Skip to content

Commit d1a7d7f

Browse files
1 parent 0117193 commit d1a7d7f

8 files changed

Lines changed: 72 additions & 14 deletions

File tree

advisories/github-reviewed/2026/04/GHSA-4f8g-77mw-3rxc/GHSA-4f8g-77mw-3rxc.json

Lines changed: 20 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,14 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-4f8g-77mw-3rxc",
4-
"modified": "2026-04-28T18:29:47Z",
4+
"modified": "2026-06-08T23:25:13Z",
55
"published": "2026-04-09T17:36:53Z",
66
"aliases": [
77
"CVE-2026-42429"
88
],
99
"summary": "OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write`",
1010
"details": "## Impact\n\nGateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write`.\n\nPlugin HTTP routes using gateway auth could receive runtime write scopes even when the upstream trusted-proxy request only declared read.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `2026.1.29`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @smaeljaish771 for reporting.",
1111
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
15+
},
1216
{
1317
"type": "CVSS_V4",
1418
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
@@ -40,18 +44,31 @@
4044
"type": "WEB",
4145
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4f8g-77mw-3rxc"
4246
},
47+
{
48+
"type": "ADVISORY",
49+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42429"
50+
},
51+
{
52+
"type": "WEB",
53+
"url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5"
54+
},
4355
{
4456
"type": "PACKAGE",
4557
"url": "https://github.com/openclaw/openclaw"
58+
},
59+
{
60+
"type": "WEB",
61+
"url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-gateway-plugin-http-authentication"
4662
}
4763
],
4864
"database_specific": {
4965
"cwe_ids": [
50-
"CWE-269"
66+
"CWE-269",
67+
"CWE-863"
5168
],
5269
"severity": "LOW",
5370
"github_reviewed": true,
5471
"github_reviewed_at": "2026-04-09T17:36:53Z",
55-
"nvd_published_at": null
72+
"nvd_published_at": "2026-04-28T19:37:46Z"
5673
}
5774
}

advisories/github-reviewed/2026/04/GHSA-vw3h-q6xq-jjm5/GHSA-vw3h-q6xq-jjm5.json

Lines changed: 15 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,17 +1,21 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-vw3h-q6xq-jjm5",
4-
"modified": "2026-05-05T11:49:28Z",
4+
"modified": "2026-06-08T23:25:32Z",
55
"published": "2026-04-17T21:48:36Z",
66
"aliases": [
77
"CVE-2026-42437"
88
],
99
"summary": "OpenClaw: Voice-call realtime WebSocket accepted oversized frames",
1010
"details": "## Summary\n\nVoice-call realtime WebSocket accepted oversized frames.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `>= 2026.4.9 < 2026.4.10`\n- Patched versions: `>= 2026.4.10`\n\n## Impact\n\nThe voice-call realtime WebSocket path could accept oversized frames, creating a remote availability risk for deployments exposing that webhook path.\n\n## Technical Details\n\nThe fix rejects oversized realtime WebSocket frames before processing them.\n\n## Fix\n\nThe issue was fixed in #63890. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `afadb7dae6738819ad9c7d2597ace0516957d20e`\n- PR: #63890\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Reporters\n\nThanks to G0odUser from ADLab of VenusTech\nThanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.",
1111
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
15+
},
1216
{
1317
"type": "CVSS_V4",
14-
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
18+
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
1519
}
1620
],
1721
"affected": [
@@ -40,6 +44,10 @@
4044
"type": "WEB",
4145
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vw3h-q6xq-jjm5"
4246
},
47+
{
48+
"type": "ADVISORY",
49+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42437"
50+
},
4351
{
4452
"type": "WEB",
4553
"url": "https://github.com/openclaw/openclaw/pull/63890"
@@ -51,6 +59,10 @@
5159
{
5260
"type": "PACKAGE",
5361
"url": "https://github.com/openclaw/openclaw"
62+
},
63+
{
64+
"type": "WEB",
65+
"url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-oversized-websocket-frames-in-voice-call-realtime-path"
5466
}
5567
],
5668
"database_specific": {
@@ -61,6 +73,6 @@
6173
"severity": "HIGH",
6274
"github_reviewed": true,
6375
"github_reviewed_at": "2026-04-17T21:48:36Z",
64-
"nvd_published_at": null
76+
"nvd_published_at": "2026-05-05T12:16:18Z"
6577
}
6678
}

