Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 27d11af7ccad · 2026-02-03T17:39:08.000Z
GHSA-j8fq-86c5-5v2r GHSA-5vjc-qx43-r747 GHSA-chr6-386q-4m3v GHSA-hwqr-f3v9-hwxr GHSA-46j5-6fg5-4gv3 GHSA-rcmh-qjqh-p98v GHSA-r54g-49rx-98cr
diff --git a/advisories/github-reviewed/2021/10/GHSA-j8fq-86c5-5v2r/GHSA-j8fq-86c5-5v2r.json b/advisories/github-reviewed/2021/10/GHSA-j8fq-86c5-5v2r/GHSA-j8fq-86c5-5v2r.json
@@ -1,13 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-j8fq-86c5-5v2r",
-  "modified": "2024-09-16T13:56:48Z",
+  "modified": "2026-02-03T17:37:28Z",
   "published": "2021-10-27T18:53:48Z",
-  "aliases": [
-    "CVE-2021-42343"
-  ],
-  "summary": "Remote code execution in dask",
-  "details": "An issue was discovered in Dask (aka python-dask) through 2021.09.1. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.",
+  "withdrawn": "2026-02-03T17:37:27Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: Remote code execution in dask",
+  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-hwqr-f3v9-hwxr. This link is maintained to preserve external references.\n\n## Original Description\nAn issue was discovered in Dask (aka python-dask) through 2021.09.1. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.",
   "severity": [
     {
       "type": "CVSS_V3",
diff --git a/advisories/github-reviewed/2022/03/GHSA-5vjc-qx43-r747/GHSA-5vjc-qx43-r747.json b/advisories/github-reviewed/2022/03/GHSA-5vjc-qx43-r747/GHSA-5vjc-qx43-r747.json
@@ -1,12 +1,19 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5vjc-qx43-r747",
-  "modified": "2022-03-18T23:57:52Z",
+  "modified": "2026-02-03T17:38:19Z",
   "published": "2022-03-18T23:57:52Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2022-27200"
+  ],
   "summary": "Stored Cross-site Scripting in folder-auth plugin",
   "details": "Folder-based Authorization Strategy Plugin 1.3 and earlier does not escape the names of roles shown on the configuration form.\n\nThis results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.\n\nFolder-based Authorization Strategy Plugin 1.4 escapes the names of roles shown on the configuration form.\n\nSee https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2646",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [
     {
       "package": {
@@ -33,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/jenkinsci/folder-auth-plugin/security/advisories/GHSA-5vjc-qx43-r747"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27200"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/jenkinsci/folder-auth-plugin/commit/085df580c22902820ebba77b1201fabff098efc4"
@@ -44,6 +55,10 @@
     {
       "type": "WEB",
       "url": "https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2646"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2022/03/15/2"
     }
   ],
   "database_specific": {
diff --git a/advisories/github-reviewed/2022/03/GHSA-chr6-386q-4m3v/GHSA-chr6-386q-4m3v.json b/advisories/github-reviewed/2022/03/GHSA-chr6-386q-4m3v/GHSA-chr6-386q-4m3v.json
@@ -1,13 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-chr6-386q-4m3v",
-  "modified": "2022-11-30T20:28:46Z",
+  "modified": "2026-02-03T17:38:15Z",
   "published": "2022-03-16T00:00:44Z",
-  "aliases": [
-    "CVE-2022-27200"
-  ],
-  "summary": "Stored Cross-site Scripting vulnerability in Jenkins Folder-based Authorization Strategy Plugin",
-  "details": "Jenkins Folder-based Authorization Strategy Plugin 1.3 and earlier does not escape the names of roles shown on the configuration form, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.",
+  "withdrawn": "2026-02-03T17:38:15Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: Stored Cross-site Scripting vulnerability in Jenkins Folder-based Authorization Strategy Plugin",
+  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-5vjc-qx43-r747. This link is maintained to preserve external references.\n\n## Original Description\nJenkins Folder-based Authorization Strategy Plugin 1.3 and earlier does not escape the names of roles shown on the configuration form, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.",
   "severity": [
     {
       "type": "CVSS_V3",
diff --git a/advisories/github-reviewed/2022/07/GHSA-hwqr-f3v9-hwxr/GHSA-hwqr-f3v9-hwxr.json b/advisories/github-reviewed/2022/07/GHSA-hwqr-f3v9-hwxr/GHSA-hwqr-f3v9-hwxr.json
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hwqr-f3v9-hwxr",
-  "modified": "2024-09-16T13:56:39Z",
+  "modified": "2026-02-03T17:37:34Z",
   "published": "2022-07-15T21:56:08Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2021-42343"
+  ],
   "summary": "Workers for local Dask clusters mistakenly listened on public interfaces",
