GHSA SYNC: 1 brand new advisory

jasnow · postmodern · commit 098479f3b681 · 2025-07-15T12:44:38.000-07:00
diff --git a/gems/job-iteration/CVE-2025-53623.yml b/gems/job-iteration/CVE-2025-53623.yml
@@ -0,0 +1,40 @@
+---
+gem: job-iteration
+cve: 2025-53623
+ghsa: 6qjf-g333-pv38
+url: https://github.com/Shopify/job-iteration/security/advisories/GHSA-6qjf-g333-pv38
+title: Job Iteration API is vulnerable to OS Command Injection attack
+  through its CsvEnumerator class
+date: 2025-07-14
+description: |
+  ### Impact
+
+  There is an arbitrary code execution vulnerability in the
+  `CsvEnumerator` class of the `job-iteration` repository. This
+  vulnerability can be exploited by an attacker to execute arbitrary
+  commands on the system where the application is running, potentially
+  leading to unauthorized access, data leakage, or complete system
+  compromise.
+
+  ### Patches
+
+  Issue is fixed in versions `1.11.0` and above.
+
+  ### Workarounds
+
+  Users can mitigate the risk by avoiding the use of untrusted input
+  in the `CsvEnumerator` class and ensuring that any file paths are
+  properly sanitized and validated before being passed to the class
+  methods. Users should avoid calling `size` on enumerators
+  constructed with untrusted CSV filenames.
+cvss_v4: 8.1
+patched_versions:
+  - ">= 1.11"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-53623
+    - https://github.com/Shopify/job-iteration/security/advisories/GHSA-6qjf-g333-pv38
+    - https://github.com/Shopify/job-iteration/pull/595
+    - https://github.com/Shopify/job-iteration/commit/1a7adfdd041105a5e45e774cadc6b973a292ba55
+    - https://github.com/Shopify/job-iteration/releases/tag/v1.11.0
+    - https://github.com/advisories/GHSA-6qjf-g333-pv38
