Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 2172d5c4ceb3 · 2026-01-22T20:53:18.000Z
GHSA-55xh-53m6-936r GHSA-4m5p-5w5w-3jcf GHSA-4hrp-m3f2-643j GHSA-gvc7-gjrw-hj65
diff --git a/advisories/github-reviewed/2021/06/GHSA-55xh-53m6-936r/GHSA-55xh-53m6-936r.json b/advisories/github-reviewed/2021/06/GHSA-55xh-53m6-936r/GHSA-55xh-53m6-936r.json
@@ -1,12 +1,19 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-55xh-53m6-936r",
-  "modified": "2021-06-01T19:14:06Z",
+  "modified": "2026-01-22T20:52:23Z",
   "published": "2021-06-01T21:17:36Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2024-23680"
+  ],
   "summary": "Improper Verification of Cryptographic Signature in aws-encryption-sdk-java",
-  "details": "### Impact\n\nThis advisory addresses several LOW severity issues with streaming signed messages and restricting processing of certain types of invalid messages. \n\nThis update addresses an issue where certain invalid ECDSA signatures incorrectly passed validation. These signatures provide defense in depth and there is no impact on the integrity of decrypted plaintext.\n\nThis ESDK supports a streaming mode where callers may stream the plaintext of signed messages before the ECDSA signature is validated. In addition to these signatures, the ESDK uses AES-GCM encryption and all plaintext is verified before being released to a caller. There is no impact on the integrity of the ciphertext or decrypted plaintext, however some callers may rely on the the ECDSA signature for non-repudiation. Without validating the ECDSA signature, an actor with trusted KMS permissions to decrypt a message may also be able to encrypt messages. This update introduces a new API for callers who wish to stream only unsigned messages. \n\nFor customers who process ESDK messages from untrusted sources, this update also introduces a new configuration to limit the number of Encrypted Data Keys (EDKs) that the ESDK will attempt to process per message. This configuration provides customers with a way to limit the number of AWS KMS Decrypt API calls that the ESDK will make per message. This setting will reject messages with more EDKs than the configured limit.\n\nFinally, this update adds early rejection of invalid messages with certain invalid combinations of algorithm suite and header data.\n\n### Patches\n\nFixed in versions 1.9 and 2.2. We recommend that all users upgrade to address these issues.\n\nCustomers leveraging the ESDK’s streaming features have several options to protect signature validation. One is to ensure that client code reads to the end of the stream before using released plaintext. With this release, using the new API for streaming and falling back to the non-streaming decrypt API for signed messages prevents using any plaintext from signed data before the signature is validated. See https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/about-versions.html#version2.2.x\n\nUsers processing ESDK messages from untrusted sources should use the new maximum encrypted data keys parameter. See https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/about-versions.html#version2.2.x\n\n### Workarounds\n\nNone\n\n### For more information\n\nhttps://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#digital-sigs\n\nhttps://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/about-versions.html#version2.2.x\n\n",
-  "severity": [],
+  "details": "### Impact\n\nThis advisory addresses several LOW severity issues with streaming signed messages and restricting processing of certain types of invalid messages. \n\nThis update addresses an issue where certain invalid ECDSA signatures incorrectly passed validation. These signatures provide defense in depth and there is no impact on the integrity of decrypted plaintext.\n\nThis ESDK supports a streaming mode where callers may stream the plaintext of signed messages before the ECDSA signature is validated. In addition to these signatures, the ESDK uses AES-GCM encryption and all plaintext is verified before being released to a caller. There is no impact on the integrity of the ciphertext or decrypted plaintext, however some callers may rely on the the ECDSA signature for non-repudiation. Without validating the ECDSA signature, an actor with trusted KMS permissions to decrypt a message may also be able to encrypt messages. This update introduces a new API for callers who wish to stream only unsigned messages. \n\nFor customers who process ESDK messages from untrusted sources, this update also introduces a new configuration to limit the number of Encrypted Data Keys (EDKs) that the ESDK will attempt to process per message. This configuration provides customers with a way to limit the number of AWS KMS Decrypt API calls that the ESDK will make per message. This setting will reject messages with more EDKs than the configured limit.\n\nFinally, this update adds early rejection of invalid messages with certain invalid combinations of algorithm suite and header data.