diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py
index 439e69731..baaad17f3 100644
--- a/vulnerabilities/importers/__init__.py
+++ b/vulnerabilities/importers/__init__.py
@@ -45,7 +45,6 @@
 from vulnerabilities.pipelines.v2_importers import apache_kafka_importer as apache_kafka_importer_v2
 from vulnerabilities.pipelines.v2_importers import apache_tomcat_importer as apache_tomcat_v2
 from vulnerabilities.pipelines.v2_importers import archlinux_importer as archlinux_importer_v2
-from vulnerabilities.pipelines.v2_importers import collect_fix_commits as collect_fix_commits_v2
 from vulnerabilities.pipelines.v2_importers import curl_importer as curl_importer_v2
 from vulnerabilities.pipelines.v2_importers import debian_importer as debian_importer_v2
 from vulnerabilities.pipelines.v2_importers import (
@@ -78,6 +77,9 @@
 from vulnerabilities.pipelines.v2_importers import ruby_importer as ruby_importer_v2
 from vulnerabilities.pipelines.v2_importers import suse_score_importer as suse_score_importer_v2
 from vulnerabilities.pipelines.v2_importers import ubuntu_osv_importer as ubuntu_osv_importer_v2
+from vulnerabilities.pipelines.v2_importers import (
+ vcs_collector_importer as vcs_collector_importer_v2,
+)
 from vulnerabilities.pipelines.v2_importers import vulnrichment_importer as vulnrichment_importer_v2
 from vulnerabilities.pipelines.v2_importers import xen_importer as xen_importer_v2
 from vulnerabilities.utils import create_registry
@@ -116,6 +118,7 @@
 retiredotnet_importer_v2.RetireDotnetImporterPipeline,
 ubuntu_osv_importer_v2.UbuntuOSVImporterPipeline,
 alpine_linux_importer_v2.AlpineLinuxImporterPipeline,
+ vcs_collector_importer_v2.VSCCollectorPipeline,
 github_importer.GitHubAPIImporterPipeline,
 gitlab_importer.GitLabImporterPipeline,
 github_osv.GithubOSVImporter,
@@ -150,42 +153,5 @@
 ubuntu_usn.UbuntuUSNImporter,
 fireeye.FireyeImporter,
 oss_fuzz.OSSFuzzImporter,
- collect_fix_commits_v2.CollectLinuxFixCommitsPipeline,
- collect_fix_commits_v2.CollectBusyBoxFixCommitsPipeline,
- collect_fix_commits_v2.CollectNginxFixCommitsPipeline,
- collect_fix_commits_v2.CollectApacheTomcatFixCommitsPipeline,
- collect_fix_commits_v2.CollectMysqlServerFixCommitsPipeline,
- collect_fix_commits_v2.CollectPostgresqlFixCommitsPipeline,
- collect_fix_commits_v2.CollectMongodbFixCommitsPipeline,
- collect_fix_commits_v2.CollectRedisFixCommitsPipeline,
- collect_fix_commits_v2.CollectSqliteFixCommitsPipeline,
- collect_fix_commits_v2.CollectPhpFixCommitsPipeline,
- collect_fix_commits_v2.CollectPythonCpythonFixCommitsPipeline,
- collect_fix_commits_v2.CollectRubyFixCommitsPipeline,
- collect_fix_commits_v2.CollectGoFixCommitsPipeline,
- collect_fix_commits_v2.CollectNodeJsFixCommitsPipeline,
- collect_fix_commits_v2.CollectRustFixCommitsPipeline,
- collect_fix_commits_v2.CollectOpenjdkFixCommitsPipeline,
- collect_fix_commits_v2.CollectSwiftFixCommitsPipeline,
- collect_fix_commits_v2.CollectDjangoFixCommitsPipeline,
- collect_fix_commits_v2.CollectRailsFixCommitsPipeline,
- collect_fix_commits_v2.CollectLaravelFixCommitsPipeline,
- collect_fix_commits_v2.CollectSpringFrameworkFixCommitsPipeline,
- collect_fix_commits_v2.CollectReactFixCommitsPipeline,
- collect_fix_commits_v2.CollectAngularFixCommitsPipeline,
- collect_fix_commits_v2.CollectWordpressFixCommitsPipeline,
- collect_fix_commits_v2.CollectDockerMobyFixCommitsPipeline,
- collect_fix_commits_v2.CollectKubernetesFixCommitsPipeline,
- collect_fix_commits_v2.CollectQemuFixCommitsPipeline,
- collect_fix_commits_v2.CollectXenProjectFixCommitsPipeline,
- collect_fix_commits_v2.CollectVirtualboxFixCommitsPipeline,
- collect_fix_commits_v2.CollectContainerdFixCommitsPipeline,
- collect_fix_commits_v2.CollectAnsibleFixCommitsPipeline,
- collect_fix_commits_v2.CollectTerraformFixCommitsPipeline,
- collect_fix_commits_v2.CollectWiresharkFixCommitsPipeline,
- collect_fix_commits_v2.CollectTcpdumpFixCommitsPipeline,
- collect_fix_commits_v2.CollectGitFixCommitsPipeline,
- collect_fix_commits_v2.CollectJenkinsFixCommitsPipeline,
- collect_fix_commits_v2.CollectGitlabFixCommitsPipeline,
 ]
 )
diff --git a/vulnerabilities/pipelines/v2_importers/collect_fix_commits.py b/vulnerabilities/pipelines/v2_importers/collect_fix_commits.py
deleted file mode 100644
index f57d3b61b..000000000
--- a/vulnerabilities/pipelines/v2_importers/collect_fix_commits.py
+++ /dev/null
@@ -1,186 +0,0 @@ -from vulnerabilities.pipes.vcs_collector_utils import CollectVCSFixCommitPipeline - - -class CollectLinuxFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_linux_fix_commits" - repo_url = "https://github.com/torvalds/linux" - - -class CollectBusyBoxFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_busybox_fix_commits" - repo_url = "https://github.com/mirror/busybox" - - -class CollectNginxFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_nginx_fix_commits" - repo_url = "https://github.com/nginx/nginx" - - -class CollectApacheTomcatFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_apache_tomcat_fix_commits" - repo_url = "https://github.com/apache/tomcat" - - -class CollectMysqlServerFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_mysql_server_fix_commits" - repo_url = "https://github.com/mysql/mysql-server" - - -class CollectPostgresqlFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_postgresql_fix_commits" - repo_url = "https://github.com/postgres/postgres" - - -class CollectMongodbFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_mongodb_fix_commits" - repo_url = "https://github.com/mongodb/mongo" - - -class CollectRedisFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_redis_fix_commits" - repo_url = "https://github.com/redis/redis" - - -class CollectSqliteFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_sqlite_fix_commits" - repo_url = "https://github.com/sqlite/sqlite" - - -class CollectPhpFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_php_fix_commits" - repo_url = "https://github.com/php/php-src" - - -class CollectPythonCpythonFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_python_cpython_fix_commits" - repo_url = "https://github.com/python/cpython" - - -class 
CollectRubyFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_ruby_fix_commits" - repo_url = "https://github.com/ruby/ruby" - - -class CollectGoFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_go_fix_commits" - repo_url = "https://github.com/golang/go" - - -class CollectNodeJsFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_node_js_fix_commits" - repo_url = "https://github.com/nodejs/node" - - -class CollectRustFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_rust_fix_commits" - repo_url = "https://github.com/rust-lang/rust" - - -class CollectOpenjdkFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_openjdk_fix_commits" - repo_url = "https://github.com/openjdk/jdk" - - -class CollectSwiftFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_swift_fix_commits" - repo_url = "https://github.com/swiftlang/swift" - - -class CollectDjangoFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_django_fix_commits" - repo_url = "https://github.com/django/django" - - -class CollectRailsFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_rails_fix_commits" - repo_url = "https://github.com/rails/rails" - - -class CollectLaravelFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_laravel_fix_commits" - repo_url = "https://github.com/laravel/framework" - - -class CollectSpringFrameworkFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_spring_framework_fix_commits" - repo_url = "https://github.com/spring-projects/spring-framework" - - -class CollectReactFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_react_fix_commits" - repo_url = "https://github.com/facebook/react" - - -class CollectAngularFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_angular_fix_commits" - repo_url = "https://github.com/angular/angular" 
- - -class CollectWordpressFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_wordpress_fix_commits" - repo_url = "https://github.com/WordPress/WordPress" - - -class CollectDockerMobyFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_docker_moby_fix_commits" - repo_url = "https://github.com/moby/moby" - - -class CollectKubernetesFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_kubernetes_fix_commits" - repo_url = "https://github.com/kubernetes/kubernetes" - - -class CollectQemuFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_qemu_fix_commits" - repo_url = "https://gitlab.com/qemu-project/qemu" - - -class CollectXenProjectFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_xen_project_fix_commits" - repo_url = "https://github.com/xen-project/xen" - - -class CollectVirtualboxFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_virtualbox_fix_commits" - repo_url = "https://github.com/mirror/vbox" - - -class CollectContainerdFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_containerd_fix_commits" - repo_url = "https://github.com/containerd/containerd" - - -class CollectAnsibleFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_ansible_fix_commits" - repo_url = "https://github.com/ansible/ansible" - - -class CollectTerraformFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_terraform_fix_commits" - repo_url = "https://github.com/hashicorp/terraform" - - -class CollectWiresharkFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_wireshark_fix_commits" - repo_url = "https://gitlab.com/wireshark/wireshark" - - -class CollectTcpdumpFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_tcpdump_fix_commits" - repo_url = "https://github.com/the-tcpdump-group/tcpdump" - - -class 
CollectGitFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_git_fix_commits" - repo_url = "https://github.com/git/git" - - -class CollectJenkinsFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_jenkins_fix_commits" - repo_url = "https://github.com/jenkinsci/jenkins" - - -class CollectGitlabFixCommitsPipeline(CollectVCSFixCommitPipeline): - pipeline_id = "collect_gitlab_fix_commits" - repo_url = "https://gitlab.com/gitlab-org/gitlab-foss" diff --git a/vulnerabilities/pipelines/v2_importers/vcs_collector_importer.py b/vulnerabilities/pipelines/v2_importers/vcs_collector_importer.py new file mode 100644 index 000000000..dafe9cf30 --- /dev/null +++ b/vulnerabilities/pipelines/v2_importers/vcs_collector_importer.py 
@@ -0,0 +1,160 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+import json
+from pathlib import Path
+from typing import Iterable
+
+from fetchcode.vcs import fetch_via_vcs
+from packageurl import PackageURL
+from packageurl.contrib.purl2url import get_commit_url
+from packageurl.contrib.url2purl import url2purl
+
+from vulnerabilities.importer import AdvisoryDataV2
+from vulnerabilities.importer import AffectedPackageV2
+from vulnerabilities.importer import PackageCommitPatchData
+from vulnerabilities.importer import ReferenceV2
+from vulnerabilities.models import AdvisoryReference
+from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
+from vulnerabilities.utils import get_advisory_url
+
+
+class VSCCollectorPipeline(VulnerableCodeBaseImporterPipelineV2):
+ """
+ Pipeline to collect fix commits, pull requests, issues from List of git repositories.
+ """
+
+ pipeline_id = "vcs_collector_importer_v2"
+
+ @classmethod
+ def steps(cls):
+ return (
+ cls.clone,
+ cls.collect_and_store_advisories,
+ cls.clean_downloads,
+ )
+
+ def clone(self):
+ """Clone the repository."""
+ self.repo_url = "git+https://github.com/aboutcode-data/vulnerablecode-vcs-collector"
+ self.log(f"Cloning `{self.repo_url}`")
+ self.vcs_response = fetch_via_vcs(self.repo_url)
+
+ def advisories_count(self):
+ return 0
+
+ def collect_advisories_fix_commits(self):
+ """
+ Generate AdvisoryData objects for each vulnerability ID grouped with its related commits.
+ """
+ base_path = Path(self.vcs_response.dest_dir)
+ advisory_dir = base_path / "data" / "fix-commits"
+ for file in advisory_dir.rglob("*.json"):
+ with open(file) as f:
+ raw_data = json.load(f)
+ vcs_url = raw_data["vcs_url"]
+ purl = url2purl(vcs_url)
+ vulnerabilities = raw_data.get("vulnerabilities", {})
+ advisory_url = get_advisory_url(
+ file=file,
+ base_path=base_path,
+ url="https://github.com/aboutcode-data/vulnerablecode-vcs-collector/blob/main/",
+ )
+
+ for vuln_id, commits_data in vulnerabilities.items():
+ if not commits_data or not vuln_id:
+ continue
+
+ summary = ""
+ affected_packages = []
+ references = []
+ for commit_hash, commit_message in commits_data.items():
+ summary += f"{commit_hash}:{commit_message}\n"
+
+ affected_package = AffectedPackageV2(
+ package=purl,
+ fixed_by_commit_patches=[
+ PackageCommitPatchData(vcs_url=vcs_url, commit_hash=commit_hash)
+ ],
+ )
+ affected_packages.append(affected_package)
+
+ purl_with_commit_hash = PackageURL(
+ type=purl.type,
+ namespace=purl.namespace,
+ name=purl.name,
+ version=commit_hash,
+ qualifiers=purl.qualifiers,
+ )
+
+ ref_url = get_commit_url(purl=str(purl_with_commit_hash))
+ if not ref_url:
+ continue
+
+ references.append(
+ ReferenceV2(
+ reference_id=commit_hash,
+ reference_type=AdvisoryReference.COMMIT,
+ url=ref_url,
+ )
+ )
+
+ yield AdvisoryDataV2(
+ advisory_id=vuln_id,
+ summary=summary,
+ affected_packages=affected_packages,
+ references=references,
+ url=advisory_url,
+ )
+
+ def collect_advisories_prs_and_issues(self):
+ """
+ Generating AdvisoryData objects from GitHub/Gitlab issues and PRs.
+ """
+ base_path = Path(self.vcs_response.dest_dir)
+ advisory_dir = base_path / "data" / "issues-prs"
+ for file in advisory_dir.rglob("*.json"):
+ with open(file) as f:
+ raw_data = json.load(f)
+ vulnerabilities = raw_data.get("vulnerabilities", {})
+ advisory_url = get_advisory_url(
+ file=file,
+ base_path=base_path,
+ url="https://github.com/aboutcode-data/vulnerablecode-vcs-collector/blob/main/",
+ )
+
+ for vuln_id, vul_data in vulnerabilities.items():
+ references = [
+ ReferenceV2(reference_id=vuln_id, reference_type="Issues", url=url)
+ for url in vul_data["Issues"]
+ ]
+ references += [
+ ReferenceV2(reference_id=vuln_id, reference_type="PRs", url=url)
+ for url in vul_data["PRs"]
+ ]
+ yield AdvisoryDataV2(
+ advisory_id=vuln_id,
+ aliases=[],
+ references=references,
+ url=advisory_url,
+ original_advisory_text=json.dumps(raw_data, indent=2, ensure_ascii=False),
+ )
+
+ def collect_advisories(self) -> Iterable[AdvisoryDataV2]:
+ yield from self.collect_advisories_fix_commits()
+ yield from self.collect_advisories_prs_and_issues()
+
+ def clean_downloads(self):
+ """Cleanup any temporary repository data."""
+ if self.vcs_response:
+ self.log(f"Removing cloned repository")
+ self.vcs_response.delete()
+
+ def on_failure(self):
+ """Ensure cleanup is always performed on failure."""
+ self.clean_downloads()
diff --git a/vulnerabilities/pipes/vcs_collector_utils.py b/vulnerabilities/pipes/vcs_collector_utils.py
index 54db73c1a..e69de29bb 100644
--- a/vulnerabilities/pipes/vcs_collector_utils.py
+++ b/vulnerabilities/pipes/vcs_collector_utils.py
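Review bot: `clean_downloads` dereferences `self.vcs_response` unconditionally, but that attribute is only bound inside `clone`, so an `on_failure` triggered before or during the clone (for example when `fetch_via_vcs` raises) turns into an `AttributeError` that hides the original exception; the removed helper guarded this with `hasattr(self, "repo")`. Declare `vcs_response = None` at class level, or write the guard as `if getattr(self, "vcs_response", None):`. In `collect_advisories_fix_commits`, `raw_data["vcs_url"]` raises `KeyError` on a data file without that key, and `url2purl` returns `None` for a URL it cannot map, so the later `purl.type` aborts the whole import on a single malformed file from the collector repository; a `.get` check with a logged `continue` would isolate bad files instead. The same applies to `vul_data["Issues"]` and `vul_data["PRs"]` in `collect_advisories_prs_and_issues`, whose entries are stored as reference URLs verbatim without checking that they are present and are `http(s)` URLs. Two nits: the class is named `VSCCollectorPipeline` while the module and `pipeline_id` say `vcs` (renaming to `VCSCollectorPipeline`, together with the registry entry in `__init__.py`, fixes the transposition), and `self.log(f"Removing cloned repository")` is an f-string with no placeholders.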
@@ -1,154 +0,0 @@ -# -# Copyright (c) nexB Inc. and others. All rights reserved. -# VulnerableCode is a trademark of nexB Inc. -# SPDX-License-Identifier: Apache-2.0 -# See http://www.apache.org/licenses/LICENSE-2.0 for the license text. -# See https://github.com/aboutcode-org/vulnerablecode for support or download. -# See https://aboutcode.org for more information about nexB OSS projects. -# - -import re -import shutil -import tempfile -from collections import defaultdict - -from git import Repo -from packageurl import PackageURL -from packageurl.contrib.purl2url import purl2url -from packageurl.contrib.url2purl import url2purl - -from vulnerabilities.importer import AdvisoryDataV2 -from vulnerabilities.importer import AffectedPackageV2 -from vulnerabilities.importer import PackageCommitPatchData -from vulnerabilities.importer import ReferenceV2 -from vulnerabilities.models import AdvisoryReference -from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2 - - -class CollectVCSFixCommitPipeline(VulnerableCodeBaseImporterPipelineV2): - """ - Pipeline to collect fix commits from any git repository. - """ - - repo_url: str - patterns: list[str] = [ - r"\bCVE-\d{4}-\d{4,19}\b", - r"GHSA-[2-9cfghjmpqrvwx]{4}-[2-9cfghjmpqrvwx]{4}-[2-9cfghjmpqrvwx]{4}", - ] - - @classmethod - def steps(cls): - return ( - cls.clone, - cls.collect_and_store_advisories, - cls.clean_downloads, - ) - - def clone(self): - """Clone the repository.""" - self.repo = Repo.clone_from( - url=self.repo_url, - to_path=tempfile.mkdtemp(), - bare=True, - no_checkout=True, - multi_options=["--filter=blob:none"], - ) - - def advisories_count(self) -> int: - return 0 - - def extract_vulnerability_id(self, commit) -> list[str]: - """ - Extract vulnerability id from a commit message. 
- Returns a list of matched vulnerability IDs - """ - matches = [] - for pattern in self.patterns: - found = re.findall(pattern, commit.message, flags=re.IGNORECASE) - matches.extend(found) - return matches - - def collect_fix_commits(self): - """ - Iterate through repository commits and group them by vulnerability identifiers. - return a list with (vuln_id, [(commit_id, commit_message)]). - """ - self.log("Processing git repository fix commits (grouped by vulnerability IDs).") - - grouped_commits = defaultdict(list) - for commit in self.repo.iter_commits("--all"): - matched_ids = self.extract_vulnerability_id(commit) - if not matched_ids: - continue - - commit_id = commit.hexsha - commit_message = commit.message.strip() - - for vuln_id in matched_ids: - grouped_commits[vuln_id].append((commit_id, commit_message)) - - self.log(f"Found {len(grouped_commits)} vulnerabilities with related commits.") - self.log("Finished processing all commits.") - return grouped_commits - - def collect_advisories(self): - """ - Generate AdvisoryData objects for each vulnerability ID grouped with its related commits. 
- """ - self.log("Generating AdvisoryData objects from grouped commits.") - grouped_commits = self.collect_fix_commits() - purl = url2purl(self.repo_url) - for vuln_id, commits_data in grouped_commits.items(): - - if not commits_data or not vuln_id: - continue - - summary = "" - commit_hash_set = set() - for commit_hash, commit_message in commits_data: - summary += f"{commit_hash}:{commit_message}\n" - commit_hash_set.add(commit_hash) - - affected_packages = [] - references = [] - for commit_hash in commit_hash_set: - affected_package = AffectedPackageV2( - package=purl, - fixed_by_commit_patches=[ - PackageCommitPatchData(vcs_url=self.repo_url, commit_hash=commit_hash) - ], - ) - affected_packages.append(affected_package) - - purl_with_commit_hash = PackageURL( - type=purl.type, namespace=purl.namespace, name=purl.name, version=commit_hash - ) - ref_url = purl2url(purl=str(purl_with_commit_hash)) - if not ref_url: - continue - - references.append( - ReferenceV2( - reference_id=commit_hash, - reference_type=AdvisoryReference.COMMIT, - url=ref_url, - ) - ) - - yield AdvisoryDataV2( - advisory_id=vuln_id, - summary=summary, - affected_packages=affected_packages, - references=references, - url=self.repo_url, - ) - - def clean_downloads(self): - """Cleanup any temporary repository data.""" - self.log("Cleaning up local repository resources.") - if hasattr(self, "repo") and self.repo.working_dir: - shutil.rmtree(path=self.repo.working_dir) - - def on_failure(self): - """Ensure cleanup is always performed on failure.""" - self.clean_downloads() diff --git a/vulnerabilities/tests/pipelines/v2_importers/test_collect_fix_commit.py b/vulnerabilities/tests/pipelines/v2_importers/test_collect_fix_commit.py deleted file mode 100644 index 9a687a3b7..000000000 --- a/vulnerabilities/tests/pipelines/v2_importers/test_collect_fix_commit.py +++ /dev/null 
@@ -1,124 +0,0 @@ -# -# Copyright (c) nexB Inc. and others. All rights reserved. -# VulnerableCode is a trademark of nexB Inc. -# SPDX-License-Identifier: Apache-2.0 -# See http://www.apache.org/licenses/LICENSE-2.0 for the license text. -# See https://github.com/aboutcode-org/vulnerablecode for support or download. -# See https://aboutcode.org for more information about nexB OSS projects. -# - -import json -from pathlib import Path -from unittest import TestCase -from unittest.mock import MagicMock -from unittest.mock import patch - -import pytest - -from vulnerabilities.pipes.vcs_collector_utils import CollectVCSFixCommitPipeline -from vulnerabilities.tests import util_tests - - -@pytest.fixture -def pipeline(): - pipeline = CollectVCSFixCommitPipeline() - pipeline.repo_url = "https://github.com/test/repo" - pipeline.pipeline_id = "collect_repo_fix_commits" - pipeline.log = MagicMock() - return pipeline - - -def test_classify_commit_type_extracts_ids(pipeline): - class DummyCommit: - message = "Fix for CVE-2023-1234 and GHSA-2479-qvv7-47qq" - - result = pipeline.extract_vulnerability_id(DummyCommit) - assert result == ["CVE-2023-1234", "GHSA-2479-qvv7-47qq"] - - -@patch("vulnerabilities.pipes.vcs_collector_utils.Repo") -def test_collect_fix_commits_groups_by_vuln(mock_repo, pipeline): - commit1 = MagicMock(message="Fix CVE-2021-0001", hexsha="abc123") - commit2 = MagicMock(message="Patch GHSA-f72r-2h5j-7639", hexsha="def456") - commit3 = MagicMock( - message="Patch GHSA-5w93-4g67-mm43", hexsha="Github Advisory: GHSA-5w93-4g67-mm43" - ) - commit4 = MagicMock(message="Unrelated change", hexsha="ghi789") - - pipeline.repo = MagicMock() - pipeline.repo.iter_commits.return_value = [commit1, commit2, commit3, commit4] - - pipeline.classify_commit_type = MagicMock( - side_effect=lambda c: ( - ["CVE-2021-0001"] - if "CVE" in c.message - else ["GHSA-dead-beef-baad"] if "GHSA" in c.message else [] - ) - ) - - grouped = pipeline.collect_fix_commits() - - expected = { - 
"CVE-2021-0001": [("abc123", "Fix CVE-2021-0001")], - "GHSA-5w93-4g67-mm43": [ - ("Github Advisory: GHSA-5w93-4g67-mm43", "Patch GHSA-5w93-4g67-mm43") - ], - "GHSA-f72r-2h5j-7639": [("def456", "Patch GHSA-f72r-2h5j-7639")], - } - - assert grouped == expected - - -TEST_DATA = Path(__file__).parent.parent.parent / "test_data" / "fix_commits" - - -class TestRepoFixCommitPipeline(TestCase): - def test_collect_advisories_from_json(self): - input_file = TEST_DATA / "grouped_commits_input.json" - expected_file = TEST_DATA / "expected_linux_advisory_output.json" - - grouped_commits = json.loads(input_file.read_text(encoding="utf-8")) - - pipeline = CollectVCSFixCommitPipeline() - pipeline.repo_url = "https://github.com/test/repo" - pipeline.log = MagicMock() - pipeline.collect_fix_commits = MagicMock(return_value=grouped_commits) - - result = [adv.to_dict() for adv in pipeline.collect_advisories()] - - util_tests.check_results_against_json(result, expected_file) - - -@pytest.mark.parametrize( - "commit_message, expected_ids", - [ - ("Fix CVE-2023-12345 buffer overflow", ["CVE-2023-12345"]), - ("Address GHSA-4486-gxhx-5mg7 report", ["GHSA-4486-gxhx-5mg7"]), - ( - "Fix CVE-2023-1111 and GHSA-gch2-phqh-fg9q in kernel", - ["CVE-2023-1111", "GHSA-gch2-phqh-fg9q"], - ), - ("Refactor logging system with no security ID", []), - ], -) -def test_classify_commit_type_detects_vuln_ids(pipeline, commit_message, expected_ids): - """Ensure classify_commit_type correctly extracts vulnerability IDs.""" - - class DummyCommit: - def __init__(self, message): - self.message = message - - commit = DummyCommit(commit_message) - result = pipeline.extract_vulnerability_id(commit) - - assert result == expected_ids, f"Unexpected result for message: {commit_message}" - - -def test_classify_commit_type_case_insensitive(pipeline): - """Ensure pattern matching is case-insensitive.""" - - class DummyCommit: - message = "fix CVE-2022-9999 and GHSA-gqgv-6jq5-jjj9" - - result = 
pipeline.extract_vulnerability_id(DummyCommit) - assert result == ["CVE-2022-9999", "GHSA-gqgv-6jq5-jjj9"] diff --git a/vulnerabilities/tests/pipelines/v2_importers/test_vcs_collector_importer.py b/vulnerabilities/tests/pipelines/v2_importers/test_vcs_collector_importer.py new file mode 100644 index 000000000..8bb6f8416 --- /dev/null +++ b/vulnerabilities/tests/pipelines/v2_importers/test_vcs_collector_importer.py 
@@ -0,0 +1,51 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import os
+from pathlib import Path
+from types import SimpleNamespace
+from unittest import TestCase
+from unittest.mock import patch
+
+from vulnerabilities.pipelines.v2_importers.vcs_collector_importer import VSCCollectorPipeline
+from vulnerabilities.tests import util_tests
+
+TEST_DATA = Path(__file__).parent.parent.parent / "test_data" / "vcs_collector"
+
+
+class TestVSCCollectorPipeline(TestCase):
+ @patch(
+ "vulnerabilities.pipelines.v2_importers.vcs_collector_importer.get_advisory_url",
+ return_value="https://mocked.url/advisory",
+ )
+ @patch("vulnerabilities.pipelines.v2_importers.vcs_collector_importer.Path.rglob")
+ def test_fix_commits_data(self, mock_rglob, mock_get_advisory_url):
+ pipeline = VSCCollectorPipeline()
+ pipeline.vcs_response = SimpleNamespace(dest_dir=TEST_DATA)
+ mock_input_file = Path(TEST_DATA) / "fix_commits_test_repo.json"
+ mock_rglob.return_value = [mock_input_file]
+ expected_file = os.path.join(TEST_DATA, "expected_fix_commits_output.json")
+ result = [adv.to_dict() for adv in pipeline.collect_advisories_fix_commits()]
+ result.sort(key=lambda x: x["advisory_id"])
+ util_tests.check_results_against_json(result, expected_file)
+
+ @patch(
+ "vulnerabilities.pipelines.v2_importers.vcs_collector_importer.get_advisory_url",
+ return_value="https://mocked.url/advisory",
+ )
+ @patch("vulnerabilities.pipelines.v2_importers.vcs_collector_importer.Path.rglob")
+ def test_issue_prs_data(self, mock_rglob, mock_get_advisory_url):
+ pipeline = VSCCollectorPipeline()
+ pipeline.vcs_response = SimpleNamespace(dest_dir=TEST_DATA)
+ mock_input_file = Path(TEST_DATA) / "pr_issues_test_repo.json"
+ mock_rglob.return_value = [mock_input_file]
+ expected_file = os.path.join(TEST_DATA, "expected_pr_issues_output.json")
+ result = [adv.to_dict() for adv in pipeline.collect_advisories_prs_and_issues()]
+ result.sort(key=lambda x: x["advisory_id"])
+ util_tests.check_results_against_json(result, expected_file)
diff --git a/vulnerabilities/tests/test_data/fix_commits/expected_linux_advisory_output.json b/vulnerabilities/tests/test_data/fix_commits/expected_linux_advisory_output.json
deleted file mode 100644
index ee580b4fe..000000000
--- a/vulnerabilities/tests/test_data/fix_commits/expected_linux_advisory_output.json
+++ /dev/null
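Review bot: Neither test touches the cleanup path, so a `clean_downloads` or `on_failure` call on a pipeline whose `clone` step never ran is not exercised; a third case that constructs `VSCCollectorPipeline()` and calls `on_failure()` directly would pin that behaviour before any change to the attribute handling. Both tests also replace `get_advisory_url` with a constant, which means the `base_path`-relative advisory URL the importer builds is never compared against the fixture; asserting the real return value for one input file would cover it. Minor style point: `expected_file` is built with `os.path.join` while the input path uses `Path`; `expected_file = TEST_DATA / "expected_fix_commits_output.json"` keeps the two consistent and lets the `os` import go.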
@@ -1,82 +0,0 @@ -[ - { - "advisory_id": "CVE-2021-0001", - "aliases": [], - "summary": "41b43c74bda19753c757036673ea9db74acf494a:Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.", - "affected_packages": [ - { - "package": { - "type": "github", - "namespace": "test", - "name": "repo", - "version": "", - "qualifiers": "", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version_range": null, - "introduced_by_commit_patches": [], - "fixed_by_commit_patches": [ - { - "vcs_url": "https://github.com/test/repo", - "commit_hash": "41b43c74bda19753c757036673ea9db74acf494a", - "patch_text": null, - "patch_checksum": null - } - ] - } - ], - "references": [ - { - "reference_id": "41b43c74bda19753c757036673ea9db74acf494a", - "reference_type": "commit", - "url": "https://github.com/test/repo/tree/41b43c74bda19753c757036673ea9db74acf494a" - } - ], - "patches": [], - "severities": [], - "date_published": null, - "weaknesses": [], - "url": "https://github.com/test/repo" - }, - { - "advisory_id": "GHSA-dead-beef-baad", - "aliases": [], - "summary": "49ff1042aa66bb25eda87e9a8ef82f3b0ad4eeba:Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags().", - "affected_packages": [ - { - "package": { - "type": "github", - "namespace": "test", - "name": "repo", - "version": "", - "qualifiers": "", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version_range": null, - "introduced_by_commit_patches": [], - "fixed_by_commit_patches": [ - { - "vcs_url": "https://github.com/test/repo", - "commit_hash": "49ff1042aa66bb25eda87e9a8ef82f3b0ad4eeba", - "patch_text": null, - "patch_checksum": null - } - ] - } - ], - "references": [ - { - "reference_id": "49ff1042aa66bb25eda87e9a8ef82f3b0ad4eeba", - "reference_type": "commit", - "url": "https://github.com/test/repo/tree/49ff1042aa66bb25eda87e9a8ef82f3b0ad4eeba" - } - ], - "patches": [], - "severities": [], - 
"date_published": null, - "weaknesses": [], - "url": "https://github.com/test/repo" - } -] \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/fix_commits/grouped_commits_input.json b/vulnerabilities/tests/test_data/fix_commits/grouped_commits_input.json deleted file mode 100644 index f905c9710..000000000 --- a/vulnerabilities/tests/test_data/fix_commits/grouped_commits_input.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "CVE-2021-0001": [ - ["41b43c74bda19753c757036673ea9db74acf494a", "Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB."] - ], - "GHSA-dead-beef-baad": [ - ["49ff1042aa66bb25eda87e9a8ef82f3b0ad4eeba", "Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags()."] - ] -} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/vcs_collector/expected_fix_commits_output.json b/vulnerabilities/tests/test_data/vcs_collector/expected_fix_commits_output.json new file mode 100644 index 000000000..cf5493da7 --- /dev/null +++ b/vulnerabilities/tests/test_data/vcs_collector/expected_fix_commits_output.json 
@@ -0,0 +1,3998 @@ +[ + { + "advisory_id": "CVE-2015-2104", + "aliases": [], + "summary": "319e2231b8db60100a70d8fc0fbc1e5621d8d0cb:thumbnail: Tighten fix for CVE-2019-19775 open redirect.\n\nDue to a known but unfixed bug in the Python standard library\u2019s\nurllib.parse module (CVE-2015-2104), a crafted URL could bypass the\nvalidation in the previous patch and still achieve an open redirect.\n\nhttps://bugs.python.org/issue23505\n\nSwitch to using django.utils.http.is_safe_url, which already contains\na workaround for this bug.\n\nSigned-off-by: Anders Kaseorg \n87d60a1fff48dd4997e5e281fd7cc9ad2896ed44:thumbnail: Tighten fix for CVE-2019-19775 open redirect.\n\nDue to a known but unfixed bug in the Python standard library\u2019s\nurllib.parse module (CVE-2015-2104), a crafted URL could bypass the\nvalidation in the previous patch and still achieve an open redirect.\n\nhttps://bugs.python.org/issue23505\n\nSwitch to using django.utils.http.is_safe_url, which already contains\na workaround for this bug.\n\nSigned-off-by: Anders Kaseorg ", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "319e2231b8db60100a70d8fc0fbc1e5621d8d0cb", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "87d60a1fff48dd4997e5e281fd7cc9ad2896ed44", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + 
{ + "reference_id": "319e2231b8db60100a70d8fc0fbc1e5621d8d0cb", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/319e2231b8db60100a70d8fc0fbc1e5621d8d0cb" + }, + { + "reference_id": "87d60a1fff48dd4997e5e281fd7cc9ad2896ed44", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/87d60a1fff48dd4997e5e281fd7cc9ad2896ed44" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2016-4426", + "aliases": [], + "summary": "07fc47f95344852658d65b63316be0123ac48416:CVE-2016-4426: Fix non-admin users having access to all bot API keys.\n\nLong ago, there was work on an experimental integration model where\nevery user in a realm would have administrative control over all bots,\nwith the goal of simplifying the process of setting up communally\nadministered bots for smaller teams. While that new model was never\nfully implemented (and thus never setup as an option), an error in\nthat original implementation meant that the data on all bots in a\nrealm, including their API keys, was sent to the browsers of users via\nthe `realm_bots` variable in `page_params`. The data wasn't displayed\nin the UI for non-admin users, but was available via e.g. the\njavascript console.\n\nThis commit updates this behavior to only send sensitive bot data like\nAPI keys to the owner of the bot (and realm admins).\n\nWe may in the future implement a model simplifying communally\nadministered integrations, but if we do that, those bots should be\nlimited in their capabilities (e.g. 
only able to send webhook\nmessages).\n\nThis bug has been present since Zulip was released as open source.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "07fc47f95344852658d65b63316be0123ac48416", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "07fc47f95344852658d65b63316be0123ac48416", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/07fc47f95344852658d65b63316be0123ac48416" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2016-4427", + "aliases": [], + "summary": "b28b3cd65cae038d09732db9a3697f520818168e:CVE-2016-4427: Fix access by deactivated realms/users.\n\nThe security model for deactivated users (and users in deactivated\nrealms) being unable to access the service is intended to work via two\nmechanisms:\n\n* All active user sessions are deleted, and all login code paths\n (where a user could get a new session) check whether the user (or\n realm) is inactive before authorizing the request, preventing the\n user from accessing the website and AJAX endpoints.\n* All API code paths (which don't require a session) check whether the\n user (and realm) are active.\n\nHowever, this security model was not implemented correctly. In\nparticular, the check for whether a user has an active account in the\nlogin process was done inside the login form's validators, which meant\nthat authentication mechanisms that did not use the login form\n(e.g. Google and REMOTE_USER auth) could succeed in granting a session\neven with an inactive account. 
The Zulip homepage would still fail to\nload because the code for / includes an API call to Tornado authorized\nby the user's token that would fail, but this mechanism could allow an\ninactive user to access realm data or users to access data in a\ndeactivated realm.\n\nThis fixes the issue by adding explicit checks for inactive users and\ninactive realms in all authentication backends (even those that were\nalready protected by the login form validator).\n\nMirror dummy users are already inactive, so we can remove the explicit\ncode around mirror dummy users.\n\nThe following commits add a complete set of tests for Zulip's inactive\nuser and realm security model.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "b28b3cd65cae038d09732db9a3697f520818168e", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "b28b3cd65cae038d09732db9a3697f520818168e", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/b28b3cd65cae038d09732db9a3697f520818168e" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2017-0881", + "aliases": [], + "summary": "0af34ee71078633dcb960995f4adfd3f7293c1f3:streams: Add zerver/lib/streams.py library for security checks.\n\nThe goal of this library is to make it a lot easier to prevent bugs\nlike CVE-2017-0881 by having all of our views logic for fetching a\nstream go through a couple carefully tested code paths.\n7ecda1ac8e26d8fb3725e954b2dc4723dda2255f:streams: Fix autosubscribe security bug (CVE-2017-0881).\n\nA bug in Zulip's implementation of 
the \"stream exists\" endpoint meant\nthat any user of a Zulip server could subscribe to an invite-only\nstream without needing to be invited by using the \"autosubscribe\"\nargument.\n\nThanks to Rafid Aslam for discovering this issue.\n1cdd451d703a9c1b0a395d81dacadbf5c4d85277:streams: Fix autosubscribe security bug (CVE-2017-0881).\n\nA bug in Zulip's implementation of the \"stream exists\" endpoint meant\nthat any user of a Zulip server could subscribe to an invite-only\nstream without needing to be invited by using the \"autosubscribe\"\nargument.\n\nThanks to Rafid Aslam for discovering this issue.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "0af34ee71078633dcb960995f4adfd3f7293c1f3", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "7ecda1ac8e26d8fb3725e954b2dc4723dda2255f", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "1cdd451d703a9c1b0a395d81dacadbf5c4d85277", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + 
{ + "reference_id": "0af34ee71078633dcb960995f4adfd3f7293c1f3", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/0af34ee71078633dcb960995f4adfd3f7293c1f3" + }, + { + "reference_id": "7ecda1ac8e26d8fb3725e954b2dc4723dda2255f", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/7ecda1ac8e26d8fb3725e954b2dc4723dda2255f" + }, + { + "reference_id": "1cdd451d703a9c1b0a395d81dacadbf5c4d85277", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/1cdd451d703a9c1b0a395d81dacadbf5c4d85277" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2017-0896", + "aliases": [], + "summary": "1f48fa27672170bba3b9a97384905bb04c18761b:invite: Fix invite_by_admins_only to be enforced in backend.\n\nThis is CVE-2017-0896.\n\nApparently, this setting never actually was wired up to anything other\nthan hiding the UI widget.\n\nHuge thanks to Ibram Marzouk from the HackerOne community for finding\nthis security bug.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "1f48fa27672170bba3b9a97384905bb04c18761b", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "1f48fa27672170bba3b9a97384905bb04c18761b", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/1f48fa27672170bba3b9a97384905bb04c18761b" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2017-0910", + "aliases": [], + "summary": 
"d4ee3023b2fbc8af9a220df130097e9497dad5b5:registration: Require an explicit realm on PreregistrationUser.\n\nThis completes the last commit's work to fix CVE-2017-0910, applying\nto any invite links already created before the fix was deployed. With\nthis change, all new-user registrations must match an explicit realm\nin the PreregistrationUser row, except when creating a new realm.\n\n[greg: rewrote commit message]\n985768b2fdcf4c1e7228951baab7c25239c6a7f6:registration: Check realm against PreregistrationUser realm.\n\nWe would allow a user with a valid invitation for one realm to use it\non a different realm instead. On a server with multiple realms, an\nauthorized user of one realm could use this (by sending invites to\nother email addresses they control) to create accounts on other\nrealms. (CVE-2017-0910)\n\nWith this commit, when sending an invitation, we record the inviting\nuser's realm on the PreregistrationUser row; and when registering a\nuser, we check that the PregistrationUser realm matches the realm the\nuser is trying to register on. This resolves CVE-2017-0910 for\nnewly-sent invitations; the next commit completes the fix.\n\n[greg: rewrote commit message]\n960d736e55cbb9386a68e4ee45f80581fd2a4e32:registration: Require an explicit realm on PreregistrationUser.\n\nThis completes the last commit's work to fix CVE-2017-0910, applying\nto any invite links already created before the fix was deployed. With\nthis change, all new-user registrations must match an explicit realm\nin the PreregistrationUser row, except when creating a new realm.\n\n[greg: rewrote commit message]\n28a3dcf787b489d155bd27765f1aed5e7a1f44a9:registration: Check realm against PreregistrationUser realm.\n\nWe would allow a user with a valid invitation for one realm to use it\non a different realm instead. On a server with multiple realms, an\nauthorized user of one realm could use this (by sending invites to\nother email addresses they control) to create accounts on other\nrealms. 
(CVE-2017-0910)\n\nWith this commit, when sending an invitation, we record the inviting\nuser's realm on the PreregistrationUser row; and when registering a\nuser, we check that the PregistrationUser realm matches the realm the\nuser is trying to register on. This resolves CVE-2017-0910 for\nnewly-sent invitations; the next commit completes the fix.\n\n[greg: rewrote commit message]", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "d4ee3023b2fbc8af9a220df130097e9497dad5b5", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "985768b2fdcf4c1e7228951baab7c25239c6a7f6", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "960d736e55cbb9386a68e4ee45f80581fd2a4e32", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + 
"fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "28a3dcf787b489d155bd27765f1aed5e7a1f44a9", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "d4ee3023b2fbc8af9a220df130097e9497dad5b5", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/d4ee3023b2fbc8af9a220df130097e9497dad5b5" + }, + { + "reference_id": "985768b2fdcf4c1e7228951baab7c25239c6a7f6", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/985768b2fdcf4c1e7228951baab7c25239c6a7f6" + }, + { + "reference_id": "960d736e55cbb9386a68e4ee45f80581fd2a4e32", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/960d736e55cbb9386a68e4ee45f80581fd2a4e32" + }, + { + "reference_id": "28a3dcf787b489d155bd27765f1aed5e7a1f44a9", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/28a3dcf787b489d155bd27765f1aed5e7a1f44a9" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2018-9986", + "aliases": [], + "summary": "3bdc8bbaa51ced2c241da6107ec8b3604ebb2853:CVE-2018-9986: Fix XSS issues with frontend markdown processor.\n\nThis fixes a set of XSS issues with Zulip's frontend markdown\nprocessor, which is used in a limited set of contexts, such as local\necho of messages and the drafts feature.\n\nThe implementation of several syntax elements, including the \nsyntax, user and stream mentions, and some others failed to properly\nescape the content inside the syntax.\n\nFix this, and add tests for each corrected code path.\n\nThanks to w2w for reporting this issue.\n4192276aa3f07d75143583441bbea448fbf38c13:CVE-2018-9986: Fix XSS issues with frontend markdown processor.\n\nThis fixes a set of XSS issues with Zulip's frontend markdown\nprocessor, which is used in a limited set of contexts, such as local\necho of 
messages and the drafts feature.\n\nThe implementation of several syntax elements, including the \nsyntax, user and stream mentions, and some others failed to properly\nescape the content inside the syntax.\n\nFix this, and add tests for each corrected code path.\n\nThanks to w2w for reporting this issue.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "3bdc8bbaa51ced2c241da6107ec8b3604ebb2853", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "4192276aa3f07d75143583441bbea448fbf38c13", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "3bdc8bbaa51ced2c241da6107ec8b3604ebb2853", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/3bdc8bbaa51ced2c241da6107ec8b3604ebb2853" + }, + { + "reference_id": "4192276aa3f07d75143583441bbea448fbf38c13", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/4192276aa3f07d75143583441bbea448fbf38c13" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2018-9987", + "aliases": [], + "summary": "1207a08b36c7696397855ef7fd6ae6cff2c8c4be:CVE-2018-9987: Fix XSS issue with muting notifications.\n\nThis fixes an XSS issue with Zulip's muting UI, where if a stream 
or\ntopic name contained malicious HTML containing JavaScript, and the\nuser did a muting interaction, the malicious JavaScript could run when\nrendering the \"you just muted a topic\" notification.\n\nWe did an audit for similarly problematic use of `.html`, and found\nnone; for the next release we'll be merging a series of changes to our\nlinter to prevent future instances of this being added.\n\nThanks to Suhas Sunil Gaikwad for reporting this issue.\nf055a7d133ed6a4060485b4abea295210fbe1af0:CVE-2018-9987: Fix XSS issue with muting notifications.\n\nThis fixes an XSS issue with Zulip's muting UI, where if a stream or\ntopic name contained malicious HTML containing JavaScript, and the\nuser did a muting interaction, the malicious JavaScript could run when\nrendering the \"you just muted a topic\" notification.\n\nWe did an audit for similarly problematic use of `.html`, and found\nnone; for the next release we'll be merging a series of changes to our\nlinter to prevent future instances of this being added.\n\nThanks to Suhas Sunil Gaikwad for reporting this issue.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "1207a08b36c7696397855ef7fd6ae6cff2c8c4be", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "f055a7d133ed6a4060485b4abea295210fbe1af0", + "patch_text": null, + "patch_checksum": null + } + ] + 
} + ], + "references": [ + { + "reference_id": "1207a08b36c7696397855ef7fd6ae6cff2c8c4be", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/1207a08b36c7696397855ef7fd6ae6cff2c8c4be" + }, + { + "reference_id": "f055a7d133ed6a4060485b4abea295210fbe1af0", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/f055a7d133ed6a4060485b4abea295210fbe1af0" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2018-9990", + "aliases": [], + "summary": "65b9d9e0f32fbaad722435726ec3b4afae14f8a7:CVE-2018-9990: Fix XSS issue with stream names in topic typeahead.\n\nZulip's search typeahead had a security bug, where when autocompleting\na specially crafted stream name, and then hitting space, code within\nthe stream name would be executed.\n\nZulip was doing HTML escaping correctly in the main code path using\nFilter.describe to describe a narrow, but the escaping function was\nnot called in a few parallel code paths. We fix this in a way that\nshould protect all of these code paths, by making Filter.describe\nreturn properly escaped HTML, rather than depending on its callers to\ndo so.\n\nThanks to w2w for reporting this issue.\nba528f9345a7c2891a0cbc52a8e103661fc2a870:CVE-2018-9990: Fix XSS issue with stream names in topic typeahead.\n\nZulip's search typeahead had a security bug, where when autocompleting\na specially crafted stream name, and then hitting space, code within\nthe stream name would be executed.\n\nZulip was doing HTML escaping correctly in the main code path using\nFilter.describe to describe a narrow, but the escaping function was\nnot called in a few parallel code paths. 
We fix this in a way that\nshould protect all of these code paths, by making Filter.describe\nreturn properly escaped HTML, rather than depending on its callers to\ndo so.\n\nThanks to w2w for reporting this issue.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "65b9d9e0f32fbaad722435726ec3b4afae14f8a7", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "ba528f9345a7c2891a0cbc52a8e103661fc2a870", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "65b9d9e0f32fbaad722435726ec3b4afae14f8a7", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/65b9d9e0f32fbaad722435726ec3b4afae14f8a7" + }, + { + "reference_id": "ba528f9345a7c2891a0cbc52a8e103661fc2a870", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/ba528f9345a7c2891a0cbc52a8e103661fc2a870" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2018-9999", + "aliases": [], + "summary": "8813c7b542497935018ed9efc897b12b49faf189:CVE-2018-9999: Fix XSS issue with user uploads.\n\nThis adds a basic Content-Security-Policy for user-uploaded files\nserved by the LOCAL_UPLOADS backend.\n\nThe local uploads backend is designed to share a domain with 
the main\nZulip site, and thus without this fix, it can be used for XSS attacks\nwith access to the user's Zulip cookies.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "8813c7b542497935018ed9efc897b12b49faf189", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "8813c7b542497935018ed9efc897b12b49faf189", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/8813c7b542497935018ed9efc897b12b49faf189" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2019-16215", + "aliases": [], + "summary": "5797f013b3be450c146a4141514bda525f2f1b51:CVE-2019-16215: Fix DoS vulnerability in Markdown LINK_RE.\n\nAny regex including a match-everything subpattern (.*, .*?, .+, or\n.+?) is almost automatically wrong because it fails to disambiguate\nwhen one subpattern should end and another should begin. 
Among other\nbugs, these kind of regexes tend to be especially prone to denial of\nservice vulnerabilities through catastrophic backtracking on strings\nthat fail to match in a large (in this case, exponential) number of\nways.\n\nLacking a specification to say what characters should actually be\nallowed in these subpatterns (this syntax is too different from\nCommonMark to be able to precisely apply those rules), I\u2019ve tried to\nmake reasonable guesses and avoid changing much else.\n\nBecause Zulip doesn't store messages until they have successfully been\nprocessed by the Markdown processor, this is not a stored DoS issue.\n\nIn general, Zulip protects against the broad category of DoS issues in\nMarkdown rendering via a timeout managed by another thread. However,\ndetails of Python's regular expression implementation mean that this\nparticular issue could prevent the timeout thread from being\nscheduled, resulting in this being a DoS issue.\n\nThis was fixed in master a few months ago as a side effect of\nabe2dab88ca96786bb32dea6caab873819b8c482 (#12979).\n\nSigned-off-by: Anders Kaseorg ", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "5797f013b3be450c146a4141514bda525f2f1b51", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "5797f013b3be450c146a4141514bda525f2f1b51", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/5797f013b3be450c146a4141514bda525f2f1b51" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2019-16216", + "aliases": [], + "summary": 
"1195841dfb9aa26b3b0dabc6f05d72e4af25be3e:CVE-2019-16216: Fix MIME type validation.\n\n* Whitelist a small number of image/ types to be served as\n non-attachments.\n* Serve the file using the type that we validated rather than relying\n on an independent guess to match.\n\nThis issue can lead to a stored XSS security vulnerability for older\nbrowsers that don't support Content-Security-Policy.\n\nIt primarily affects servers using Zulip's local file uploads backend\nfor servers running Ubuntu 16.04 Xenial or newer; the legacy local\nfile upload backend for (now EOL) Ubuntu 14.04 Trusty was not affected\nand it has limited impact for the S3 upload backend (which uses an\nunprivileged S3 bucket domain to serve files).\n\nThis was fixed in master via 780ecb672b9324ba879056240089e14539cda6e4.\n\nSigned-off-by: Anders Kaseorg \n780ecb672b9324ba879056240089e14539cda6e4:CVE-2019-16216: Fix MIME type validation.\n\n* Whitelist a small number of image/ types to be served as\n non-attachments.\n* Serve the file using the type that we validated rather than relying\n on an independent guess to match.\n\nThis issue can lead to a stored XSS security vulnerability for older\nbrowsers that don't support Content-Security-Policy.\n\nIt primarily affects servers using Zulip's local file uploads backend\nfor servers running Ubuntu 16.04 Xenial or newer; the legacy local\nfile upload backend for (now EOL) Ubuntu 14.04 Trusty was not affected\nand it has limited impact for the S3 upload backend (which uses an\nunprivileged S3 bucket domain to serve files).\n\nSigned-off-by: Anders Kaseorg ", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": 
"1195841dfb9aa26b3b0dabc6f05d72e4af25be3e", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "780ecb672b9324ba879056240089e14539cda6e4", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "1195841dfb9aa26b3b0dabc6f05d72e4af25be3e", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/1195841dfb9aa26b3b0dabc6f05d72e4af25be3e" + }, + { + "reference_id": "780ecb672b9324ba879056240089e14539cda6e4", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/780ecb672b9324ba879056240089e14539cda6e4" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2019-18933", + "aliases": [], + "summary": "0c2cc41d2e40807baa5ee2c72987ebfb64ea2eb6:CVE-2019-18933: Fix insecure account creation via social authentication.\n\nA bug in Zulip's new user signup process meant that users who\nregistered their account using social authentication (e.g. 
GitHub or\nGoogle SSO) in an organization that also allows password\nauthentication could have their personal API key stolen by an\nunprivileged attacker, allowing nearly full access to the user's\naccount.\n\nZulip versions between 1.7.0 and 2.0.6 were affected.\n\nThis commit fixes the original bug and also contains a database\nmigration to fix any users with corrupt `password` fields in the\ndatabase as a result of the bug.\n\nOut of an abundance of caution (and to protect the users of any\ninstallations that delay applying this commit), the migration also\nresets the API keys of any users where Zulip's logs cannot prove the\nuser's API key was not previously stolen via this bug. Resetting\nthose API keys will be inconvenient for users:\n\n* Users of the Zulip mobile and terminal apps whose API keys are reset\n will be logged out and need to login again.\n* Users using their personal API keys for any other reason will need\n to re-fetch their personal API key.\n\nWe discovered this bug internally and don't believe it was disclosed\nprior to our publishing it through this commit. Because the algorithm\nfor determining which users might have been affected is very\nconservative, many users who were never at risk will have their API\nkeys reset by this migration.\n\nTo avoid this on self-hosted installations that have always used\ne.g. LDAP authentication, we skip resetting API keys on installations\nthat don't have password authentication enabled. 
System\nadministrators on installations that used to have email authentication\nenabled, but no longer do, should temporarily enable EmailAuthBackend\nbefore applying this migration.\n\nThe migration also records which users had their passwords or API keys\nreset in the usual RealmAuditLog table.\n1cdec46aa95dc4b9ea75e9092ef0cfb98809672f:CVE-2019-18933: Fix insecure account creation via social authentication.\n\nBackported for 2.0.7 security release.\n\nA bug in Zulip's new user signup process meant that users who\nregistered their account using social authentication (e.g. GitHub or\nGoogle SSO) in an organization that also allows password\nauthentication could have their personal API key stolen by an\nunprivileged attacker, allowing nearly full access to the user's\naccount.\n\nZulip versions between 1.7.0 and 2.0.6 were affected.\n\nThis commit fixes the original bug and also contains a database\nmigration to fix any users with corrupt `password` fields in the\ndatabase as a result of the bug.\n\nOut of an abundance of caution (and to protect the users of any\ninstallations that delay applying this commit), the migration also\nresets the API keys of any users where Zulip's logs cannot prove the\nuser's API key was not previously stolen via this bug. Resetting\nthose API keys will be inconvenient for users:\n\n* Users of the Zulip mobile and terminal apps whose API keys are reset\n will be logged out and need to login again.\n* Users using their personal API keys for any other reason will need\n to re-fetch their personal API key.\n\nWe discovered this bug internally and don't believe it was disclosed\nprior to our publishing it through this commit. Because the algorithm\nfor determining which users might have been affected is very\nconservative, many users who were never at risk will have their API\nkeys reset by this migration.\n\nTo avoid this on self-hosted installations that have always used\ne.g. 
LDAP authentication, we skip resetting API keys on installations\nthat don't have password authentication enabled. System\nadministrators on installations that used to have email authentication\nenabled, but no longer do, should temporarily enable EmailAuthBackend\nbefore applying this migration.\n\nThe migration also records which users had their passwords or API keys\nreset in the usual RealmAuditLog table.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "0c2cc41d2e40807baa5ee2c72987ebfb64ea2eb6", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "1cdec46aa95dc4b9ea75e9092ef0cfb98809672f", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "0c2cc41d2e40807baa5ee2c72987ebfb64ea2eb6", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/0c2cc41d2e40807baa5ee2c72987ebfb64ea2eb6" + }, + { + "reference_id": "1cdec46aa95dc4b9ea75e9092ef0cfb98809672f", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/1cdec46aa95dc4b9ea75e9092ef0cfb98809672f" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2019-19775", + "aliases": [], + "summary": "319e2231b8db60100a70d8fc0fbc1e5621d8d0cb:thumbnail: Tighten 
fix for CVE-2019-19775 open redirect.\n\nDue to a known but unfixed bug in the Python standard library\u2019s\nurllib.parse module (CVE-2015-2104), a crafted URL could bypass the\nvalidation in the previous patch and still achieve an open redirect.\n\nhttps://bugs.python.org/issue23505\n\nSwitch to using django.utils.http.is_safe_url, which already contains\na workaround for this bug.\n\nSigned-off-by: Anders Kaseorg \n87d60a1fff48dd4997e5e281fd7cc9ad2896ed44:thumbnail: Tighten fix for CVE-2019-19775 open redirect.\n\nDue to a known but unfixed bug in the Python standard library\u2019s\nurllib.parse module (CVE-2015-2104), a crafted URL could bypass the\nvalidation in the previous patch and still achieve an open redirect.\n\nhttps://bugs.python.org/issue23505\n\nSwitch to using django.utils.http.is_safe_url, which already contains\na workaround for this bug.\n\nSigned-off-by: Anders Kaseorg \n8e37862b693799e69a4bb690cb36d98d0b6c8790:CVE-2019-19775: Close open redirect in thumbnail view.\n\nThis closes an open redirect vulnerability, one case of which was\nfound by Graham Bleaney and Ibrahim Mohamed using Pysa.\n\nSigned-off-by: Anders Kaseorg \nb7c87a4d82397a5e6ac169b6098bed0b1ae7a583:CVE-2019-19775: Close open redirect in thumbnail view.\n\nThis closes an open redirect vulnerability, one case of which was\nfound by Graham Bleaney and Ibrahim Mohamed using Pysa.\n\nSigned-off-by: Anders Kaseorg ", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "319e2231b8db60100a70d8fc0fbc1e5621d8d0cb", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + 
"qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "87d60a1fff48dd4997e5e281fd7cc9ad2896ed44", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "8e37862b693799e69a4bb690cb36d98d0b6c8790", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "b7c87a4d82397a5e6ac169b6098bed0b1ae7a583", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "319e2231b8db60100a70d8fc0fbc1e5621d8d0cb", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/319e2231b8db60100a70d8fc0fbc1e5621d8d0cb" + }, + { + "reference_id": "87d60a1fff48dd4997e5e281fd7cc9ad2896ed44", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/87d60a1fff48dd4997e5e281fd7cc9ad2896ed44" + }, + { + "reference_id": "8e37862b693799e69a4bb690cb36d98d0b6c8790", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/8e37862b693799e69a4bb690cb36d98d0b6c8790" + }, + { + "reference_id": "b7c87a4d82397a5e6ac169b6098bed0b1ae7a583", + "reference_type": "commit", + "url": 
"https://github.com/zulip/zulip/commit/b7c87a4d82397a5e6ac169b6098bed0b1ae7a583" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2020-10935", + "aliases": [], + "summary": "2d4530854673d78d2212ec91523135452dbd75fb:CVE-2020-10935: Fix XSS vulnerability in local link rewriting.\n\nMake sure rewrite_local_links_to_relative does not accidentally change\nthe meaning of links.\n\nSigned-off-by: Anders Kaseorg \n64856d858e2afcc028d368d58c442757ac28ee51:CVE-2020-10935: Fix XSS vulnerability in local link rewriting.\n\nMake sure rewrite_local_links_to_relative does not accidentally change\nthe meaning of links.\n\nSigned-off-by: Anders Kaseorg ", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "2d4530854673d78d2212ec91523135452dbd75fb", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "64856d858e2afcc028d368d58c442757ac28ee51", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "2d4530854673d78d2212ec91523135452dbd75fb", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/2d4530854673d78d2212ec91523135452dbd75fb" + }, + { + "reference_id": "64856d858e2afcc028d368d58c442757ac28ee51", + "reference_type": "commit", + "url": 
"https://github.com/zulip/zulip/commit/64856d858e2afcc028d368d58c442757ac28ee51" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2020-12759", + "aliases": [], + "summary": "83380b42969a4a42f3a90d3be00bf39e6d6f6e23:CVE-2020-12759: Fix reflected XSS vulnerability in Dropbox webhook.\n\nAlso check the challenge argument\u2019s presence before using it.\n\nSigned-off-by: Anders Kaseorg \n87f7874a79abe5be70a7a67258da957c4efe0bda:CVE-2020-12759: Fix reflected XSS vulnerability in Dropbox webhook.\n\nAlso check the challenge argument\u2019s presence before using it.\n\nSigned-off-by: Anders Kaseorg ", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "83380b42969a4a42f3a90d3be00bf39e6d6f6e23", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "87f7874a79abe5be70a7a67258da957c4efe0bda", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "83380b42969a4a42f3a90d3be00bf39e6d6f6e23", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/83380b42969a4a42f3a90d3be00bf39e6d6f6e23" + }, + { + "reference_id": "87f7874a79abe5be70a7a67258da957c4efe0bda", + "reference_type": "commit", + "url": 
"https://github.com/zulip/zulip/commit/87f7874a79abe5be70a7a67258da957c4efe0bda" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2020-14194", + "aliases": [], + "summary": "a2767e8c50063a9ef308a9526bb732e638c3480d:CVE-2020-14194: Use noopener/noreferrer for external links.\n\nWe fixed the main issue of this form in CVE-2020-9444, but the audit\ndone at that time only included links found in rendered_markdown; this\nchange completes our audit for links with target=_blank anywhere in\nthe codebase.\n6d0c39fd7e9db860b47585d87b8072d6117b197f:CVE-2020-14194: Use noopener/noreferrer for external links.\n\nWe fixed the main issue of this form in CVE-2020-9444, but the audit\ndone at that time only included links found in rendered_markdown; this\nchange completes our audit for links with target=_blank anywhere in\nthe codebase.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "a2767e8c50063a9ef308a9526bb732e638c3480d", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "6d0c39fd7e9db860b47585d87b8072d6117b197f", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "a2767e8c50063a9ef308a9526bb732e638c3480d", + "reference_type": "commit", + "url": 
"https://github.com/zulip/zulip/commit/a2767e8c50063a9ef308a9526bb732e638c3480d" + }, + { + "reference_id": "6d0c39fd7e9db860b47585d87b8072d6117b197f", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/6d0c39fd7e9db860b47585d87b8072d6117b197f" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2020-14215", + "aliases": [], + "summary": "9f4905d7e3f42002209d8ce46435d3b9447de588:CVE-2020-14215: Add migration to clear INVITED_AS_REALM_ADMIN.\n\nThis migration fixes any PreregistrationUser objects that might have\nbeen already corrupted to have the administrator role by the buggy\noriginal version of migration 0198_preregistrationuser_invited_as.\n\nSince invitations that create new users as administrators are rare, it\nis cleaner to just remove the role from all PreregistrationUser\nobjects than to filter for just those older invitation objects that\ncould have been corrupted by the original migration.\n3f55bfc53b911b309b254849a1fb75671e9e5b58:CVE-2020-14215: Fix migration 0198_preregistrationuser_invited_as.\n\nThis migration incorrectly swapped the role associated with invitation\nobjects between members and organization administrators, resulting in\nmost invitation objects that existed before the upgrade to Zulip\n2.0.0-rc1 or later to be incorrectly administrator invitations.\n\nFixing the migration is safe and will help those installations\nupgrading directly from 1.9.x to 2.1.5 or later.\n\nA migration to fix the corrupted records will appear in an upcoming\ncommit.\n8d2d64c10006801b35f287e92e69da01d0b447cd:CVE-2020-14215: Fix validation in PreregistrationUser queries.\n\nThe most import change here is the one in maybe_send_to_registration\ncodepath, as the insufficient validation there could lead to fetching\nan expired PreregistrationUser that was invited as an administrator\nadmin even years ago, leading to this 
registration ending up in the\nnew user being a realm administrator.\n\nCombined with the buggy migration in\n0198_preregistrationuser_invited_as.py, this led to users incorrectly\njoining as organizations administrators by accident. But even without\nthat bug, this issue could have allowed a user who was invited as an\nadministrator but then had that invitation expire and then joined via\nsocial authentication incorrectly join as an organization administrator.\n\nThe second change is in ConfirmationEmailWorker, where this wasn't a\nsecurity problem, but if the server was stopped for long enough, with\nsome invites to send out email for in the queue, then after starting it\nup again, the queue worker would send out emails for invites that\nhad already expired.\nc21c8dcd95fa87221a6d818550fd76e7e770cf2e:CVE-2020-14215: Add migration to clear INVITED_AS_REALM_ADMIN.\n\nThis migration fixes any PreregistrationUser objects that might have\nbeen already corrupted to have the administrator role by the buggy\noriginal version of migration 0198_preregistrationuser_invited_as.\n\nSince invitations that create new users as administrators are rare, it\nis cleaner to just remove the role from all PreregistrationUser\nobjects than to filter for just those older invitation objects that\ncould have been corrupted by the original migration.\n82d2960ad1d15d4f50f7ec4e684845371d7681d1:CVE-2020-14215: Fix migration 0198_preregistrationuser_invited_as.\n\nThis migration incorrectly swapped the role associated with invitation\nobjects between members and organization administrators, resulting in\nmost invitation objects that existed before the upgrade to Zulip\n2.0.0-rc1 or later to be incorrectly administrator invitations.\n\nFixing the migration is safe and will help those installations\nupgrading directly from 1.9.x to 2.1.5 or later.\n\nA migration to fix the corrupted records will appear in an upcoming\ncommit.\nfa07539016754200890df9fa791d9d0ea3e31c6b:CVE-2020-14215: Fix validation 
in PreregistrationUser queries.\n\nThe most import change here is the one in maybe_send_to_registration\ncodepath, as the insufficient validation there could lead to fetching\nan expired PreregistrationUser that was invited as an administrator\nadmin even years ago, leading to this registration ending up in the\nnew user being a realm administrator.\n\nCombined with the buggy migration in\n0198_preregistrationuser_invited_as.py, this led to users incorrectly\njoining as organizations administrators by accident. But even without\nthat bug, this issue could have allowed a user who was invited as an\nadministrator but then had that invitation expire and then joined via\nsocial authentication incorrectly join as an organization administrator.\n\nThe second change is in ConfirmationEmailWorker, where this wasn't a\nsecurity problem, but if the server was stopped for long enough, with\nsome invites to send out email for in the queue, then after starting it\nup again, the queue worker would send out emails for invites that\nhad already expired.\n\nBackported to the 2.1.x series by tabbott.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "9f4905d7e3f42002209d8ce46435d3b9447de588", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "3f55bfc53b911b309b254849a1fb75671e9e5b58", + "patch_text": null, + 
"patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "8d2d64c10006801b35f287e92e69da01d0b447cd", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "c21c8dcd95fa87221a6d818550fd76e7e770cf2e", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "82d2960ad1d15d4f50f7ec4e684845371d7681d1", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "fa07539016754200890df9fa791d9d0ea3e31c6b", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "9f4905d7e3f42002209d8ce46435d3b9447de588", + "reference_type": "commit", + "url": 
"https://github.com/zulip/zulip/commit/9f4905d7e3f42002209d8ce46435d3b9447de588" + }, + { + "reference_id": "3f55bfc53b911b309b254849a1fb75671e9e5b58", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/3f55bfc53b911b309b254849a1fb75671e9e5b58" + }, + { + "reference_id": "8d2d64c10006801b35f287e92e69da01d0b447cd", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/8d2d64c10006801b35f287e92e69da01d0b447cd" + }, + { + "reference_id": "c21c8dcd95fa87221a6d818550fd76e7e770cf2e", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/c21c8dcd95fa87221a6d818550fd76e7e770cf2e" + }, + { + "reference_id": "82d2960ad1d15d4f50f7ec4e684845371d7681d1", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/82d2960ad1d15d4f50f7ec4e684845371d7681d1" + }, + { + "reference_id": "fa07539016754200890df9fa791d9d0ea3e31c6b", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/fa07539016754200890df9fa791d9d0ea3e31c6b" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2020-15070", + "aliases": [], + "summary": "47913fb091794830c54eac2927e26bce92cfced1:CVE-2020-15070: Replace eval with ast.literal_eval.\n\nThis eval function performs the inverse of the implicit\nstringification that\u2019s implied by this type-incorrect assignment in\ndo_update_user_custom_profile_data_if_changed:\n\nfield_value.value = field['value']\n\nWe believe there\u2019s sufficient validation for the data being passed to\nthis eval that it could only have been exploited by a PostgreSQL\nadministrator editing the database manually.\n\nSigned-off-by: Anders Kaseorg \nbd55825ab86557458a1dbbfbdb02e36a0e66ac4d:CVE-2020-15070: Replace eval with ast.literal_eval.\n\nThis eval function performs the inverse of the implicit\nstringification that\u2019s implied by this type-incorrect 
assignment in\ndo_update_user_custom_profile_data_if_changed:\n\nfield_value.value = field['value']\n\nWe believe there\u2019s sufficient validation for the data being passed to\nthis eval that it could only have been exploited by a PostgreSQL\nadministrator editing the database manually.\n\nSigned-off-by: Anders Kaseorg ", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "47913fb091794830c54eac2927e26bce92cfced1", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "bd55825ab86557458a1dbbfbdb02e36a0e66ac4d", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "47913fb091794830c54eac2927e26bce92cfced1", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/47913fb091794830c54eac2927e26bce92cfced1" + }, + { + "reference_id": "bd55825ab86557458a1dbbfbdb02e36a0e66ac4d", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/bd55825ab86557458a1dbbfbdb02e36a0e66ac4d" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2020-9444", + "aliases": [], + "summary": "a2767e8c50063a9ef308a9526bb732e638c3480d:CVE-2020-14194: Use noopener/noreferrer for external links.\n\nWe fixed the main issue of this form in 
CVE-2020-9444, but the audit\ndone at that time only included links found in rendered_markdown; this\nchange completes our audit for links with target=_blank anywhere in\nthe codebase.\n6d0c39fd7e9db860b47585d87b8072d6117b197f:CVE-2020-14194: Use noopener/noreferrer for external links.\n\nWe fixed the main issue of this form in CVE-2020-9444, but the audit\ndone at that time only included links found in rendered_markdown; this\nchange completes our audit for links with target=_blank anywhere in\nthe codebase.\n68cfcd6446bc44eda37456f0d788235f39c3af9e:CVE-2020-9444: Prevent reverse tabnabbing attacks.\n\nWhile we could fix this issue by changing the markdown processor,\ndoing so is not a robust solution, because even a momentary bug in the\nmarkdown processor could allow cached messages that do not follow our\nsecurity policy.\n\nThis change ensures that even if our markdown processor has bugs that\nresult in rendered content that does not properly follow our policy of\nusing rel=\"noopener noreferrer\" on links, we'll still do something\nreasonable.\n\nCo-authored-by: Tim Abbott \nSigned-off-by: Anders Kaseorg \nc9796ba7f7632bf06d3391c3bfde27304b6ae12a:CVE-2020-9444: Prevent reverse tabnabbing attacks.\n\nWhile we could fix this issue by changing the markdown processor,\ndoing so is not a robust solution, because even a momentary bug in the\nmarkdown processor could allow cached messages that do not follow our\nsecurity policy.\n\nThis change ensures that even if our markdown processor has bugs that\nresult in rendered content that does not properly follow our policy of\nusing rel=\"noopener noreferrer\" on links, we'll still do something\nreasonable.\n\nCo-authored-by: Tim Abbott \nSigned-off-by: Anders Kaseorg ", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + 
"introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "a2767e8c50063a9ef308a9526bb732e638c3480d", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "6d0c39fd7e9db860b47585d87b8072d6117b197f", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "68cfcd6446bc44eda37456f0d788235f39c3af9e", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "c9796ba7f7632bf06d3391c3bfde27304b6ae12a", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "a2767e8c50063a9ef308a9526bb732e638c3480d", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/a2767e8c50063a9ef308a9526bb732e638c3480d" + }, + { + "reference_id": "6d0c39fd7e9db860b47585d87b8072d6117b197f", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/6d0c39fd7e9db860b47585d87b8072d6117b197f" + }, + { + 
"reference_id": "68cfcd6446bc44eda37456f0d788235f39c3af9e", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/68cfcd6446bc44eda37456f0d788235f39c3af9e" + }, + { + "reference_id": "c9796ba7f7632bf06d3391c3bfde27304b6ae12a", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/c9796ba7f7632bf06d3391c3bfde27304b6ae12a" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2020-9445", + "aliases": [], + "summary": "e3a4aeeffa17d6e001586d11f8c714f9c690e1b1:CVE-2020-9445: Remove unused and insecure modal_link feature.\n\nZulip's modal_link markdown feature has not been used since 2017; it\nwas a hack used for a 2013-era tutorial feature and was never used\noutside that use case.\n\nUnfortunately, it's sloppy implementation was exposed in the markdown\nprocessor for all users, not just the tutorial use case.\n\nMore importantly, it was buggy, in that it did not validate the link\nusing the standard validation approach used by our other code\ninteracting with links.\n\nThe right solution is simply to remove it.\nb21117954d439472cd57d663f9b886ab873a24ec:CVE-2020-9445: Remove unused and insecure modal_link feature.\n\nZulip's modal_link markdown feature has not been used since 2017; it\nwas a hack used for a 2013-era tutorial feature and was never used\noutside that use case.\n\nUnfortunately, it's sloppy implementation was exposed in the markdown\nprocessor for all users, not just the tutorial use case.\n\nMore importantly, it was buggy, in that it did not validate the link\nusing the standard validation approach used by our other code\ninteracting with links.\n\nThe right solution is simply to remove it.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + 
"fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "e3a4aeeffa17d6e001586d11f8c714f9c690e1b1", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "b21117954d439472cd57d663f9b886ab873a24ec", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "e3a4aeeffa17d6e001586d11f8c714f9c690e1b1", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/e3a4aeeffa17d6e001586d11f8c714f9c690e1b1" + }, + { + "reference_id": "b21117954d439472cd57d663f9b886ab873a24ec", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/b21117954d439472cd57d663f9b886ab873a24ec" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2021-30477", + "aliases": [], + "summary": "4235be759db5e0678ceac88ec19f2b8f8482214a:CVE-2021-30477: Prevent outgoing webhook bots from sending arbitrary messages to any stream.\n\nA bug in the implementation of replies to messages sent by outgoing\nwebhooks to private streams meant that an outgoing webhook bot could be\nused to send messages to private streams that the user was not intended\nto be able to send messages to.\n\nCompletely skipping stream access check in check_message whenever the\nsender is an outgoing webhook bot is insecure, as it might allow someone\nwith access to the bot's API key to send arbitrary messages to all\nstreams in the organization. 
The check is only meant to be bypassed in\nsend_response_message, where the stream message is only being sent\nbecause someone mentioned the bot in that stream (and thus the bot\nposting there is the desired outcome). We get much better control over\nwhat's going by passing an explicit argument to check_message when\nskipping the access check is desirable.\nba403e0bffa6899c5527f139ef03e7ea5c829087:CVE-2021-30477: Prevent outgoing webhook bots from sending arbitrary messages to any stream.\n\nA bug in the implementation of replies to messages sent by outgoing\nwebhooks to private streams meant that an outgoing webhook bot could be\nused to send messages to private streams that the user was not intended\nto be able to send messages to.\n\nCompletely skipping stream access check in check_message whenever the\nsender is an outgoing webhook bot is insecure, as it might allow someone\nwith access to the bot's API key to send arbitrary messages to all\nstreams in the organization. The check is only meant to be bypassed in\nsend_response_message, where the stream message is only being sent\nbecause someone mentioned the bot in that stream (and thus the bot\nposting there is the desired outcome). 
We get much better control over\nwhat's going by passing an explicit argument to check_message when\nskipping the access check is desirable.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "4235be759db5e0678ceac88ec19f2b8f8482214a", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "ba403e0bffa6899c5527f139ef03e7ea5c829087", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "4235be759db5e0678ceac88ec19f2b8f8482214a", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/4235be759db5e0678ceac88ec19f2b8f8482214a" + }, + { + "reference_id": "ba403e0bffa6899c5527f139ef03e7ea5c829087", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/ba403e0bffa6899c5527f139ef03e7ea5c829087" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2021-30478", + "aliases": [], + "summary": "6e11754642a59d83d7a575b78e6c3e988d3b6c93:CVE-2021-30478: Prevent API super users from forging messages to other organizations.\n\nA bug in the implementation of the can_forge_sender permission\n(previously is_api_super_user) resulted in users with this permission\nbeing able to send messages appearing as if sent by a system 
bots,\nincluding to other organizations hosted by the same Zulip installation.\n\n- The send message API had a bug allowing an api super user to\n use forging to send messages to other realms' streams, as a\n cross-realm bot. We fix this most directly by eliminating the\n realm_str parameter - it is not necessary for any valid current use\n case. The email gateway doesn't use this API despite the comment in\n that block suggesting otherwise.\n- The conditionals inside access_stream_for_send_message are changed up\n to improve security. They were generally not ordered very well,\n allowing the function to successfully return due to very weak\n acceptance conditions - skipping the higher importance checks that\n should lead to raising an error.\n- The query count in test_subs is decreased because\n access_stream_for_send_message returns earlier when doing its check\n for a cross-realm bot sender - some subscription checking queries are\n skipped.\n- A linkifier test in test_message_dict needs to be changed. It didn't\n make much sense in the first place, because it was creating a message\n by a normal user, to a stream outside of the user's realm. That\n shouldn't even be allowed.\na771f4ef22a1e53988a35d166bf5cb30e5891775:CVE-2021-30478: Prevent API super users from forging messages to other organizations.\n\nA bug in the implementation of the can_forge_sender permission\n(previously is_api_super_user) resulted in users with this permission\nbeing able to send messages appearing as if sent by a system bots,\nincluding to other organizations hosted by the same Zulip installation.\n\n- The send message API had a bug allowing an api super user to\n use forging to send messages to other realms' streams, as a\n cross-realm bot. We fix this most directly by eliminating the\n realm_str parameter - it is not necessary for any valid current use\n case. 
The email gateway doesn't use this API despite the comment in\n that block suggesting otherwise.\n- The conditionals inside access_stream_for_send_message are changed up\n to improve security. They were generally not ordered very well,\n allowing the function to successfully return due to very weak\n acceptance conditions - skipping the higher importance checks that\n should lead to raising an error.\n- The query count in test_subs is decreased because\n access_stream_for_send_message returns earlier when doing its check\n for a cross-realm bot sender - some subscription checking queries are\n skipped.\n- A linkifier test in test_message_dict needs to be changed. It didn't\n make much sense in the first place, because it was creating a message\n by a normal user, to a stream outside of the user's realm. That\n shouldn't even be allowed.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "6e11754642a59d83d7a575b78e6c3e988d3b6c93", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "a771f4ef22a1e53988a35d166bf5cb30e5891775", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "6e11754642a59d83d7a575b78e6c3e988d3b6c93", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/6e11754642a59d83d7a575b78e6c3e988d3b6c93" + }, + { + 
"reference_id": "a771f4ef22a1e53988a35d166bf5cb30e5891775", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/a771f4ef22a1e53988a35d166bf5cb30e5891775" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2021-30479", + "aliases": [], + "summary": "140655d69e1dd7fa6c6a242a19740106d18ebdf5:CVE-2021-30479: Prevent guest user access to all_public_streams API.\n\nA bug in the implementation of the all_public_streams API feature\nresulted in guest users being able to receive message traffic to public\nstreams that should have been only accessible to members of the\norganization.\n3215f70f4cd1876078a67001996451f2d16bb609:CVE-2021-30479: Prevent guest user access to all_public_streams API.\n\nA bug in the implementation of the all_public_streams API feature\nresulted in guest users being able to receive message traffic to public\nstreams that should have been only accessible to members of the\norganization.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "140655d69e1dd7fa6c6a242a19740106d18ebdf5", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "3215f70f4cd1876078a67001996451f2d16bb609", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + 
"reference_id": "140655d69e1dd7fa6c6a242a19740106d18ebdf5", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/140655d69e1dd7fa6c6a242a19740106d18ebdf5" + }, + { + "reference_id": "3215f70f4cd1876078a67001996451f2d16bb609", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/3215f70f4cd1876078a67001996451f2d16bb609" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2021-30487", + "aliases": [], + "summary": "3ba8348c51f09d823096228fae223bffc054efd5:CVE-2021-30487: Prevent admins from moving topics to disallowed streams.\n\nA bug in the implementation of the topic moving API resulted in\norganization administrators being able to move messages to streams they\nshouldn't be allowed to - private streams they weren't subscribed to and\nstreams in other organization hosted by the same Zulip installation.\n\nIn our current model realm admins can't send messages to private streams\nthey're not subscribed to - and being able move messages to a\nstream effectively allows to send messages to that stream and thus the\ntwo need to be consistent.\n0101877f95d2ff542ec5fb6e07b60a090faa2d52:CVE-2021-30487: Prevent admins from moving topics to disallowed streams.\n\nA bug in the implementation of the topic moving API resulted in\norganization administrators being able to move messages to streams\nin other organization hosted by the same Zulip installation.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "3ba8348c51f09d823096228fae223bffc054efd5", + "patch_text": null, + "patch_checksum": null + } + ] + }, 
+ { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "0101877f95d2ff542ec5fb6e07b60a090faa2d52", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "3ba8348c51f09d823096228fae223bffc054efd5", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/3ba8348c51f09d823096228fae223bffc054efd5" + }, + { + "reference_id": "0101877f95d2ff542ec5fb6e07b60a090faa2d52", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/0101877f95d2ff542ec5fb6e07b60a090faa2d52" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2021-3853", + "aliases": [], + "summary": "3eb2791c3e9695f7d37ffe84e0c2184fae665cb6:CVE-2021-3853: Fix HTML escaping in recipient_row.\n\nCommit 44f935695d452cc3fb16845a0c6af710438b153d (#20462) incorrectly\nadded these extra braces while intending to add whitespace control.\nThis triple-brace syntax was asking Handlebars to skip escaping the\nstring.\n\nSigned-off-by: Anders Kaseorg ", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "3eb2791c3e9695f7d37ffe84e0c2184fae665cb6", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "3eb2791c3e9695f7d37ffe84e0c2184fae665cb6", + "reference_type": "commit", + "url": 
"https://github.com/zulip/zulip/commit/3eb2791c3e9695f7d37ffe84e0c2184fae665cb6" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2021-3967", + "aliases": [], + "summary": "d5db254ca8167995a1654d1c45ffc74b2fade39a:CVE-2021-3967: Only regenerate the API key by authing with the old key.\n974c98a45ac78dc8cd9e6b5cefe4d7e32fcdf981:CVE-2021-3967: Only regenerate the API key by authing with the old key.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "d5db254ca8167995a1654d1c45ffc74b2fade39a", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "974c98a45ac78dc8cd9e6b5cefe4d7e32fcdf981", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "d5db254ca8167995a1654d1c45ffc74b2fade39a", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/d5db254ca8167995a1654d1c45ffc74b2fade39a" + }, + { + "reference_id": "974c98a45ac78dc8cd9e6b5cefe4d7e32fcdf981", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/974c98a45ac78dc8cd9e6b5cefe4d7e32fcdf981" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": 
"CVE-2021-41115", + "aliases": [], + "summary": "db934be0646e3002287c72ba2154a904a4dc42b5:CVE-2021-41115: Use re2 for user-supplied linkifier patterns.\n\nZulip attempts to validate that the regular expressions that admins\nenter for linkifiers are well-formatted, and only contain a specific\nsubset of regex grammar. The process of checking these\nproperties (via a regex!) can cause denial-of-service via\nbacktracking.\n\nFurthermore, this validation itself does not prevent the creation of\nlinkifiers which themselves cause denial-of-service when they are\nexecuted. As the validator accepts literally anything inside of a\n`(?P...)` block, any quadratic backtracking expression can be\nhidden therein.\n\nSwitch user-provided linkifier patterns to be matched in the Markdown\nprocessor by the `re2` library, which is guaranteed constant-time.\nThis somewhat limits the possible features of the regular\nexpression (notably, look-head and -behind, and back-references);\nhowever, these features had never been advertised as working in the\ncontext of linkifiers.\n\nA migration removes any existing linkifiers which would not function\nunder re2, after printing them for posterity during the upgrade; they\nare unlikely to be common, and are impossible to fix automatically.\n\nThe denial-of-service in the linkifier validator was discovered by\n@erik-krogh and @yoff, as GHSL-2021-118.\ne2d303c1bb5f538d17dc3d9134bc8858bdece781:CVE-2021-41115: Use re2 for user-supplied linkifier patterns.\n\nZulip attempts to validate that the regular expressions that admins\nenter for linkifiers are well-formatted, and only contain a specific\nsubset of regex grammar. The process of checking these\nproperties (via a regex!) can cause denial-of-service via\nbacktracking.\n\nFurthermore, this validation itself does not prevent the creation of\nlinkifiers which themselves cause denial-of-service when they are\nexecuted. 
As the validator accepts literally anything inside of a\n`(?P...)` block, any quadratic backtracking expression can be\nhidden therein.\n\nSwitch user-provided linkifier patterns to be matched in the Markdown\nprocessor by the `re2` library, which is guaranteed constant-time.\nThis somewhat limits the possible features of the regular\nexpression (notably, look-head and -behind, and back-references);\nhowever, these features had never been advertised as working in the\ncontext of linkifiers.\n\nA migration removes any existing linkifiers which would not function\nunder re2, after printing them for posterity during the upgrade; they\nare unlikely to be common, and are impossible to fix automatically.\n\nThe denial-of-service in the linkifier validator was discovered by\n@erik-krogh and @yoff, as GHSL-2021-118.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "db934be0646e3002287c72ba2154a904a4dc42b5", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "e2d303c1bb5f538d17dc3d9134bc8858bdece781", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "db934be0646e3002287c72ba2154a904a4dc42b5", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/db934be0646e3002287c72ba2154a904a4dc42b5" + }, + { + "reference_id": 
"e2d303c1bb5f538d17dc3d9134bc8858bdece781", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/e2d303c1bb5f538d17dc3d9134bc8858bdece781" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2021-43791", + "aliases": [], + "summary": "a014ef75a3a0ed7f24ebb157632ba58751e732c6:CVE-2021-43791: Validate confirmation keys in /accounts/register/ codepath.\n\nA confirmation link takes a user to the check_prereg_key_and_redirect\nendpoint, before getting redirected to POST to /accounts/register/. The\nproblem was that validation was happening in the check_prereg_key_and_redirect\npart and not in /accounts/register/ - meaning that one could submit an\nexpired confirmation key and be able to register.\n\nWe fix this by moving validation into /accouts/register/.\n551b38716479ccfc4e6a833e609c12a7bbef46de:CVE-2021-43791: Validate confirmation keys in /accounts/register/ codepath.\n\nA confirmation link takes a user to the check_prereg_key_and_redirect\nendpoint, before getting redirected to POST to /accounts/register/. 
The\nproblem was that validation was happening in the check_prereg_key_and_redirect\npart and not in /accounts/register/ - meaning that one could submit an\nexpired confirmation key and be able to register.\n\nWe fix this by moving validation into /accouts/register/.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "a014ef75a3a0ed7f24ebb157632ba58751e732c6", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "551b38716479ccfc4e6a833e609c12a7bbef46de", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "a014ef75a3a0ed7f24ebb157632ba58751e732c6", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/a014ef75a3a0ed7f24ebb157632ba58751e732c6" + }, + { + "reference_id": "551b38716479ccfc4e6a833e609c12a7bbef46de", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/551b38716479ccfc4e6a833e609c12a7bbef46de" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2021-43798", + "aliases": [], + "summary": "3eae429ab4b573c7712e86687d03f00a4cad755b:puppet: Upgrade Grafana to 8.3.1, for CVE-2021-43798.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + 
"version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "3eae429ab4b573c7712e86687d03f00a4cad755b", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "3eae429ab4b573c7712e86687d03f00a4cad755b", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/3eae429ab4b573c7712e86687d03f00a4cad755b" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2021-43799", + "aliases": [], + "summary": "a5496f4098e3998c9b84e8dc564aa983d6cdf6e8:CVE-2021-43799: Set a secure Erlang cookie.\n\nThe RabbitMQ docs state ([1]):\n\n RabbitMQ nodes and CLI tools (e.g. rabbitmqctl) use a cookie to\n determine whether they are allowed to communicate with each\n other. [...] The cookie is just a string of alphanumeric\n characters up to 255 characters in size. It is usually stored in a\n local file.\n\n...and goes on to state (emphasis ours):\n\n If the file does not exist, Erlang VM will try to create one with\n a randomly generated value when the RabbitMQ server starts\n up. Using such generated cookie files are **appropriate in\n development environments only.**\n\nThe auto-generated cookie does not use cryptographic sources of\nrandomness, and generates 20 characters of `[A-Z]`. 
Because of a\nsemi-predictable seed, the entropy of this password is thus less than\nthe idealized 26^20 = 94 bits of entropy; in actuality, it is 36 bits\nof entropy, or potentially as low as 20 if the performance of the\nserver is known.\n\nThese sizes are well within the scope of remote brute-force attacks.\n\nOn provision, install, and upgrade, replace the default insecure\n20-character Erlang cookie with a cryptographically secure\n255-character string (the max length allowed).\n\n[1] https://www.rabbitmq.com/clustering.html#erlang-cookie\ne70588385712e6693a5ebebbdf149205e9f8f842:CVE-2021-43799: During upgrades, restart rabbitmq if necessary.\n\nCheck if it is listening on a public interface on port 25672, and if\nso shut it down so it can pick up the new configuration.\na46f6df91e65ebe9e01237c6777a24459c49cb37:CVE-2021-43799: Write rabbitmq configuration before starting.\n\nZulip writes a `rabbitmq.config` configuration file which locks down\nRabbitMQ to listen only on localhost:5672, as well as the RabbitMQ\ndistribution port, on localhost:25672.\n\nThe \"distribution port\" is part of Erlang's clustering configuration;\nwhile it is documented that the protocol is fundamentally\ninsecure ([1], [2]) and can result in remote arbitrary execution of\ncode, by default the RabbitMQ configuration on Debian and Ubuntu\nleaves it publicly accessible, with weak credentials.\n\nThe configuration file that Zulip writes, while effective, is only\nwritten _after_ the package has been installed and the service\nstarted, which leaves the port exposed until RabbitMQ or system\nrestart.\n\nEnsure that rabbitmq's `/etc/rabbitmq/rabbitmq.config` is written\nbefore rabbitmq is installed or starts, and that changes to that file\ntrigger a restart of the service, such that the ports are only ever\nbound to localhost. 
This does not mitigate existing installs, since\nit does not force a rabbitmq restart.\n\n[1] https://www.erlang.org/doc/apps/erts/erl_dist_protocol.html\n[2] https://www.erlang.org/doc/reference_manual/distributed.html#distributed-erlang-system\nc27324927e95f0f3ecdcec9c6b6e4d795475d538:CVE-2021-43799: Set a secure Erlang cookie.\n\nThe RabbitMQ docs state ([1]):\n\n RabbitMQ nodes and CLI tools (e.g. rabbitmqctl) use a cookie to\n determine whether they are allowed to communicate with each\n other. [...] The cookie is just a string of alphanumeric\n characters up to 255 characters in size. It is usually stored in a\n local file.\n\n...and goes on to state (emphasis ours):\n\n If the file does not exist, Erlang VM will try to create one with\n a randomly generated value when the RabbitMQ server starts\n up. Using such generated cookie files are **appropriate in\n development environments only.**\n\nThe auto-generated cookie does not use cryptographic sources of\nrandomness, and generates 20 characters of `[A-Z]`. 
Because of a\nsemi-predictable seed, the entropy of this password is thus less than\nthe idealized 26^20 = 94 bits of entropy; in actuality, it is 36 bits\nof entropy, or potentially as low as 20 if the performance of the\nserver is known.\n\nThese sizes are well within the scope of remote brute-force attacks.\n\nOn provision, install, and upgrade, replace the default insecure\n20-character Erlang cookie with a cryptographically secure\n255-character string (the max length allowed).\n\n[1] https://www.rabbitmq.com/clustering.html#erlang-cookie\n36cebad4c0df355c245821b72c5bfe7b0b095087:CVE-2021-43799: During upgrades, restart rabbitmq if necessary.\n\nCheck if it is listening on a public interface on port 25672, and if\nso shut it down so it can pick up the new configuration.\n134a8d43014ad96a5d7f11170046abb5b99dc0a1:CVE-2021-43799: Write rabbitmq configuration before starting.\n\nZulip writes a `rabbitmq.config` configuration file which locks down\nRabbitMQ to listen only on localhost:5672, as well as the RabbitMQ\ndistribution port, on localhost:25672.\n\nThe \"distribution port\" is part of Erlang's clustering configuration;\nwhile it is documented that the protocol is fundamentally\ninsecure ([1], [2]) and can result in remote arbitrary execution of\ncode, by default the RabbitMQ configuration on Debian and Ubuntu\nleaves it publicly accessible, with weak credentials.\n\nThe configuration file that Zulip writes, while effective, is only\nwritten _after_ the package has been installed and the service\nstarted, which leaves the port exposed until RabbitMQ or system\nrestart.\n\nEnsure that rabbitmq's `/etc/rabbitmq/rabbitmq.config` is written\nbefore rabbitmq is installed or starts, and that changes to that file\ntrigger a restart of the service, such that the ports are only ever\nbound to localhost. 
This does not mitigate existing installs, since\nit does not force a rabbitmq restart.\n\n[1] https://www.erlang.org/doc/apps/erts/erl_dist_protocol.html\n[2] https://www.erlang.org/doc/reference_manual/distributed.html#distributed-erlang-system", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "a5496f4098e3998c9b84e8dc564aa983d6cdf6e8", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "e70588385712e6693a5ebebbdf149205e9f8f842", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "a46f6df91e65ebe9e01237c6777a24459c49cb37", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "c27324927e95f0f3ecdcec9c6b6e4d795475d538", + 
"patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "36cebad4c0df355c245821b72c5bfe7b0b095087", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "134a8d43014ad96a5d7f11170046abb5b99dc0a1", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "a5496f4098e3998c9b84e8dc564aa983d6cdf6e8", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/a5496f4098e3998c9b84e8dc564aa983d6cdf6e8" + }, + { + "reference_id": "e70588385712e6693a5ebebbdf149205e9f8f842", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/e70588385712e6693a5ebebbdf149205e9f8f842" + }, + { + "reference_id": "a46f6df91e65ebe9e01237c6777a24459c49cb37", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/a46f6df91e65ebe9e01237c6777a24459c49cb37" + }, + { + "reference_id": "c27324927e95f0f3ecdcec9c6b6e4d795475d538", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/c27324927e95f0f3ecdcec9c6b6e4d795475d538" + }, + { + "reference_id": "36cebad4c0df355c245821b72c5bfe7b0b095087", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/36cebad4c0df355c245821b72c5bfe7b0b095087" + }, + { + "reference_id": "134a8d43014ad96a5d7f11170046abb5b99dc0a1", + 
"reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/134a8d43014ad96a5d7f11170046abb5b99dc0a1" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2021-43813", + "aliases": [], + "summary": "e4b23daad7601d0c7efc4c59cf68675914228e61:puppet: Upgrade to Grafana 8.3.2, for CVE-2021-43813.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "e4b23daad7601d0c7efc4c59cf68675914228e61", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "e4b23daad7601d0c7efc4c59cf68675914228e61", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/e4b23daad7601d0c7efc4c59cf68675914228e61" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2022-21706", + "aliases": [], + "summary": "88917019f03860609114082cdc0f31a561503f9e:CVE-2022-21706: Prevent use of multiuse invites to join other orgs.\n\nThe codepaths for joining an organization via a multi-use invitation\n(accounts_home_from_multiuse_invite and maybe_send_to_registration)\nweren't validating whether\nthe organization the invite was generated for matches the organization\nthe user attempts to join - potentially allowing an attacker with access\nto organization A to generate a multi-use invite and use it to join\norganization B within the same deployment, that they shouldn't have\naccess to.\n7e991c8c7e59291296fecd3fa38e32d011249952:CVE-2022-21706: Prevent use of multiuse invites to join other orgs.\n\nThe 
codepaths for joining an organization via a multi-use invitation\n(accounts_home_from_multiuse_invite and maybe_send_to_registration)\nweren't validating whether\nthe organization the invite was generated for matches the organization\nthe user attempts to join - potentially allowing an attacker with access\nto organization A to generate a multi-use invite and use it to join\norganization B within the same deployment, that they shouldn't have\naccess to.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "88917019f03860609114082cdc0f31a561503f9e", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "7e991c8c7e59291296fecd3fa38e32d011249952", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "88917019f03860609114082cdc0f31a561503f9e", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/88917019f03860609114082cdc0f31a561503f9e" + }, + { + "reference_id": "7e991c8c7e59291296fecd3fa38e32d011249952", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/7e991c8c7e59291296fecd3fa38e32d011249952" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2022-23656", + "aliases": [], + "summary": 
"e090027adcbf62737d5b1f83a9618a9500a49321:CVE-2022-23656: Fix cross-site scripting vulnerability in tooltips.\n\nAn attacker could maliciously craft a full name for their account and\nsend messages to a topic with several participants; a victim who then\nopens an overflow tooltip including this full name on the recent\ntopics page could trigger execution of JavaScript code controlled by\nthe attacker.\n\nSigned-off-by: Anders Kaseorg ", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "e090027adcbf62737d5b1f83a9618a9500a49321", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "e090027adcbf62737d5b1f83a9618a9500a49321", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/e090027adcbf62737d5b1f83a9618a9500a49321" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2022-24751", + "aliases": [], + "summary": "62ba8e455d8f460001d9fb486a6dabfd1ed67717:CVE-2022-24751: Clear sessions outside of the transaction.\n\nClearing the sessions inside the transaction makes Zulip vulnerable to\na narrow window where the deleted session has not yet been committed,\nbut has been removed from the memcached cache. During this window, a\nrequest with the session-id which has just been deleted can\nsuccessfully re-fill the memcached cache, as the in-database delete is\nnot yet committed, and thus not yet visible. 
After the delete\ntransaction commits, the cache will be left with a cached session,\nwhich allows further site access until it expires (after\nSESSION_COOKIE_AGE seconds), is ejected from the cache due to memory\npressure, or the server is upgraded.\n\nMove the session deletion outside of the transaction.\n\nBecause the testsuite runs inside of a transaction, it is impossible\nto test this is CI; the testsuite uses the non-caching\n`django.contrib.sessions.backends.db` backend, regardless. The test\nadded in this commit thus does not fail before this commit; it is\nmerely a base expression that the session should be deleted somehow,\nand does not exercise the assert added in the previous commit.\ne6eace307ef435eec3395c99247155efed9219e4:CVE-2022-24751: Clear sessions outside of the transaction.\n\nClearing the sessions inside the transaction makes Zulip vulnerable to\na narrow window where the deleted session has not yet been committed,\nbut has been removed from the memcached cache. During this window, a\nrequest with the session-id which has just been deleted can\nsuccessfully re-fill the memcached cache, as the in-database delete is\nnot yet committed, and thus not yet visible. After the delete\ntransaction commits, the cache will be left with a cached session,\nwhich allows further site access until it expires (after\nSESSION_COOKIE_AGE seconds), is ejected from the cache due to memory\npressure, or the server is upgraded.\n\nMove the session deletion outside of the transaction.\n\nBecause the testsuite runs inside of a transaction, it is impossible\nto test this is CI; the testsuite uses the non-caching\n`django.contrib.sessions.backends.db` backend, regardless. 
The test\nadded in this commit thus does not fail before this commit; it is\nmerely a base expression that the session should be deleted somehow,\nand does not exercise the assert added in the previous commit.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "62ba8e455d8f460001d9fb486a6dabfd1ed67717", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "e6eace307ef435eec3395c99247155efed9219e4", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "62ba8e455d8f460001d9fb486a6dabfd1ed67717", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/62ba8e455d8f460001d9fb486a6dabfd1ed67717" + }, + { + "reference_id": "e6eace307ef435eec3395c99247155efed9219e4", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/e6eace307ef435eec3395c99247155efed9219e4" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2022-29170", + "aliases": [], + "summary": "4a5e5307435db9dd7024d4cc8b15727d27d1b772:puppet: Upgrade Grafana to 8.5.3, for CVE-2022-29170.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + 
"affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "4a5e5307435db9dd7024d4cc8b15727d27d1b772", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "4a5e5307435db9dd7024d4cc8b15727d27d1b772", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/4a5e5307435db9dd7024d4cc8b15727d27d1b772" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2022-31017", + "aliases": [], + "summary": "20f9293f1f5a95c17ba82cfcd24dc182475d66a8:CVE-2022-31017: Fix edit event exposure in protected-history streams.\n\nWhen editing an old message in a private stream with protected\nhistory, the server would incorrectly send an API event including the\nedited message to all of the stream\u2019s current subscribers, including\nthose who should not have access to the old message. This API event is\nignored by official clients, so it could only be observed by a user\nusing a modified client or their browser\u2019s developer tools.\n\nSigned-off-by: Anders Kaseorg \nb031537fe98525b22152bfa04a18734ad08c5362:CVE-2022-31017: Fix edit event exposure in protected-history streams.\n\nWhen editing an old message in a private stream with protected\nhistory, the server would incorrectly send an API event including the\nedited message to all of the stream\u2019s current subscribers, including\nthose who should not have access to the old message. 
This API event is\nignored by official clients, so it could only be observed by a user\nusing a modified client or their browser\u2019s developer tools.\n\nSigned-off-by: Anders Kaseorg ", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "20f9293f1f5a95c17ba82cfcd24dc182475d66a8", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "b031537fe98525b22152bfa04a18734ad08c5362", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "20f9293f1f5a95c17ba82cfcd24dc182475d66a8", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/20f9293f1f5a95c17ba82cfcd24dc182475d66a8" + }, + { + "reference_id": "b031537fe98525b22152bfa04a18734ad08c5362", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/b031537fe98525b22152bfa04a18734ad08c5362" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2022-31134", + "aliases": [], + "summary": "b35268e6bb9e07ef55e0a266280960930049c10a:CVE-2022-31134: Exclude private attachments from realm exports.\n\nZulip Server 2.1.0 and above have a UI tool, accessible only to server\nowners and server administrators, which provides a way to download a\n\u201cpublic data\u201d export. 
While this export tool is only accessible to\nadministrators, in many configurations server administrators are not\nexpected to have access to private messages and private\nstreams. However, the \u201cpublic data\u201d export which administrators could\ngenerate contained the attachment contents for all attachments, even\nthose from private messages and streams.\n\nSigned-off-by: Anders Kaseorg \nc6a590328014c9a25d88ca7789f5f657a21a52ac:CVE-2022-31134: Exclude private attachments from realm exports.\n\nZulip Server 2.1.0 and above have a UI tool, accessible only to server\nowners and server administrators, which provides a way to download a\n\u201cpublic data\u201d export. While this export tool is only accessible to\nadministrators, in many configurations server administrators are not\nexpected to have access to private messages and private\nstreams. However, the \u201cpublic data\u201d export which administrators could\ngenerate contained the attachment contents for all attachments, even\nthose from private messages and streams.\n\nSigned-off-by: Anders Kaseorg ", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "b35268e6bb9e07ef55e0a266280960930049c10a", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "c6a590328014c9a25d88ca7789f5f657a21a52ac", + "patch_text": null, + "patch_checksum": null + } + ] + } 
+ ], + "references": [ + { + "reference_id": "b35268e6bb9e07ef55e0a266280960930049c10a", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/b35268e6bb9e07ef55e0a266280960930049c10a" + }, + { + "reference_id": "c6a590328014c9a25d88ca7789f5f657a21a52ac", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/c6a590328014c9a25d88ca7789f5f657a21a52ac" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2022-31168", + "aliases": [], + "summary": "751b2a03e565e9eb02ffe923b7c24ac73d604034:CVE-2022-31168: Fix authorization check for changing bot roles.\n\nDue to an incorrect authorization check in Zulip Server 5.4 and\nearlier, a member of an organization could craft an API call that\ngrants organization administrator privileges to one of their bots.\n\nSigned-off-by: Anders Kaseorg \nc9f6830ba6d30f01606d9876d239c77b702b8c38:CVE-2022-31168: Fix authorization check for changing bot roles.\n\nDue to an incorrect authorization check in Zulip Server 5.4 and\nearlier, a member of an organization could craft an API call that\ngrants organization administrator privileges to one of their bots.\n\nSigned-off-by: Anders Kaseorg ", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "751b2a03e565e9eb02ffe923b7c24ac73d604034", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + 
"introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "c9f6830ba6d30f01606d9876d239c77b702b8c38", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "751b2a03e565e9eb02ffe923b7c24ac73d604034", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/751b2a03e565e9eb02ffe923b7c24ac73d604034" + }, + { + "reference_id": "c9f6830ba6d30f01606d9876d239c77b702b8c38", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/c9f6830ba6d30f01606d9876d239c77b702b8c38" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2022-36048", + "aliases": [], + "summary": "4a61e36def4ae7349dc7b39f2a9848505389cf6a:CVE-2022-36048: Rewrite only specific local links to relative.\n\nDue to mismatches between the URL parsers in Python and browsers, it\nwas possible to hoodwink rewrite_local_links_to_relative into\ngenerating links that browsers would interpret as absolute.\n\nSigned-off-by: Anders Kaseorg \nb12a5be4a09d46653b062bea35a52433778a8a43:CVE-2022-36048: Rewrite only specific local links to relative.\n\nDue to mismatches between the URL parsers in Python and browsers, it\nwas possible to hoodwink rewrite_local_links_to_relative into\ngenerating links that browsers would interpret as absolute.\n\nSigned-off-by: Anders Kaseorg ", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "4a61e36def4ae7349dc7b39f2a9848505389cf6a", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + 
"package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "b12a5be4a09d46653b062bea35a52433778a8a43", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "4a61e36def4ae7349dc7b39f2a9848505389cf6a", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/4a61e36def4ae7349dc7b39f2a9848505389cf6a" + }, + { + "reference_id": "b12a5be4a09d46653b062bea35a52433778a8a43", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/b12a5be4a09d46653b062bea35a52433778a8a43" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2023-22735", + "aliases": [], + "summary": "2f6c5a883e106aa82a570d3d1f243993284b70f3:CVE-2023-22735: Provide the Content-Disposition header from S3.\n\nThe Content-Type of user-provided uploads was provided by the browser\nat initial upload time, and stored in S3; however, 04cf68b45ebb\nswitched to determining the Content-Disposition merely from the\nfilename. This makes uploads vulnerable to a stored XSS, wherein a\nfile uploaded with a content-type of `text/html` and an extension of\n`.png` would be served to browsers as `Content-Disposition: inline`,\nwhich is unsafe.\n\nThe `Content-Security-Policy` headers in the previous commit mitigate\nthis, but only for browsers which support them.\n\nRevert parts of 04cf68b45ebb, specifically by allowing S3 to provide\nthe Content-Disposition header, and using the\n`ResponseContentDisposition` argument when necessary to override it to\n`attachment`. 
Because we expect S3 responses to vary based on this\nargument, we include it in the cache key; since the query parameter\nhas dashes in it, we can't use use the helper `$arg_` variables, and\nmust parse it from the query parameters manually.\n\nAdding the disposition may decrease the cache hit rate somewhat, but\ndownloads are infrequent enough that it is unlikely to have a\nnoticeable effect. We take care to not adjust the cache key for\nrequests which do not specify the disposition.\n36e97f8121a19a7955e666d24a80ea2cf3d0b75a:CVE-2023-22735: Set a Content-Security-Policy header on proxied S3 data.\n\nThis was missed in 04cf68b45ebb5c03247a0d6453e35ffc175d55da; as this\ncontent is fundamentally untrusted, it must be served with\n`Content-Security-Policy` headers in order to be safe. These headers\nwere not provided previously for S3 content because it was served from\nthe S3 domain.\n\nThis mitigates content served from Zulip which could be a stored XSS,\nbut only in browsers which support Content-Security-Policy headers;\nsee subsequent commit for the complete solution.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "2f6c5a883e106aa82a570d3d1f243993284b70f3", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "36e97f8121a19a7955e666d24a80ea2cf3d0b75a", + "patch_text": null, + "patch_checksum": null + } + 
] + } + ], + "references": [ + { + "reference_id": "2f6c5a883e106aa82a570d3d1f243993284b70f3", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/2f6c5a883e106aa82a570d3d1f243993284b70f3" + }, + { + "reference_id": "36e97f8121a19a7955e666d24a80ea2cf3d0b75a", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/36e97f8121a19a7955e666d24a80ea2cf3d0b75a" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2023-28623", + "aliases": [], + "summary": "a23b077b79cae11757fb97f8d4e174af153c7104:CVE-2023-28623: Prevent unauthorized signup with ldap + external auth.\n\nSince 74dd21c8fa13 in Zulip Server 2.1.0, if:\n- ZulipLDAPAuthBackend and an external authentication backend (any aside\n of ZulipLDAPAuthBackend and EmailAuthBackend) are the only ones\n enabled in AUTHENTICATION_BACKENDS in /etc/zulip/settings.py\n- The organization permissions don't require invitations to join\n\n...then an attacker can create a new account in the organization with\nan arbitrary email address in their control that's not in the\norganization's LDAP directory.\n\nThe impact is limited to installations which have the specific\ncombination of authentication backends described above, in addition to\nhaving the \"Invitations are required for joining this organization\norganization\" permission disabled.\n3df1b4dd7c210c21deb6f829df19412b74573f8d:CVE-2023-28623: Prevent unauthorized signup with ldap + external auth.\n\nSince 74dd21c8fa13 in Zulip Server 2.1.0, if:\n- ZulipLDAPAuthBackend and an external authentication backend (any aside\n of ZulipLDAPAuthBackend and EmailAuthBackend) are the only ones\n enabled in AUTHENTICATION_BACKENDS in /etc/zulip/settings.py\n- The organization permissions don't require invitations to join\n\n...then an attacker can create a new account in the organization with\nan arbitrary email address in their 
control that's not in the\norganization's LDAP directory.\n\nThe impact is limited to installations which have the specific\ncombination of authentication backends described above, in addition to\nhaving the \"Invitations are required for joining this organization\norganization\" permission disabled.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "a23b077b79cae11757fb97f8d4e174af153c7104", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "3df1b4dd7c210c21deb6f829df19412b74573f8d", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "a23b077b79cae11757fb97f8d4e174af153c7104", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/a23b077b79cae11757fb97f8d4e174af153c7104" + }, + { + "reference_id": "3df1b4dd7c210c21deb6f829df19412b74573f8d", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/3df1b4dd7c210c21deb6f829df19412b74573f8d" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2023-32677", + "aliases": [], + "summary": "4c4caa7be46aaed9c6c355307ab38ae99cf1c6d9:CVE-2023-32677: Check permission to subscribe other users in invites.\n\nThis commit updates the API to check the permission to 
subscribe other\nusers while inviting. The API will error if the user passes the\n\"stream_ids\" parameter (even when it contains only default streams)\nand the calling user does not having permission to subscribe others to\nstreams.\n\nFor users who do not have permission to subscribe others, the\ninvitee will be subscribed to default streams at the time of\naccepting the invite.\n\nThere is no change for multiuse invites, since only admins are allowed\nto send them, and admins always have the permission to subscribe\nothers to streams.\n7c2693a2c64904d1d0af8503b57763943648cbe5:CVE-2023-32677: Check permission to subscribe other users in invites.\n\nThis commit updates the API to check the permission to subscribe other\nusers while inviting. The API will error if the user passes the\n\"stream_ids\" parameter (even when it contains only default streams)\nand the calling user does not having permission to subscribe others to\nstreams.\n\nFor users who do not have permission to subscribe others, the\ninvitee will be subscribed to default streams at the time of\naccepting the invite.\n\nThere is no change for multiuse invites, since only admins are allowed\nto send them, and admins always have the permission to subscribe\nothers to streams.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "4c4caa7be46aaed9c6c355307ab38ae99cf1c6d9", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + 
"fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "7c2693a2c64904d1d0af8503b57763943648cbe5", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "4c4caa7be46aaed9c6c355307ab38ae99cf1c6d9", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/4c4caa7be46aaed9c6c355307ab38ae99cf1c6d9" + }, + { + "reference_id": "7c2693a2c64904d1d0af8503b57763943648cbe5", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/7c2693a2c64904d1d0af8503b57763943648cbe5" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2023-32678", + "aliases": [], + "summary": "c908b518ef15eee4fb768cd015e8e72261d98e93:CVE-2023-32678: Prevent unauthorized editing/deletion in priv streams.\n\nUsers who used to be subscribed to a private stream and have been\nremoved from it since retain the ability to edit messages/topics, and\ndelete messages that they used to have access to, if other relevant\norganization permissions allow these actions. For example, a user may be\nable to edit or delete their old messages they posted in such a private\nstream. 
An administrator will be able to delete old messages (that they\nhad access to) from the private stream.\n\nWe fix this by fixing the logic in has_message_access (which lies at the\ncore of our message access checks - access_message() and\nbulk_access_messages())\nto not rely on only a UserMessage row for checking access but also\nverify stream type and subscription status.\na30cd12433e3a9f7764763ba38849ac635da5283:CVE-2023-32678: Prevent unauthorized editing/deletion in priv streams.\n\nUsers who used to be subscribed to a private stream and have been\nremoved from it since retain the ability to edit messages/topics, and\ndelete messages that they used to have access to, if other relevant\norganization permissions allow these actions. For example, a user may be\nable to edit or delete their old messages they posted in such a private\nstream. An administrator will be able to delete old messages (that they\nhad access to) from the private stream.\n\nWe fix this by fixing the logic in has_message_access (which lies at the\ncore of our message access checks - access_message() and\nbulk_access_messages())\nto not rely on only a UserMessage row for checking access but also\nverify stream type and subscription status.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "c908b518ef15eee4fb768cd015e8e72261d98e93", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": 
"https://github.com/zulip/zulip", + "commit_hash": "a30cd12433e3a9f7764763ba38849ac635da5283", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "c908b518ef15eee4fb768cd015e8e72261d98e93", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/c908b518ef15eee4fb768cd015e8e72261d98e93" + }, + { + "reference_id": "a30cd12433e3a9f7764763ba38849ac635da5283", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/a30cd12433e3a9f7764763ba38849ac635da5283" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2023-33186", + "aliases": [], + "summary": "3ca131743b00f42bad8edbac4ef92656d954c629:CVE-2023-33186: Fix topic tooltip cross-site scripting vulnerability.\n\nCommit 903dbda79bd176702d3175a7c8a5450a64b6eccb (#25370) introduced a\ncross-site scripting vulnerability in the tooltips for the stream and\ntopic in the recipient bar. 
An attacker who can send messages could\nmaliciously craft a topic for the message, such that a victim who\nhovers the tooltip for that topic in their message feed triggers\nexecution of JavaScript code controlled by the attacker.\n\nSigned-off-by: Anders Kaseorg ", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "3ca131743b00f42bad8edbac4ef92656d954c629", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "3ca131743b00f42bad8edbac4ef92656d954c629", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/3ca131743b00f42bad8edbac4ef92656d954c629" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2023-47642", + "aliases": [], + "summary": "d4fb244d2d93d014e26bec1d32fe4f225289e2c6:CVE-2023-47642: Invalid metadata access for formerly subscribed streams.\n\nIt was discovered by the Zulip development team that active users who\nhad previously been subscribed to a stream incorrectly continued being\nable to use the Zulip API to access metadata for that stream. As a\nresult, users who had been removed from a stream, but still had an\naccount in the organization, could still view metadata for that\nstream (including the stream name, description, settings, and an email\naddress used to send emails into the stream via the incoming email\nintegration). 
This potentially allowed users to see changes to a\nstream\u2019s metadata after they had lost access to the stream.\n\nThis bug was present in all Zulip releases prior to today's Zulip\nServer 7.5.\n6336322d2f9bbccaacfc80cba83a3c62eefd5737:CVE-2023-47642: Invalid metadata access for formerly subscribed streams.\n\nIt was discovered by the Zulip development team that active users who\nhad previously been subscribed to a stream incorrectly continued being\nable to use the Zulip API to access metadata for that stream. As a\nresult, users who had been removed from a stream, but still had an\naccount in the organization, could still view metadata for that\nstream (including the stream name, description, settings, and an email\naddress used to send emails into the stream via the incoming email\nintegration). This potentially allowed users to see changes to a\nstream\u2019s metadata after they had lost access to the stream.\n\nThis bug was present in all Zulip releases prior to today's Zulip\nServer 7.5.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "d4fb244d2d93d014e26bec1d32fe4f225289e2c6", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "6336322d2f9bbccaacfc80cba83a3c62eefd5737", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": 
"d4fb244d2d93d014e26bec1d32fe4f225289e2c6", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/d4fb244d2d93d014e26bec1d32fe4f225289e2c6" + }, + { + "reference_id": "6336322d2f9bbccaacfc80cba83a3c62eefd5737", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/6336322d2f9bbccaacfc80cba83a3c62eefd5737" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2024-21630", + "aliases": [], + "summary": "ae0aba064ff32fd75260f98da19213684d0717b3:CVE-2024-21630: Check permission to subscribe others using invite link.\n\nThis commit updates the API to check the permission to subscribe other\nusers while creating multi-use invites. The API will raise error if\nthe user passes the \"stream_ids\" parameter (even when it contains only\ndefault streams) and the calling user does not have permission to\nsubscribe others to streams.\n\nWe did not add this before as we only allowed admins to create\nmultiuse invites, but now we have added a setting which can be used\nto allow users with other roles as well to create multiuse invites.\n0df7bd71f32f3b772e2646c6ab0d60c9b610addf:CVE-2024-21630: Check permission to subscribe others using invite link.\n\nThis commit updates the API to check the permission to subscribe other\nusers while creating multi-use invites. 
The API will raise error if\nthe user passes the \"stream_ids\" parameter (even when it contains only\ndefault streams) and the calling user does not have permission to\nsubscribe others to streams.\n\nWe did not add this before as we only allowed admins to create\nmultiuse invites, but now we have added a setting which can be used\nto allow users with other roles as well to create multiuse invites.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "ae0aba064ff32fd75260f98da19213684d0717b3", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "0df7bd71f32f3b772e2646c6ab0d60c9b610addf", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "ae0aba064ff32fd75260f98da19213684d0717b3", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/ae0aba064ff32fd75260f98da19213684d0717b3" + }, + { + "reference_id": "0df7bd71f32f3b772e2646c6ab0d60c9b610addf", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/0df7bd71f32f3b772e2646c6ab0d60c9b610addf" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2024-27286", + "aliases": [], + "summary": "cf8b9adad48dced388ad0cff9d5ab6ea5c326302:CVE-2024-27286: Delete dangling 
UserMessage rows.\n\nThis cleans up dangling UserMessage rows for moved messages which were\naffected by bugs in one of the previous two commits.\n7b1feac06a04df82a0b5625b5166b943060bcfae:CVE-2024-27286: Remove UserMessage rows for non-active Subscriptions.\n\nA user who was no longer subscribed to a private stream kept their\nUserMessage row for a message sent while they were in it; this is\nexpected. However, they _also_ kept that row even if the message was\nmoved to a different private stream that they were also not subscribed\nto. This violates the invariant that users without subscriptions\nnever have UserMessage rows.\ne964536139800b6e419c5fe9f24b52abb508fdab:CVE-2024-27286: Run usermessage modifications even for change_one.\n\nThis `if new_stream is not None` block was improperly indented,\ncausing it to only run if the propagation mode was not `change_one`.\nSince the block controlled creation and deletion of UserMessage rows,\nthis led to messages being improperly still visible to members of the\nold stream if they were being moved from public to private streams.\nClients also failed to receive `delete_message` events, so the\nmessages remained visible in their feeds until they reloaded the\napplication.\n3db1733310ddd944c2e690ba673232345c928eec:CVE-2024-27286: Delete dangling UserMessage rows.\n\nThis cleans up dangling UserMessage rows for moved messages which were\naffected by bugs in one of the previous two commits.\ne3b50fa373847d9238985001a4a15e56d241442e:CVE-2024-27286: Remove UserMessage rows for non-active Subscriptions.\n\nA user who was no longer subscribed to a private stream kept their\nUserMessage row for a message sent while they were in it; this is\nexpected. However, they _also_ kept that row even if the message was\nmoved to a different private stream that they were also not subscribed\nto. 
This violates the invariant that users without subscriptions\nnever have UserMessage rows.\na4141782ccd6d4e7b0c15f20a875c17623e4b0f7:CVE-2024-27286: Run usermessage modifications even for change_one.\n\nThis `if new_stream is not None` block was improperly indented,\ncausing it to only run if the propagation mode was not `change_one`.\nSince the block controlled creation and deletion of UserMessage rows,\nthis led to messages being improperly still visible to members of the\nold stream if they were being moved from public to private streams.\nClients also failed to receive `delete_message` events, so the\nmessages remained visible in their feeds until they reloaded the\napplication.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "cf8b9adad48dced388ad0cff9d5ab6ea5c326302", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "7b1feac06a04df82a0b5625b5166b943060bcfae", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "e964536139800b6e419c5fe9f24b52abb508fdab", + 
"patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "3db1733310ddd944c2e690ba673232345c928eec", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "e3b50fa373847d9238985001a4a15e56d241442e", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "a4141782ccd6d4e7b0c15f20a875c17623e4b0f7", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "cf8b9adad48dced388ad0cff9d5ab6ea5c326302", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/cf8b9adad48dced388ad0cff9d5ab6ea5c326302" + }, + { + "reference_id": "7b1feac06a04df82a0b5625b5166b943060bcfae", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/7b1feac06a04df82a0b5625b5166b943060bcfae" + }, + { + "reference_id": "e964536139800b6e419c5fe9f24b52abb508fdab", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/e964536139800b6e419c5fe9f24b52abb508fdab" + }, + { + 
"reference_id": "3db1733310ddd944c2e690ba673232345c928eec", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/3db1733310ddd944c2e690ba673232345c928eec" + }, + { + "reference_id": "e3b50fa373847d9238985001a4a15e56d241442e", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/e3b50fa373847d9238985001a4a15e56d241442e" + }, + { + "reference_id": "a4141782ccd6d4e7b0c15f20a875c17623e4b0f7", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/a4141782ccd6d4e7b0c15f20a875c17623e4b0f7" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2024-56136", + "aliases": [], + "summary": "d1cbb0dd59c1df91c6f24468a1ae13e2d97f155b:CVE-2024-56136: Don't leak information via \"invalid subdomain\" error.\n\nThe bug we're fixing here leaks information by returning an \"invalid\nsubdomain\" error when an attempt is made to log in to user@example.com\non a subdomain X when user@example.com does not exist on X, but does\non another subdomain Y.\n\nThis allows an attacker to determine that a certain email address has an\naccount on the server.\n\nInstead, this should just return a regular authentication error.\nc6334a765b1e6d71760e4a3b32ae5b8367f2ed4d:CVE-2024-56136: Don't leak information via \"invalid subdomain\" error.\n\nThe bug we're fixing here leaks information by returning an \"invalid\nsubdomain\" error when an attempt is made to log in to user@example.com\non a subdomain X when user@example.com does not exist on X, but does\non another subdomain Y.\n\nThis allows an attacker to determine that a certain email address has an\naccount on the server.\n\nInstead, this should just return a regular authentication error.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + 
"affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "d1cbb0dd59c1df91c6f24468a1ae13e2d97f155b", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "c6334a765b1e6d71760e4a3b32ae5b8367f2ed4d", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "d1cbb0dd59c1df91c6f24468a1ae13e2d97f155b", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/d1cbb0dd59c1df91c6f24468a1ae13e2d97f155b" + }, + { + "reference_id": "c6334a765b1e6d71760e4a3b32ae5b8367f2ed4d", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/c6334a765b1e6d71760e4a3b32ae5b8367f2ed4d" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2025-25195", + "aliases": [], + "summary": "75be449d456d29fef27e9d1828bafa30174284b4:CVE-2025-25195: Only send \"active\" change events to channel subscribers.\n\nThis fixes a bug where private stream event to update stream's\nactive status was sent to all active users instead of just\nits subscribers.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": 
"75be449d456d29fef27e9d1828bafa30174284b4", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "75be449d456d29fef27e9d1828bafa30174284b4", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/75be449d456d29fef27e9d1828bafa30174284b4" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2025-30368", + "aliases": [], + "summary": "cce3c7ebb194e33a4cf267eb546bbdca14406ac2:realm_export: Restrict deletion to users in the same realm.\n\nThis fixes CVE-2025-30368.\n\nSigned-off-by: Anders Kaseorg ", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "cce3c7ebb194e33a4cf267eb546bbdca14406ac2", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "cce3c7ebb194e33a4cf267eb546bbdca14406ac2", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/cce3c7ebb194e33a4cf267eb546bbdca14406ac2" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2025-30369", + "aliases": [], + "summary": "744b7c73827cbb6595cc0bf58fde8e73dc4e96a8:custom_profile_fields: Restrict access to users in the same realm.\n\nThis fixes CVE-2025-30369.\n\nSigned-off-by: Anders Kaseorg ", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + 
"introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "744b7c73827cbb6595cc0bf58fde8e73dc4e96a8", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "744b7c73827cbb6595cc0bf58fde8e73dc4e96a8", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/744b7c73827cbb6595cc0bf58fde8e73dc4e96a8" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2025-52559", + "aliases": [], + "summary": "08a17ef22d2a2cdcc1c3b84cb90315d7cb373c1d:CVE-2025-52559: Generate HTML for digest new channels safely.\n\nSigned-off-by: Anders Kaseorg \na274170293f3a17ccd76a3d22bf97cffed8c5d0c:CVE-2025-52559: Generate HTML for digest message sender safely.\n\nSigned-off-by: Anders Kaseorg \nc33b6cae38185d78e44676382bb333235c353fda:CVE-2025-52559: Generate HTML for digest recipient header safely.\n\nSigned-off-by: Anders Kaseorg \n175ec1f365b0db982d6eac9019701cbf6e8bc2f2:CVE-2025-52559: Generate HTML for digest new channels safely.\n\nSigned-off-by: Anders Kaseorg \n1a8429e338ff53bdcc4b42e7e71b6fffdd84fcd1:CVE-2025-52559: Generate HTML for digest message sender safely.\n\nSigned-off-by: Anders Kaseorg \n6608c8777254e73a4b540e5e1c4af92e680a55fc:CVE-2025-52559: Generate HTML for digest recipient header safely.\n\nSigned-off-by: Anders Kaseorg ", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "08a17ef22d2a2cdcc1c3b84cb90315d7cb373c1d", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": 
"github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "a274170293f3a17ccd76a3d22bf97cffed8c5d0c", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "c33b6cae38185d78e44676382bb333235c353fda", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "175ec1f365b0db982d6eac9019701cbf6e8bc2f2", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "1a8429e338ff53bdcc4b42e7e71b6fffdd84fcd1", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + 
"fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "6608c8777254e73a4b540e5e1c4af92e680a55fc", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "08a17ef22d2a2cdcc1c3b84cb90315d7cb373c1d", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/08a17ef22d2a2cdcc1c3b84cb90315d7cb373c1d" + }, + { + "reference_id": "a274170293f3a17ccd76a3d22bf97cffed8c5d0c", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/a274170293f3a17ccd76a3d22bf97cffed8c5d0c" + }, + { + "reference_id": "c33b6cae38185d78e44676382bb333235c353fda", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/c33b6cae38185d78e44676382bb333235c353fda" + }, + { + "reference_id": "175ec1f365b0db982d6eac9019701cbf6e8bc2f2", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/175ec1f365b0db982d6eac9019701cbf6e8bc2f2" + }, + { + "reference_id": "1a8429e338ff53bdcc4b42e7e71b6fffdd84fcd1", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/1a8429e338ff53bdcc4b42e7e71b6fffdd84fcd1" + }, + { + "reference_id": "6608c8777254e73a4b540e5e1c4af92e680a55fc", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/6608c8777254e73a4b540e5e1c4af92e680a55fc" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2026-24050", + "aliases": [], + "summary": "e6093d9e4788f4d82236d856c5ed7b16767886a7:CVE-2026-24050: Fix HTML injection bugs.\n\nCo-authored-by: Joshua Rogers \nSigned-off-by: Anders Kaseorg ", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + 
"fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "e6093d9e4788f4d82236d856c5ed7b16767886a7", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "e6093d9e4788f4d82236d856c5ed7b16767886a7", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/e6093d9e4788f4d82236d856c5ed7b16767886a7" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2026-25741", + "aliases": [], + "summary": "bf28c82dc9b1f630fa8e9106358771b20a0040f7:billing: Require billing access to change payment methods.\n\nNon-billing users were mistakenly allowed to change the payment\nmethod.\n\nThis vulnerability was discovered by Sho Odagiri of GMO Cybersecurity\nby Ierae, Inc., and has been assigned CVE-2026-25741.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "bf28c82dc9b1f630fa8e9106358771b20a0040f7", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "bf28c82dc9b1f630fa8e9106358771b20a0040f7", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/bf28c82dc9b1f630fa8e9106358771b20a0040f7" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2026-25742", + "aliases": [], + "summary": "41e23347b5218b3b0397a55176c7d97396735bae:CVE-2026-25742: Restrict topic access when spectator access is disabled.\n\nLogged-out users were able to access topics using the\n\"GET 
/users/me/{stream.id}/topics\" endpoint for web-public streams\neven after spectator access was disabled for the realm. This commit\nfixes it so that logged-out users cannot access topics for a web-public\nstream after spectator acess is disabled.\n\nThis bug was introduced in Zulip 5.0 when we added server and\nrealm level settings to control spectator access.\n\n(cherry picked from commit 6d37f2b07cf2996fee38f02aa7f1dac78a29a077)\n3c045414299680b9f5dca7d76cf6cef6121c0236:CVE-2026-25742: Anonymous file access after disabling spectator access.\n\nLogged-out users were able to access attachments for messages in\nweb-public streams even after spectator access was disabled for the\nrealm. This commit fixes it so that logged-out users cannot access\nattachments after spectator acess is disabled.\n\nThis bug was introduced in Zulip 5.0 when we added support to allow\nspectators access to attachments in web-public channels.\n\n(cherry picked from commit fd85f45c2d9af1cd5c44bc3521d5c4ea98102f84)\n6d37f2b07cf2996fee38f02aa7f1dac78a29a077:CVE-2026-25742: Restrict topic access when spectator access is disabled.\n\nLogged-out users were able to access topics using the\n\"GET /users/me/{stream.id}/topics\" endpoint for web-public streams\neven after spectator access was disabled for the realm. This commit\nfixes it so that logged-out users cannot access topics for a web-public\nstream after spectator acess is disabled.\n\nThis bug was introduced in Zulip 5.0 when we added server and\nrealm level settings to control spectator access.\nfd85f45c2d9af1cd5c44bc3521d5c4ea98102f84:CVE-2026-25742: Anonymous file access after disabling spectator access.\n\nLogged-out users were able to access attachments for messages in\nweb-public streams even after spectator access was disabled for the\nrealm. 
This commit fixes it so that logged-out users cannot access\nattachments after spectator acess is disabled.\n\nThis bug was introduced in Zulip 5.0 when we added support to allow\nspectators access to attachments in web-public channels.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "41e23347b5218b3b0397a55176c7d97396735bae", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "3c045414299680b9f5dca7d76cf6cef6121c0236", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "6d37f2b07cf2996fee38f02aa7f1dac78a29a077", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "fd85f45c2d9af1cd5c44bc3521d5c4ea98102f84", + 
"patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "41e23347b5218b3b0397a55176c7d97396735bae", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/41e23347b5218b3b0397a55176c7d97396735bae" + }, + { + "reference_id": "3c045414299680b9f5dca7d76cf6cef6121c0236", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/3c045414299680b9f5dca7d76cf6cef6121c0236" + }, + { + "reference_id": "6d37f2b07cf2996fee38f02aa7f1dac78a29a077", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/6d37f2b07cf2996fee38f02aa7f1dac78a29a077" + }, + { + "reference_id": "fd85f45c2d9af1cd5c44bc3521d5c4ea98102f84", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/fd85f45c2d9af1cd5c44bc3521d5c4ea98102f84" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2026-26058", + "aliases": [], + "summary": "2df49e7750ce3fc49ef1d44b1c4ece654d4b754c:CVE-2026-26058: Protect again path traversal when importing uploads.\n\nDespite this data being untrusted, as it comes from users who can\nmanipulate it, we were trusting the data from records.json without\nsanitizing the paths and filenames - thus allowing path traversal.\n\nOur code should avoid interacting with the unsanitized values at all,\nand we should just load the records and ensure safety of these values\nat the point of ingestion - and pass safe objects further down the\ncodepaths.\n\n(cherry picked from commit 418c57a9517508a5c2ab303902fd6c3f97804ca0)\n418c57a9517508a5c2ab303902fd6c3f97804ca0:CVE-2026-26058: Protect again path traversal when importing uploads.\n\nDespite this data being untrusted, as it comes from users who can\nmanipulate it, we were trusting the data from records.json without\nsanitizing the paths and filenames - thus allowing path traversal.\n\nOur code should avoid 
interacting with the unsanitized values at all,\nand we should just load the records and ensure safety of these values\nat the point of ingestion - and pass safe objects further down the\ncodepaths.", + "affected_packages": [ + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "2df49e7750ce3fc49ef1d44b1c4ece654d4b754c", + "patch_text": null, + "patch_checksum": null + } + ] + }, + { + "package": { + "type": "github", + "namespace": "zulip", + "name": "zulip", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [ + { + "vcs_url": "https://github.com/zulip/zulip", + "commit_hash": "418c57a9517508a5c2ab303902fd6c3f97804ca0", + "patch_text": null, + "patch_checksum": null + } + ] + } + ], + "references": [ + { + "reference_id": "2df49e7750ce3fc49ef1d44b1c4ece654d4b754c", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/2df49e7750ce3fc49ef1d44b1c4ece654d4b754c" + }, + { + "reference_id": "418c57a9517508a5c2ab303902fd6c3f97804ca0", + "reference_type": "commit", + "url": "https://github.com/zulip/zulip/commit/418c57a9517508a5c2ab303902fd6c3f97804ca0" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + } +] \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/vcs_collector/expected_pr_issues_output.json b/vulnerabilities/tests/test_data/vcs_collector/expected_pr_issues_output.json new file mode 100644 index 000000000..f827d411f --- /dev/null +++ b/vulnerabilities/tests/test_data/vcs_collector/expected_pr_issues_output.json 
@@ -0,0 +1,1712 @@ +[ + { + "advisory_id": "CVE-2007-4559", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2007-4559", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/44823" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2012-5568", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2012-5568", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/13449" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2015-1793", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2015-1793", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/2178" + }, + { + "reference_id": "CVE-2015-1793", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/2141" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2015-3194", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2015-3194", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/4133" + }, + { + "reference_id": "CVE-2015-3194", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/4132" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2015-7384", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2015-7384", + "reference_type": "Issues", + "url": 
"https://github.com/nodejs/node/issues/3138" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2015-8027", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2015-8027", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/4029" + }, + { + "reference_id": "CVE-2015-8027", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/4156" + }, + { + "reference_id": "CVE-2015-8027", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/4155" + }, + { + "reference_id": "CVE-2015-8027", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/4154" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2016-2107", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2016-2107", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/6622" + }, + { + "reference_id": "CVE-2016-2107", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/6621" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2016-2216", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2016-2216", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/5754" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2016-5180", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2016-5180", + "reference_type": "Issues", + "url": 
"https://github.com/nodejs/node/issues/12532" + }, + { + "reference_id": "CVE-2016-5180", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/11728" + }, + { + "reference_id": "CVE-2016-5180", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/9037" + }, + { + "reference_id": "CVE-2016-5180", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/8849" + }, + { + "reference_id": "CVE-2016-5180", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/9153" + }, + { + "reference_id": "CVE-2016-5180", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/9147" + }, + { + "reference_id": "CVE-2016-5180", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/9154" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2016-7052", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2016-7052", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/8790" + }, + { + "reference_id": "CVE-2016-7052", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/8789" + }, + { + "reference_id": "CVE-2016-7052", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/8786" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2016-7055", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2016-7055", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/12691" + }, + { + "reference_id": "CVE-2016-7055", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/9594" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": 
[], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2016-8625", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2016-8625", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/25679" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2017-1000381", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2017-1000381", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/19939" + }, + { + "reference_id": "CVE-2017-1000381", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/13897" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2017-14919", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2017-14919", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/16547" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2017-15896", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2017-15896", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/17533" + }, + { + "reference_id": "CVE-2017-15896", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/17534" + }, + { + "reference_id": "CVE-2017-15896", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/17531" + }, + { + "reference_id": "CVE-2017-15896", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/17532" + } + ], + "patches": [], + "severities": [], + "date_published": null, + 
"weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2017-3732", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2017-3732", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/11021" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2017-3736", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2017-3736", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/16691" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2017-3737", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2017-3737", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/17526" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2018-0732", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2018-0732", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/22187" + }, + { + "reference_id": "CVE-2018-0732", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/21344" + }, + { + "reference_id": "CVE-2018-0732", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/21343" + }, + { + "reference_id": "CVE-2018-0732", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/21282" + }, + { + "reference_id": "CVE-2018-0732", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/21400" + } + ], + "patches": [], + "severities": [], + "date_published": null, + 
"weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2018-0734", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2018-0734", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/24353" + }, + { + "reference_id": "CVE-2018-0734", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/23965" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2018-0735", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2018-0735", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/24370" + }, + { + "reference_id": "CVE-2018-0735", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/23950" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2018-0737", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2018-0737", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/20090" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2018-12121", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2018-12121", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/24692" + }, + { + "reference_id": "CVE-2018-12121", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/24990" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2018-12122", + "aliases": 
[], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2018-12122", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/24760" + }, + { + "reference_id": "CVE-2018-12122", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/24803" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2018-5407", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2018-5407", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/24352" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2018-6341", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2018-6341", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/24735" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2018-7159", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2018-7159", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/25514" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2018-7166", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2018-7166", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/27298" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2019-13050", + 
"aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2019-13050", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/29531" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2019-1552", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2019-1552", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/29455" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2019-9511", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2019-9511", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/29133" + }, + { + "reference_id": "CVE-2019-9511", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/29151" + }, + { + "reference_id": "CVE-2019-9511", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/29148" + }, + { + "reference_id": "CVE-2019-9511", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/29152" + }, + { + "reference_id": "CVE-2019-9511", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/29150" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2019-9518", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2019-9518", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/37875" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2019-9636", + 
"aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2019-9636", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/38631" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2020-10531", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2020-10531", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/33572" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2020-7598", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2020-7598", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/32296" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2020-7774", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2020-7774", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/37918" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2021-21148", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2021-21148", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/37074" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2021-22930", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2021-22930", + 
"reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/40306" + }, + { + "reference_id": "CVE-2021-22930", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/39500" + }, + { + "reference_id": "CVE-2021-22930", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/39534" + }, + { + "reference_id": "CVE-2021-22930", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/39466" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2021-22940", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2021-22940", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/40308" + }, + { + "reference_id": "CVE-2021-22940", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/40319" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2021-33503", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2021-33503", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/45570" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2021-3450", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2021-3450", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/38082" + }, + { + "reference_id": "CVE-2021-3450", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/38085" + }, + { + "reference_id": "CVE-2021-3450", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/38083" + }, + { + "reference_id": "CVE-2021-3450", + 
"reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/38084" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2021-3672", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2021-3672", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/40231" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2021-3807", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2021-3807", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/41039" + }, + { + "reference_id": "CVE-2021-3807", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/40853" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2021-4044", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2021-4044", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/41167" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2021-44228", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2021-44228", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/41191" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2021-44906", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": 
"CVE-2021-44906", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/42451" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2022-0778", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2022-0778", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/42441" + }, + { + "reference_id": "CVE-2022-0778", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/42385" + }, + { + "reference_id": "CVE-2022-0778", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/42363" + }, + { + "reference_id": "CVE-2022-0778", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/42381" + }, + { + "reference_id": "CVE-2022-0778", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/42371" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2022-21449", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2022-21449", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/42863" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2022-21824", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2022-21824", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/42282" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2022-23491", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + 
"reference_id": "CVE-2022-23491", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/51613" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2022-25881", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2022-25881", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/46555" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2022-25883", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2022-25883", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/48835" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2022-32215", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2022-32215", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/43946" + }, + { + "reference_id": "CVE-2022-32215", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/43893" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2022-32222", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2022-32222", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/46150" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2022-38900", + "aliases": [], + "summary": "", + "affected_packages": [], + 
"references": [ + { + "reference_id": "CVE-2022-38900", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/46026" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2023-0464", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2023-0464", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/47443" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2023-3420", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2023-3420", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/50077" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2023-39331", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2023-39331", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/50469" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2023-43804", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2023-43804", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/51647" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2023-44487", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2023-44487", + "reference_type": "Issues", + "url": 
"https://github.com/nodejs/node/issues/50342" + }, + { + "reference_id": "CVE-2023-44487", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/51074" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2023-45143", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2023-45143", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/50153" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2023-46809", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2023-46809", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/55628" + }, + { + "reference_id": "CVE-2023-46809", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/52196" + }, + { + "reference_id": "CVE-2023-46809", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/55629" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2023-4807", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2023-4807", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/49879" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2023-5363", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2023-5363", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/50395" + } + ], + "patches": [], + "severities": [], + "date_published": null, 
+ "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2024-13176", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2024-13176", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/59548" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2024-21538", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2024-21538", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/58242" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2024-24806", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2024-24806", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/51737" + }, + { + "reference_id": "CVE-2024-24806", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/51702" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2024-27980", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2024-27980", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/52543" + }, + { + "reference_id": "CVE-2024-27980", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/52505" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2024-28863", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2024-28863", + "reference_type": 
"Issues", + "url": "https://github.com/nodejs/node/issues/53214" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2024-4761", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2024-4761", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/54598" + }, + { + "reference_id": "CVE-2024-4761", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/54597" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2024-4947", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2024-4947", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/54793" + }, + { + "reference_id": "CVE-2024-4947", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/54795" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2025-15467", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2025-15467", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/61887" + }, + { + "reference_id": "CVE-2025-15467", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/61755" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2025-23085", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2025-23085", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/57644" + } + ], + "patches": [], + "severities": [], + 
"date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2025-32955", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2025-32955", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/58109" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2025-5889", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2025-5889", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/59253" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2025-59465", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2025-59465", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/61661" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2025-59466", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2025-59466", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/62125" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2025-64756", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2025-64756", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/61085" + }, + { + "reference_id": "CVE-2025-64756", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/60792" + } + ], + "patches": [], + 
"severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2025-9230", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2025-9230", + "reference_type": "Issues", + "url": "https://github.com/nodejs/node/issues/60193" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + }, + { + "advisory_id": "CVE-2026-1525", + "aliases": [], + "summary": "", + "affected_packages": [], + "references": [ + { + "reference_id": "CVE-2026-1525", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/62250" + }, + { + "reference_id": "CVE-2026-1525", + "reference_type": "PRs", + "url": "https://github.com/nodejs/node/pull/62247" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://mocked.url/advisory" + } +] \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/vcs_collector/fix_commits_test_repo.json b/vulnerabilities/tests/test_data/vcs_collector/fix_commits_test_repo.json new file mode 100644 index 000000000..4b5645d33 --- /dev/null +++ b/vulnerabilities/tests/test_data/vcs_collector/fix_commits_test_repo.json 
@@ -0,0 +1,242 @@ +{ + "vcs_url": "https://github.com/zulip/zulip", + "vulnerabilities": { + "CVE-2026-26058": { + "2df49e7750ce3fc49ef1d44b1c4ece654d4b754c": "CVE-2026-26058: Protect again path traversal when importing uploads.\n\nDespite this data being untrusted, as it comes from users who can\nmanipulate it, we were trusting the data from records.json without\nsanitizing the paths and filenames - thus allowing path traversal.\n\nOur code should avoid interacting with the unsanitized values at all,\nand we should just load the records and ensure safety of these values\nat the point of ingestion - and pass safe objects further down the\ncodepaths.\n\n(cherry picked from commit 418c57a9517508a5c2ab303902fd6c3f97804ca0)", + "418c57a9517508a5c2ab303902fd6c3f97804ca0": "CVE-2026-26058: Protect again path traversal when importing uploads.\n\nDespite this data being untrusted, as it comes from users who can\nmanipulate it, we were trusting the data from records.json without\nsanitizing the paths and filenames - thus allowing path traversal.\n\nOur code should avoid interacting with the unsanitized values at all,\nand we should just load the records and ensure safety of these values\nat the point of ingestion - and pass safe objects further down the\ncodepaths." + }, + "CVE-2026-25742": { + "41e23347b5218b3b0397a55176c7d97396735bae": "CVE-2026-25742: Restrict topic access when spectator access is disabled.\n\nLogged-out users were able to access topics using the\n\"GET /users/me/{stream.id}/topics\" endpoint for web-public streams\neven after spectator access was disabled for the realm. 
This commit\nfixes it so that logged-out users cannot access topics for a web-public\nstream after spectator acess is disabled.\n\nThis bug was introduced in Zulip 5.0 when we added server and\nrealm level settings to control spectator access.\n\n(cherry picked from commit 6d37f2b07cf2996fee38f02aa7f1dac78a29a077)", + "3c045414299680b9f5dca7d76cf6cef6121c0236": "CVE-2026-25742: Anonymous file access after disabling spectator access.\n\nLogged-out users were able to access attachments for messages in\nweb-public streams even after spectator access was disabled for the\nrealm. This commit fixes it so that logged-out users cannot access\nattachments after spectator acess is disabled.\n\nThis bug was introduced in Zulip 5.0 when we added support to allow\nspectators access to attachments in web-public channels.\n\n(cherry picked from commit fd85f45c2d9af1cd5c44bc3521d5c4ea98102f84)", + "6d37f2b07cf2996fee38f02aa7f1dac78a29a077": "CVE-2026-25742: Restrict topic access when spectator access is disabled.\n\nLogged-out users were able to access topics using the\n\"GET /users/me/{stream.id}/topics\" endpoint for web-public streams\neven after spectator access was disabled for the realm. This commit\nfixes it so that logged-out users cannot access topics for a web-public\nstream after spectator acess is disabled.\n\nThis bug was introduced in Zulip 5.0 when we added server and\nrealm level settings to control spectator access.", + "fd85f45c2d9af1cd5c44bc3521d5c4ea98102f84": "CVE-2026-25742: Anonymous file access after disabling spectator access.\n\nLogged-out users were able to access attachments for messages in\nweb-public streams even after spectator access was disabled for the\nrealm. This commit fixes it so that logged-out users cannot access\nattachments after spectator acess is disabled.\n\nThis bug was introduced in Zulip 5.0 when we added support to allow\nspectators access to attachments in web-public channels." 
+ }, + "CVE-2026-25741": { + "bf28c82dc9b1f630fa8e9106358771b20a0040f7": "billing: Require billing access to change payment methods.\n\nNon-billing users were mistakenly allowed to change the payment\nmethod.\n\nThis vulnerability was discovered by Sho Odagiri of GMO Cybersecurity\nby Ierae, Inc., and has been assigned CVE-2026-25741." + }, + "CVE-2026-24050": { + "e6093d9e4788f4d82236d856c5ed7b16767886a7": "CVE-2026-24050: Fix HTML injection bugs.\n\nCo-authored-by: Joshua Rogers \nSigned-off-by: Anders Kaseorg " + }, + "CVE-2025-52559": { + "08a17ef22d2a2cdcc1c3b84cb90315d7cb373c1d": "CVE-2025-52559: Generate HTML for digest new channels safely.\n\nSigned-off-by: Anders Kaseorg ", + "a274170293f3a17ccd76a3d22bf97cffed8c5d0c": "CVE-2025-52559: Generate HTML for digest message sender safely.\n\nSigned-off-by: Anders Kaseorg ", + "c33b6cae38185d78e44676382bb333235c353fda": "CVE-2025-52559: Generate HTML for digest recipient header safely.\n\nSigned-off-by: Anders Kaseorg ", + "175ec1f365b0db982d6eac9019701cbf6e8bc2f2": "CVE-2025-52559: Generate HTML for digest new channels safely.\n\nSigned-off-by: Anders Kaseorg ", + "1a8429e338ff53bdcc4b42e7e71b6fffdd84fcd1": "CVE-2025-52559: Generate HTML for digest message sender safely.\n\nSigned-off-by: Anders Kaseorg ", + "6608c8777254e73a4b540e5e1c4af92e680a55fc": "CVE-2025-52559: Generate HTML for digest recipient header safely.\n\nSigned-off-by: Anders Kaseorg " + }, + "CVE-2025-30369": { + "744b7c73827cbb6595cc0bf58fde8e73dc4e96a8": "custom_profile_fields: Restrict access to users in the same realm.\n\nThis fixes CVE-2025-30369.\n\nSigned-off-by: Anders Kaseorg " + }, + "CVE-2025-30368": { + "cce3c7ebb194e33a4cf267eb546bbdca14406ac2": "realm_export: Restrict deletion to users in the same realm.\n\nThis fixes CVE-2025-30368.\n\nSigned-off-by: Anders Kaseorg " + }, + "CVE-2025-25195": { + "75be449d456d29fef27e9d1828bafa30174284b4": "CVE-2025-25195: Only send \"active\" change events to channel subscribers.\n\nThis fixes a 
bug where private stream event to update stream's\nactive status was sent to all active users instead of just\nits subscribers." + }, + "CVE-2024-56136": { + "d1cbb0dd59c1df91c6f24468a1ae13e2d97f155b": "CVE-2024-56136: Don't leak information via \"invalid subdomain\" error.\n\nThe bug we're fixing here leaks information by returning an \"invalid\nsubdomain\" error when an attempt is made to log in to user@example.com\non a subdomain X when user@example.com does not exist on X, but does\non another subdomain Y.\n\nThis allows an attacker to determine that a certain email address has an\naccount on the server.\n\nInstead, this should just return a regular authentication error.", + "c6334a765b1e6d71760e4a3b32ae5b8367f2ed4d": "CVE-2024-56136: Don't leak information via \"invalid subdomain\" error.\n\nThe bug we're fixing here leaks information by returning an \"invalid\nsubdomain\" error when an attempt is made to log in to user@example.com\non a subdomain X when user@example.com does not exist on X, but does\non another subdomain Y.\n\nThis allows an attacker to determine that a certain email address has an\naccount on the server.\n\nInstead, this should just return a regular authentication error." + }, + "CVE-2024-27286": { + "cf8b9adad48dced388ad0cff9d5ab6ea5c326302": "CVE-2024-27286: Delete dangling UserMessage rows.\n\nThis cleans up dangling UserMessage rows for moved messages which were\naffected by bugs in one of the previous two commits.", + "7b1feac06a04df82a0b5625b5166b943060bcfae": "CVE-2024-27286: Remove UserMessage rows for non-active Subscriptions.\n\nA user who was no longer subscribed to a private stream kept their\nUserMessage row for a message sent while they were in it; this is\nexpected. However, they _also_ kept that row even if the message was\nmoved to a different private stream that they were also not subscribed\nto. 
This violates the invariant that users without subscriptions\nnever have UserMessage rows.", + "e964536139800b6e419c5fe9f24b52abb508fdab": "CVE-2024-27286: Run usermessage modifications even for change_one.\n\nThis `if new_stream is not None` block was improperly indented,\ncausing it to only run if the propagation mode was not `change_one`.\nSince the block controlled creation and deletion of UserMessage rows,\nthis led to messages being improperly still visible to members of the\nold stream if they were being moved from public to private streams.\nClients also failed to receive `delete_message` events, so the\nmessages remained visible in their feeds until they reloaded the\napplication.", + "3db1733310ddd944c2e690ba673232345c928eec": "CVE-2024-27286: Delete dangling UserMessage rows.\n\nThis cleans up dangling UserMessage rows for moved messages which were\naffected by bugs in one of the previous two commits.", + "e3b50fa373847d9238985001a4a15e56d241442e": "CVE-2024-27286: Remove UserMessage rows for non-active Subscriptions.\n\nA user who was no longer subscribed to a private stream kept their\nUserMessage row for a message sent while they were in it; this is\nexpected. However, they _also_ kept that row even if the message was\nmoved to a different private stream that they were also not subscribed\nto. 
This violates the invariant that users without subscriptions\nnever have UserMessage rows.", + "a4141782ccd6d4e7b0c15f20a875c17623e4b0f7": "CVE-2024-27286: Run usermessage modifications even for change_one.\n\nThis `if new_stream is not None` block was improperly indented,\ncausing it to only run if the propagation mode was not `change_one`.\nSince the block controlled creation and deletion of UserMessage rows,\nthis led to messages being improperly still visible to members of the\nold stream if they were being moved from public to private streams.\nClients also failed to receive `delete_message` events, so the\nmessages remained visible in their feeds until they reloaded the\napplication." + }, + "CVE-2024-21630": { + "ae0aba064ff32fd75260f98da19213684d0717b3": "CVE-2024-21630: Check permission to subscribe others using invite link.\n\nThis commit updates the API to check the permission to subscribe other\nusers while creating multi-use invites. The API will raise error if\nthe user passes the \"stream_ids\" parameter (even when it contains only\ndefault streams) and the calling user does not have permission to\nsubscribe others to streams.\n\nWe did not add this before as we only allowed admins to create\nmultiuse invites, but now we have added a setting which can be used\nto allow users with other roles as well to create multiuse invites.", + "0df7bd71f32f3b772e2646c6ab0d60c9b610addf": "CVE-2024-21630: Check permission to subscribe others using invite link.\n\nThis commit updates the API to check the permission to subscribe other\nusers while creating multi-use invites. 
The API will raise error if\nthe user passes the \"stream_ids\" parameter (even when it contains only\ndefault streams) and the calling user does not have permission to\nsubscribe others to streams.\n\nWe did not add this before as we only allowed admins to create\nmultiuse invites, but now we have added a setting which can be used\nto allow users with other roles as well to create multiuse invites." + }, + "CVE-2023-47642": { + "d4fb244d2d93d014e26bec1d32fe4f225289e2c6": "CVE-2023-47642: Invalid metadata access for formerly subscribed streams.\n\nIt was discovered by the Zulip development team that active users who\nhad previously been subscribed to a stream incorrectly continued being\nable to use the Zulip API to access metadata for that stream. As a\nresult, users who had been removed from a stream, but still had an\naccount in the organization, could still view metadata for that\nstream (including the stream name, description, settings, and an email\naddress used to send emails into the stream via the incoming email\nintegration). This potentially allowed users to see changes to a\nstream\u2019s metadata after they had lost access to the stream.\n\nThis bug was present in all Zulip releases prior to today's Zulip\nServer 7.5.", + "6336322d2f9bbccaacfc80cba83a3c62eefd5737": "CVE-2023-47642: Invalid metadata access for formerly subscribed streams.\n\nIt was discovered by the Zulip development team that active users who\nhad previously been subscribed to a stream incorrectly continued being\nable to use the Zulip API to access metadata for that stream. As a\nresult, users who had been removed from a stream, but still had an\naccount in the organization, could still view metadata for that\nstream (including the stream name, description, settings, and an email\naddress used to send emails into the stream via the incoming email\nintegration). 
This potentially allowed users to see changes to a\nstream\u2019s metadata after they had lost access to the stream.\n\nThis bug was present in all Zulip releases prior to today's Zulip\nServer 7.5." + }, + "CVE-2023-32678": { + "c908b518ef15eee4fb768cd015e8e72261d98e93": "CVE-2023-32678: Prevent unauthorized editing/deletion in priv streams.\n\nUsers who used to be subscribed to a private stream and have been\nremoved from it since retain the ability to edit messages/topics, and\ndelete messages that they used to have access to, if other relevant\norganization permissions allow these actions. For example, a user may be\nable to edit or delete their old messages they posted in such a private\nstream. An administrator will be able to delete old messages (that they\nhad access to) from the private stream.\n\nWe fix this by fixing the logic in has_message_access (which lies at the\ncore of our message access checks - access_message() and\nbulk_access_messages())\nto not rely on only a UserMessage row for checking access but also\nverify stream type and subscription status.", + "a30cd12433e3a9f7764763ba38849ac635da5283": "CVE-2023-32678: Prevent unauthorized editing/deletion in priv streams.\n\nUsers who used to be subscribed to a private stream and have been\nremoved from it since retain the ability to edit messages/topics, and\ndelete messages that they used to have access to, if other relevant\norganization permissions allow these actions. For example, a user may be\nable to edit or delete their old messages they posted in such a private\nstream. An administrator will be able to delete old messages (that they\nhad access to) from the private stream.\n\nWe fix this by fixing the logic in has_message_access (which lies at the\ncore of our message access checks - access_message() and\nbulk_access_messages())\nto not rely on only a UserMessage row for checking access but also\nverify stream type and subscription status." 
+ }, + "CVE-2023-33186": { + "3ca131743b00f42bad8edbac4ef92656d954c629": "CVE-2023-33186: Fix topic tooltip cross-site scripting vulnerability.\n\nCommit 903dbda79bd176702d3175a7c8a5450a64b6eccb (#25370) introduced a\ncross-site scripting vulnerability in the tooltips for the stream and\ntopic in the recipient bar. An attacker who can send messages could\nmaliciously craft a topic for the message, such that a victim who\nhovers the tooltip for that topic in their message feed triggers\nexecution of JavaScript code controlled by the attacker.\n\nSigned-off-by: Anders Kaseorg " + }, + "CVE-2023-32677": { + "4c4caa7be46aaed9c6c355307ab38ae99cf1c6d9": "CVE-2023-32677: Check permission to subscribe other users in invites.\n\nThis commit updates the API to check the permission to subscribe other\nusers while inviting. The API will error if the user passes the\n\"stream_ids\" parameter (even when it contains only default streams)\nand the calling user does not having permission to subscribe others to\nstreams.\n\nFor users who do not have permission to subscribe others, the\ninvitee will be subscribed to default streams at the time of\naccepting the invite.\n\nThere is no change for multiuse invites, since only admins are allowed\nto send them, and admins always have the permission to subscribe\nothers to streams.", + "7c2693a2c64904d1d0af8503b57763943648cbe5": "CVE-2023-32677: Check permission to subscribe other users in invites.\n\nThis commit updates the API to check the permission to subscribe other\nusers while inviting. 
The API will error if the user passes the\n\"stream_ids\" parameter (even when it contains only default streams)\nand the calling user does not having permission to subscribe others to\nstreams.\n\nFor users who do not have permission to subscribe others, the\ninvitee will be subscribed to default streams at the time of\naccepting the invite.\n\nThere is no change for multiuse invites, since only admins are allowed\nto send them, and admins always have the permission to subscribe\nothers to streams." + }, + "CVE-2023-28623": { + "a23b077b79cae11757fb97f8d4e174af153c7104": "CVE-2023-28623: Prevent unauthorized signup with ldap + external auth.\n\nSince 74dd21c8fa13 in Zulip Server 2.1.0, if:\n- ZulipLDAPAuthBackend and an external authentication backend (any aside\n of ZulipLDAPAuthBackend and EmailAuthBackend) are the only ones\n enabled in AUTHENTICATION_BACKENDS in /etc/zulip/settings.py\n- The organization permissions don't require invitations to join\n\n...then an attacker can create a new account in the organization with\nan arbitrary email address in their control that's not in the\norganization's LDAP directory.\n\nThe impact is limited to installations which have the specific\ncombination of authentication backends described above, in addition to\nhaving the \"Invitations are required for joining this organization\norganization\" permission disabled.", + "3df1b4dd7c210c21deb6f829df19412b74573f8d": "CVE-2023-28623: Prevent unauthorized signup with ldap + external auth.\n\nSince 74dd21c8fa13 in Zulip Server 2.1.0, if:\n- ZulipLDAPAuthBackend and an external authentication backend (any aside\n of ZulipLDAPAuthBackend and EmailAuthBackend) are the only ones\n enabled in AUTHENTICATION_BACKENDS in /etc/zulip/settings.py\n- The organization permissions don't require invitations to join\n\n...then an attacker can create a new account in the organization with\nan arbitrary email address in their control that's not in the\norganization's LDAP directory.\n\nThe 
impact is limited to installations which have the specific\ncombination of authentication backends described above, in addition to\nhaving the \"Invitations are required for joining this organization\norganization\" permission disabled." + }, + "CVE-2023-22735": { + "2f6c5a883e106aa82a570d3d1f243993284b70f3": "CVE-2023-22735: Provide the Content-Disposition header from S3.\n\nThe Content-Type of user-provided uploads was provided by the browser\nat initial upload time, and stored in S3; however, 04cf68b45ebb\nswitched to determining the Content-Disposition merely from the\nfilename. This makes uploads vulnerable to a stored XSS, wherein a\nfile uploaded with a content-type of `text/html` and an extension of\n`.png` would be served to browsers as `Content-Disposition: inline`,\nwhich is unsafe.\n\nThe `Content-Security-Policy` headers in the previous commit mitigate\nthis, but only for browsers which support them.\n\nRevert parts of 04cf68b45ebb, specifically by allowing S3 to provide\nthe Content-Disposition header, and using the\n`ResponseContentDisposition` argument when necessary to override it to\n`attachment`. Because we expect S3 responses to vary based on this\nargument, we include it in the cache key; since the query parameter\nhas dashes in it, we can't use use the helper `$arg_` variables, and\nmust parse it from the query parameters manually.\n\nAdding the disposition may decrease the cache hit rate somewhat, but\ndownloads are infrequent enough that it is unlikely to have a\nnoticeable effect. We take care to not adjust the cache key for\nrequests which do not specify the disposition.", + "36e97f8121a19a7955e666d24a80ea2cf3d0b75a": "CVE-2023-22735: Set a Content-Security-Policy header on proxied S3 data.\n\nThis was missed in 04cf68b45ebb5c03247a0d6453e35ffc175d55da; as this\ncontent is fundamentally untrusted, it must be served with\n`Content-Security-Policy` headers in order to be safe. 
These headers\nwere not provided previously for S3 content because it was served from\nthe S3 domain.\n\nThis mitigates content served from Zulip which could be a stored XSS,\nbut only in browsers which support Content-Security-Policy headers;\nsee subsequent commit for the complete solution." + }, + "CVE-2022-36048": { + "4a61e36def4ae7349dc7b39f2a9848505389cf6a": "CVE-2022-36048: Rewrite only specific local links to relative.\n\nDue to mismatches between the URL parsers in Python and browsers, it\nwas possible to hoodwink rewrite_local_links_to_relative into\ngenerating links that browsers would interpret as absolute.\n\nSigned-off-by: Anders Kaseorg ", + "b12a5be4a09d46653b062bea35a52433778a8a43": "CVE-2022-36048: Rewrite only specific local links to relative.\n\nDue to mismatches between the URL parsers in Python and browsers, it\nwas possible to hoodwink rewrite_local_links_to_relative into\ngenerating links that browsers would interpret as absolute.\n\nSigned-off-by: Anders Kaseorg " + }, + "CVE-2022-31168": { + "751b2a03e565e9eb02ffe923b7c24ac73d604034": "CVE-2022-31168: Fix authorization check for changing bot roles.\n\nDue to an incorrect authorization check in Zulip Server 5.4 and\nearlier, a member of an organization could craft an API call that\ngrants organization administrator privileges to one of their bots.\n\nSigned-off-by: Anders Kaseorg ", + "c9f6830ba6d30f01606d9876d239c77b702b8c38": "CVE-2022-31168: Fix authorization check for changing bot roles.\n\nDue to an incorrect authorization check in Zulip Server 5.4 and\nearlier, a member of an organization could craft an API call that\ngrants organization administrator privileges to one of their bots.\n\nSigned-off-by: Anders Kaseorg " + }, + "CVE-2022-31134": { + "b35268e6bb9e07ef55e0a266280960930049c10a": "CVE-2022-31134: Exclude private attachments from realm exports.\n\nZulip Server 2.1.0 and above have a UI tool, accessible only to server\nowners and server administrators, which provides a way to 
download a\n\u201cpublic data\u201d export. While this export tool is only accessible to\nadministrators, in many configurations server administrators are not\nexpected to have access to private messages and private\nstreams. However, the \u201cpublic data\u201d export which administrators could\ngenerate contained the attachment contents for all attachments, even\nthose from private messages and streams.\n\nSigned-off-by: Anders Kaseorg ", + "c6a590328014c9a25d88ca7789f5f657a21a52ac": "CVE-2022-31134: Exclude private attachments from realm exports.\n\nZulip Server 2.1.0 and above have a UI tool, accessible only to server\nowners and server administrators, which provides a way to download a\n\u201cpublic data\u201d export. While this export tool is only accessible to\nadministrators, in many configurations server administrators are not\nexpected to have access to private messages and private\nstreams. However, the \u201cpublic data\u201d export which administrators could\ngenerate contained the attachment contents for all attachments, even\nthose from private messages and streams.\n\nSigned-off-by: Anders Kaseorg " + }, + "CVE-2022-31017": { + "20f9293f1f5a95c17ba82cfcd24dc182475d66a8": "CVE-2022-31017: Fix edit event exposure in protected-history streams.\n\nWhen editing an old message in a private stream with protected\nhistory, the server would incorrectly send an API event including the\nedited message to all of the stream\u2019s current subscribers, including\nthose who should not have access to the old message. 
This API event is\nignored by official clients, so it could only be observed by a user\nusing a modified client or their browser\u2019s developer tools.\n\nSigned-off-by: Anders Kaseorg ", + "b031537fe98525b22152bfa04a18734ad08c5362": "CVE-2022-31017: Fix edit event exposure in protected-history streams.\n\nWhen editing an old message in a private stream with protected\nhistory, the server would incorrectly send an API event including the\nedited message to all of the stream\u2019s current subscribers, including\nthose who should not have access to the old message. This API event is\nignored by official clients, so it could only be observed by a user\nusing a modified client or their browser\u2019s developer tools.\n\nSigned-off-by: Anders Kaseorg " + }, + "CVE-2022-29170": { + "4a5e5307435db9dd7024d4cc8b15727d27d1b772": "puppet: Upgrade Grafana to 8.5.3, for CVE-2022-29170." + }, + "CVE-2022-24751": { + "62ba8e455d8f460001d9fb486a6dabfd1ed67717": "CVE-2022-24751: Clear sessions outside of the transaction.\n\nClearing the sessions inside the transaction makes Zulip vulnerable to\na narrow window where the deleted session has not yet been committed,\nbut has been removed from the memcached cache. During this window, a\nrequest with the session-id which has just been deleted can\nsuccessfully re-fill the memcached cache, as the in-database delete is\nnot yet committed, and thus not yet visible. After the delete\ntransaction commits, the cache will be left with a cached session,\nwhich allows further site access until it expires (after\nSESSION_COOKIE_AGE seconds), is ejected from the cache due to memory\npressure, or the server is upgraded.\n\nMove the session deletion outside of the transaction.\n\nBecause the testsuite runs inside of a transaction, it is impossible\nto test this is CI; the testsuite uses the non-caching\n`django.contrib.sessions.backends.db` backend, regardless. 
The test\nadded in this commit thus does not fail before this commit; it is\nmerely a base expression that the session should be deleted somehow,\nand does not exercise the assert added in the previous commit.", + "e6eace307ef435eec3395c99247155efed9219e4": "CVE-2022-24751: Clear sessions outside of the transaction.\n\nClearing the sessions inside the transaction makes Zulip vulnerable to\na narrow window where the deleted session has not yet been committed,\nbut has been removed from the memcached cache. During this window, a\nrequest with the session-id which has just been deleted can\nsuccessfully re-fill the memcached cache, as the in-database delete is\nnot yet committed, and thus not yet visible. After the delete\ntransaction commits, the cache will be left with a cached session,\nwhich allows further site access until it expires (after\nSESSION_COOKIE_AGE seconds), is ejected from the cache due to memory\npressure, or the server is upgraded.\n\nMove the session deletion outside of the transaction.\n\nBecause the testsuite runs inside of a transaction, it is impossible\nto test this is CI; the testsuite uses the non-caching\n`django.contrib.sessions.backends.db` backend, regardless. The test\nadded in this commit thus does not fail before this commit; it is\nmerely a base expression that the session should be deleted somehow,\nand does not exercise the assert added in the previous commit." 
+ }, + "CVE-2022-23656": { + "e090027adcbf62737d5b1f83a9618a9500a49321": "CVE-2022-23656: Fix cross-site scripting vulnerability in tooltips.\n\nAn attacker could maliciously craft a full name for their account and\nsend messages to a topic with several participants; a victim who then\nopens an overflow tooltip including this full name on the recent\ntopics page could trigger execution of JavaScript code controlled by\nthe attacker.\n\nSigned-off-by: Anders Kaseorg " + }, + "CVE-2022-21706": { + "88917019f03860609114082cdc0f31a561503f9e": "CVE-2022-21706: Prevent use of multiuse invites to join other orgs.\n\nThe codepaths for joining an organization via a multi-use invitation\n(accounts_home_from_multiuse_invite and maybe_send_to_registration)\nweren't validating whether\nthe organization the invite was generated for matches the organization\nthe user attempts to join - potentially allowing an attacker with access\nto organization A to generate a multi-use invite and use it to join\norganization B within the same deployment, that they shouldn't have\naccess to.", + "7e991c8c7e59291296fecd3fa38e32d011249952": "CVE-2022-21706: Prevent use of multiuse invites to join other orgs.\n\nThe codepaths for joining an organization via a multi-use invitation\n(accounts_home_from_multiuse_invite and maybe_send_to_registration)\nweren't validating whether\nthe organization the invite was generated for matches the organization\nthe user attempts to join - potentially allowing an attacker with access\nto organization A to generate a multi-use invite and use it to join\norganization B within the same deployment, that they shouldn't have\naccess to." + }, + "CVE-2021-3967": { + "d5db254ca8167995a1654d1c45ffc74b2fade39a": "CVE-2021-3967: Only regenerate the API key by authing with the old key.", + "974c98a45ac78dc8cd9e6b5cefe4d7e32fcdf981": "CVE-2021-3967: Only regenerate the API key by authing with the old key." 
+ }, + "CVE-2021-43799": { + "a5496f4098e3998c9b84e8dc564aa983d6cdf6e8": "CVE-2021-43799: Set a secure Erlang cookie.\n\nThe RabbitMQ docs state ([1]):\n\n RabbitMQ nodes and CLI tools (e.g. rabbitmqctl) use a cookie to\n determine whether they are allowed to communicate with each\n other. [...] The cookie is just a string of alphanumeric\n characters up to 255 characters in size. It is usually stored in a\n local file.\n\n...and goes on to state (emphasis ours):\n\n If the file does not exist, Erlang VM will try to create one with\n a randomly generated value when the RabbitMQ server starts\n up. Using such generated cookie files are **appropriate in\n development environments only.**\n\nThe auto-generated cookie does not use cryptographic sources of\nrandomness, and generates 20 characters of `[A-Z]`. Because of a\nsemi-predictable seed, the entropy of this password is thus less than\nthe idealized 26^20 = 94 bits of entropy; in actuality, it is 36 bits\nof entropy, or potentially as low as 20 if the performance of the\nserver is known.\n\nThese sizes are well within the scope of remote brute-force attacks.\n\nOn provision, install, and upgrade, replace the default insecure\n20-character Erlang cookie with a cryptographically secure\n255-character string (the max length allowed).\n\n[1] https://www.rabbitmq.com/clustering.html#erlang-cookie", + "e70588385712e6693a5ebebbdf149205e9f8f842": "CVE-2021-43799: During upgrades, restart rabbitmq if necessary.\n\nCheck if it is listening on a public interface on port 25672, and if\nso shut it down so it can pick up the new configuration.", + "a46f6df91e65ebe9e01237c6777a24459c49cb37": "CVE-2021-43799: Write rabbitmq configuration before starting.\n\nZulip writes a `rabbitmq.config` configuration file which locks down\nRabbitMQ to listen only on localhost:5672, as well as the RabbitMQ\ndistribution port, on localhost:25672.\n\nThe \"distribution port\" is part of Erlang's clustering configuration;\nwhile it is documented 
that the protocol is fundamentally\ninsecure ([1], [2]) and can result in remote arbitrary execution of\ncode, by default the RabbitMQ configuration on Debian and Ubuntu\nleaves it publicly accessible, with weak credentials.\n\nThe configuration file that Zulip writes, while effective, is only\nwritten _after_ the package has been installed and the service\nstarted, which leaves the port exposed until RabbitMQ or system\nrestart.\n\nEnsure that rabbitmq's `/etc/rabbitmq/rabbitmq.config` is written\nbefore rabbitmq is installed or starts, and that changes to that file\ntrigger a restart of the service, such that the ports are only ever\nbound to localhost. This does not mitigate existing installs, since\nit does not force a rabbitmq restart.\n\n[1] https://www.erlang.org/doc/apps/erts/erl_dist_protocol.html\n[2] https://www.erlang.org/doc/reference_manual/distributed.html#distributed-erlang-system", + "c27324927e95f0f3ecdcec9c6b6e4d795475d538": "CVE-2021-43799: Set a secure Erlang cookie.\n\nThe RabbitMQ docs state ([1]):\n\n RabbitMQ nodes and CLI tools (e.g. rabbitmqctl) use a cookie to\n determine whether they are allowed to communicate with each\n other. [...] The cookie is just a string of alphanumeric\n characters up to 255 characters in size. It is usually stored in a\n local file.\n\n...and goes on to state (emphasis ours):\n\n If the file does not exist, Erlang VM will try to create one with\n a randomly generated value when the RabbitMQ server starts\n up. Using such generated cookie files are **appropriate in\n development environments only.**\n\nThe auto-generated cookie does not use cryptographic sources of\nrandomness, and generates 20 characters of `[A-Z]`. 
Because of a\nsemi-predictable seed, the entropy of this password is thus less than\nthe idealized 26^20 = 94 bits of entropy; in actuality, it is 36 bits\nof entropy, or potentially as low as 20 if the performance of the\nserver is known.\n\nThese sizes are well within the scope of remote brute-force attacks.\n\nOn provision, install, and upgrade, replace the default insecure\n20-character Erlang cookie with a cryptographically secure\n255-character string (the max length allowed).\n\n[1] https://www.rabbitmq.com/clustering.html#erlang-cookie", + "36cebad4c0df355c245821b72c5bfe7b0b095087": "CVE-2021-43799: During upgrades, restart rabbitmq if necessary.\n\nCheck if it is listening on a public interface on port 25672, and if\nso shut it down so it can pick up the new configuration.", + "134a8d43014ad96a5d7f11170046abb5b99dc0a1": "CVE-2021-43799: Write rabbitmq configuration before starting.\n\nZulip writes a `rabbitmq.config` configuration file which locks down\nRabbitMQ to listen only on localhost:5672, as well as the RabbitMQ\ndistribution port, on localhost:25672.\n\nThe \"distribution port\" is part of Erlang's clustering configuration;\nwhile it is documented that the protocol is fundamentally\ninsecure ([1], [2]) and can result in remote arbitrary execution of\ncode, by default the RabbitMQ configuration on Debian and Ubuntu\nleaves it publicly accessible, with weak credentials.\n\nThe configuration file that Zulip writes, while effective, is only\nwritten _after_ the package has been installed and the service\nstarted, which leaves the port exposed until RabbitMQ or system\nrestart.\n\nEnsure that rabbitmq's `/etc/rabbitmq/rabbitmq.config` is written\nbefore rabbitmq is installed or starts, and that changes to that file\ntrigger a restart of the service, such that the ports are only ever\nbound to localhost. 
This does not mitigate existing installs, since\nit does not force a rabbitmq restart.\n\n[1] https://www.erlang.org/doc/apps/erts/erl_dist_protocol.html\n[2] https://www.erlang.org/doc/reference_manual/distributed.html#distributed-erlang-system" + }, + "CVE-2021-3853": { + "3eb2791c3e9695f7d37ffe84e0c2184fae665cb6": "CVE-2021-3853: Fix HTML escaping in recipient_row.\n\nCommit 44f935695d452cc3fb16845a0c6af710438b153d (#20462) incorrectly\nadded these extra braces while intending to add whitespace control.\nThis triple-brace syntax was asking Handlebars to skip escaping the\nstring.\n\nSigned-off-by: Anders Kaseorg " + }, + "CVE-2021-43813": { + "e4b23daad7601d0c7efc4c59cf68675914228e61": "puppet: Upgrade to Grafana 8.3.2, for CVE-2021-43813." + }, + "CVE-2021-43798": { + "3eae429ab4b573c7712e86687d03f00a4cad755b": "puppet: Upgrade Grafana to 8.3.1, for CVE-2021-43798." + }, + "CVE-2021-43791": { + "a014ef75a3a0ed7f24ebb157632ba58751e732c6": "CVE-2021-43791: Validate confirmation keys in /accounts/register/ codepath.\n\nA confirmation link takes a user to the check_prereg_key_and_redirect\nendpoint, before getting redirected to POST to /accounts/register/. The\nproblem was that validation was happening in the check_prereg_key_and_redirect\npart and not in /accounts/register/ - meaning that one could submit an\nexpired confirmation key and be able to register.\n\nWe fix this by moving validation into /accouts/register/.", + "551b38716479ccfc4e6a833e609c12a7bbef46de": "CVE-2021-43791: Validate confirmation keys in /accounts/register/ codepath.\n\nA confirmation link takes a user to the check_prereg_key_and_redirect\nendpoint, before getting redirected to POST to /accounts/register/. The\nproblem was that validation was happening in the check_prereg_key_and_redirect\npart and not in /accounts/register/ - meaning that one could submit an\nexpired confirmation key and be able to register.\n\nWe fix this by moving validation into /accouts/register/." 
+ }, + "CVE-2021-41115": { + "db934be0646e3002287c72ba2154a904a4dc42b5": "CVE-2021-41115: Use re2 for user-supplied linkifier patterns.\n\nZulip attempts to validate that the regular expressions that admins\nenter for linkifiers are well-formatted, and only contain a specific\nsubset of regex grammar. The process of checking these\nproperties (via a regex!) can cause denial-of-service via\nbacktracking.\n\nFurthermore, this validation itself does not prevent the creation of\nlinkifiers which themselves cause denial-of-service when they are\nexecuted. As the validator accepts literally anything inside of a\n`(?P...)` block, any quadratic backtracking expression can be\nhidden therein.\n\nSwitch user-provided linkifier patterns to be matched in the Markdown\nprocessor by the `re2` library, which is guaranteed constant-time.\nThis somewhat limits the possible features of the regular\nexpression (notably, look-head and -behind, and back-references);\nhowever, these features had never been advertised as working in the\ncontext of linkifiers.\n\nA migration removes any existing linkifiers which would not function\nunder re2, after printing them for posterity during the upgrade; they\nare unlikely to be common, and are impossible to fix automatically.\n\nThe denial-of-service in the linkifier validator was discovered by\n@erik-krogh and @yoff, as GHSL-2021-118.", + "e2d303c1bb5f538d17dc3d9134bc8858bdece781": "CVE-2021-41115: Use re2 for user-supplied linkifier patterns.\n\nZulip attempts to validate that the regular expressions that admins\nenter for linkifiers are well-formatted, and only contain a specific\nsubset of regex grammar. The process of checking these\nproperties (via a regex!) can cause denial-of-service via\nbacktracking.\n\nFurthermore, this validation itself does not prevent the creation of\nlinkifiers which themselves cause denial-of-service when they are\nexecuted. 
As the validator accepts literally anything inside of a\n`(?P...)` block, any quadratic backtracking expression can be\nhidden therein.\n\nSwitch user-provided linkifier patterns to be matched in the Markdown\nprocessor by the `re2` library, which is guaranteed constant-time.\nThis somewhat limits the possible features of the regular\nexpression (notably, look-head and -behind, and back-references);\nhowever, these features had never been advertised as working in the\ncontext of linkifiers.\n\nA migration removes any existing linkifiers which would not function\nunder re2, after printing them for posterity during the upgrade; they\nare unlikely to be common, and are impossible to fix automatically.\n\nThe denial-of-service in the linkifier validator was discovered by\n@erik-krogh and @yoff, as GHSL-2021-118." + }, + "CVE-2021-30487": { + "3ba8348c51f09d823096228fae223bffc054efd5": "CVE-2021-30487: Prevent admins from moving topics to disallowed streams.\n\nA bug in the implementation of the topic moving API resulted in\norganization administrators being able to move messages to streams they\nshouldn't be allowed to - private streams they weren't subscribed to and\nstreams in other organization hosted by the same Zulip installation.\n\nIn our current model realm admins can't send messages to private streams\nthey're not subscribed to - and being able move messages to a\nstream effectively allows to send messages to that stream and thus the\ntwo need to be consistent.", + "0101877f95d2ff542ec5fb6e07b60a090faa2d52": "CVE-2021-30487: Prevent admins from moving topics to disallowed streams.\n\nA bug in the implementation of the topic moving API resulted in\norganization administrators being able to move messages to streams\nin other organization hosted by the same Zulip installation." 
+ }, + "CVE-2021-30479": { + "140655d69e1dd7fa6c6a242a19740106d18ebdf5": "CVE-2021-30479: Prevent guest user access to all_public_streams API.\n\nA bug in the implementation of the all_public_streams API feature\nresulted in guest users being able to receive message traffic to public\nstreams that should have been only accessible to members of the\norganization.", + "3215f70f4cd1876078a67001996451f2d16bb609": "CVE-2021-30479: Prevent guest user access to all_public_streams API.\n\nA bug in the implementation of the all_public_streams API feature\nresulted in guest users being able to receive message traffic to public\nstreams that should have been only accessible to members of the\norganization." + }, + "CVE-2021-30478": { + "6e11754642a59d83d7a575b78e6c3e988d3b6c93": "CVE-2021-30478: Prevent API super users from forging messages to other organizations.\n\nA bug in the implementation of the can_forge_sender permission\n(previously is_api_super_user) resulted in users with this permission\nbeing able to send messages appearing as if sent by a system bots,\nincluding to other organizations hosted by the same Zulip installation.\n\n- The send message API had a bug allowing an api super user to\n use forging to send messages to other realms' streams, as a\n cross-realm bot. We fix this most directly by eliminating the\n realm_str parameter - it is not necessary for any valid current use\n case. The email gateway doesn't use this API despite the comment in\n that block suggesting otherwise.\n- The conditionals inside access_stream_for_send_message are changed up\n to improve security. 
They were generally not ordered very well,\n allowing the function to successfully return due to very weak\n acceptance conditions - skipping the higher importance checks that\n should lead to raising an error.\n- The query count in test_subs is decreased because\n access_stream_for_send_message returns earlier when doing its check\n for a cross-realm bot sender - some subscription checking queries are\n skipped.\n- A linkifier test in test_message_dict needs to be changed. It didn't\n make much sense in the first place, because it was creating a message\n by a normal user, to a stream outside of the user's realm. That\n shouldn't even be allowed.", + "a771f4ef22a1e53988a35d166bf5cb30e5891775": "CVE-2021-30478: Prevent API super users from forging messages to other organizations.\n\nA bug in the implementation of the can_forge_sender permission\n(previously is_api_super_user) resulted in users with this permission\nbeing able to send messages appearing as if sent by a system bots,\nincluding to other organizations hosted by the same Zulip installation.\n\n- The send message API had a bug allowing an api super user to\n use forging to send messages to other realms' streams, as a\n cross-realm bot. We fix this most directly by eliminating the\n realm_str parameter - it is not necessary for any valid current use\n case. The email gateway doesn't use this API despite the comment in\n that block suggesting otherwise.\n- The conditionals inside access_stream_for_send_message are changed up\n to improve security. 
They were generally not ordered very well,\n allowing the function to successfully return due to very weak\n acceptance conditions - skipping the higher importance checks that\n should lead to raising an error.\n- The query count in test_subs is decreased because\n access_stream_for_send_message returns earlier when doing its check\n for a cross-realm bot sender - some subscription checking queries are\n skipped.\n- A linkifier test in test_message_dict needs to be changed. It didn't\n make much sense in the first place, because it was creating a message\n by a normal user, to a stream outside of the user's realm. That\n shouldn't even be allowed." + }, + "CVE-2021-30477": { + "4235be759db5e0678ceac88ec19f2b8f8482214a": "CVE-2021-30477: Prevent outgoing webhook bots from sending arbitrary messages to any stream.\n\nA bug in the implementation of replies to messages sent by outgoing\nwebhooks to private streams meant that an outgoing webhook bot could be\nused to send messages to private streams that the user was not intended\nto be able to send messages to.\n\nCompletely skipping stream access check in check_message whenever the\nsender is an outgoing webhook bot is insecure, as it might allow someone\nwith access to the bot's API key to send arbitrary messages to all\nstreams in the organization. The check is only meant to be bypassed in\nsend_response_message, where the stream message is only being sent\nbecause someone mentioned the bot in that stream (and thus the bot\nposting there is the desired outcome). 
We get much better control over\nwhat's going by passing an explicit argument to check_message when\nskipping the access check is desirable.", + "ba403e0bffa6899c5527f139ef03e7ea5c829087": "CVE-2021-30477: Prevent outgoing webhook bots from sending arbitrary messages to any stream.\n\nA bug in the implementation of replies to messages sent by outgoing\nwebhooks to private streams meant that an outgoing webhook bot could be\nused to send messages to private streams that the user was not intended\nto be able to send messages to.\n\nCompletely skipping stream access check in check_message whenever the\nsender is an outgoing webhook bot is insecure, as it might allow someone\nwith access to the bot's API key to send arbitrary messages to all\nstreams in the organization. The check is only meant to be bypassed in\nsend_response_message, where the stream message is only being sent\nbecause someone mentioned the bot in that stream (and thus the bot\nposting there is the desired outcome). We get much better control over\nwhat's going by passing an explicit argument to check_message when\nskipping the access check is desirable." 
+ }, + "CVE-2020-15070": { + "47913fb091794830c54eac2927e26bce92cfced1": "CVE-2020-15070: Replace eval with ast.literal_eval.\n\nThis eval function performs the inverse of the implicit\nstringification that\u2019s implied by this type-incorrect assignment in\ndo_update_user_custom_profile_data_if_changed:\n\nfield_value.value = field['value']\n\nWe believe there\u2019s sufficient validation for the data being passed to\nthis eval that it could only have been exploited by a PostgreSQL\nadministrator editing the database manually.\n\nSigned-off-by: Anders Kaseorg ", + "bd55825ab86557458a1dbbfbdb02e36a0e66ac4d": "CVE-2020-15070: Replace eval with ast.literal_eval.\n\nThis eval function performs the inverse of the implicit\nstringification that\u2019s implied by this type-incorrect assignment in\ndo_update_user_custom_profile_data_if_changed:\n\nfield_value.value = field['value']\n\nWe believe there\u2019s sufficient validation for the data being passed to\nthis eval that it could only have been exploited by a PostgreSQL\nadministrator editing the database manually.\n\nSigned-off-by: Anders Kaseorg " + }, + "CVE-2020-14194": { + "a2767e8c50063a9ef308a9526bb732e638c3480d": "CVE-2020-14194: Use noopener/noreferrer for external links.\n\nWe fixed the main issue of this form in CVE-2020-9444, but the audit\ndone at that time only included links found in rendered_markdown; this\nchange completes our audit for links with target=_blank anywhere in\nthe codebase.", + "6d0c39fd7e9db860b47585d87b8072d6117b197f": "CVE-2020-14194: Use noopener/noreferrer for external links.\n\nWe fixed the main issue of this form in CVE-2020-9444, but the audit\ndone at that time only included links found in rendered_markdown; this\nchange completes our audit for links with target=_blank anywhere in\nthe codebase." 
+ }, + "CVE-2020-9444": { + "a2767e8c50063a9ef308a9526bb732e638c3480d": "CVE-2020-14194: Use noopener/noreferrer for external links.\n\nWe fixed the main issue of this form in CVE-2020-9444, but the audit\ndone at that time only included links found in rendered_markdown; this\nchange completes our audit for links with target=_blank anywhere in\nthe codebase.", + "6d0c39fd7e9db860b47585d87b8072d6117b197f": "CVE-2020-14194: Use noopener/noreferrer for external links.\n\nWe fixed the main issue of this form in CVE-2020-9444, but the audit\ndone at that time only included links found in rendered_markdown; this\nchange completes our audit for links with target=_blank anywhere in\nthe codebase.", + "68cfcd6446bc44eda37456f0d788235f39c3af9e": "CVE-2020-9444: Prevent reverse tabnabbing attacks.\n\nWhile we could fix this issue by changing the markdown processor,\ndoing so is not a robust solution, because even a momentary bug in the\nmarkdown processor could allow cached messages that do not follow our\nsecurity policy.\n\nThis change ensures that even if our markdown processor has bugs that\nresult in rendered content that does not properly follow our policy of\nusing rel=\"noopener noreferrer\" on links, we'll still do something\nreasonable.\n\nCo-authored-by: Tim Abbott \nSigned-off-by: Anders Kaseorg ", + "c9796ba7f7632bf06d3391c3bfde27304b6ae12a": "CVE-2020-9444: Prevent reverse tabnabbing attacks.\n\nWhile we could fix this issue by changing the markdown processor,\ndoing so is not a robust solution, because even a momentary bug in the\nmarkdown processor could allow cached messages that do not follow our\nsecurity policy.\n\nThis change ensures that even if our markdown processor has bugs that\nresult in rendered content that does not properly follow our policy of\nusing rel=\"noopener noreferrer\" on links, we'll still do something\nreasonable.\n\nCo-authored-by: Tim Abbott \nSigned-off-by: Anders Kaseorg " + }, + "CVE-2020-14215": { + 
"9f4905d7e3f42002209d8ce46435d3b9447de588": "CVE-2020-14215: Add migration to clear INVITED_AS_REALM_ADMIN.\n\nThis migration fixes any PreregistrationUser objects that might have\nbeen already corrupted to have the administrator role by the buggy\noriginal version of migration 0198_preregistrationuser_invited_as.\n\nSince invitations that create new users as administrators are rare, it\nis cleaner to just remove the role from all PreregistrationUser\nobjects than to filter for just those older invitation objects that\ncould have been corrupted by the original migration.", + "3f55bfc53b911b309b254849a1fb75671e9e5b58": "CVE-2020-14215: Fix migration 0198_preregistrationuser_invited_as.\n\nThis migration incorrectly swapped the role associated with invitation\nobjects between members and organization administrators, resulting in\nmost invitation objects that existed before the upgrade to Zulip\n2.0.0-rc1 or later to be incorrectly administrator invitations.\n\nFixing the migration is safe and will help those installations\nupgrading directly from 1.9.x to 2.1.5 or later.\n\nA migration to fix the corrupted records will appear in an upcoming\ncommit.", + "8d2d64c10006801b35f287e92e69da01d0b447cd": "CVE-2020-14215: Fix validation in PreregistrationUser queries.\n\nThe most import change here is the one in maybe_send_to_registration\ncodepath, as the insufficient validation there could lead to fetching\nan expired PreregistrationUser that was invited as an administrator\nadmin even years ago, leading to this registration ending up in the\nnew user being a realm administrator.\n\nCombined with the buggy migration in\n0198_preregistrationuser_invited_as.py, this led to users incorrectly\njoining as organizations administrators by accident. 
But even without\nthat bug, this issue could have allowed a user who was invited as an\nadministrator but then had that invitation expire and then joined via\nsocial authentication incorrectly join as an organization administrator.\n\nThe second change is in ConfirmationEmailWorker, where this wasn't a\nsecurity problem, but if the server was stopped for long enough, with\nsome invites to send out email for in the queue, then after starting it\nup again, the queue worker would send out emails for invites that\nhad already expired.", + "c21c8dcd95fa87221a6d818550fd76e7e770cf2e": "CVE-2020-14215: Add migration to clear INVITED_AS_REALM_ADMIN.\n\nThis migration fixes any PreregistrationUser objects that might have\nbeen already corrupted to have the administrator role by the buggy\noriginal version of migration 0198_preregistrationuser_invited_as.\n\nSince invitations that create new users as administrators are rare, it\nis cleaner to just remove the role from all PreregistrationUser\nobjects than to filter for just those older invitation objects that\ncould have been corrupted by the original migration.", + "82d2960ad1d15d4f50f7ec4e684845371d7681d1": "CVE-2020-14215: Fix migration 0198_preregistrationuser_invited_as.\n\nThis migration incorrectly swapped the role associated with invitation\nobjects between members and organization administrators, resulting in\nmost invitation objects that existed before the upgrade to Zulip\n2.0.0-rc1 or later to be incorrectly administrator invitations.\n\nFixing the migration is safe and will help those installations\nupgrading directly from 1.9.x to 2.1.5 or later.\n\nA migration to fix the corrupted records will appear in an upcoming\ncommit.", + "fa07539016754200890df9fa791d9d0ea3e31c6b": "CVE-2020-14215: Fix validation in PreregistrationUser queries.\n\nThe most import change here is the one in maybe_send_to_registration\ncodepath, as the insufficient validation there could lead to fetching\nan expired PreregistrationUser that 
was invited as an administrator\nadmin even years ago, leading to this registration ending up in the\nnew user being a realm administrator.\n\nCombined with the buggy migration in\n0198_preregistrationuser_invited_as.py, this led to users incorrectly\njoining as organizations administrators by accident. But even without\nthat bug, this issue could have allowed a user who was invited as an\nadministrator but then had that invitation expire and then joined via\nsocial authentication incorrectly join as an organization administrator.\n\nThe second change is in ConfirmationEmailWorker, where this wasn't a\nsecurity problem, but if the server was stopped for long enough, with\nsome invites to send out email for in the queue, then after starting it\nup again, the queue worker would send out emails for invites that\nhad already expired.\n\nBackported to the 2.1.x series by tabbott." + }, + "CVE-2020-12759": { + "83380b42969a4a42f3a90d3be00bf39e6d6f6e23": "CVE-2020-12759: Fix reflected XSS vulnerability in Dropbox webhook.\n\nAlso check the challenge argument\u2019s presence before using it.\n\nSigned-off-by: Anders Kaseorg ", + "87f7874a79abe5be70a7a67258da957c4efe0bda": "CVE-2020-12759: Fix reflected XSS vulnerability in Dropbox webhook.\n\nAlso check the challenge argument\u2019s presence before using it.\n\nSigned-off-by: Anders Kaseorg " + }, + "CVE-2020-10935": { + "2d4530854673d78d2212ec91523135452dbd75fb": "CVE-2020-10935: Fix XSS vulnerability in local link rewriting.\n\nMake sure rewrite_local_links_to_relative does not accidentally change\nthe meaning of links.\n\nSigned-off-by: Anders Kaseorg ", + "64856d858e2afcc028d368d58c442757ac28ee51": "CVE-2020-10935: Fix XSS vulnerability in local link rewriting.\n\nMake sure rewrite_local_links_to_relative does not accidentally change\nthe meaning of links.\n\nSigned-off-by: Anders Kaseorg " + }, + "CVE-2020-9445": { + "e3a4aeeffa17d6e001586d11f8c714f9c690e1b1": "CVE-2020-9445: Remove unused and insecure modal_link 
feature.\n\nZulip's modal_link markdown feature has not been used since 2017; it\nwas a hack used for a 2013-era tutorial feature and was never used\noutside that use case.\n\nUnfortunately, it's sloppy implementation was exposed in the markdown\nprocessor for all users, not just the tutorial use case.\n\nMore importantly, it was buggy, in that it did not validate the link\nusing the standard validation approach used by our other code\ninteracting with links.\n\nThe right solution is simply to remove it.", + "b21117954d439472cd57d663f9b886ab873a24ec": "CVE-2020-9445: Remove unused and insecure modal_link feature.\n\nZulip's modal_link markdown feature has not been used since 2017; it\nwas a hack used for a 2013-era tutorial feature and was never used\noutside that use case.\n\nUnfortunately, it's sloppy implementation was exposed in the markdown\nprocessor for all users, not just the tutorial use case.\n\nMore importantly, it was buggy, in that it did not validate the link\nusing the standard validation approach used by our other code\ninteracting with links.\n\nThe right solution is simply to remove it." 
+ },
+ "CVE-2019-19775": {
+ "319e2231b8db60100a70d8fc0fbc1e5621d8d0cb": "thumbnail: Tighten fix for CVE-2019-19775 open redirect.\n\nDue to a known but unfixed bug in the Python standard library\u2019s\nurllib.parse module (CVE-2015-2104), a crafted URL could bypass the\nvalidation in the previous patch and still achieve an open redirect.\n\nhttps://bugs.python.org/issue23505\n\nSwitch to using django.utils.http.is_safe_url, which already contains\na workaround for this bug.\n\nSigned-off-by: Anders Kaseorg ",
+ "87d60a1fff48dd4997e5e281fd7cc9ad2896ed44": "thumbnail: Tighten fix for CVE-2019-19775 open redirect.\n\nDue to a known but unfixed bug in the Python standard library\u2019s\nurllib.parse module (CVE-2015-2104), a crafted URL could bypass the\nvalidation in the previous patch and still achieve an open redirect.\n\nhttps://bugs.python.org/issue23505\n\nSwitch to using django.utils.http.is_safe_url, which already contains\na workaround for this bug.\n\nSigned-off-by: Anders Kaseorg ",
+ "8e37862b693799e69a4bb690cb36d98d0b6c8790": "CVE-2019-19775: Close open redirect in thumbnail view.\n\nThis closes an open redirect vulnerability, one case of which was\nfound by Graham Bleaney and Ibrahim Mohamed using Pysa.\n\nSigned-off-by: Anders Kaseorg ",
+ "b7c87a4d82397a5e6ac169b6098bed0b1ae7a583": "CVE-2019-19775: Close open redirect in thumbnail view.\n\nThis closes an open redirect vulnerability, one case of which was\nfound by Graham Bleaney and Ibrahim Mohamed using Pysa.\n\nSigned-off-by: Anders Kaseorg "
+ },
+ "CVE-2015-2104": {
+ "319e2231b8db60100a70d8fc0fbc1e5621d8d0cb": "thumbnail: Tighten fix for CVE-2019-19775 open redirect.\n\nDue to a known but unfixed bug in the Python standard library\u2019s\nurllib.parse module (CVE-2015-2104), a crafted URL could bypass the\nvalidation in the previous patch and still achieve an open redirect.\n\nhttps://bugs.python.org/issue23505\n\nSwitch to using django.utils.http.is_safe_url, which already contains\na workaround for this bug.\n\nSigned-off-by: Anders Kaseorg ",
+ "87d60a1fff48dd4997e5e281fd7cc9ad2896ed44": "thumbnail: Tighten fix for CVE-2019-19775 open redirect.\n\nDue to a known but unfixed bug in the Python standard library\u2019s\nurllib.parse module (CVE-2015-2104), a crafted URL could bypass the\nvalidation in the previous patch and still achieve an open redirect.\n\nhttps://bugs.python.org/issue23505\n\nSwitch to using django.utils.http.is_safe_url, which already contains\na workaround for this bug.\n\nSigned-off-by: Anders Kaseorg "
+ },
+ "CVE-2019-18933": {
+ "0c2cc41d2e40807baa5ee2c72987ebfb64ea2eb6": "CVE-2019-18933: Fix insecure account creation via social authentication.\n\nA bug in Zulip's new user signup process meant that users who\nregistered their account using social authentication (e.g. GitHub or\nGoogle SSO) in an organization that also allows password\nauthentication could have their personal API key stolen by an\nunprivileged attacker, allowing nearly full access to the user's\naccount.\n\nZulip versions between 1.7.0 and 2.0.6 were affected.\n\nThis commit fixes the original bug and also contains a database\nmigration to fix any users with corrupt `password` fields in the\ndatabase as a result of the bug.\n\nOut of an abundance of caution (and to protect the users of any\ninstallations that delay applying this commit), the migration also\nresets the API keys of any users where Zulip's logs cannot prove the\nuser's API key was not previously stolen via this bug. Resetting\nthose API keys will be inconvenient for users:\n\n* Users of the Zulip mobile and terminal apps whose API keys are reset\n will be logged out and need to login again.\n* Users using their personal API keys for any other reason will need\n to re-fetch their personal API key.\n\nWe discovered this bug internally and don't believe it was disclosed\nprior to our publishing it through this commit. Because the algorithm\nfor determining which users might have been affected is very\nconservative, many users who were never at risk will have their API\nkeys reset by this migration.\n\nTo avoid this on self-hosted installations that have always used\ne.g. LDAP authentication, we skip resetting API keys on installations\nthat don't have password authentication enabled. System\nadministrators on installations that used to have email authentication\nenabled, but no longer do, should temporarily enable EmailAuthBackend\nbefore applying this migration.\n\nThe migration also records which users had their passwords or API keys\nreset in the usual RealmAuditLog table.",
+ "1cdec46aa95dc4b9ea75e9092ef0cfb98809672f": "CVE-2019-18933: Fix insecure account creation via social authentication.\n\nBackported for 2.0.7 security release.\n\nA bug in Zulip's new user signup process meant that users who\nregistered their account using social authentication (e.g. GitHub or\nGoogle SSO) in an organization that also allows password\nauthentication could have their personal API key stolen by an\nunprivileged attacker, allowing nearly full access to the user's\naccount.\n\nZulip versions between 1.7.0 and 2.0.6 were affected.\n\nThis commit fixes the original bug and also contains a database\nmigration to fix any users with corrupt `password` fields in the\ndatabase as a result of the bug.\n\nOut of an abundance of caution (and to protect the users of any\ninstallations that delay applying this commit), the migration also\nresets the API keys of any users where Zulip's logs cannot prove the\nuser's API key was not previously stolen via this bug. Resetting\nthose API keys will be inconvenient for users:\n\n* Users of the Zulip mobile and terminal apps whose API keys are reset\n will be logged out and need to login again.\n* Users using their personal API keys for any other reason will need\n to re-fetch their personal API key.\n\nWe discovered this bug internally and don't believe it was disclosed\nprior to our publishing it through this commit. Because the algorithm\nfor determining which users might have been affected is very\nconservative, many users who were never at risk will have their API\nkeys reset by this migration.\n\nTo avoid this on self-hosted installations that have always used\ne.g. LDAP authentication, we skip resetting API keys on installations\nthat don't have password authentication enabled. System\nadministrators on installations that used to have email authentication\nenabled, but no longer do, should temporarily enable EmailAuthBackend\nbefore applying this migration.\n\nThe migration also records which users had their passwords or API keys\nreset in the usual RealmAuditLog table."
+ },
+ "CVE-2019-16215": {
+ "5797f013b3be450c146a4141514bda525f2f1b51": "CVE-2019-16215: Fix DoS vulnerability in Markdown LINK_RE.\n\nAny regex including a match-everything subpattern (.*, .*?, .+, or\n.+?) is almost automatically wrong because it fails to disambiguate\nwhen one subpattern should end and another should begin. Among other\nbugs, these kind of regexes tend to be especially prone to denial of\nservice vulnerabilities through catastrophic backtracking on strings\nthat fail to match in a large (in this case, exponential) number of\nways.\n\nLacking a specification to say what characters should actually be\nallowed in these subpatterns (this syntax is too different from\nCommonMark to be able to precisely apply those rules), I\u2019ve tried to\nmake reasonable guesses and avoid changing much else.\n\nBecause Zulip doesn't store messages until they have successfully been\nprocessed by the Markdown processor, this is not a stored DoS issue.\n\nIn general, Zulip protects against the broad category of DoS issues in\nMarkdown rendering via a timeout managed by another thread. However,\ndetails of Python's regular expression implementation mean that this\nparticular issue could prevent the timeout thread from being\nscheduled, resulting in this being a DoS issue.\n\nThis was fixed in master a few months ago as a side effect of\nabe2dab88ca96786bb32dea6caab873819b8c482 (#12979).\n\nSigned-off-by: Anders Kaseorg "
+ },
+ "CVE-2019-16216": {
+ "1195841dfb9aa26b3b0dabc6f05d72e4af25be3e": "CVE-2019-16216: Fix MIME type validation.\n\n* Whitelist a small number of image/ types to be served as\n non-attachments.\n* Serve the file using the type that we validated rather than relying\n on an independent guess to match.\n\nThis issue can lead to a stored XSS security vulnerability for older\nbrowsers that don't support Content-Security-Policy.\n\nIt primarily affects servers using Zulip's local file uploads backend\nfor servers running Ubuntu 16.04 Xenial or newer; the legacy local\nfile upload backend for (now EOL) Ubuntu 14.04 Trusty was not affected\nand it has limited impact for the S3 upload backend (which uses an\nunprivileged S3 bucket domain to serve files).\n\nThis was fixed in master via 780ecb672b9324ba879056240089e14539cda6e4.\n\nSigned-off-by: Anders Kaseorg ",
+ "780ecb672b9324ba879056240089e14539cda6e4": "CVE-2019-16216: Fix MIME type validation.\n\n* Whitelist a small number of image/ types to be served as\n non-attachments.\n* Serve the file using the type that we validated rather than relying\n on an independent guess to match.\n\nThis issue can lead to a stored XSS security vulnerability for older\nbrowsers that don't support Content-Security-Policy.\n\nIt primarily affects servers using Zulip's local file uploads backend\nfor servers running Ubuntu 16.04 Xenial or newer; the legacy local\nfile upload backend for (now EOL) Ubuntu 14.04 Trusty was not affected\nand it has limited impact for the S3 upload backend (which uses an\nunprivileged S3 bucket domain to serve files).\n\nSigned-off-by: Anders Kaseorg "
+ },
+ "CVE-2018-9990": {
+ "65b9d9e0f32fbaad722435726ec3b4afae14f8a7": "CVE-2018-9990: Fix XSS issue with stream names in topic typeahead.\n\nZulip's search typeahead had a security bug, where when autocompleting\na specially crafted stream name, and then hitting space, code within\nthe stream name would be executed.\n\nZulip was doing HTML escaping correctly in the main code path using\nFilter.describe to describe a narrow, but the escaping function was\nnot called in a few parallel code paths. We fix this in a way that\nshould protect all of these code paths, by making Filter.describe\nreturn properly escaped HTML, rather than depending on its callers to\ndo so.\n\nThanks to w2w for reporting this issue.",
+ "ba528f9345a7c2891a0cbc52a8e103661fc2a870": "CVE-2018-9990: Fix XSS issue with stream names in topic typeahead.\n\nZulip's search typeahead had a security bug, where when autocompleting\na specially crafted stream name, and then hitting space, code within\nthe stream name would be executed.\n\nZulip was doing HTML escaping correctly in the main code path using\nFilter.describe to describe a narrow, but the escaping function was\nnot called in a few parallel code paths. We fix this in a way that\nshould protect all of these code paths, by making Filter.describe\nreturn properly escaped HTML, rather than depending on its callers to\ndo so.\n\nThanks to w2w for reporting this issue."
+ },
+ "CVE-2018-9986": {
+ "3bdc8bbaa51ced2c241da6107ec8b3604ebb2853": "CVE-2018-9986: Fix XSS issues with frontend markdown processor.\n\nThis fixes a set of XSS issues with Zulip's frontend markdown\nprocessor, which is used in a limited set of contexts, such as local\necho of messages and the drafts feature.\n\nThe implementation of several syntax elements, including the \nsyntax, user and stream mentions, and some others failed to properly\nescape the content inside the syntax.\n\nFix this, and add tests for each corrected code path.\n\nThanks to w2w for reporting this issue.",
+ "4192276aa3f07d75143583441bbea448fbf38c13": "CVE-2018-9986: Fix XSS issues with frontend markdown processor.\n\nThis fixes a set of XSS issues with Zulip's frontend markdown\nprocessor, which is used in a limited set of contexts, such as local\necho of messages and the drafts feature.\n\nThe implementation of several syntax elements, including the \nsyntax, user and stream mentions, and some others failed to properly\nescape the content inside the syntax.\n\nFix this, and add tests for each corrected code path.\n\nThanks to w2w for reporting this issue."
+ },
+ "CVE-2018-9987": {
+ "1207a08b36c7696397855ef7fd6ae6cff2c8c4be": "CVE-2018-9987: Fix XSS issue with muting notifications.\n\nThis fixes an XSS issue with Zulip's muting UI, where if a stream or\ntopic name contained malicious HTML containing JavaScript, and the\nuser did a muting interaction, the malicious JavaScript could run when\nrendering the \"you just muted a topic\" notification.\n\nWe did an audit for similarly problematic use of `.html`, and found\nnone; for the next release we'll be merging a series of changes to our\nlinter to prevent future instances of this being added.\n\nThanks to Suhas Sunil Gaikwad for reporting this issue.",
+ "f055a7d133ed6a4060485b4abea295210fbe1af0": "CVE-2018-9987: Fix XSS issue with muting notifications.\n\nThis fixes an XSS issue with Zulip's muting UI, where if a stream or\ntopic name contained malicious HTML containing JavaScript, and the\nuser did a muting interaction, the malicious JavaScript could run when\nrendering the \"you just muted a topic\" notification.\n\nWe did an audit for similarly problematic use of `.html`, and found\nnone; for the next release we'll be merging a series of changes to our\nlinter to prevent future instances of this being added.\n\nThanks to Suhas Sunil Gaikwad for reporting this issue."
+ },
+ "CVE-2018-9999": {
+ "8813c7b542497935018ed9efc897b12b49faf189": "CVE-2018-9999: Fix XSS issue with user uploads.\n\nThis adds a basic Content-Security-Policy for user-uploaded files\nserved by the LOCAL_UPLOADS backend.\n\nThe local uploads backend is designed to share a domain with the main\nZulip site, and thus without this fix, it can be used for XSS attacks\nwith access to the user's Zulip cookies."
+ },
+ "CVE-2017-0910": {
+ "d4ee3023b2fbc8af9a220df130097e9497dad5b5": "registration: Require an explicit realm on PreregistrationUser.\n\nThis completes the last commit's work to fix CVE-2017-0910, applying\nto any invite links already created before the fix was deployed. With\nthis change, all new-user registrations must match an explicit realm\nin the PreregistrationUser row, except when creating a new realm.\n\n[greg: rewrote commit message]",
+ "985768b2fdcf4c1e7228951baab7c25239c6a7f6": "registration: Check realm against PreregistrationUser realm.\n\nWe would allow a user with a valid invitation for one realm to use it\non a different realm instead. On a server with multiple realms, an\nauthorized user of one realm could use this (by sending invites to\nother email addresses they control) to create accounts on other\nrealms. (CVE-2017-0910)\n\nWith this commit, when sending an invitation, we record the inviting\nuser's realm on the PreregistrationUser row; and when registering a\nuser, we check that the PregistrationUser realm matches the realm the\nuser is trying to register on. This resolves CVE-2017-0910 for\nnewly-sent invitations; the next commit completes the fix.\n\n[greg: rewrote commit message]",
+ "960d736e55cbb9386a68e4ee45f80581fd2a4e32": "registration: Require an explicit realm on PreregistrationUser.\n\nThis completes the last commit's work to fix CVE-2017-0910, applying\nto any invite links already created before the fix was deployed. With\nthis change, all new-user registrations must match an explicit realm\nin the PreregistrationUser row, except when creating a new realm.\n\n[greg: rewrote commit message]",
+ "28a3dcf787b489d155bd27765f1aed5e7a1f44a9": "registration: Check realm against PreregistrationUser realm.\n\nWe would allow a user with a valid invitation for one realm to use it\non a different realm instead. On a server with multiple realms, an\nauthorized user of one realm could use this (by sending invites to\nother email addresses they control) to create accounts on other\nrealms. (CVE-2017-0910)\n\nWith this commit, when sending an invitation, we record the inviting\nuser's realm on the PreregistrationUser row; and when registering a\nuser, we check that the PregistrationUser realm matches the realm the\nuser is trying to register on. This resolves CVE-2017-0910 for\nnewly-sent invitations; the next commit completes the fix.\n\n[greg: rewrote commit message]"
+ },
+ "CVE-2017-0896": {
+ "1f48fa27672170bba3b9a97384905bb04c18761b": "invite: Fix invite_by_admins_only to be enforced in backend.\n\nThis is CVE-2017-0896.\n\nApparently, this setting never actually was wired up to anything other\nthan hiding the UI widget.\n\nHuge thanks to Ibram Marzouk from the HackerOne community for finding\nthis security bug."
+ },
+ "CVE-2017-0881": {
+ "0af34ee71078633dcb960995f4adfd3f7293c1f3": "streams: Add zerver/lib/streams.py library for security checks.\n\nThe goal of this library is to make it a lot easier to prevent bugs\nlike CVE-2017-0881 by having all of our views logic for fetching a\nstream go through a couple carefully tested code paths.",
+ "7ecda1ac8e26d8fb3725e954b2dc4723dda2255f": "streams: Fix autosubscribe security bug (CVE-2017-0881).\n\nA bug in Zulip's implementation of the \"stream exists\" endpoint meant\nthat any user of a Zulip server could subscribe to an invite-only\nstream without needing to be invited by using the \"autosubscribe\"\nargument.\n\nThanks to Rafid Aslam for discovering this issue.",
+ "1cdd451d703a9c1b0a395d81dacadbf5c4d85277": "streams: Fix autosubscribe security bug (CVE-2017-0881).\n\nA bug in Zulip's implementation of the \"stream exists\" endpoint meant\nthat any user of a Zulip server could subscribe to an invite-only\nstream without needing to be invited by using the \"autosubscribe\"\nargument.\n\nThanks to Rafid Aslam for discovering this issue."
+ },
+ "CVE-2016-4427": {
+ "b28b3cd65cae038d09732db9a3697f520818168e": "CVE-2016-4427: Fix access by deactivated realms/users.\n\nThe security model for deactivated users (and users in deactivated\nrealms) being unable to access the service is intended to work via two\nmechanisms:\n\n* All active user sessions are deleted, and all login code paths\n (where a user could get a new session) check whether the user (or\n realm) is inactive before authorizing the request, preventing the\n user from accessing the website and AJAX endpoints.\n* All API code paths (which don't require a session) check whether the\n user (and realm) are active.\n\nHowever, this security model was not implemented correctly. In\nparticular, the check for whether a user has an active account in the\nlogin process was done inside the login form's validators, which meant\nthat authentication mechanisms that did not use the login form\n(e.g. Google and REMOTE_USER auth) could succeed in granting a session\neven with an inactive account. The Zulip homepage would still fail to\nload because the code for / includes an API call to Tornado authorized\nby the user's token that would fail, but this mechanism could allow an\ninactive user to access realm data or users to access data in a\ndeactivated realm.\n\nThis fixes the issue by adding explicit checks for inactive users and\ninactive realms in all authentication backends (even those that were\nalready protected by the login form validator).\n\nMirror dummy users are already inactive, so we can remove the explicit\ncode around mirror dummy users.\n\nThe following commits add a complete set of tests for Zulip's inactive\nuser and realm security model."
+ },
+ "CVE-2016-4426": {
+ "07fc47f95344852658d65b63316be0123ac48416": "CVE-2016-4426: Fix non-admin users having access to all bot API keys.\n\nLong ago, there was work on an experimental integration model where\nevery user in a realm would have administrative control over all bots,\nwith the goal of simplifying the process of setting up communally\nadministered bots for smaller teams. While that new model was never\nfully implemented (and thus never setup as an option), an error in\nthat original implementation meant that the data on all bots in a\nrealm, including their API keys, was sent to the browsers of users via\nthe `realm_bots` variable in `page_params`. The data wasn't displayed\nin the UI for non-admin users, but was available via e.g. the\njavascript console.\n\nThis commit updates this behavior to only send sensitive bot data like\nAPI keys to the owner of the bot (and realm admins).\n\nWe may in the future implement a model simplifying communally\nadministered integrations, but if we do that, those bots should be\nlimited in their capabilities (e.g. only able to send webhook\nmessages).\n\nThis bug has been present since Zulip was released as open source."
+ }
+ }
+}
\ No newline at end of file
diff --git a/vulnerabilities/tests/test_data/vcs_collector/pr_issues_test_repo.json b/vulnerabilities/tests/test_data/vcs_collector/pr_issues_test_repo.json
new file mode 100644
index 000000000..d44bf24e0
--- /dev/null
+++ b/vulnerabilities/tests/test_data/vcs_collector/pr_issues_test_repo.json
@@ -0,0 +1,548 @@
+{
+ "vcs_url": "https://github.com/nodejs/node",
+ "vulnerabilities": {
+ "CVE-2024-21538": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/58242"
+ ],
+ "PRs": []
+ },
+ "CVE-2025-59466": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/62125"
+ ],
+ "PRs": []
+ },
+ "CVE-2025-15467": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/61887",
+ "https://github.com/nodejs/node/issues/61755"
+ ],
+ "PRs": []
+ },
+ "CVE-2025-64756": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/61085",
+ "https://github.com/nodejs/node/issues/60792"
+ ],
+ "PRs": []
+ },
+ "CVE-2025-9230": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/60193"
+ ],
+ "PRs": []
+ },
+ "CVE-2025-5889": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/59253"
+ ],
+ "PRs": []
+ },
+ "CVE-2023-46809": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/55628",
+ "https://github.com/nodejs/node/issues/52196"
+ ],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/55629"
+ ]
+ },
+ "CVE-2024-13176": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/59548"
+ ],
+ "PRs": []
+ },
+ "CVE-2023-39331": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/50469"
+ ],
+ "PRs": []
+ },
+ "CVE-2024-28863": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/53214"
+ ],
+ "PRs": []
+ },
+ "CVE-2019-13050": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/29531"
+ ],
+ "PRs": []
+ },
+ "CVE-2023-44487": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/50342",
+ "https://github.com/nodejs/node/issues/51074"
+ ],
+ "PRs": []
+ },
+ "CVE-2022-25883": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/48835"
+ ],
+ "PRs": []
+ },
+ "CVE-2022-32215": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/43946",
+ "https://github.com/nodejs/node/issues/43893"
+ ],
+ "PRs": []
+ },
+ "CVE-2023-0464": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/47443"
+ ],
+ "PRs": []
+ },
+ "CVE-2022-38900": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/46026"
+ ],
+ "PRs": []
+ },
+ "CVE-2022-25881": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/46555"
+ ],
+ "PRs": []
+ },
+ "CVE-2016-7055": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/12691",
+ "https://github.com/nodejs/node/issues/9594"
+ ],
+ "PRs": []
+ },
+ "CVE-2021-3807": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/41039",
+ "https://github.com/nodejs/node/issues/40853"
+ ],
+ "PRs": []
+ },
+ "CVE-2021-44906": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/42451"
+ ],
+ "PRs": []
+ },
+ "CVE-2022-21824": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/42282"
+ ],
+ "PRs": []
+ },
+ "CVE-2022-0778": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/42441"
+ ],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/42385",
+ "https://github.com/nodejs/node/pull/42363",
+ "https://github.com/nodejs/node/pull/42381",
+ "https://github.com/nodejs/node/pull/42371"
+ ]
+ },
+ "CVE-2021-22930": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/40306"
+ ],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/39500",
+ "https://github.com/nodejs/node/pull/39534",
+ "https://github.com/nodejs/node/pull/39466"
+ ]
+ },
+ "CVE-2021-44228": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/41191"
+ ],
+ "PRs": []
+ },
+ "CVE-2021-3672": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/40231"
+ ],
+ "PRs": []
+ },
+ "CVE-2018-7159": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/25514"
+ ],
+ "PRs": []
+ },
+ "CVE-2020-7598": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/32296"
+ ],
+ "PRs": []
+ },
+ "CVE-2018-12121": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/24692",
+ "https://github.com/nodejs/node/issues/24990"
+ ],
+ "PRs": []
+ },
+ "CVE-2018-0735": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/24370"
+ ],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/23950"
+ ]
+ },
+ "CVE-2018-12122": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/24760"
+ ],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/24803"
+ ]
+ },
+ "CVE-2018-6341": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/24735"
+ ],
+ "PRs": []
+ },
+ "CVE-2018-0732": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/22187"
+ ],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/21344",
+ "https://github.com/nodejs/node/pull/21343",
+ "https://github.com/nodejs/node/pull/21282",
+ "https://github.com/nodejs/node/pull/21400"
+ ]
+ },
+ "CVE-2018-0737": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/20090"
+ ],
+ "PRs": []
+ },
+ "CVE-2017-14919": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/16547"
+ ],
+ "PRs": []
+ },
+ "CVE-2016-2216": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/5754"
+ ],
+ "PRs": []
+ },
+ "CVE-2012-5568": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/13449"
+ ],
+ "PRs": []
+ },
+ "CVE-2016-5180": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/12532",
+ "https://github.com/nodejs/node/issues/11728"
+ ],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/9037",
+ "https://github.com/nodejs/node/pull/8849",
+ "https://github.com/nodejs/node/pull/9153",
+ "https://github.com/nodejs/node/pull/9147",
+ "https://github.com/nodejs/node/pull/9154"
+ ]
+ },
+ "CVE-2015-8027": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/4029"
+ ],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/4156",
+ "https://github.com/nodejs/node/pull/4155",
+ "https://github.com/nodejs/node/pull/4154"
+ ]
+ },
+ "CVE-2015-7384": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/3138"
+ ],
+ "PRs": []
+ },
+ "CVE-2015-1793": {
+ "Issues": [
+ "https://github.com/nodejs/node/issues/2178"
+ ],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/2141"
+ ]
+ },
+ "CVE-2026-1525": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/62250",
+ "https://github.com/nodejs/node/pull/62247"
+ ]
+ },
+ "CVE-2025-59465": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/61661"
+ ]
+ },
+ "CVE-2020-7774": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/37918"
+ ]
+ },
+ "CVE-2025-23085": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/57644"
+ ]
+ },
+ "CVE-2024-4947": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/54793",
+ "https://github.com/nodejs/node/pull/54795"
+ ]
+ },
+ "CVE-2024-4761": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/54598",
+ "https://github.com/nodejs/node/pull/54597"
+ ]
+ },
+ "CVE-2025-32955": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/58109"
+ ]
+ },
+ "CVE-2024-27980": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/52543",
+ "https://github.com/nodejs/node/pull/52505"
+ ]
+ },
+ "CVE-2023-3420": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/50077"
+ ]
+ },
+ "CVE-2024-24806": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/51737",
+ "https://github.com/nodejs/node/pull/51702"
+ ]
+ },
+ "CVE-2023-43804": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/51647"
+ ]
+ },
+ "CVE-2022-23491": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/51613"
+ ]
+ },
+ "CVE-2023-4807": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/49879"
+ ]
+ },
+ "CVE-2023-45143": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/50153"
+ ]
+ },
+ "CVE-2023-5363": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/50395"
+ ]
+ },
+ "CVE-2022-32222": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/46150"
+ ]
+ },
+ "CVE-2007-4559": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/44823"
+ ]
+ },
+ "CVE-2021-33503": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/45570"
+ ]
+ },
+ "CVE-2022-21449": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/42863"
+ ]
+ },
+ "CVE-2021-22940": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/40308",
+ "https://github.com/nodejs/node/pull/40319"
+ ]
+ },
+ "CVE-2019-9518": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/37875"
+ ]
+ },
+ "CVE-2021-4044": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/41167"
+ ]
+ },
+ "CVE-2019-9511": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/29133",
+ "https://github.com/nodejs/node/pull/29151",
+ "https://github.com/nodejs/node/pull/29148",
+ "https://github.com/nodejs/node/pull/29152",
+ "https://github.com/nodejs/node/pull/29150"
+ ]
+ },
+ "CVE-2021-3450": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/38082",
+ "https://github.com/nodejs/node/pull/38085",
+ "https://github.com/nodejs/node/pull/38083",
+ "https://github.com/nodejs/node/pull/38084"
+ ]
+ },
+ "CVE-2021-21148": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/37074"
+ ]
+ },
+ "CVE-2019-9636": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/38631"
+ ]
+ },
+ "CVE-2020-10531": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/33572"
+ ]
+ },
+ "CVE-2019-1552": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/29455"
+ ]
+ },
+ "CVE-2018-7166": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/27298"
+ ]
+ },
+ "CVE-2018-0734": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/24353",
+ "https://github.com/nodejs/node/pull/23965"
+ ]
+ },
+ "CVE-2016-8625": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/25679"
+ ]
+ },
+ "CVE-2018-5407": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/24352"
+ ]
+ },
+ "CVE-2017-1000381": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/19939",
+ "https://github.com/nodejs/node/pull/13897"
+ ]
+ },
+ "CVE-2017-15896": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/17533",
+ "https://github.com/nodejs/node/pull/17534",
+ "https://github.com/nodejs/node/pull/17531",
+ "https://github.com/nodejs/node/pull/17532"
+ ]
+ },
+ "CVE-2017-3737": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/17526"
+ ]
+ },
+ "CVE-2016-7052": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/8790",
+ "https://github.com/nodejs/node/pull/8789",
+ "https://github.com/nodejs/node/pull/8786"
+ ]
+ },
+ "CVE-2017-3736": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/16691"
+ ]
+ },
+ "CVE-2017-3732": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/11021"
+ ]
+ },
+ "CVE-2016-2107": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/6622",
+ "https://github.com/nodejs/node/pull/6621"
+ ]
+ },
+ "CVE-2015-3194": {
+ "Issues": [],
+ "PRs": [
+ "https://github.com/nodejs/node/pull/4133",
+ "https://github.com/nodejs/node/pull/4132"
+ ]
+ }
+ }
+}
\ No newline at end of file
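Review bot: The fixture keys entries by every CVE identifier the referenced issue or PR appears to mention, not by the vulnerability the nodejs/node change actually addresses — `CVE-2021-44228` (the Log4j advisory) and `CVE-2007-4559` (a Python tarfile advisory) are listed next to genuine Node.js and OpenSSL advisories — so a test built on this file will pin cross-project mentions as collected references. The commit-message fixture in the preceding hunk, whose start lies outside this view, shows the same pattern: the Zulip commits filed under `CVE-2015-2104` say in their own text that they only work around that Python urllib bug, yet they are recorded under it exactly as under `CVE-2019-19775`, the vulnerability they fix. If the collector is meant to surface these as "references" rather than "fixes", the fixture's expected output should carry that distinction (or the test should assert how such entries are classified) so that consumers of the database do not get fix commits attributed to vulnerabilities they do not address. Both JSON files are also written without a trailing newline (`\ No newline at end of file`), which most pre-commit end-of-file checks will flag.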