GHSA/SYNC: 4 new and 1 renamed advisories (#1015)

Author: jasnow

gems/avo/CVE-2026-33209.yml

@@ -0,0 +1,33 @@
+---
+gem: avo
+cve: 2026-33209
+ghsa: 762r-27w2-q22j
+url: https://github.com/avo-hq/avo/security/advisories/GHSA-762r-27w2-q22j
+title: Avo has a XSS vulnerability on `return_to` param
+date: 2026-03-18
+description: |
+  ## Description
+
+  A reflected cross-site scripting (XSS) vulnerability exists in
+  the `return_to` query parameter used in the avo interface.
+
+  An attacker can craft a malicious URL that injects arbitrary
+  JavaScript, which is executed when he clicks a dynamically
+  generated navigation button.
+
+  ## Impact
+
+  This vulnerability may allow execution of arbitrary JavaScript
+  in the context of the application.
+
+  Impact varies depending on deployment:
+  - In unauthenticated setups: exploitable via crafted links sent to users.
+  - In authenticated setups: limited to authenticated users and
+    requires interaction.
+cvss_v4: 5.3
+patched_versions:
+  - ">= 3.30.3"
+related:
+  url:
+    - https://github.com/avo-hq/avo/security/advisories/GHSA-762r-27w2-q22j
+    - https://github.com/advisories/GHSA-762r-27w2-q22j

gems/devise/GHSA-57hq-95w6-v4fc.yml gems/devise/CVE-2026-32700.ymlgems/devise/GHSA-57hq-95w6-v4fc.yml renamed to gems/devise/CVE-2026-32700.yml

@@ -1,5 +1,6 @@
 ---
 gem: devise
+cve: 2026-32700
 ghsa: 57hq-95w6-v4fc
 url: https://github.com/heartcombo/devise/security/advisories/GHSA-57hq-95w6-v4fc
 title: Confirmable "change email" race condition permits

gems/json/CVE-2026-33210.yml

@@ -0,0 +1,35 @@
+---
+gem: json
+cve: 2026-33210
+ghsa: 3m6g-2423-7cp3
+url: https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3
+title: Ruby JSON has a format string injection vulnerability
+date: 2026-03-19
+description: |
+  ### Impact
+
+  A format string injection vulnerability than that lead to denial of
+  service attacks or information disclosure, when the `allow_duplicate_key:
+  false` parsing option is used to parse user supplied documents.
+
+  This option isn't the default, if you didn't opt-in to use it,
+  you are not impacted.
+
+  ### Patches
+
+  Patched in `2.19.2`.
+
+  ### Workarounds
+
+  The issue can be avoided by not using the `allow_duplicate_key: false`
+  parsing option.
+unaffected_versions:
+  - "< 2.14.0"
+patched_versions:
+  - "~> 2.15.2.1"
+  - "~> 2.17.1.2"
+  - ">= 2.19.2"
+related:
+  url:
+    - https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3
+    - https://github.com/advisories/GHSA-3m6g-2423-7cp3

gems/katello/CVE-2026-4324.yml

@@ -0,0 +1,27 @@
+---
+gem: katello
+cve: 2026-4324
+ghsa: fwj4-6wgp-mpxm
+url: https://access.redhat.com/security/cve/CVE-2026-4324
+title: Katello - Denial of Service and potential information
+  disclosure via SQL injection'
+date: 2026-03-17
+description: |
+  A flaw was found in the Katello plugin for Red Hat Satellite. This
+  vulnerability, caused by improper sanitization of user-provided
+  input, allows a remote attacker to inject arbitrary SQL commands
+  into the sort_by parameter of the /api/hosts/bootc_images API
+  endpoint. This can lead to a Denial of Service (DoS) by triggering
+  database errors, and potentially enable Boolean-based Blind SQL
+  injection, which could allow an attacker to extract sensitive
+  information from the database.
+cvss_v3: 5.4
+patched_versions:
+  - ">= 4.19.1"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-4324
+    - https://access.redhat.com/security/cve/CVE-2026-4324
+    - https://bugzilla.redhat.com/show_bug.cgi?id=2448349
+    - https://github.com/Katello/katello/commit/a0a793b08d4f0a897ee985d79a687ad043f99e57
+    - https://github.com/advisories/GHSA-fwj4-6wgp-mpxm

gems/loofah/GHSA-46fp-8f5p-pf2m.yml

@@ -0,0 +1,51 @@
+---
+gem: loofah
+ghsa: 46fp-8f5p-pf2m
+url: https://github.com/flavorjones/loofah/security/advisories/GHSA-46fp-8f5p-pf2m
+title: Improper detection of disallowed URIs by Loofah `allowed_uri?`
+date: 2026-03-18
+description: |
+  ## Summary
+
+  `Loofah::HTML5::Scrub.allowed_uri?` does not correctly reject
+  `javascript:` URIs when the scheme is split by HTML entity-encoded
+  control characters such as `
` (carriage return), `
`
+  (line feed), or `	` (tab).
+
+  ## Details
+
+  The `allowed_uri?` method strips literal control characters before
+  decoding HTML entities. Payloads like `java
script:alert(1)`
+  survive the control character strip, then `
` is decoded to
+  a carriage return, producing `java\rscript:alert(1)`.
+
+  Note that the Loofah sanitizer's default `sanitize()` path is
+  **not affected** because Nokogiri decodes HTML entities during
+  parsing before Loofah evaluates the URI protocol. This issue only
+  affects direct callers of the `allowed_uri?` string-level helper
+  when passing HTML-encoded strings.
+
+  ## Impact
+
+  Applications that call `Loofah::HTML5::Scrub.allowed_uri?` to
+  validate user-controlled URLs and then render approved URLs into
+  `href` or other browser-interpreted URI attributes may be
+  vulnerable to cross-site scripting (XSS).
+
+  This only affects Loofah `2.25.0`.
+
+  ## Mitigation
+
+  Upgrade to Loofah >= `2.25.1`.
+
+  ## Credit
+
+  Responsibly reported by HackOne user `@smlee`.
+unaffected_versions:
+  - "< 2.25.0"
+patched_versions:
+  - ">= 2.25.1"
+related:
+  url:
+    - https://github.com/flavorjones/loofah/security/advisories/GHSA-46fp-8f5p-pf2m
+    - https://github.com/advisories/GHSA-46fp-8f5p-pf2m