Skip to content

Commit 9d3cf6e

Browse files
Advisory Database Sync
1 parent 4ce9fdc commit 9d3cf6e

37 files changed

Lines changed: 1092 additions & 55 deletions

File tree

Lines changed: 64 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,64 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-87m4-826x-3crx",
4+
"modified": "2026-06-08T23:00:14Z",
5+
"published": "2026-06-08T23:00:14Z",
6+
"aliases": [
7+
"CVE-2026-45034"
8+
],
9+
"summary": "PHPSpreadsheet has a patch bypass for CVE-2026-34084 ",
10+
"details": "## Summary\n\nCVE-2026-34084 was patched by the helper `File::prohibitWrappers`. The helper calls `parse_url($filename, PHP_URL_SCHEME)` and then checks `is_string($scheme) && strlen($scheme) > 1` to reject stream wrappers such as `phar://`, `php://`, `data://` or `expect://`. The check is not equivalent to \"does the path contain a wrapper\". When the input has the form `phar:///path/file.phar/inner` with three or more slashes after the scheme, `parse_url` returns boolean `false` instead of returning the scheme string. The `is_string($scheme)` branch is therefore skipped, the helper returns without throwing, and the caller proceeds. PHP's stream layer, however, still treats `phar:///...` as a valid phar wrapper and opens the underlying phar file. The result is that `IOFactory::load($attackerPath)` walks past the patch and still touches the phar wrapper. On PHP 7.x, simply reaching the phar wrapper via `is_file` is enough for PHP to automatically deserialize the phar metadata, which in turn invokes the magic methods `__wakeup` and `__destruct` of an attacker controlled object and gives full RCE. On PHP 8.x, automatic metadata deserialization for plain file ops was removed, so the chain at the PhpSpreadsheet layer reduces to a phar wrapper file read primitive, and RCE only resurfaces if the downstream consumer ever calls `Phar::getMetadata`.\n\n## Vulnerable code\n\nThe file `vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Shared/File.php` is byte identical across all six latest tags listed below:\n\n```php\npublic static function prohibitWrappers(string $filename): void\n{\n $scheme = parse_url($filename, PHP_URL_SCHEME);\n if (is_string($scheme) && strlen($scheme) > 1) {\n throw new Exception(\"Stream wrappers are not permitted as file paths: {$filename}\");\n }\n}\n```\n\nFor input `phar://x/dummy.csv` the call returns the string `\"phar\"` and the throw fires correctly. For input `phar:///work/exploit.phar/dummy.csv` the same call returns `false` and the throw is skipped, which is the bypass.\n\n## Confirmed affected versions\n\nTested on 2026-05-03. The `prohibitWrappers` source on disk is identical across all six tags.\n\n| Branch | Latest tag | PHP under test | Result |\n|---|---|---|---|\n| 1.x | 1.30.4 | 7.4 | bypass plus full RCE, gadget wrote marker file |\n| 2.1.x | 2.1.16 | 8.3 | bypass |\n| 2.4.x | 2.4.5 | 8.3 | bypass |\n| 3.10.x | 3.10.5 | 8.3 | bypass |\n| 5.6.x | 5.6.0 | 8.3 | bypass |\n| 5.7.x | 5.7.0 | 8.3 | bypass |\n\nVersion 1.30.4 is the latest tag of the 1.x branch, which is the only branch that still supports PHP 7.x. Version 5.7.0 is the latest tag overall on Packagist at the time of testing.\n\nNo branch beyond 1.30.x allows any release before Php 8. For branches beyond 1.30.x, although the code identified above is in error, and will be corrected, it does not lead to any security exposure. That would require a `Phar::getMetadata` call, which is not present in PhpSpreadsheet. If possible and reasonable, the release notes for the fix on the other branches will include `release-note: security`.\n\n## Reproduction\n\nRequires Docker only, no local PHP install. Run:\n\n```sh\nbash run.sh\n```\n\nThe script does the following in order: build `exploit.phar` using `php:7.4-cli` with `phar.readonly=0`, install `phpoffice/phpspreadsheet:5.7.0` through composer and run `exploit.php` on `php:8.3-cli` to show that the bypass still works against the latest tag, then install `1.30.4` and run again on `php:7.4-cli` to show the full RCE chain. All output is teed to `evidence.txt`.