   "details": "Versions of `distributed` earlier than `2021.10.0` had a potential security vulnerability relating to single-machine Dask clusters.\n\nClusters started with `dask.distributed.LocalCluster` or `dask.distributed.Client()` (which defaults to using `LocalCluster`) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on `localhost`. A Dask cluster created using this method AND running on a machine that has these ports exposed could be used by a sophisticated attacker to enable remote code execution. Users running on machines with standard firewalls in place, or using clusters created via cluster objects other than `LocalCluster` (e.g. `dask_kubernetes.KubeCluster`) should not be affected. This vulnerability is documented in CVE-2021-42343, and was fixed in version `2021.10.0` (PR #5427).",
   "severity": [
@@ -42,6 +44,10 @@
       "type": "WEB",
       "url": "https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42343"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/dask/distributed/pull/5427"
@@ -54,10 +60,6 @@
       "type": "WEB",
       "url": "https://docs.dask.org/en/latest/changelog.html"
     },
-    {
-      "type": "ADVISORY",
-      "url": "https://github.com/advisories/GHSA-j8fq-86c5-5v2r"
-    },
     {
       "type": "WEB",
       "url": "https://github.com/dask/dask/tags"
diff --git a/advisories/github-reviewed/2025/12/GHSA-46j5-6fg5-4gv3/GHSA-46j5-6fg5-4gv3.json b/advisories/github-reviewed/2025/12/GHSA-46j5-6fg5-4gv3/GHSA-46j5-6fg5-4gv3.json
@@ -1,13 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-46j5-6fg5-4gv3",
-  "modified": "2025-12-18T22:43:39Z",
+  "modified": "2026-02-03T17:37:53Z",
   "published": "2025-12-18T09:30:30Z",
-  "aliases": [
-    "CVE-2025-14874"
-  ],
-  "summary": "Nodemailer is vulnerable to DoS through Uncontrolled Recursion",
-  "details": "A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.",
+  "withdrawn": "2026-02-03T17:37:53Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: Nodemailer is vulnerable to DoS through Uncontrolled Recursion",
+  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-rcmh-qjqh-p98v. This link is maintained to preserve external references.\n\n## Original Description\nA flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.",
   "severity": [
     {
       "type": "CVSS_V3",
diff --git a/advisories/github-reviewed/2025/12/GHSA-rcmh-qjqh-p98v/GHSA-rcmh-qjqh-p98v.json b/advisories/github-reviewed/2025/12/GHSA-rcmh-qjqh-p98v/GHSA-rcmh-qjqh-p98v.json
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rcmh-qjqh-p98v",
-  "modified": "2025-12-01T20:44:25Z",
+  "modified": "2026-02-03T17:37:59Z",
   "published": "2025-12-01T20:44:25Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2025-14874"
+  ],
   "summary": "Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls",
   "details": "### Summary\nA DoS can occur that immediately halts the system due to the use of an unsafe function.\n\n### Details\nAccording to **RFC 5322**, nested group structures (a group inside another group) are not allowed. Therefore, in lib/addressparser/index.js, the email address parser performs flattening when nested groups appear, since such input is likely to be abnormal. (If the address is valid, it is added as-is.) In other words, the parser flattens all nested groups and inserts them into the final group list.\nHowever, the code implemented for this flattening process can be exploited by malicious input and triggers DoS\n\nRFC 5322 uses a colon (:) to define a group, and commas (,) are used to separate members within a group.\nAt the following location in lib/addressparser/index.js:\n\nhttps://github.com/nodemailer/nodemailer/blob/master/lib/addressparser/index.js#L90\n\nthere is code that performs this flattening. The issue occurs when the email address parser attempts to process the following kind of malicious address header:\n\n```g0: g1: g2: g3: ... gN: victim@example.com;```\n\nBecause no recursion depth limit is enforced, the parser repeatedly invokes itself in the pattern\n`addressparser → _handleAddress → addressparser → ...`\nfor each nested group. As a result, when an attacker sends a header containing many colons, Nodemailer enters infinite recursion, eventually throwing Maximum call stack size exceeded and causing the process to terminate immediately. Due to the structure of this behavior, no authentication is required, and a single request is enough to shut down the service.\n\nThe problematic code section is as follows:\n```js\nif (isGroup) {\n    ...\n    if (data.group.length) {\n        let parsedGroup = addressparser(data.group.join(',')); // <- boom!\n        parsedGroup.forEach(member => {\n            if (member.group) {\n                groupMembers = groupMembers.concat(member.group);\n            } else {\n                groupMembers.push(member);\n            }\n        });\n    }\n}\n```\n`data.group` is expected to contain members separated by commas, but in the attacker’s payload the group contains colon `(:)` tokens. Because of this, the parser repeatedly triggers recursive calls for each colon, proportional to their number.