Skip to content

Commit be16364

Browse files
1 parent d7339ab commit be16364

4 files changed

Lines changed: 240 additions & 0 deletions

File tree

Lines changed: 61 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,61 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-555p-6grf-mh7f",
4+
"modified": "2026-06-08T23:04:48Z",
5+
"published": "2026-06-08T23:04:48Z",
6+
"aliases": [
7+
"CVE-2026-47712"
8+
],
9+
"summary": "Dulwich doesn't sanitize commit subjects in `porcelain.format_patch`",
10+
"details": "### Impact\n\ndulwich.porcelain.format_patch(outdir=...) derives each patch filename from the commit's subject line. Prior to this fix, get_summary only replaced spaces with dashes - path separators (/, \\), parent-directory components (..), and other filename-hostile characters (e.g. :) were preserved verbatim and passed straight into os.path.join(outdir, f\"{i:04d}-{summary}.patch\").\n\nA malicious commit subject could therefore direct the generated patch file outside the requested outdir. Reduced examples:\n\n- x/../../x produced <outdir>/0001-x/../../x.patch, resolving\n two directories above outdir.\n- x\\..\\..\\x produced the equivalent escape on Windows, here \\ is also a path separator.\n\nRelated issues from the same root cause:\n\n- Subjects containing characters that are illegal in Windows filenames (e.g. :) caused format_patch to fail outright on Windows, where git would have succeeded.\n- Very long subjects produced excessively long filenames that could exceed filesystem limits; git truncates them.\n\nAnyone calling porcelain.format_patch (or the dulwich format-patch CLI) against untrusted commits - for example, a service that runs format-patch over user-supplied repositories or pull requests - could have patch files written to attacker-chosen locations within the process's write permissions.\n\n### Patches\n\nFixed in Dulwich 1.2.5. Users should upgrade.\n\n dulwich.patch.get_summary now mirrors git's format_sanitized_subject: only `[A-Za-z0-9._]` are kept, runs of other characters collapse to a single -, consecutive . collapse to a single ., trailing ./- are stripped, and the result is length-limited. This makes the returned string safe to embed as a filename component, so format_patch can no longer be steered out of outdir via the commit subject.\n\n### Workarounds\n\nUntil upgrading, callers that pass untrusted commits to porcelain.format_patch can:\n\n- Use stdout=True and write the patch to a destination they control, rather than letting format_patch choose the filename.\n- Validate the chosen path before opening - e.g. compare os.path.realpath(returned_path) against os.path.realpath(outdir) and reject any patch whose resolved path is not inside outdir.\n- Pre-screen commits and refuse to format any whose subject's first line contains /, \\, .., or other characters that are not safe on the target filesystem.\n\n### Resources\n\n- Fix commit: https://github.com/jelmer/dulwich/commit/c2446e51b\n- Affected API: dulwich.porcelain.format_patch / dulwich format-patch\n- Reference behavior: git's format_sanitized_subject in pretty.c",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "dulwich"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0.24.0"
29+
},
30+
{
31+
"fixed": "1.2.5"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/jelmer/dulwich/security/advisories/GHSA-555p-6grf-mh7f"
42+
},
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/jelmer/dulwich/commit/c2446e51b"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/jelmer/dulwich"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-22"
55+
],
56+
"severity": "LOW",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-06-08T23:04:48Z",
59+
"nvd_published_at": null
60+
}
61+
}
Lines changed: 61 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,61 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-8ghr-w65f-j3qr",
4+
"modified": "2026-06-08T23:07:02Z",
5+
"published": "2026-06-08T23:07:02Z",
6+
"aliases": [
7+
"CVE-2026-47721"
8+
],
9+
"summary": "FUXA's scheduler API missing admin check enables operator-to-admin escalation via scheduled device actions",
10+
"details": "## Summary\n\nAn authorization issue in the Scheduler API allowed authenticated non-admin users to create or modify scheduled actions that should be restricted to administrators.\n\n## Details\n\nThe Scheduler API did not correctly enforce administrator permissions when processing scheduler modifications.\n\nAs a result, authenticated users with non-administrative roles could create or modify scheduled actions that execute privileged operations, including device value changes and server-side script execution.\n\nThe issue was fixed in version 1.3.2 by enforcing the appropriate permission checks for scheduler modifications.\n\n\n## Impact\n\nAn operator-level user in FUXA reaches the PLC-write and server-side-script-execution surface that the platform otherwise restricts to administrators. In a SCADA deployment those two privileges cover setpoint control and the automation scripting engine. Alice schedules a job that rewrites a pump's enable tag, opens a safety interlock, or runs a project script that walks the device tree. The scheduled-action model extends the attack: Alice does not need to keep a session open for the action to fire, and a repeating schedule re-applies her changes every cycle even if an admin reverts them manually.