\n\n`exploit.php` ships two controls. The negative control uses `phar://x/dummy.csv` to confirm that the patch still rejects the standard wrapper form. The positive control uses `phar:///work/exploit.phar/dummy.csv` to show that the three slash variant slips through. On PHP 7.4 the gadget writes the file `pwned_marker` containing the lines `WAKEUP: phpspreadsheet-bypass` and `DESTRUCT: phpspreadsheet-bypass`, which is the proof that attacker controlled code ran inside the victim process.\n\n## Suggested fix\n\nDo not rely on `parse_url` to detect wrappers, because its behavior depends on the slash count and on the PHP version. Either of these is safe:\n\n```php\npublic static function prohibitWrappers(string $filename): void\n{\n if (str_contains($filename, '://')) {\n throw new Exception(\"Stream wrappers are not permitted as file paths: {$filename}\");\n }\n}\n```\n\nAlternatively, run the path through `realpath()` first, since `realpath` returns `false` for any wrapper prefixed path.\n\n## Files in this report\n- [build-phar.php](https://github.com/user-attachments/files/27317345/build-phar.php): builds `exploit.phar` with a gadget object in its metadata.\n- [exploit.php](https://github.com/user-attachments/files/27317343/exploit.php): main PoC, with the negative and positive controls.\n- [exploit.phar](https://github.com/user-attachments/files/27317356/exploit.phar.txt): prebuilt phar, the gadget writes a marker when deserialized.\n- [composer.json](https://github.com/user-attachments/files/27317341/composer.json): spec used by composer to install the version under test.\n- [run.sh](https://github.com/user-attachments/files/27317342/run.sh): end to end reproducer through Docker.\n- [evidence.txt](https://github.com/user-attachments/files/27317339/evidence.txt): log captured from the most recent `run.sh` invocation.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "phpoffice/phpspreadsheet"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "1.30.5"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 1.30.4"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-87m4-826x-3crx"
45+
},
46+
{
47+
"type": "PACKAGE",
48+
"url": "https://github.com/PHPOffice/PhpSpreadsheet"
49+
},
50+
{
51+
"type": "ADVISORY",
52+
"url": "https://github.com/advisories/GHSA-q4q6-r8wh-5cgh"
53+
}
54+
],
55+
"database_specific": {
56+
"cwe_ids": [
57+
"CWE-502"
58+
],
59+
"severity": "CRITICAL",
60+
"github_reviewed": true,
61+
"github_reviewed_at": "2026-06-08T23:00:14Z",
62+
"nvd_published_at": null
63+
}
64+
}
Lines changed: 64 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,64 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-cmm3-54f8-px4j",
4+
"modified": "2026-06-08T22:59:43Z",
5+
"published": "2026-06-08T22:59:43Z",
6+
"aliases": [
7+
"CVE-2026-44894"
8+
],
9+
"summary": "Netty's Default QUIC token handler accepts any client-supplied token",
10+
"details": "NoQuicTokenHandler is the tokenHandler used when the application does not set one. Its writeToken() returns false (server will not send Retry — acceptable), but validateToken() unconditionally `return 0`. In QuicheQuicServerCodec.handlePacket(), a non-negative return from validateToken() is interpreted as 'token is valid, ODCID starts at offset 0', causing the server to call quiche_accept as if the client's address had been validated by a Retry round-trip. Per RFC 9000 §8.1, a validated address lifts the 3× anti-amplification send limit. Thus any attacker who includes ANY non-empty token bytes in an Initial packet — with a spoofed victim source IP — causes the Netty server to treat the victim as validated and reflect full-size handshake flights (certificates, etc.) toward it without the 3× cap. The correct 'no token handler' semantics would be to return -1 (invalid) so the normal un-validated path and amplification limit apply.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Maven",
21+
"name": "io.netty:netty-codec-classes-quic"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "4.2.0.Final"
29+
},
30+
{
31+
"fixed": "4.2.15.Final"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 4.2.14.Final"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/netty/netty/security/advisories/GHSA-cmm3-54f8-px4j"
