can bypass authorization checks and revoke any SSH certificate issued by Step CA by using a valid revocation token.\n\n## Details\nStep CA users can obtain SSH certificates from a few provisioners. The SSHPOP provisioner allows revocation of the SSH certificate (preventing future certificate renewals) using a token. Due to a missing validity check, this token could be used to revoke any SSH certificate issued by the CA.\n\nTo create a token, an attacker must have access to the CA endpoint and a valid SSH certificate, meaning they were already authorized to obtain an SSH certificate. The attacker must also know the serial number of the certificate they want to revoke.\n\n## Impact\nThere is no way to mitigate this attack. It is recommended to update to v0.29.0 or newer.\n\n## Fix\nIn v0.29.0, the token validation logic was strengthened to bind each token to a specific SSH certificate serial number.\n\n## Acknowledgements\nThis issue was identified and reported by Gabriel Departout and Andy Russon, from [AMOSSYS](http://amossys.fr/). This audit was sponsored by [ANSSI](https://cyber.gouv.fr/) (French Cybersecurity Agency) based on [their Open-Source security audit program](https://cyber.gouv.fr/open-source-lanssi#:~:text=Financement%20d%27%C3%A9valuations%20de%20s%C3%A9curit%C3%A9%20de%20logiciels%20libres).\n\n## Embargo List\n\nIf your organization runs Step CA in production and would like advance, embargoed notification of future security updates, visit https://u.step.sm/disclosure to request inclusion on our embargo list.\n\nStay safe, and thank you for helping us keep the ecosystem secure.",
1111
"severity": [
1212
{
1313
"type": "CVSS_V3",
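Review bot: the rewritten `details` string silently drops the "There is no evidence of active exploitation" statement that the previous version carried; readers triaging CVE-2025-66406 will read that absence as a change of status, so either keep the sentence in the new Summary or Impact section if it still holds, or state explicitly that it no longer does. Two wording points in the same string: "An authorized attacker" in the Summary suggests the revocation was permitted, whereas the Details paragraph explains the real precondition is holding a valid SSH certificate, so "an authenticated attacker (any holder of a valid SSH certificate issued by the CA)" is more precise. Under Impact, "There is no way to mitigate this attack" is immediately followed by the recommendation to update, so "no mitigation other than upgrading to v0.29.0 or newer" would avoid reading as a contradiction. The `modified` timestamp bump to 2025-12-20T02:28:23Z is consistent with a details-only revision.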
