Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit d310046fe751 · 2025-06-19T16:20:33.000Z
GHSA-8qjw-9xgm-c9ff GHSA-9x53-gr7p-4qf5 GHSA-f5cx-h789-j959 GHSA-rqpx-f6rc-7hm5 GHSA-9x53-gr7p-4qf5
diff --git a/advisories/github-reviewed/2025/06/GHSA-8qjw-9xgm-c9ff/GHSA-8qjw-9xgm-c9ff.json b/advisories/github-reviewed/2025/06/GHSA-8qjw-9xgm-c9ff/GHSA-8qjw-9xgm-c9ff.json
@@ -0,0 +1,87 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8qjw-9xgm-c9ff",
+  "modified": "2025-06-19T16:19:48Z",
+  "published": "2025-06-19T16:19:48Z",
+  "aliases": [
+    "CVE-2025-48059"
+  ],
+  "summary": "PowSyBl Core Contains a Polynomial ReDoS in RegexCriterion",
+  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nThis is an advisory for a **potential polynomial Regular Expression Denial of Service (ReDoS)** vulnerability in the `RegexCriterion` class. This class compiles and evaluates an unvalidated, user-supplied regular expression against the identifier of an `Identifiable` object via `Pattern.compile(regex).matcher(id).find()`.\n\nTo trigger **polynomial ReDoS** in `RegexCriterion`, **two attacker-controlled conditions** must be met:\n- **Control over the regex input** passed into the constructor:\n  - _Example:_ An attacker supplies a malicious pattern such as `(.*a){10000}`.\n- **Control or influence over the output of `Identifiable.getId()`**:\n  -  _Example:_ A long string like `\"aaaa...!\"` that forces excessive backtracking.\n\nIf both conditions are satisfied, a malicious actor can cause **significant CPU exhaustion** through repeated or recursive `filter(...)` calls — especially if performed over large network models or filtering operations.\nWhile this class does not handle file or memory data directly, its reliance on untrusted regular expressions and potentially attacker-controlled identifiers makes it vulnerable to **polynomial ReDoS** under the right conditions. This risk is amplified when the library is used in dynamic or scriptable environments where external users control either criterion construction or network object identifiers.\nAlthough not as dangerous as _catastrophic exponential ReDoS_, the polynomial pattern still induces significant performance\ndegradation as input size increases.\n\n#### Am I impacted?\nSince `RegexCriterion` are used to define contingencies or limit reductions, you are vulnerable if:\n- you allow untrusted users to define contingency lists or limit reductions using this criterion;\n- OR you load untrusted contingencies or limit reductions files\n\nAND use them with a network containing untrusted identifiers.\n\n### Patches\ncom.powsybl:powsybl-iidm-criteria:6.7.2 and higher\n\n### References\n[powsybl-core v6.7.2](https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2)",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "com.powsybl:powsybl-iidm-criteria"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "6.3.0"
+            },
+            {
+              "fixed": "6.7.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 6.7.1"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "com.powsybl:powsybl-contingency-api"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "5.0.0"
+            },
+            {
+              "fixed": "6.3.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/powsybl/powsybl-core/security/advisories/GHSA-8qjw-9xgm-c9ff"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/powsybl/powsybl-core/commit/d8398f689a5ccd505bd62eee2bd6670a29133110"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/powsybl/powsybl-core"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1333"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-06-19T16:19:48Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2025/06/GHSA-9x53-gr7p-4qf5/GHSA-9x53-gr7p-4qf5.json b/advisories/github-reviewed/2025/06/GHSA-9x53-gr7p-4qf5/GHSA-9x53-gr7p-4qf5.json
@@ -0,0 +1,92 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9x53-gr7p-4qf5",
+  "modified": "2025-06-19T16:19:58Z",
+  "published": "2025-06-19T12:30:34Z",
+  "aliases": [
+    "CVE-2025-32896"
+  ],
+  "summary": "Apache SeaTunnel: Unauthenticated insecure access",
+  "details": "# Summary\n\nUnauthorized users can perform Arbitrary File Read and Deserialization\nattack by submit job using restful api-v1.\n\n# Details\nUnauthorized users can access `/hazelcast/rest/maps/submit-job` to submit\njob.\nAn attacker can set extra params in mysql url to perform Arbitrary File\nRead and Deserialization attack.\n\nThis issue affects Apache SeaTunnel: <=2.3.10\n\n# Fixed\n\nUsers are recommended to upgrade to version 2.3.11, and enable restful api-v2 & open https two-way authentication , which fixes the issue.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.seatunnel:seatunnel-engine-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.3.11"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.seatunnel:seatunnel-engine-common"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.3.11"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32896"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/seatunnel/pull/9010"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/seatunnel/commit/53325aa3e76e3939f41a4bf3eaaf3ee56f13f311"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/seatunnel"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/qvh3zyt1jr25rgvw955rb8qjrnbxfro9"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2025/04/12/1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-306"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-06-19T16:19:58Z",
+    "nvd_published_at": "2025-06-19T11:15:24Z"
+  }
+}
diff --git a/advisories/github-reviewed/2025/06/GHSA-f5cx-h789-j959/GHSA-f5cx-h789-j959.json b/advisories/github-reviewed/2025/06/GHSA-f5cx-h789-j959/GHSA-f5cx-h789-j959.json
@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f5cx-h789-j959",
+  "modified": "2025-06-19T16:19:16Z",
+  "published": "2025-06-19T16:19:16Z",
+  "aliases": [
+    "CVE-2025-47771"
+  ],
+  "summary": "PowSyBl Core allows deserialization of untrusted SparseMatrix data",