\n\n### Patches\n\nFixed in versions 1.9 and 2.2. We recommend that all users upgrade to address these issues.\n\nCustomers leveraging the ESDK’s streaming features have several options to protect signature validation. One is to ensure that client code reads to the end of the stream before using released plaintext. With this release, using the new API for streaming and falling back to the non-streaming decrypt API for signed messages prevents using any plaintext from signed data before the signature is validated. See https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/about-versions.html#version2.2.x\n\nUsers processing ESDK messages from untrusted sources should use the new maximum encrypted data keys parameter. See https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/about-versions.html#version2.2.x\n\n### Workarounds\n\nNone\n\n### For more information\n\nhttps://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#digital-sigs\n\nhttps://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/about-versions.html#version2.2.x",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
   "affected": [
     {
       "package": {
@@ -51,6 +58,18 @@
     {
       "type": "WEB",
       "url": "https://github.com/aws/aws-encryption-sdk-java/security/advisories/GHSA-55xh-53m6-936r"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23680"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/aws/aws-encryption-sdk-java"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-55xh-53m6-936r"
     }
   ],
   "database_specific": {
diff --git a/advisories/github-reviewed/2022/10/GHSA-4m5p-5w5w-3jcf/GHSA-4m5p-5w5w-3jcf.json b/advisories/github-reviewed/2022/10/GHSA-4m5p-5w5w-3jcf/GHSA-4m5p-5w5w-3jcf.json
@@ -1,12 +1,19 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4m5p-5w5w-3jcf",
-  "modified": "2024-03-01T15:01:10Z",
+  "modified": "2026-01-22T20:52:01Z",
   "published": "2022-10-12T20:13:46Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2024-23679"
+  ],
   "summary": "com.enonic.xp:lib-auth vulnerable to Session Fixation",
   "details": "### Impact\nAll id-providers using lib-auth `login` method.\n\n### Patches\nhttps://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff\nhttps://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842\nhttps://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4\n\n### Workarounds\nDon't use lib-auth for `login`. \nJava API uses low-level structures and allows to invalidate previous session before auth-info is added.\n\n### References\n\nhttps://github.com/enonic/xp/issues/9253",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [
     {
       "package": {
@@ -33,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23679"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/enonic/xp/issues/9253"
@@ -52,6 +63,10 @@
     {
       "type": "PACKAGE",
       "url": "https://github.com/enonic/xp"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf"
     }
   ],
   "database_specific": {
diff --git a/advisories/github-reviewed/2024/01/GHSA-4hrp-m3f2-643j/GHSA-4hrp-m3f2-643j.json b/advisories/github-reviewed/2024/01/GHSA-4hrp-m3f2-643j/GHSA-4hrp-m3f2-643j.json
@@ -1,13 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4hrp-m3f2-643j",
-  "modified": "2025-05-30T16:30:44Z",
+  "modified": "2026-01-22T20:51:55Z",
   "published": "2024-01-19T21:30:36Z",
-  "aliases": [
-    "CVE-2024-23679"
-  ],
-  "summary": "Session fixation in Enonic XP",
-  "details": "Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.",
+  "withdrawn": "2026-01-22T20:51:55Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: Session fixation in Enonic XP",
+  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-4m5p-5w5w-3jcf. This link is maintained to preserve external references.\n\n## Original Description\nEnonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.",
   "severity": [
     {
       "type": "CVSS_V3",
diff --git a/advisories/github-reviewed/2024/01/GHSA-gvc7-gjrw-hj65/GHSA-gvc7-gjrw-hj65.json b/advisories/github-reviewed/2024/01/GHSA-gvc7-gjrw-hj65/GHSA-gvc7-gjrw-hj65.json
@@ -1,13 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-gvc7-gjrw-hj65",
-  "modified": "2024-09-11T12:24:40Z",
+  "modified": "2026-01-22T20:52:18Z",
   "published": "2024-01-19T21:30:36Z",
-  "aliases": [
-    "CVE-2024-23680"
-  ],
-  "summary": "Improper Verification of Cryptographic Signature in aws-encryption-sdk-java",
-  "details": "AWS Encryption SDK for Java versions 2.0.0 to 2.2.0 and less than 1.9.0 incorrectly validates some invalid ECDSA signatures. \n\n\n",
+  "withdrawn": "2026-01-22T20:52:18Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: Improper Verification of Cryptographic Signature in aws-encryption-sdk-java",
+  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-55xh-53m6-936r. This link is maintained to preserve external references.\n\n## Original Description\nAWS Encryption SDK for Java versions 2.0.0 to 2.2.0 and less than 1.9.0 incorrectly validates some invalid ECDSA signatures.",
   "severity": [
     {
       "type": "CVSS_V3",
