
Commit 93882aa

Advisory Database Sync
1 parent dd72815 commit 93882aa

90 files changed

Lines changed: 1510 additions & 154 deletions

Lines changed: 64 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,64 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-8xvp-7hj6-mcj9",
4+
"modified": "2026-05-29T15:30:13Z",
5+
"published": "2026-05-29T15:30:13Z",
6+
"aliases": [
7+
"CVE-2026-48501"
8+
],
9+
"summary": "GitHub CLI has an incorrect authorization header in API requests to TUF repository mirrors via `gh attestation`, `gh release verify`, and `gh release verify-asset` commands",
10+
"details": "### Summary\n\nGitHub CLI incorrectly includes an authorization header in API requests to TUF repository mirrors via `gh attestation`, `gh release verify`, and `gh release verify-asset` commands.\n\n **Affected users:**\n\n - Authenticated `github.com` users who previously ran `gh attestation` commands, `gh release verify`, or `gh release verify-asset`: the `github.com` token was included in requests to `tuf-repo.github.com`, a GitHub Pages domain that is not a GitHub API endpoint. All authentication types are affected.\n - Users with `GH_ENTERPRISE_TOKEN` or `GITHUB_ENTERPRISE_TOKEN` set who previously ran `gh attestation` commands, `gh release verify`, or `gh release verify-asset`: the enterprise token was included in requests to external hosts `tuf-repo-cdn.sigstore.dev` and `tmaproduction.blob.core.windows.net`. These hosts are not operated by GitHub.\n\n### Details\n\nThe CLI uses a shared HTTP client with an authentication layer that automatically attaches tokens to outgoing requests. This layer lacks accurate host detection and can incorrectly attribute the target host, providing it with a token it should never receive.\n\nSpecifically, the host normalization logic collapses any `*.github.com` subdomain to `github.com`, so a request to `tuf-repo.github.com` (a GitHub Pages site, not a GitHub API endpoint) is treated as a request to `github.com` and receives the user's github.com token. For hosts that don't match `github.com` or a known GHES instance at all, the resolver falls back to `GH_ENTERPRISE_TOKEN` if set.\n\nThe `gh attestation`, `gh release verify` and `gh release verify-asset` commands fetch data from several external hosts as part of their normal operation (TUF metadata from `tuf-repo.github.com` and `tuf-repo-cdn.sigstore.dev`, artifact bundles from Azure Blob Storage). 
Because these requests go through the same authenticated HTTP client, the token is sent to all of them.\n\n### Impact\n\nTokens were transmitted in HTTP headers to the listed hosts during normal `gh attestation`, `gh release verify`, and `gh release verify-asset` operations. There is no evidence that tokens were logged, retained, or accessed by unauthorized parties. If a token were captured, it would grant the same access as the token holder, potentially including private repositories, organization resources, or enterprise administration depending on token type and permissions.\n\n### Remediation and mitigation\n\n1. Revoke authentication tokens used with the GitHub CLI: \n - [Personal access tokens](https://docs.github.com/en/enterprise-cloud@latest/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)\n - [GitHub CLI OAuth app](https://docs.github.com/en/apps/using-github-apps/reviewing-and-revoking-authorization-of-github-apps#reviewing-your-authorized-github-apps)\n2. Upgrade `gh` to `2.93.0`.\n3. Review personal [security logs](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/reviewing-your-security-log) and any relevant [audit logs](https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token) for actions associated with personal or enterprise accounts.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/cli/cli/v2"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2.93.0"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 2.92.0"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/cli/cli/security/advisories/GHSA-8xvp-7hj6-mcj9"
45+
},
46+
{
47+
"type": "PACKAGE",
48+
"url": "https://github.com/cli/cli"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://github.com/cli/cli/releases/tag/v2.93.0"
53+
}
54+
],
55+
"database_specific": {
56+
"cwe_ids": [
57+
"CWE-863"
58+
],
59+
"severity": "HIGH",
60+
"github_reviewed": true,
61+
"github_reviewed_at": "2026-05-29T15:30:13Z",
62+
"nvd_published_at": null
63+
}
64+
}
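Review bot: `nvd_published_at` is `null` although the record already carries the alias `CVE-2026-48501`; confirm this is deliberate (NVD entry not yet published at sync time) rather than a field the sync failed to populate, and expect a later sync to fill it. In the `details` markdown, the `**Affected users:**` line and its two bullets carry a leading space (`\n\n **Affected users:**`, `\n - Authenticated ...`), which some renderers treat as continuation of the preceding paragraph; dropping the space keeps the list rendering as intended. The version data is internally consistent: `"fixed": "2.93.0"` matches `"last_known_affected_version_range": "<= 2.92.0"` and the `v2.93.0` release reference, and the vector `AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N` computes to 7.4 under CVSS 3.1, which agrees with `"severity": "HIGH"`.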

advisories/unreviewed/2022/03/GHSA-fxwp-hqgp-45qg/GHSA-fxwp-hqgp-45qg.json

Lines changed: 1 addition & 1 deletion
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-fxwp-hqgp-45qg",
4-
"modified": "2022-03-19T00:01:37Z",
4+
"modified": "2026-05-29T15:30:25Z",
55
"published": "2022-03-10T00:00:30Z",
66
"aliases": [
77
"CVE-2022-0715"
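Review bot: this hunk only rewrites `modified` (2022-03-19 to 2026-05-29), and the file header reports 1 addition & 1 deletion, so the sync bumped the timestamp with no substantive change to the record. If the upstream entry did not change, consider skipping the write so that `modified` keeps meaning "content last changed" for consumers that use it to decide whether to re-ingest an advisory.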

advisories/unreviewed/2022/05/GHSA-25r4-295r-fvqm/GHSA-25r4-295r-fvqm.json

Lines changed: 8 additions & 2 deletions
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-25r4-295r-fvqm",
4-
"modified": "2022-05-24T16:56:24Z",
4+
"modified": "2026-05-29T15:30:21Z",
55
"published": "2022-05-24T16:56:24Z",
66
"aliases": [
77
"CVE-2019-6829"
88
],
99
"details": "A CWE-248: Uncaught Exception vulnerability exists in Modicon M580 (firmware version prior to V2.90) and Modicon M340 (firmware version prior to V3.10), which could cause a possible denial of service when writing to specific memory addresses in the controller over Modbus.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
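Review bot: the added vector `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` computes to 7.5 (High) under CVSS 3.1, which matches the unchanged `"severity": "HIGH"` label later in this file and the unauthenticated Modbus denial-of-service described in `details`; nothing to change here. Note that `"affected": []` stays empty while the description names concrete firmware cut-offs (M580 prior to V2.90, M340 prior to V3.10); that is expected for an unreviewed non-package advisory, so no action needed.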
@@ -21,6 +26,7 @@
2126
],
2227
"database_specific": {
2328
"cwe_ids": [
29+
"CWE-248",
2430
"CWE-755"
2531
],
2632
"severity": "HIGH",

advisories/unreviewed/2022/05/GHSA-5p66-4x5x-2x4r/GHSA-5p66-4x5x-2x4r.json

Lines changed: 7 additions & 2 deletions
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-5p66-4x5x-2x4r",
4-
"modified": "2022-05-24T22:28:16Z",
4+
"modified": "2026-05-29T15:30:25Z",
55
"published": "2022-05-24T22:28:16Z",
66
"aliases": [
77
"CVE-2021-22791"
88
],
99
"details": "A CWE-787: Out-of-bounds Write vulnerability that could cause a Denial of Service on the Modicon PLC controller / simulator when updating the controller application with a specially crafted project file exists in Modicon M580 CPU (part numbers BMEP* and BMEH*, all versions), Modicon M340 CPU (part numbers BMXP34*, all versions), Modicon MC80 (part numbers BMKC80*, all versions), Modicon Momentum Ethernet CPU (part numbers 171CBU*, all versions), PLC Simulator for EcoStruxureª Control Expert, including all Unity Pro versions (former name of EcoStruxureª Control Expert, all versions), PLC Simulator for EcoStruxureª Process Expert including all HDCS versions (former name of EcoStruxureª Process Expert, all versions), Modicon Quantum CPU (part numbers 140CPU*, all versions), Modicon Premium CPU (part numbers TSXP5*, all versions).",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
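Review bot: the added vector `AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H` computes to 6.5 (Medium) under CVSS 3.1; the file's `database_specific.severity` label is outside this hunk, so confirm it reads `MEDIUM` rather than being left at a previously assigned level. Separately, the unchanged `details` line (9) contains the mojibake `EcoStruxureª` where a trademark sign was evidently intended; worth a cleanup in a follow-up sync since this line is being touched by the surrounding edit anyway.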

advisories/unreviewed/2022/05/GHSA-7w2v-5m57-6fj5/GHSA-7w2v-5m57-6fj5.json

Lines changed: 2 additions & 1 deletion
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-7w2v-5m57-6fj5",
4-
"modified": "2022-05-13T01:04:04Z",
4+
"modified": "2026-05-29T15:30:21Z",
55
"published": "2022-05-13T01:04:04Z",
66
"aliases": [
77
"CVE-2018-7792"
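Review bot: this hunk is a `modified` bump only (2022-05-13 to 2026-05-29); that is justified here because the second hunk in this file changes `cwe_ids`, so the timestamp reflects real content change. No action needed.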
@@ -30,6 +30,7 @@
3030
],
3131
"database_specific": {
3232
"cwe_ids": [
33+
"CWE-327",
3334
"CWE-862"
3435
],
3536
"severity": "HIGH",
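Review bot: adding `CWE-327` (Use of a Broken or Risky Cryptographic Algorithm) alongside the existing `CWE-862` (Missing Authorization) is a notable reclassification, and the `details` text that would justify it is outside this hunk; confirm the description actually covers a cryptographic weakness before merging, since downstream tooling that filters advisories by CWE will start surfacing this record under crypto queries.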

advisories/unreviewed/2022/05/GHSA-8h8v-4pgc-x2vp/GHSA-8h8v-4pgc-x2vp.json

Lines changed: 7 additions & 2 deletions
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-8h8v-4pgc-x2vp",
4-
"modified": "2022-05-24T17:34:36Z",
4+
"modified": "2026-05-29T15:30:22Z",
55
"published": "2022-05-24T17:34:36Z",
66
"aliases": [
77
"CVE-2020-7563"
88
],
99
"details": "A CWE-787: Out-of-bounds Write vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details) which could cause corruption of data, a crash, or code execution when uploading a specially crafted file on the controller over FTP.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
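Review bot: the added vector `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` computes to 8.8 (High) under CVSS 3.1, consistent with the "corruption of data, a crash, or code execution" outcome in `details`; `PR:L` corresponds to the FTP credentials the upload path requires. The `severity` label is outside this hunk, so confirm it reads `HIGH`.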

advisories/unreviewed/2022/05/GHSA-93f9-wg2h-r6p5/GHSA-93f9-wg2h-r6p5.json

Lines changed: 7 additions & 2 deletions
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-93f9-wg2h-r6p5",
4-
"modified": "2022-05-24T17:34:45Z",
4+
"modified": "2026-05-29T15:30:23Z",
55
"published": "2022-05-24T17:34:45Z",
66
"aliases": [
77
"CVE-2020-7565"
88
],
99
"details": "A CWE-326: Inadequate Encryption Strength vulnerability exists in Modicon M221 (all references, all versions) that could allow the attacker to break the encryption key when the attacker has captured the traffic between EcoStruxure Machine - Basic software and Modicon M221 controller.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
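Review bot: the added vector `AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N` computes to 7.3 (High) under CVSS 3.1. `UI:R` is defensible here because an attacker must capture a legitimate session between EcoStruxure Machine Basic and the controller, but it is worth stating that reasoning somewhere, since passive traffic capture is more commonly scored `UI:N`. The `severity` label is outside this hunk; confirm it reads `HIGH`.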

advisories/unreviewed/2022/05/GHSA-cr3f-ppw7-pmqf/GHSA-cr3f-ppw7-pmqf.json

Lines changed: 8 additions & 2 deletions
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-cr3f-ppw7-pmqf",
4-
"modified": "2022-05-24T16:46:11Z",
4+
"modified": "2026-05-29T15:30:21Z",
55
"published": "2022-05-24T16:46:11Z",
66
"aliases": [
77
"CVE-2018-7821"
88
],
99
"details": "An Environment (CWE-2) vulnerability exists in SoMachine Basic, all versions, and Modicon M221(all references, all versions prior to firmware V1.10.0.0) which could cause cycle time impact when flooding the M221 ethernet interface while the Ethernet/IP adapter is activated.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
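Review bot: the added vector `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` computes to 7.5 (High) under CVSS 3.1 and matches the unchanged `"severity": "HIGH"` later in this file, as well as the unauthenticated Ethernet flooding impact described in `details`. No change needed in this hunk.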
@@ -21,6 +26,7 @@
2126
],
2227
"database_specific": {
2328
"cwe_ids": [
29+
"CWE-400",
2430
"CWE-770"
2531
],
2632
"severity": "HIGH",
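Review bot: `CWE-400` (Uncontrolled Resource Consumption) is the parent of the already listed `CWE-770` (Allocation of Resources Without Limits or Throttling), so adding it is redundant but harmless; the mapping itself is sound because the `CWE-2` cited in `details` is the "7PK - Environment" category, which is not a weakness that should be used for classification. If the sync normalises to the most specific CWE, keep only `CWE-770`.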

advisories/unreviewed/2022/05/GHSA-f2f3-hcjw-63p3/GHSA-f2f3-hcjw-63p3.json

Lines changed: 7 additions & 2 deletions
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-f2f3-hcjw-63p3",
4-
"modified": "2022-05-24T17:05:42Z",
4+
"modified": "2026-05-29T15:30:21Z",
55
"published": "2022-05-24T17:05:42Z",
66
"aliases": [
77
"CVE-2018-7794"
88
],
99
"details": "A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Modicon Quantum, Modicon Premium (see security notification for specific versions) which could cause a Denial of Service when reading data with invalid index using Modbus TCP.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
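Review bot: the added vector `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` computes to 7.5 (High) under CVSS 3.1, consistent with the Modbus TCP denial-of-service in `details`. The `cwe_ids` array is outside this hunk; confirm it includes the `CWE-754` that the description names.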

advisories/unreviewed/2022/05/GHSA-f3x2-w4cq-5v25/GHSA-f3x2-w4cq-5v25.json

Lines changed: 7 additions & 2 deletions
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-f3x2-w4cq-5v25",
4-
"modified": "2022-05-24T17:42:41Z",
4+
"modified": "2026-05-29T15:30:23Z",
55
"published": "2022-05-24T17:42:41Z",
66
"aliases": [
77
"CVE-2021-22701"
88
],
99
"details": "A CWE-352: Cross-Site Request Forgery vulnerability exists in PowerLogic ION7400, ION7650, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that could cause a user to perform an unintended action on the target device when using the HTTP web interface.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
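Review bot: the added vector `AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N` computes to 4.5 (Medium) under CVSS 3.1. `PR:H` is unusual for a cross-site request forgery: the attacker needs no privileges of their own, and the victim's privileges are not counted in `PR`, so CSRF is typically scored `PR:N/UI:R`, which would yield a noticeably higher score. Confirm the vector was transcribed as intended and that the `severity` label outside this hunk agrees with whichever scoring is kept.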