45+
},
46+
{
47+
"type": "PACKAGE",
48+
"url": "https://github.com/netty/netty"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
53+
}
54+
],
55+
"database_specific": {
56+
"cwe_ids": [
57+
"CWE-940"
58+
],
59+
"severity": "HIGH",
60+
"github_reviewed": true,
61+
"github_reviewed_at": "2026-06-08T22:59:43Z",
62+
"nvd_published_at": null
63+
}
64+
}
Lines changed: 90 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,90 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-x4gw-5cx5-pgmh",
4+
"modified": "2026-06-08T23:01:04Z",
5+
"published": "2026-06-08T23:01:04Z",
6+
"aliases": [
7+
"CVE-2026-45416"
8+
],
9+
"summary": "Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes",
10+
"details": "SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly allocates `ctx.alloc().buffer(handshakeLength)` (line 161). The guard at line 140 is `handshakeLength > maxClientHelloLength && maxClientHelloLength != 0`, and the commonly-used SniHandler/AbstractSniHandler constructors (SniHandler(Mapping), SniHandler(AsyncMapping), AbstractSniHandler()) pass maxClientHelloLength=0 and handshakeTimeoutMillis=0, so the length guard is disabled and no timeout is scheduled. A 16 MiB request exceeds the default pooled chunk size and becomes a huge/unpooled allocation performed immediately. The buffer is retained in the handler until the channel closes.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Maven",
21+
"name": "io.netty:netty-handler"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "4.2.0.Final"
29+
},
30+
{
31+
"fixed": "4.2.15.Final"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 4.2.14.Final"
38+
}
39+
},
40+
{
41+
"package": {
42+
"ecosystem": "Maven",
43+
"name": "io.netty:netty-handler"
44+
},
45+
"ranges": [
46+
{
47+
"type": "ECOSYSTEM",
48+
"events": [
49+
{
50+
"introduced": "0"
51+
},
52+
{
53+
"fixed": "4.1.135.Final"
54+
}
55+
]
56+
}
57+
],
58+
"database_specific": {
59+
"last_known_affected_version_range": "<= 4.1.134.Final"
60+
}
61+
}
62+
],
63+
"references": [
64+
{
65+
"type": "WEB",
66+
"url": "https://github.com/netty/netty/security/advisories/GHSA-x4gw-5cx5-pgmh"
67+
},
68+
{
69+
"type": "PACKAGE",
70+
"url": "https://github.com/netty/netty"
71+
},
72+
{
73+
"type": "WEB",
74+
"url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"
75+
},
76+
{
77+
"type": "WEB",
78+
"url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
79+
}
80+
],
81+
"database_specific": {
82+
"cwe_ids": [
83+
"CWE-770"
84+
],
85+
"severity": "HIGH",
86+
"github_reviewed": true,
87+
"github_reviewed_at": "2026-06-08T23:01:04Z",
88+
"nvd_published_at": null
89+
}
90+
}
Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,48 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-22j3-3q48-2rmj",
4+
"modified": "2026-06-08T21:31:50Z",
5+
"published": "2026-06-08T21:31:50Z",
6+
"aliases": [
7+
"CVE-2026-35058"
8+
],
9+
"details": "Improper validation of packet length during tls-crypt-v2 key extraction in OpenVPN 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 allows authenticated attackers to trigger a fatal assertion and cause a denial of service via a specially crafted packet.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V4",
13+
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
14+
}
15+
],
16+
"affected": [],
17+
"references": [
18+
{
19+
"type": "ADVISORY",
20+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35058"
21+
},
22+
{
23+
"type": "WEB",
24+
"url": "https://community.openvpn.net/ReleaseHistory#openvpn-2620-released-22-april-2026"
25+
},
26+
{
27+
"type": "WEB",
28+
"url": "https://community.openvpn.net/ReleaseHistory#openvpn-272-released-22-april-2026"
29+
},
30+
{
31+
"type": "WEB",
32+
"url": "https://community.openvpn.net/Security%20Announcements/CVE-2026-35058"
33+
},
34+
{
35+
"type": "WEB",
36+
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2026-2381"
37+
}
38+
],
39+
"database_specific": {
40+
"cwe_ids": [
41+
"CWE-617"
42+
],
43+
"severity": "MODERATE",
44+
"github_reviewed": false,
45+
"github_reviewed_at": null,
46+
"nvd_published_at": "2026-06-08T20:17:00Z"
47+
}
48+
}

