Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 315297e71509 · 2026-04-03T04:06:02.000Z
GHSA-qcmw-8mm4-4p28 GHSA-qh3j-mrg8-f234
diff --git a/advisories/github-reviewed/2026/04/GHSA-qcmw-8mm4-4p28/GHSA-qcmw-8mm4-4p28.json b/advisories/github-reviewed/2026/04/GHSA-qcmw-8mm4-4p28/GHSA-qcmw-8mm4-4p28.json
@@ -0,0 +1,111 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qcmw-8mm4-4p28",
+  "modified": "2026-04-03T04:02:47Z",
+  "published": "2026-04-03T04:02:47Z",
+  "aliases": [
+    "CVE-2026-34992"
+  ],
+  "summary": "Antrea has Missing Encryption of Sensitive Data",
+  "details": "### Impact\nThis is a missing encryption vulnerability (CWE-311) affecting inter-Node Pod traffic. In Antrea clusters configured for dual-stack networking with IPsec encryption enabled (`trafficEncryptionMode: ipsec`), Antrea fails to apply encryption for IPv6 Pod traffic.\n\nWhile the IPv4 traffic is correctly encrypted via ESP (Encapsulating Security Payload), traffic using IPv6 is transmitted in plaintext. This occurs because the packets are encapsulated (using Geneve or VXLAN) but bypass the IPsec encryption layer.\n\nImpacted Users: users with dual-stack clusters and IPsec encryption enabled.\n\nSingle-stack IPv4 or IPv6 clusters are not affected.\n\n### Patches\nYes, the issue has been patched: https://github.com/antrea-io/antrea/pull/7759\nUsers should upgrade to one of the following versions:\n* Antrea v2.6.0 or later\n* Antrea v2.5.2\n* Antrea v2.4.5\n\nAntrea recommends running the `antctl check installation --run ipsec` tool after upgrading to verify that both address families are correctly producing ESP traffic.\n\n### Workarounds\nThere is no configuration workaround to enable IPsec IPv6 in affected versions. If an immediate upgrade is not possible, user may consider using WireGuard instead for inter-Node Pod traffic encryption. The WireGuard support in Antrea does *not* suffer from the same issue.\n\n### Resources\nPull Request with Fix: [antrea-io/antrea#7759](https://github.com/antrea-io/antrea/pull/7759)\nValidation Tool PR: [antrea-io/antrea#7757](https://github.com/antrea-io/antrea/pull/7757)\nAntrea Documentation: [Traffic Encryption Guide](https://github.com/antrea-io/antrea/blob/main/docs/traffic-encryption.md)",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "antrea.io/antrea"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.11.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 2.4.5"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "antrea.io/antrea"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.5.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 2.5.2"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "antrea.io/antrea"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.11.0-alpha.0.0.20260225185322-738bad662b20"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/antrea-io/antrea/security/advisories/GHSA-qcmw-8mm4-4p28"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/antrea-io/antrea/pull/7757"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/antrea-io/antrea/pull/7759"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/antrea-io/antrea/commit/738bad662b20a5d358d19466936176ef580a9b07"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/antrea-io/antrea"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/antrea-io/antrea/blob/main/docs/traffic-encryption.md"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-311"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-03T04:02:47Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-qh3j-mrg8-f234/GHSA-qh3j-mrg8-f234.json b/advisories/github-reviewed/2026/04/GHSA-qh3j-mrg8-f234/GHSA-qh3j-mrg8-f234.json
@@ -0,0 +1,67 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qh3j-mrg8-f234",
+  "modified": "2026-04-03T04:04:22Z",
+  "published": "2026-04-03T04:04:22Z",
+  "aliases": [
+    "CVE-2026-35038"
+  ],
+  "summary": "Signal K Server: Arbitrary Prototype Read via `from` Field Bypass",
+  "details": "## Summary \n\nThe /signalk/v1/applicationData/... JSON-patch endpoint allows users to modify stored application data. To prevent Prototype Pollution, the developers implemented an isPrototypePollutionPath guard. However, this guard only checks the path property of incoming JSON-patch objects. It completely fails to check the from property. Because JSON-patch operations like copy and move extract data using the from property path, an attacker can construct a payload where from targets /__proto__/someProperty, completely evading the security check and successfully executing an Arbitrary Prototype Read.\n\nWhile this does not allow arbitrary code execution (as the destination path remains protected from __proto__), it does allow a user to exfiltrate internal Node functions and prototype state into their own application data.\n\n## Vulnerability Root Cause \n\nFile: src/interfaces/applicationData.js (Lines 48-57)\n```\nconst DANGEROUS_PATH_SEGMENTS = ['__proto__', 'constructor', 'prototype']\n\nfunction isPrototypePollutionPath(pathString) {\n  const segments = pathString.split(/[./]/)\n  return segments.some((seg) => DANGEROUS_PATH_SEGMENTS.includes(seg))\n}\n\nfunction hasPrototypePollutionPatch(patches) {\n  return patches.some(\n    // [!VULNERABLE] Only checks patch.path, completely ignores patch.from\n    (patch) => patch.path && isPrototypePollutionPath(patch.path) \n  )\n}\n```\nAt Line 201:\n```\nif (hasPrototypePollutionPatch(req.body)) {\n  res.status(400).send('invalid patch path')\n  return\n}\njsonpatch.apply(applicationData, req.body) // jsonpatch natively resolves 'from'\n\n```\n## Proof of Concept (PoC)\n\nVerify the Developer Guard Works (The Blocked Payload):\n```\ncurl -X POST http://localhost:3000/signalk/v1/applicationData/global/testapp/1.0 \\\n  -H \"Content-Type: application/json\" \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -d '[{\"op\": \"add\", \"path\": \"/__proto__/polluted\", \"value\": \"hacked\"}]'\n```\nResult: 400 Bad Request - invalid patch path\n\nExecute the Bypass (The Malicious Payload):\n```\ncurl -X POST http://localhost:3000/signalk/v1/applicationData/global/testapp/1.0 \\\n  -H \"Content-Type: application/json\" \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -d '[{\"op\": \"copy\", \"from\": \"/__proto__/toString\", \"path\": \"/stolen\"}]'\n```\nResult: 200 OK - ApplicationData saved The security guard is bypassed and the json-patch engine successfully copies the __proto__ internal function reference.\n\n<img width=\"1222\" height=\"230\" alt=\"Screenshot 2026-03-24 150440\" src=\"https://github.com/user-attachments/assets/5ae580fd-284f-4bef-adc8-31b50b8751b6\" />\n\n## Security Impact\nThis vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering to extract internal functions and properties from the global prototype object this violates data isolation and lets a user read more than they should.\n\n## Fixing Arbitrary Prototype Read\n\nThe hasPrototypePollutionPatch function must be updated to inspect ALL path-related fields:\n```\nfunction hasPrototypePollutionPatch(patches) {\n  return patches.some(\n    (patch) => \n      (patch.path && isPrototypePollutionPath(patch.path)) ||\n      (patch.from && isPrototypePollutionPath(patch.from))\n  )\n}\n```",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "signalk-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.24.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-qh3j-mrg8-f234"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35038"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/SignalK/signalk-server"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-125",
+      "CWE-20",
+      "CWE-200"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-03T04:04:22Z",
+    "nvd_published_at": "2026-04-02T17:16:27Z"
+  }
+}
