From 91c55bc5ff527687722a899b76fe77203fc2a530 Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Tue, 17 Jun 2025 09:36:06 -0400
Subject: [PATCH 1/3] GHSA SYNC: 2 brand new advisories
---
.../CVE-2025-28382.yml | 21 +++++++++++++++++++
.../CVE-2025-28384.yml | 21 +++++++++++++++++++
2 files changed, 42 insertions(+)
create mode 100644 gems/openc3-cosmos-tool-iframe/CVE-2025-28382.yml
create mode 100644 gems/openc3-cosmos-tool-iframe/CVE-2025-28384.yml
diff --git a/gems/openc3-cosmos-tool-iframe/CVE-2025-28382.yml b/gems/openc3-cosmos-tool-iframe/CVE-2025-28382.yml
new file mode 100644
index 0000000000..aa0e35352f
--- /dev/null
+++ b/gems/openc3-cosmos-tool-iframe/CVE-2025-28382.yml
@@ -0,0 +1,21 @@
+---
+gem: openc3-cosmos-tool-iframe
+cve: 2025-28382
+ghsa: cf8v-5mrc-jv7f
+url: https://openc3.com
+title: OpenC3 COSMOS Vulnerable to Directory Traversal via
+ openc3-api/tables endpoint
+date: 2025-06-13
+description: |
+ An issue in the openc3-api/tables endpoint of OpenC3 COSMOS
+ 6.0.0 allows attackers to execute a directory traversal.
+cvss_v3: 7.5
+unaffected_versions:
+ - "< 6.0.0"
+notes: Never patched
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2025-28382
+ - https://visionspace.com/openc3-cosmos-a-security-assessment-of-an-open-source-mission-framework
+ - https://openc3.com
+ - https://github.com/advisories/GHSA-cf8v-5mrc-jv7f
diff --git a/gems/openc3-cosmos-tool-iframe/CVE-2025-28384.yml b/gems/openc3-cosmos-tool-iframe/CVE-2025-28384.yml
new file mode 100644
index 0000000000..4b8e448acd
--- /dev/null
+++ b/gems/openc3-cosmos-tool-iframe/CVE-2025-28384.yml
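Review bot: `unaffected_versions:` / `- "< 6.0.0"` with no `patched_versions` puts every release from 6.0.0 upward in the vulnerable range, yet the `description` names only 6.0.0; either later releases are affected too (which `notes: Never patched` suggests) and the description should say so, e.g. `6.0.0 and later allows attackers to execute a directory traversal.`, or the range needs narrowing — confirm against the GHSA affected range before merging, since audit tooling will flag every 6.x install on this entry. The same applies to CVE-2025-28384.yml in the next hunk. `title:` is folded across two lines as an implicit plain scalar; `title: >-` would make the folding explicit and survive reformatting. `https://openc3.com` under `related.url` is the project homepage rather than an advisory source; the NVD, VisionSpace and GHSA links already cover the finding.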
@@ -0,0 +1,21 @@
+---
+gem: openc3-cosmos-tool-iframe
+cve: 2025-28384
+ghsa: p67j-387g-75wc
+url: https://openc3.com
+title: OpenC3 COSMOS Vulnerable to Directory Traversal via
+ /script-api/scripts/ endpoint
+date: 2025-06-13
+description: |
+ An issue in the /script-api/scripts/ endpoint of OpenC3 COSMOS
+ 6.0.0 allows attackers to execute a directory traversal.
+cvss_v3: 9.1
+unaffected_versions:
+ - "< 6.0.0"
+notes: Never patched
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2025-28384
+ - https://visionspace.com/openc3-cosmos-a-security-assessment-of-an-open-source-mission-framework
+ - https://openc3.com
+ - https://github.com/advisories/GHSA-p67j-387g-75wc
From 3739cb4ab956a5bd4d075cd60910b5b19fda31c6 Mon Sep 17 00:00:00 2001
From: Postmodern
Date: Tue, 17 Jun 2025 10:35:17 -0700
Subject: [PATCH 2/3] Update `url:` in CVE-2025-28382.yml
---
gems/openc3-cosmos-tool-iframe/CVE-2025-28382.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gems/openc3-cosmos-tool-iframe/CVE-2025-28382.yml b/gems/openc3-cosmos-tool-iframe/CVE-2025-28382.yml
index aa0e35352f..3091835361 100644
--- a/gems/openc3-cosmos-tool-iframe/CVE-2025-28382.yml
+++ b/gems/openc3-cosmos-tool-iframe/CVE-2025-28382.yml
@@ -2,7 +2,7 @@
 gem: openc3-cosmos-tool-iframe
 cve: 2025-28382
 ghsa: cf8v-5mrc-jv7f
-url: https://openc3.com
+url: https://github.com/advisories/GHSA-cf8v-5mrc-jv7f
 title: OpenC3 COSMOS Vulnerable to Directory Traversal via
 openc3-api/tables endpoint
 date: 2025-06-13
From 496a794bbdccb17f3609ee1321b35d83eca45742 Mon Sep 17 00:00:00 2001
From: Postmodern
Date: Tue, 17 Jun 2025 10:35:51 -0700
Subject: [PATCH 3/3] Update `url:` in CVE-2025-28384.yml
---
gems/openc3-cosmos-tool-iframe/CVE-2025-28384.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gems/openc3-cosmos-tool-iframe/CVE-2025-28384.yml b/gems/openc3-cosmos-tool-iframe/CVE-2025-28384.yml
index 4b8e448acd..8d900ac248 100644
--- a/gems/openc3-cosmos-tool-iframe/CVE-2025-28384.yml
+++ b/gems/openc3-cosmos-tool-iframe/CVE-2025-28384.yml
@@ -2,7 +2,7 @@
 gem: openc3-cosmos-tool-iframe
 cve: 2025-28384
 ghsa: p67j-387g-75wc
-url: https://openc3.com
+url: https://github.com/advisories/GHSA-p67j-387g-75wc
 title: OpenC3 COSMOS Vulnerable to Directory Traversal via
 /script-api/scripts/ endpoint
 date: 2025-06-13