\n\n**CVSS 3.1**: `AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L` (Medium, 6.3). CWE-862.\n\n## Recommended Fix\n\nAdd `authJwt.haveAdminPermission(permission)` to both `POST /api/scheduler` and `DELETE /api/scheduler`, matching every other write endpoint that reaches `runtime.devices.setTagValue` or `runtime.scriptsMgr.runScript`.\n\n```javascript\nschedulerApp.post(\"/api/scheduler\", secureFnc, function(req, res) {\n if (res.statusCode === 403) {\n runtime.logger.error(\"api post scheduler: Tocken Expired\");\n return;\n }\n const permission = checkGroupsFnc(req);\n const isGuest = authJwt.isGuestUser(req.userId, req.userGroups);\n if (runtime.settings?.secureEnabled && (isGuest || !authJwt.haveAdminPermission(permission))) {\n res.status(401).json({error:\"unauthorized_error\", message: \"Unauthorized!\"});\n runtime.logger.error(\"api post scheduler: admin permission required\");\n return;\n }\n // ... rest unchanged ...\n});\n```\n\nApply the same change to the delete handler at `server/api/scheduler/index.js:102-112`. As defense in depth, the scheduler service should also validate each `deviceActions` entry against the creator's stored groups before execution (e.g., reject `onRunScript` on any scheduler whose author is not an admin at execution time).\n\n---\nA fix is available at https://github.com/frangoteam/FUXA/releases/tag/v1.3.2.\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "fuxa-server"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"last_affected": "1.1.14-1243"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-8ghr-w65f-j3qr"
42+
},
43+
{
44+
"type": "PACKAGE",
45+
"url": "https://github.com/frangoteam/FUXA"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/frangoteam/FUXA/releases/tag/v1.3.2"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-862"
55+
],
56+
"severity": "MODERATE",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-06-08T23:07:02Z",
59+
"nvd_published_at": null
60+
}
61+
}
Lines changed: 57 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,57 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-h9fj-c2qr-76g2",
4+
"modified": "2026-06-08T23:06:43Z",
5+
"published": "2026-06-08T23:06:43Z",
6+
"aliases": [
7+
"CVE-2026-47720"
8+
],
9+
"summary": "FUXA has SQL Injection in its TDengine DAQ connector via backslash bypass of escapeTdString",
10+
"details": "## Summary\n\nThe TDengine DAQ storage connector's `escapeTdString` at `server/runtime/storage/tdengine/index.js:10` doubles single quotes but does not escape backslashes. TDengine's SQL parser treats `\\'` as a literal single quote inside a string, so a tag id of the form `x\\' OR 1=1--` escapes the first single quote, lets the doubled quote close the string, and appends an injected clause that runs on the TDengine server. An attacker (Alice) sends the crafted `sids` value through `GET /api/daq` or the Socket.IO `DAQ_QUERY` event and reads every row in `fuxa.meters`, which holds the historical tag values of every PLC the FUXA instance records.\n\n## Details\n\nThe TDengine DAQ storage connector did not correctly sanitize user-controlled values before including them in SQL queries.\n\nA specially crafted tag identifier could bypass the intended escaping logic and alter the query executed against the TDengine database.\n\nThis could allow unauthorized access to historical DAQ data stored in TDengine, including recorded tag values and related metadata.\n\nThe issue has been fixed in version 1.3.2 by improving input escaping in the TDengine connector.\n\n## Impact\n\nAn attacker with network access to a FUXA instance configured with TDengine as the DAQ backend reads the entire historical tag-value archive: every PLC tag the instance has recorded, plus the associated device ids and device names. Turning on authentication does not close the gap: the Socket.IO `DAQ_QUERY` handler has no authorization check, and `/api/daq` accepts guest-level requests. No login is needed in the default configuration.\n\n**CVSS 3.1**: `AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N` (Medium, 5.3). CWE-89.\n---\nA fix is available at https://github.com/frangoteam/FUXA/releases/tag/v1.3.2.\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "fuxa-server"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"last_affected": "1.1.14-1243"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-h9fj-c2qr-76g2"
42+
},
43+
{
44+
"type": "PACKAGE",
45+
"url": "https://github.com/frangoteam/FUXA"
46+
}
47+
],
48+
"database_specific": {
49+
"cwe_ids": [
50+
"CWE-89"
51+
],
52+
"severity": "MODERATE",
53+
"github_reviewed": true,
54+
"github_reviewed_at": "2026-06-08T23:06:43Z",
55+
"nvd_published_at": null
56+
}
57+
}
Lines changed: 61 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,61 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-w86f-rf9w-h3x6",
4+
"modified": "2026-06-08T23:06:40Z",
5+
"published": "2026-06-08T23:06:40Z",
6+
"aliases": [
7+
"CVE-2026-47719"
8+
],
9+
"summary": "FUXA: Unauthenticated SSRF via Socket.IO DEVICE_WEBAPI_REQUEST and DEVICE_PROPERTY with response reading",
10+
