Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit f7c8768949b1 · 2025-11-26T23:20:32.000Z
GHSA-58c5-g7wp-6w37 GHSA-w88f-4875-99c8 GHSA-w88f-4875-99c8
diff --git a/advisories/github-reviewed/2025/11/GHSA-58c5-g7wp-6w37/GHSA-58c5-g7wp-6w37.json b/advisories/github-reviewed/2025/11/GHSA-58c5-g7wp-6w37/GHSA-58c5-g7wp-6w37.json
@@ -0,0 +1,120 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-58c5-g7wp-6w37",
+  "modified": "2025-11-26T23:18:50Z",
+  "published": "2025-11-26T23:18:50Z",
+  "aliases": [
+    "CVE-2025-66035"
+  ],
+  "summary": "Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client",
+  "details": "The vulnerability is a **Credential Leak by App Logic** that leads to the **unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token** to an attacker-controlled domain.\n\nAngular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (`http://` or `https://`) to determine if it is cross-origin. If the URL starts with protocol-relative URL (`//`), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the `X-XSRF-TOKEN` header.\n\n### Impact\nThe token leakage completely bypasses Angular's built-in CSRF protection, allowing an attacker to capture the user's valid XSRF token. Once the token is obtained, the attacker can perform arbitrary Cross-Site Request Forgery (CSRF) attacks against the victim user's session.\n\n### Attack Preconditions\n1. The victim's Angular application must have **XSRF protection enabled**.  \n2. The attacker must be able to make the application send a state-changing HTTP request (e.g., `POST`) to a **protocol-relative URL**  (e.g., `//attacker.com`) that they control.\n\n### Patches\n- 19.2.16\n- 20.3.14\n- 21.0.1\n\n### Workarounds\nDevelopers should avoid using protocol-relative URLs (URLs starting with `//`) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single `/`) or fully qualified, trusted absolute URLs.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@angular/common"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "21.0.0-next.0"
+            },
+            {
+              "fixed": "21.0.1"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@angular/common"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "20.0.0-next.0"
+            },
+            {
+              "fixed": "20.3.14"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@angular/common"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "19.2.16"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/angular/angular/security/advisories/GHSA-58c5-g7wp-6w37"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/angular/angular/commit/0276479e7d0e280e0f8d26fa567d3b7aa97a516f"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/angular/angular/commit/05fe6686a97fa0bcd3cf157805b3612033f975bc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/angular/angular/commit/3240d856d942727372a705252f7c8c115394a41e"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/angular/angular"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/angular/angular/releases/tag/19.2.16"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/angular/angular/releases/tag/20.3.14"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/angular/angular/releases/tag/21.0.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-201",
+      "CWE-359"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-26T23:18:50Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2025/11/GHSA-w88f-4875-99c8/GHSA-w88f-4875-99c8.json b/advisories/github-reviewed/2025/11/GHSA-w88f-4875-99c8/GHSA-w88f-4875-99c8.json
@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-w88f-4875-99c8",
+  "modified": "2025-11-26T23:19:18Z",
+  "published": "2025-11-26T09:31:21Z",
+  "aliases": [
+    "CVE-2025-59390"
+  ],
+  "summary": "Apache Druid’s Kerberos authenticator uses a weak fallback secret",
+  "details": "Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`, which is not a crypto-graphically secure random number generator. This  may allow an attacker to predict or brute force the secret used to sign authentication cookies, potentially enabling token forgery or authentication bypass. Additionally, each process generates its own fallback secret, resulting in inconsistent secrets across nodes. This causes authentication failures in distributed or multi-broker deployments, effectively leading to a incorrectly configured clusters. Users are advised to configure a strong `druid.auth.authenticator.kerberos.cookieSignatureSecret`\n\nThis issue affects Apache Druid: through 34.0.0.\n\nUsers are recommended to upgrade to version 35.0.0, which fixes the issue making it mandatory to set `druid.auth.authenticator.kerberos.cookieSignatureSecret` when using the Kerberos authenticator. Services will fail to come up if the secret is not set.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.druid:druid"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "35.0.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59390"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/druid/pull/18368"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/druid"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/jwjltllnntgj1sb9wzsjmvwm9f8rlhg8"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2025/11/26/1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-338"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-26T23:19:18Z",
+    "nvd_published_at": "2025-11-26T09:15:46Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/11/GHSA-w88f-4875-99c8/GHSA-w88f-4875-99c8.json b/advisories/unreviewed/2025/11/GHSA-w88f-4875-99c8/GHSA-w88f-4875-99c8.json