\n\n### PoC\n\n```\nconst nodemailer = require('nodemailer');\n\nfunction buildDeepGroup(depth) {\n  let parts = [];\n  for (let i = 0; i < depth; i++) {\n    parts.push(`g${i}:`);\n  }\n  return parts.join(' ') + ' user@example.com;';\n}\n\nconst DEPTH = 3000; // <- control depth \nconst toHeader = buildDeepGroup(DEPTH);\nconsole.log('to header length:', toHeader.length);\n\nconst transporter = nodemailer.createTransport({\n  streamTransport: true,\n  buffer: true,\n  newline: 'unix'\n});\n\nconsole.log('parsing start');\n\ntransporter.sendMail(\n  {\n    from: 'test@example.com',\n    to: toHeader,\n    subject: 'test',\n    text: 'test'\n  },\n  (err, info) => {\n    if (err) {\n      console.error('error:', err);\n    } else {\n      console.log('finished :', info && info.envelope);\n    }\n  }\n);\n```\nAs a result, when the colon is repeated beyond a certain threshold, the Node.js process terminates immediately.\n\n### Impact\nThe attacker can achieve the following:\n\n1. Force an immediate crash of any server/service that uses Nodemailer\n2. Kill the backend process with a single web request\n3. In environments using PM2/Forever, trigger a continuous restart loop, causing severe resource exhaustion”",
   "severity": [
@@ -41,10 +43,22 @@
       "type": "WEB",
       "url": "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98v"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14874"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/nodemailer/nodemailer/commit/b61b9c0cfd682b6f647754ca338373b68336a150"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2025-14874"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418133"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/nodemailer/nodemailer"
diff --git a/advisories/github-reviewed/2026/02/GHSA-r54g-49rx-98cr/GHSA-r54g-49rx-98cr.json b/advisories/github-reviewed/2026/02/GHSA-r54g-49rx-98cr/GHSA-r54g-49rx-98cr.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-r54g-49rx-98cr",
+  "modified": "2026-02-03T17:37:33Z",
+  "published": "2026-02-03T17:37:33Z",
+  "aliases": [
+    "CVE-2026-24762"
+  ],
+  "summary": "RustFS Logs Sensitive Credentials in Plaintext",
+  "details": "### Summary\nRustFS logs sensitive credential material (access key, secret key, session token) to application logs at INFO level. This results in credentials being recorded in plaintext in log output, which may be accessible to internal or external log consumers and could lead to compromise of sensitive credentials. This vulnerability is classified as an information disclosure issue (CWE-532).\n\n### Details\nThe server writes newly generated STS credential information including the access key, secret key, and session token to logs. The following excerpts from application logs demonstrate this:\n\n```\n[2026-01-17 09:13:23.127767 +11:00] INFO [rustfs::admin::handlers::sts] [rustfs/src/admin/handlers/sts.rs:138] [rustfs-worker:ThreadId(4)] AssumeRole get new_cred Credentials { access_key: \"5UGH6TM44IPA81AH1WZE\", secret_key: \"3BQ-KnO_iB5ovmd5SU4wIK6sFfaPTliftvQ_iNLS\", session_token: \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJleHAiOjE3Njg2NDQ4MDMsInBhcmVudCI6InJ1c3Rmc2FkbWluIn0.F9ZhARXyU0cB6QoFMElKK5tns_RFQM9WlpMiGVuuDOpOfNrbEKE_9IK1oaJ_yqDsBlK115uYOcQcGohjgUPhOQ\", expiration: Some(2026-01-17 10:13:23.0 +00:00:00), status: \"on\", parent_user: \"rustfsadmin\", groups: None, claims: None, name: None, description: None }\n```\nBy inspecting logs, an attacker or unauthorized internal user with access to logs could retrieve these credentials and use them to authenticate to RustFS services or perform other unauthorized actions.\n\n### Impact\n- Information Exposure: Plaintext authentication credentials appear in log files that may be retained, backed up, or forwarded to centralized logging systems.\n- Credential Compromise: Access keys, secret keys, and session tokens may be used by unauthorized individuals to authenticate to RustFS services or hijack sessions.\n- Insider Threat: Even users with limited access who can read logs may gain elevated access if they retrieve credential material.\n- Compliance Risk: Logging sensitive authentication material may violate organizational policies and industry compliance standards (e.g., PCI-DSS, SOC2, ISO 27001) that forbid exposure of authentication secrets in logs\n\n### Remediation\n- Do not include secrets in log output — redact secret_key, session_token, and similar fields.\n- Log only safe identifiers such as non-sensitive IDs (e.g., parent_user, trace ID).",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "rustfs"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.0.0-alpha.13"
+            },
+            {
+              "fixed": "1.0.0-alpha.82"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 1.0.0-alpha.81"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-r54g-49rx-98cr"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/rustfs/rustfs"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-532"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-03T17:37:33Z",
+    "nvd_published_at": null
+  }
+}