advisories/github-reviewed/2026/05/GHSA-cfw5-68c4-ffqp/GHSA-cfw5-68c4-ffqp.json

Lines changed: 14 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-cfw5-68c4-ffqp",
4-
"modified": "2026-05-08T19:17:45Z",
4+
"modified": "2026-06-08T23:27:29Z",
55
"published": "2026-05-08T19:17:45Z",
66
"aliases": [
77
"CVE-2026-44680"
@@ -65,10 +65,22 @@
6565
"type": "WEB",
6666
"url": "https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-cfw5-68c4-ffqp"
6767
},
68+
{
69+
"type": "ADVISORY",
70+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44680"
71+
},
72+
{
73+
"type": "WEB",
74+
"url": "https://github.com/mikro-orm/mikro-orm/pull/7653"
75+
},
6876
{
6977
"type": "WEB",
7078
"url": "https://github.com/mikro-orm/mikro-orm/pull/7654"
7179
},
80+
{
81+
"type": "WEB",
82+
"url": "https://github.com/mikro-orm/mikro-orm/pull/7656"
83+
},
7284
{
7385
"type": "WEB",
7486
"url": "https://github.com/mikro-orm/mikro-orm/pull/7657"
@@ -85,6 +97,6 @@
8597
"severity": "HIGH",
8698
"github_reviewed": true,
8799
"github_reviewed_at": "2026-05-08T19:17:45Z",
88-
"nvd_published_at": null
100+
"nvd_published_at": "2026-05-26T17:16:46Z"
89101
}
90102
}

advisories/github-reviewed/2026/05/GHSA-ffg9-j72f-j6xm/GHSA-ffg9-j72f-j6xm.json

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,14 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-ffg9-j72f-j6xm",
4-
"modified": "2026-05-15T23:44:45Z",
4+
"modified": "2026-06-08T23:26:12Z",
55
"published": "2026-05-14T13:13:56Z",
66
"aliases": [
77
"CVE-2026-24899"
88
],
99
"summary": "Fleet Windows MDM Azure AD JWT Authentication Bypass",
1010
"details": "### Summary\n\nA vulnerability in Fleet's Windows MDM enrollment flow allows authentication tokens from any Azure AD tenant to be accepted. Because Fleet validates JWT signatures using Microsoft's multi-tenant JWKS endpoint but does not enforce the `aud` (audience) or `iss` (issuer) claims, any Microsoft-signed Azure AD access token containing the expected scopes can be used to authenticate to Fleet's MDM endpoints.\n\n### Impact\n\nIf Windows MDM is enabled, an attacker with access to any Azure AD tenant can obtain a valid Microsoft-signed token and use it to enroll unauthorized devices and interact with Fleet's MDM management APIs. During device management, Fleet may expose sensitive enrollment secrets embedded in MDM command payloads, enabling further unauthorized access.\n\n### Workarounds\n\nIf an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\nEmail us at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nWe thank @zaddy6 for responsibly reporting this issue.",
1111
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
15+
},
1216
{
1317
"type": "CVSS_V4",
1418
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"

advisories/github-reviewed/2026/05/GHSA-fp53-qcf8-2xx2/GHSA-fp53-qcf8-2xx2.json

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-fp53-qcf8-2xx2",
4-
"modified": "2026-05-08T19:09:04Z",
4+
"modified": "2026-06-08T23:27:22Z",
55
"published": "2026-05-08T19:09:04Z",
66
"aliases": [
77
"CVE-2026-44502"
@@ -43,6 +43,10 @@
4343
"type": "WEB",
4444
"url": "https://github.com/bugsink/bugsink/security/advisories/GHSA-fp53-qcf8-2xx2"
4545
},
46+
{
47+
"type": "ADVISORY",
48+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44502"
49+
},
4650
{
4751
"type": "WEB",
4852
"url": "https://github.com/bugsink/bugsink/commit/940d2df635e06803ef658666d734306942db5cc7"
@@ -63,6 +67,6 @@
6367
"severity": "MODERATE",
6468
"github_reviewed": true,
6569
"github_reviewed_at": "2026-05-08T19:09:04Z",
66-
"nvd_published_at": null
70+
"nvd_published_at": "2026-05-26T17:16:46Z"
6771
}
6872
}