+  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nThis is a disclosure for a security vulnerability in the `SparseMatrix` class. The vulnerability is a deserialization issue that\ncan lead to a wide range of privilege escalations depending on the circumstances. The problematic area is the `read` method\nof the `SparseMatrix` class.\nThis method takes in an `InputStream` and returns a `SparseMatrix` object. We consider this to be a method that can be\nexposed to untrusted input in at least two use cases:\n- A user can adopt this method in an application where users can submit an `InputStream` and the application parses it into\na `SparseMatrix`. This can be a multi-tenant application that hosts many different users perhaps with different privilege\nlevels.\n- A user adopts the method for a local tool but receives the `InputStream` from external sources.\n\n#### Am I impacted?\nYou are vulnerable if you import non-controlled serialized `SparseMatrix` objects.\n\n\n### Patches\ncom.powsybl:powsybl-math:6.7.2 and higher\n\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not use `SparseMatrix` deserialization (`SparseMatrix.read(...)` methods).\n\n### References\n[powsybl-core v6.7.2](https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2)",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "com.powsybl:powsybl-math"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "6.3.0"
+            },
+            {
+              "fixed": "6.7.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 6.7.1"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/powsybl/powsybl-core/security/advisories/GHSA-f5cx-h789-j959"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/powsybl/powsybl-core/commit/8ed16ce41683c4aef5f6aa1dd5ae8642aa5ed2bd"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/powsybl/powsybl-core"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-502"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-06-19T16:19:16Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2025/06/GHSA-rqpx-f6rc-7hm5/GHSA-rqpx-f6rc-7hm5.json b/advisories/github-reviewed/2025/06/GHSA-rqpx-f6rc-7hm5/GHSA-rqpx-f6rc-7hm5.json
@@ -0,0 +1,63 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-rqpx-f6rc-7hm5",
+  "modified": "2025-06-19T16:19:33Z",
+  "published": "2025-06-19T16:19:33Z",
+  "aliases": [
+    "CVE-2025-48058"
+  ],
+  "summary": "PowSyBl Core contains Polynomial REDoS’es",
+  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nThis is an advisory for a **potential polynomial Regular Expression Denial of Service (ReDoS)** vulnerability in the PowSyBl's DataSource mechanism. When the `listNames(String regex)` method is called on a DataSource, the user-supplied regular expression (which may be unvalidated) is compiled and evaluated against a collection of file-like resource names.\n\nTo trigger a **polynomial ReDoS** via this mechanism, **two attacker-controlled conditions** must be met:\n- **Control over the regex input** passed into `listNames(String regex)`.\n  - _Example:_ An attacker supplies a malicious pattern like `(.*a){10000}`.\n- **Control or influence over the file/resource names** being matched.\n  - _Example:_ Filenames such as `\"aaaa...!\"` that induce regex engine backtracking.\n\nIf both conditions are satisfied, a malicious actor can cause **significant CPU consumption** due to regex backtracking — even\nwith polynomial patterns. Since both inputs can be controlled via a publicly accessible method or external filesystem handling,\nthe `listNames(String regex)` method is considered vulnerable to polynomial **REDoS**.\n\nUnlike classic _catastrophic exponential_ ReDoS, this subtle attack exploits a greedy `.*` prefix followed by a fixed suffix, repeated multiple times.  \nWhen applied to long filenames that almost match the pattern, the regex engine performs extensive backtracking, degrading performance predictably with input size. In a multi-tenant environment, an attacker can degrade the performance - and thereby the availability - of the server to an extent that it affects other users of the application. This can for example be useful if an attacker wants to delay other users in a scenario where a time advantage can be a competitive advantage.  \nA tricky part in this is that the attacker needs to control both the pattern and the input which may not always be the case.\n\n#### Am I impacted?\nYou are vulnerable if you make direct calls to the `listNames(String regex)` method on a class implementing the `ReadOnlyDataSource` interface, don't control the regular expression used as `regex` parameter, and if this datasource points to an archive or directory where an untrusted user may edit the filenames.\nFor instance, this could be the case if you want to list the files made available by a datasource which names respect a user-provided regular expression.\nNote that only direct calls to this method are concerned. There are several usages of this method in powsybl, but the provided regular expressions are all hardcoded and therefore cannot be provided by a malicious user.\n\n### Patches\ncom.powsybl:powsybl-commons:6.7.2 and higher\n\n### References\n[powsybl-core v6.7.2](https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2)",
+  "severity": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "com.powsybl:powsybl-commons"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.7.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 6.7.1"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/powsybl/powsybl-core/security/advisories/GHSA-rqpx-f6rc-7hm5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/powsybl/powsybl-core/commit/72f79dec6d4292f892fbddd68a19c67935c7d81f"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/powsybl/powsybl-core"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1333"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-06-19T16:19:33Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/unreviewed/2025/06/GHSA-9x53-gr7p-4qf5/GHSA-9x53-gr7p-4qf5.json b/advisories/unreviewed/2025/06/GHSA-9x53-gr7p-4qf5/GHSA-9x53-gr7p-4qf5.json
