Skip to content

Commit 5f54c86

Browse files
1 parent c1bb71b commit 5f54c86

2 files changed

Lines changed: 84 additions & 2 deletions

File tree

advisories/github-reviewed/2026/02/GHSA-wgm6-9rvv-3438/GHSA-wgm6-9rvv-3438.json

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,13 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-wgm6-9rvv-3438",
4-
"modified": "2026-06-08T23:59:21Z",
4+
"modified": "2026-06-09T14:28:34Z",
55
"published": "2026-02-18T00:56:30Z",
6+
"withdrawn": "2026-06-09T14:28:34Z",
67
"aliases": [
78
"CVE-2026-26957"
89
],
9-
"summary": "Libredesk has a SSRF Vulnerability in Webhooks",
10+
"summary": "Withdrawn Advisory: Libredesk has a SSRF Vulnerability in Webhooks",
1011
"details": "## Reconsidered - Working as designed. (Update 2026-05-28)\n\nLibredesk is a single-tenant, self-hosted application. Configuring outbound webhook URLs requires an admin-only permission that is not granted by default - the operator must explicitly assign it.\n\nAnyone holding this permission already has full administrative control over the application, and outbound HTTP to operator-chosen URLs is the documented purpose of the webhook feature. This is working as designed.\n\nA SECURITY.md documenting the threat model will be added to the repo shortly.\n\n------------------------------------------------------------------------------------------------------------------------------\n\n**Date:** 2025-12-07\n**Vulnerability:** Server-Side Request Forgery (SSRF)\n**Severity:** Medium\n**Component:** Webhooks Module\n\n## Executive Summary\nA critical security vulnerability exists in the LibreDesk Webhooks module that allows an authenticated \"Application Admin\" to compromise the underlying cloud infrastructure or internal corporate network where this service is being hosted.\n\nThe application fails to validate destination URLs for webhooks. This allows an attacker to force the server to make HTTP requests to arbitrary internal destinations.\n\n## Confirmed Attack Vectors\n\n### 1. Internal Port Scanning (Network Mapping)\nAttackers can map the internal network by observing the difference between successful connections and connection errors. This works even if the response body is not returned.\n\n**Proof of Exploitation (from Server Logs):**\n* **Open Port (8890)**: The server connects successfully.\n ```text\n timestamp=... level=info message=\"webhook delivered successfully\" ... status_code=200\n ```\n* **Closed Port (8891)**: The server fails to connect.\n ```text\n timestamp=... level=error message=\"webhook delivery failed\" ... error=\"... connect: connection refused\"\n ```\n\n**Impact**: An attacker can identify running services (databases, caches, internal apps) on the local network (e.g., `localhost`, `192.168.x.x`).\n\n### 2. Information Leakage (Error-Based)\nIf the internal service returns a non-2xx response (e.g., 403 Forbidden, 404 Not Found, 500 Error), the application **logs the full response body**.\n\n**Proof of Exploitation (from Server Logs):**\n```text\ntimestamp=... level=error message=\"webhook delivery failed\" ... \nresponse=\"{\\\"secret_key\\\": \\\"xxx123\\\", \\\"role\\\": \\\"admin\\\"}\"\n```\n\n**Impact**: An attacker can extract sensitive data by targeting endpoints that return errors or by forcing errors on internal services.\n\n## Technical Root Cause\n1. **Missing Input Validation**: `cmd/webhooks.go` only checks if the URL is empty, not if it resolves to a private IP.\n2. **Unrestricted HTTP Client**: `internal/webhook/webhook.go` uses a default `http.Client` that follows redirects and connects to any IP.\n3. **Verbose Error Logging**: The application logs the full response body on failure, creating a side-channel for data exfiltration.\n\n## Remediation Required\nTo prevent this, the application must implement **Defense in Depth**:\n\n1. **Input Validation**: Block URLs resolving to private IP ranges (RFC 1918) and Link-Local addresses.\n2. **Safe HTTP Client**: Use a custom `http.Transport` that verifies the destination IP address *after* DNS resolution to prevent DNS rebinding attacks.",
1112
"severity": [
1213
{
Lines changed: 81 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,81 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-w7jw-789q-3m8p",
4+
"modified": "2026-06-09T14:27:15Z",
5+
"published": "2026-06-09T14:27:15Z",
6+
"aliases": [
7+
"CVE-2026-9277"
8+
],
9+
"summary": "shell-quote quote() does not escape newlines in object .op values",
10+
