GHSA SYNC: 2 brand new advisories

Author: jasnow

gems/camaleon_cms/CVE-2026-1776.yml

@@ -0,0 +1,34 @@
+---
+gem: camaleon_cms
+cve: 2026-1776
+ghsa: jw5g-f64p-6x78
+url: https://nvd.nist.gov/vuln/detail/CVE-2026-1776
+title: Camaleon CMS vulnerable to Path Traversal through
+  AWS S3 uploader implementation
+date: 2026-03-10
+description: |
+  Camaleon CMS versions 2.4.5.0 through 2.9.1, prior to commit f54a77e,
+  contain a path traversal vulnerability in the AWS S3 uploader
+  implementation that allows authenticated users to read arbitrary
+  files from the web server’s filesystem. The issue occurs in the
+  download_private_file functionality when the application is
+  configured to use the CamaleonCmsAwsUploader backend. Unlike the
+  local uploader implementation, the AWS uploader does not validate
+  file paths with valid_folder_path?, allowing directory traversal
+  sequences to be supplied via the file parameter. As a result, any
+  authenticated user, including low-privileged registered users, can
+  access sensitive files such as /etc/passwd. This issue represents a
+  bypass of the incomplete fix for CVE-2024-46987 and affects
+  deployments using the AWS S3 storage backend.
+cvss_v4: 6.0
+unaffected_versions:
+  - "< 2.4.5.0"
+notes: 'Never patched; last release was 2.9.1'
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-1776
+    - https://github.com/owen2345/camaleon-cms/pull/1127
+    - https://github.com/owen2345/camaleon-cms/commit/f54a77e2a7be601215ea1b396038c589a0cab9af
+    - https://camaleon.website
+    - https://www.vulncheck.com/advisories/camaleon-cms-aws-uploader-authenticated-path-traversal-arbitrary-file-read
+    - https://github.com/advisories/GHSA-jw5g-f64p-6x78

gems/sigstore/CVE-2026-31830.yml

@@ -0,0 +1,56 @@
+---
+gem: sigstore
+cve: 2026-31830
+ghsa: mhg6-2q2v-9h2c
+url: https://github.com/sigstore/sigstore-ruby/security/advisories/GHSA-mhg6-2q2v-9h2c
+title: sigstore-ruby verifier returns success for DSSE bundles
+  with mismatched in-toto subject digest
+date: 2026-03-11
+description: |
+  ### Summary
+
+  `Sigstore::Verifier#verify` does not propagate the `VerificationFailure`
+  returned by `verify_in_toto` when the artifact digest does not match
+  the digest in the in-toto attestation subject. As a result, verification
+  of DSSE bundles containing in-toto statements returns `VerificationSuccess`
+  regardless of whether the artifact matches the attested subject.
+
+  ### Details
+
+  In `lib/sigstore/verifier.rb`, the verify method calls `verify_in_toto`
+  (line 176) without capturing or checking its return value:
+
+  `verify_in_toto(input, in_toto)`
+
+  When `verify_in_toto` detects a digest mismatch, it returns a
+  `VerificationFailure` object. Because the caller discards this
+  return value, execution unconditionally falls through to return
+  `VerificationSuccess`. This is the only verification sub-check in
+  the method (out of 12) whose failure is not propagated.
+
+  The message_signature code path is not affected.
+
+  ### Impact
+
+  An attacker who possesses a valid signed DSSE bundle containing an
+  in-toto attestation for artifact A can present it as a valid attestation
+  for a different artifact B. All other verification checks (DSSE envelope
+  signature, certificate chain, Rekor inclusion, SCTs, policy) pass because
+  they are independent of the artifact content. Only the in-toto subject
+  digest check detects the mismatch, and its result is discarded.
+
+  This allows an attacker to bypass artifact-to-attestation binding for
+  any consumer that relies on `Sigstore::Verifier#verify` to validate
+  DSSE/in-toto bundles.
+
+  ### Workarounds
+
+  None. Consumers cannot work around this without patching the library.
+cvss_v3: 7.5
+patched_versions:
+  - ">= 0.2.3"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-31830
+    - https://github.com/sigstore/sigstore-ruby/security/advisories/GHSA-mhg6-2q2v-9h2c
+    - https://github.com/advisories/GHSA-mhg6-2q2v-9h2c