advisories/github-reviewed/2026/05/GHSA-hw27-4v2q-5qff/GHSA-hw27-4v2q-5qff.json

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-hw27-4v2q-5qff",
4-
"modified": "2026-05-20T15:34:40Z",
4+
"modified": "2026-06-08T23:27:33Z",
55
"published": "2026-05-20T15:34:40Z",
66
"aliases": [
77
"CVE-2026-46431"
@@ -43,6 +43,10 @@
4343
"type": "WEB",
4444
"url": "https://github.com/xyproto/algernon/security/advisories/GHSA-hw27-4v2q-5qff"
4545
},
46+
{
47+
"type": "ADVISORY",
48+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46431"
49+
},
4650
{
4751
"type": "PACKAGE",
4852
"url": "https://github.com/xyproto/algernon"
@@ -55,6 +59,6 @@
5559
"severity": "MODERATE",
5660
"github_reviewed": true,
5761
"github_reviewed_at": "2026-05-20T15:34:40Z",
58-
"nvd_published_at": null
62+
"nvd_published_at": "2026-05-26T17:16:51Z"
5963
}
6064
}

advisories/github-reviewed/2026/05/GHSA-j74f-g7vx-fh4x/GHSA-j74f-g7vx-fh4x.json

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -59,6 +59,7 @@
5959
],
6060
"database_specific": {
6161
"cwe_ids": [
62+
"CWE-78",
6263
"CWE-89"
6364
],
6465
"severity": "HIGH",