advisories/unreviewed/2026/06/GHSA-2756-g6w2-6hv2/GHSA-2756-g6w2-6hv2.json

Lines changed: 8 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-2756-g6w2-6hv2",
4-
"modified": "2026-06-08T18:31:49Z",
4+
"modified": "2026-06-08T21:31:50Z",
55
"published": "2026-06-08T18:31:49Z",
66
"aliases": [
77
"CVE-2026-44185"
88
],
99
"details": "Buffer Over-read vulnerability in Apache HTTP Server via outbound OCSP requests to an attacker controlled OCSP server\n\nThis issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.\n\nUsers are recommended to upgrade to version 2.4.68, which fixes the issue.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
@@ -23,7 +28,7 @@
2328
"cwe_ids": [
2429
"CWE-126"
2530
],
26-
"severity": null,
31+
"severity": "HIGH",
2732
"github_reviewed": false,
2833
"github_reviewed_at": null,
2934
"nvd_published_at": "2026-06-08T16:16:40Z"

advisories/unreviewed/2026/06/GHSA-2p7m-6jhq-26cm/GHSA-2p7m-6jhq-26cm.json

Lines changed: 8 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-2p7m-6jhq-26cm",
4-
"modified": "2026-06-08T18:31:49Z",
4+
"modified": "2026-06-08T21:31:50Z",
55
"published": "2026-06-08T18:31:49Z",
66
"aliases": [
77
"CVE-2026-42536"
88
],
99
"details": "Heap-based Buffer Overflow vulnerability in Apache HTTP Server with mod_xml2enc, xml2StartParse, and untrusted content\n\nThis issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.\n\nUsers are recommended to upgrade to version 2.4.68, which fixes the issue.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
@@ -23,7 +28,7 @@
2328
"cwe_ids": [
2429
"CWE-122"
2530
],
26-
"severity": null,
31+
"severity": "HIGH",
2732
"github_reviewed": false,
2833
"github_reviewed_at": null,
2934
"nvd_published_at": "2026-06-08T16:16:39Z"

advisories/unreviewed/2026/06/GHSA-37fh-f35c-r73m/GHSA-37fh-f35c-r73m.json

Lines changed: 8 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-37fh-f35c-r73m",
4-
"modified": "2026-06-05T18:31:39Z",
4+
"modified": "2026-06-08T21:31:49Z",
55
"published": "2026-06-05T18:31:39Z",
66
"aliases": [
77
"CVE-2026-11362"
88
],
99
"details": "DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags.\n\nDataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources.\n\nThe format_event method (used by the event method) does not validate the content of the tags, which may contain commas (allowing tags to be injected) or newlines, pipes and colons that allow metric injections. (There is an ineffective s/|//g to remove pipes, but because the pipe is not escaped, it is interpreted as a regular expression metacharacter and has no effect.)",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
@@ -31,7 +36,7 @@
3136
"cwe_ids": [
3237
"CWE-93"
3338
],
34-
"severity": null,
39+
"severity": "CRITICAL",
3540
"github_reviewed": false,
3641
"github_reviewed_at": null,
3742
"nvd_published_at": "2026-06-05T16:16:41Z"

0 commit comments

Comments
 (0)