"details": "### Summary\n\n`shell-quote`'s `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (`\\n`, `\\r`, U+2028, U+2029). A line terminator in `.op` therefore passed through unescaped into the output; POSIX shells treat a literal `\\n` as a command separator, so any content after it would execute as a second command.\n\nThe vulnerable code path is reachable in two ways. Neither requires the parser to misbehave — `parse()` only emits ops from a fixed control set — but both are documented API surface:\n\n1. **Direct construction.** A caller builds `{ op: '...\\n...' }` from external input (e.g. a deserialized argument array) and passes it to `quote()`.\n2. **`envFn` return.** `parse(cmd, envFn)` is documented to splice the return value of `envFn` into the result array when it is an object. An attacker-influenced data source consulted by `envFn` can introduce an object token whose `.op` reaches `quote()`.\n\n### Impact\n\nShell command injection in callers that pass object tokens with attacker-influenced `.op` values to `quote()` and then hand the result to a shell. The preconditions are narrower than ordinary string injection — they require the caller to feed object tokens into `quote()` — but object tokens are a public, documented part of the API surface, and `quote()` is intended to be a shell-safety boundary.\n\n### PoC\n\n```js\nconst { parse, quote } = require('shell-quote');\n\n// Direct construction\nquote([{ op: ';\\nid' }]);\n// → \"\\;\\n\\\\i\\\\d\" ← literal newline; second line executes as a command\n\n// Via parse() with an envFn returning attacker-shaped objects\nconst tokens = parse('echo $X', () => ({ op: ';\\nid' }));\nrequire('child_process').execSync(quote(tokens), { shell: true });\n// Executes `id` after `echo \\;`.\n```\n\nConfirmed under `sh`, `bash`, `dash`, and `zsh`.\n\n### Patch\n\nFixed by replacing the per-character escape with strict shape validation in `quote()`. The object-token branch now:\n\n- **`{ op }`** — `.op` must be a string from the same allowlist the parser emits (`||`, `&&`, `;;`, `|&`, `<(`, `<<<`, `>>`, `>&`, `<&`, `&`, `;`, `(`, `)`, `|`, `<`, `>`). Anything else throws `TypeError`. This is the direct fix for the reported issue and removes the entire class of `.op` injection.\n- **`{ op: 'glob', pattern }`** — `.pattern` must be a string with no line terminators. Glob metacharacters (`*`, `?`, `[`, `]`, `{`, `}`, `,`) pass through; all other shell-special characters are backslash-escaped. (Previously the pattern field was discarded entirely and the literal string `\\g\\l\\o\\b` was emitted — a latent bug, not security-relevant.)\n- **`{ comment }`** — `.comment` must be a string with no line terminators (line terminators would end the shell comment and resume command parsing — same injection shape).\n- **Any other object shape** — `TypeError`.\n\nThe fix is allowlist-based rather than a targeted regex tweak, so it closes the reported vector and forecloses adjacent ones (U+2028 / U+2029 line separators in `.op`, line terminators in comments, unknown-shape objects coerced through `.replace`).\n\n### Workarounds\n\nPrior to upgrading, callers that build object tokens from untrusted input should validate `.op` against the parser's operator set themselves, and never construct `{ op }` from attacker-controlled strings.\n\n### Credits\n\nReported by Akshat Sinha",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
15+
},
16+
{
17+
"type": "CVSS_V4",
18+
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
19+
}
20+
],
21+
"affected": [
22+
{
23+
"package": {
24+
"ecosystem": "npm",
25+
"name": "shell-quote"
26+
},
27+
"ranges": [
28+
{
29+
"type": "ECOSYSTEM",
30+
"events": [
31+
{
32+
"introduced": "1.1.0"
33+
},
34+
{
35+
"fixed": "1.8.4"
36+
}
37+
]
38+
}
39+
],
40+
"database_specific": {
41+
"last_known_affected_version_range": "<= 1.8.3"
42+
}
43+
}
44+
],
45+
"references": [
46+
{
47+
"type": "WEB",
48+
"url": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p"
49+
},
50+
{
51+
"type": "ADVISORY",
52+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9277"
53+
},
54+
{
55+
"type": "WEB",
56+
"url": "https://github.com/ljharb/shell-quote/commit/1518179"
57+
},
58+
{
59+
"type": "PACKAGE",
60+
"url": "https://github.com/ljharb/shell-quote"
61+
},
62+
{
63+
"type": "WEB",
64+
"url": "https://www.npmjs.com/package/shell-quote"
65+
},
66+
{
67+
"type": "WEB",
68+
"url": "http://www.openwall.com/lists/oss-security/2026/05/23/2"
69+
}
70+
],
71+
"database_specific": {
72+
"cwe_ids": [
73+
"CWE-77",
74+
"CWE-78"
75+
],
76+
"severity": "CRITICAL",
77+
"github_reviewed": true,
78+
"github_reviewed_at": "2026-06-09T14:27:15Z",
79+
"nvd_published_at": "2026-05-22T14:16:30Z"
80+
}
81+
}

0 commit comments

Comments
 (0)