advisories/github-reviewed/2026/05/GHSA-xh8f-g2qw-gcm7/GHSA-xh8f-g2qw-gcm7.json

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,14 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-xh8f-g2qw-gcm7",
4-
"modified": "2026-05-13T14:20:03Z",
4+
"modified": "2026-06-08T23:26:31Z",
55
"published": "2026-05-05T20:05:05Z",
66
"aliases": [
77
"CVE-2026-42600"
88
],
99
"summary": "MinIO vulnerable to Path Traversal via msgpack Body in `ReadMultiple` Storage-REST Endpoint",
1010
"details": "### Impact\n\n_What kind of vulnerability is it? Who is impacted?_\n\nA path traversal vulnerability in MinIO's `ReadMultiple` internode storage-REST\nendpoint allows a caller holding the cluster root JWT to read files from\noutside the configured drive roots, bounded only by the MinIO process UID.\n\nDistributed-erasure (multi-node) MinIO deployments are impacted. Single-node\nstandalone deployments do not register the route and are not affected. The\nattack requires an HS512 JWT signed with `MINIO_ROOT_PASSWORD` and carrying\n`accessKey = MINIO_ROOT_USER` — the same secret every peer in the cluster\nholds to authenticate internode traffic, so a compromised peer or any actor in\npossession of the root credential can mint one.\n\nThe `ReadMultiple` handler (`cmd/storage-rest-server.go`) decodes a msgpack\n`ReadMultipleReq` body containing `Bucket`, `Prefix`, and `Files` fields and\nforwards them to `xlStorage.ReadMultiple` (`cmd/xl-storage.go`) without\nvalidation:\n\n```go\nvolumeDir := pathJoin(s.drivePath, req.Bucket) // traversal resolves here\nfor _, f := range req.Files {\n fullPath := pathJoin(volumeDir, req.Prefix, f)\n data, mt, err = s.readAllDataWithDMTime(ctx, req.Bucket, volumeDir, fullPath)\n}\n```\n\n`pathJoin` calls `path.Clean`, which resolves `..` components and produces an\nabsolute path anywhere on the filesystem — it is not a root jail. The global\n`setRequestValidityMiddleware` rejects `..` in `r.URL.Path` and `r.Form` but\ndoes not inspect request bodies, so msgpack-encoded traversal bypasses it.\nSibling storage methods (`StatInfoFile`, `ReadFileHandler`, `ReadVersion`)\nvalidate their volume argument through `s.getVolDir(volume)`, which rejects\n`..`; `ReadMultiple` skips this call.\n\nThe attacker sends `POST /minio/storage/{drivePath}/v63/rmpl` with a\nmsgpack-encoded body carrying `../` sequences in the `Bucket` field. The\nserver opens the resulting path via `os.OpenFile` with `O_RDONLY|O_NOATIME`\nand returns its contents in the msgpack response stream.\n\n**Impact by deployment:**\n\n- **Bare-metal with `User=minio` in the systemd unit** — the `O_NOATIME`\n ownership check bounds the read to files owned by the MinIO UID. Reachable\n secrets include TLS private keys, KMS/KES key material, systemd credentials,\n and data belonging to other tenants sharing the same UID on the host.\n Secrets leaked this way persist across cluster credential rotation.\n\n- **Containerized running as UID 0** (the historical default for the official\n Docker image, `docker-compose` examples, and Helm charts without\n `securityContext.runAsNonRoot`) — the primitive escalates to arbitrary\n host-filesystem disclosure: `/etc/shadow`, `/root/**`, Kubernetes\n service-account tokens, cloud-init metadata caches.\n\n**Affected components:** `cmd/storage-rest-server.go` (`ReadMultiple` handler),\n`cmd/xl-storage.go` (`xlStorage.ReadMultiple`).\n\n**CWE:** CWE-22 (Improper Limitation of a Pathname to a Restricted Directory\n— 'Path Traversal')\n\n**CVSS v4.0 Score:** 6.9 (Medium)\n\n**Vector:** `CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N`\n\n### Affected Versions\n\nAll MinIO releases from `RELEASE.2022-07-24T01-54-52Z` through the final\nrelease of the minio/minio open-source project, `RELEASE.2025-09-07T16-13-09Z`.\n\nThe vulnerability was introduced in commit\n[`f939d1c18`](https://github.com/minio/minio/commit/f939d1c1831c71f4b1c14df6d9cd62b12ccce7a3)\n(\"Independent Multipart Uploads\",\n[PR #15346](https://github.com/minio/minio/pull/15346)), which added the\n`ReadMultiple` storage-REST endpoint as part of the multipart upload\nredesign. The first affected release is `RELEASE.2022-07-24T01-54-52Z`.\n\n### Patches\n\n**Fixed in**: MinIO AIStor `RELEASE.2026-04-14T21-32-45Z` (recommended\nupgrade target). The fix — which removed the `ReadMultiple` handler, the\ncorresponding storage-driver method, the msgpack datatypes, the REST-client\nwrapper, and the route registration — first shipped in **MinIO AIStor\n`RELEASE.2024-10-23T19-38-07Z`**. Every AIStor release from\n`RELEASE.2024-10-23T19-38-07Z` onward is unaffected; users should upgrade to\n`RELEASE.2026-04-14T21-32-45Z` or later to pick up the accumulated fixes and\nimprovements shipped since.