"details": "## Summary\n\nAn unauthenticated attacker (Alice) connects to FUXA's Socket.IO endpoint and emits a `device-webapi-request` event whose `property.address` field names an arbitrary URL. FUXA's `DEVICE_WEBAPI_REQUEST` handler at `server/runtime/index.js:296` calls `axios.get(address)` server-side and broadcasts the full response body back on the same event via `io.emit`. The companion handler `DEVICE_PROPERTY` at `server/runtime/index.js:153` has the same miss against OPC UA and ODBC endpoints. Both handlers skip the `isSocketWriteAuthorized()` check that the other write-capable events (`DEVICE_VALUES` at line 182, `DEVICE_ENABLE` at line 358) call. Alice reads cloud instance metadata, scans internal services, and connects to any OPC UA server or ODBC database the FUXA host can reach, then receives the results.\n\n## Details\n\n**Vulnerable handlers**: `server/runtime/index.js:153-171, 296-316`:\n\n```javascript\nsocket.on(Events.IoEventTypes.DEVICE_PROPERTY, (message) => {\n try {\n if (message && message.endpoint && message.type) {\n devices.getSupportedProperty(message.endpoint, message.type).then(result => {\n message.result = result;\n io.emit(Events.IoEventTypes.DEVICE_PROPERTY, message);\n })\n // ...\n }\n }\n // ...\n});\n\nsocket.on(Events.IoEventTypes.DEVICE_WEBAPI_REQUEST, (message) => {\n try {\n if (message && message.property) {\n devices.getRequestResult(message.property).then(result => {\n message.result = result;\n io.emit(Events.IoEventTypes.DEVICE_WEBAPI_REQUEST, message);\n })\n // ...\n }\n }\n // ...\n});\n```\n\n**Sink**: `server/runtime/devices/httprequest/index.js:471` for the webapi path:\n\n```javascript\nif (property.method === 'GET') {\n axios.get(property.address).then(res => {\n resolve(res.data);\n // ...\n```\n\nAlice fully controls `property.address`, and `io.emit` echoes the response body back on the same event. For the ODBC variant, `server/runtime/devices/odbc/index.js` builds the connection string from `endpoint.address` plus `endpoint.uid` and `endpoint.pwd`, so Alice supplies credentials and targets any reachable ODBC server.\n\n**Contrast**: `server/runtime/index.js:182` (the DEVICE_VALUES write handler) gates the exact same kind of action behind `isSocketWriteAuthorized(socket)`. The two handlers above skip that check.\n\nReachability: neither handler performs any authorization check, so both modes reach the sinks. `secureEnabled=true` does not close the gap because the Socket.IO connect block at `server/runtime/index.js:114-120` auto-issues a guest token to any client that connects without one, and the handlers run regardless of `socket.isAuthenticated`. This is the same pattern GHSA-vwcg-c828-9822's note warned about: enabling authentication does not mitigate the missing check here.\n\n\n## Impact\n\nAlice uses FUXA as a read-SSRF oracle against any HTTP(S) service the FUXA host can reach, with the response body delivered back to her Socket.IO session. On cloud-hosted SCADA deployments this exfiltrates IAM credentials from the instance metadata service. On OT networks it reaches internal OPC UA servers, ODBC databases, and administrative consoles that have no other external exposure. The ODBC variant accepts attacker-supplied credentials, so Alice authenticates to any ODBC server that trusts connections from the FUXA host. The attack works against `secureEnabled=true` deployments as well as the default; no operator interaction required.\n\n**CVSS 3.1**: `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N` (High, 8.2). CWE-918.\n\n## Recommended Fix\n\nAdd the existing `isSocketWriteAuthorized(socket)` check at the top of both handlers, matching the pattern used by `DEVICE_VALUES` and `DEVICE_ENABLE`. Also switch `io.emit` to `socket.emit` so the response scopes to the requesting socket instead of broadcasting to every connected client. For defense in depth, validate `property.address` against an allowlist of schemes and reject private, loopback, and link-local address ranges before calling `axios.get` or the device connect paths.\n\n```javascript\nsocket.on(Events.IoEventTypes.DEVICE_WEBAPI_REQUEST, (message) => {\n try {\n if (!isSocketWriteAuthorized(socket)) {\n logger.warn(`${Events.IoEventTypes.DEVICE_WEBAPI_REQUEST}: unauthorized request from ${socket.userId || 'guest'}`);\n return;\n }\n if (message && message.property) {\n // ... validate property.address against allowlist ...\n devices.getRequestResult(message.property).then(result => {\n message.result = result;\n socket.emit(Events.IoEventTypes.DEVICE_WEBAPI_REQUEST, message);\n })\n // ...\n }\n }\n // ...\n});\n```\n\nApply the same three changes (auth check, `socket.emit`, address validation) to `DEVICE_PROPERTY`.\n\n---\nA fix is available at https://github.com/frangoteam/FUXA/releases/tag/v1.3.2.\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "fuxa-server"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"last_affected": "1.1.14-1243"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-w86f-rf9w-h3x6"
42+
},
43+
{
44+
"type": "PACKAGE",
45+
"url": "https://github.com/frangoteam/FUXA"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/frangoteam/FUXA/releases/tag/v1.3.2"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-918"
55+
],
56+
"severity": "HIGH",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-06-08T23:06:40Z",
59+
"nvd_published_at": null
60+
}
61+
}

0 commit comments

Comments
 (0)