\n\n#### Binary Downloads\n\n| Platform | Architecture | Download |\n| -------- | ------------ | --------------------------------------------------------------------------- |\n| Linux | amd64 | [minio](https://dl.min.io/aistor/minio/release/linux-amd64/minio) |\n| Linux | arm64 | [minio](https://dl.min.io/aistor/minio/release/linux-arm64/minio) |\n| macOS | arm64 | [minio](https://dl.min.io/aistor/minio/release/darwin-arm64/minio) |\n| macOS | amd64 | [minio](https://dl.min.io/aistor/minio/release/darwin-amd64/minio) |\n| Windows | amd64 | [minio.exe](https://dl.min.io/aistor/minio/release/windows-amd64/minio.exe) |\n\n#### FIPS Binaries\n\n| Platform | Architecture | Download |\n| -------- | ------------ | --------------------------------------------------------------------------- |\n| Linux | amd64 | [minio.fips](https://dl.min.io/aistor/minio/release/linux-amd64/minio.fips) |\n| Linux | arm64 | [minio.fips](https://dl.min.io/aistor/minio/release/linux-arm64/minio.fips) |\n\n#### Package Downloads\n\n| Format | Architecture | Download |\n| ------ | ------------ | ----------------------------------------------------------------------------------------------------------------------------------- |\n| DEB | amd64 | [minio_20260414213245.0.0_amd64.deb](https://dl.min.io/aistor/minio/release/linux-amd64/minio_20260414213245.0.0_amd64.deb) |\n| DEB | arm64 | [minio_20260414213245.0.0_arm64.deb](https://dl.min.io/aistor/minio/release/linux-arm64/minio_20260414213245.0.0_arm64.deb) |\n| RPM | amd64 | [minio-20260414213245.0.0-1.x86_64.rpm](https://dl.min.io/aistor/minio/release/linux-amd64/minio-20260414213245.0.0-1.x86_64.rpm) |\n| RPM | arm64 | [minio-20260414213245.0.0-1.aarch64.rpm](https://dl.min.io/aistor/minio/release/linux-arm64/minio-20260414213245.0.0-1.aarch64.rpm) |\n\n#### Container Images\n\n```bash\n# Standard\ndocker pull quay.io/minio/aistor/minio:RELEASE.2026-04-14T21-32-45Z\npodman pull quay.io/minio/aistor/minio:RELEASE.2026-04-14T21-32-45Z\n\n# FIPS\ndocker pull quay.io/minio/aistor/minio:RELEASE.2026-04-14T21-32-45Z.fips\npodman pull quay.io/minio/aistor/minio:RELEASE.2026-04-14T21-32-45Z.fips\n```\n\n#### Homebrew (macOS)\n\n```bash\nbrew install minio/aistor/minio\n```\n\n### Workarounds\n\n- [Users of the open-source `minio/minio` project should upgrade to MinIO AIStor `RELEASE.2026-04-14T21-32-45Z` or later.](https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition/)\n\nIf upgrading is not immediately possible:\n\n- **Rotate the root credential and restrict who holds it.** The exploit\n requires a JWT signed with `MINIO_ROOT_PASSWORD`. Treat the root credential\n as the host-filesystem disclosure primitive that it is: rotate it after any\n suspected exposure, store it only in the secret manager that bootstraps the\n cluster, and do not hand it to applications or operators who only need\n object-level access.\n\n- **Do not run the MinIO container as UID 0.** Set\n `securityContext.runAsNonRoot: true` (and a non-zero `runAsUser`) in\n Kubernetes manifests, or add `--user` to `docker run`. This reduces the\n blast radius from arbitrary host-filesystem disclosure to MinIO-UID-owned\n files only.\n\n- **Restrict the internode storage-REST port at the network layer.** In\n distributed deployments, the storage-REST route is served on the same port\n as the S3 API by default. Where feasible, use `--internode-port` to expose\n internode traffic on a separate interface reachable only from other cluster\n peers, and block that interface from client networks.\n\n### Credits\n\n- **Finders:** Discovered by Claude, Anthropic's AI assistant, and triaged by\n **Adrian Denkiewicz** at **Doyensec** in collaboration with **Anthropic\n Research**.\n\n### Resources\n\n- Introducing commit: [`f939d1c18`](https://github.com/minio/minio/commit/f939d1c1831c71f4b1c14df6d9cd62b12ccce7a3)\n ([PR #15346](https://github.com/minio/minio/pull/15346))\n- [CWE-22 — Improper Limitation of a Pathname to a Restricted Directory](https://cwe.mitre.org/data/definitions/22.html)\n- [CVE-2022-35919 — MinIO admin-authenticated path traversal in server-update endpoint (same class, different channel)](https://github.com/minio/minio/security/advisories/GHSA-gr9v-6pcm-rqvg)\n- [MinIO AIStor](https://min.io/aistor)",
1111
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
15+
},
1216
{
1317
"type": "CVSS_V4",
1418
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"

0 commit comments

Comments
 (0)