
Commit 3779848

1 parent 922ced7 commit 3779848

4 files changed

Lines changed: 20 additions & 4 deletions


advisories/github-reviewed/2025/12/GHSA-f4cf-9rvr-2rcx/GHSA-f4cf-9rvr-2rcx.json

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,14 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-f4cf-9rvr-2rcx",
4-
"modified": "2025-12-18T01:01:47Z",
4+
"modified": "2026-02-02T16:34:14Z",
55
"published": "2025-12-10T18:20:01Z",
66
"aliases": [
77
"CVE-2025-67717"
88
],
99
"summary": "Zitadel Discloses the Total Number of Instance Users",
1010
"details": "### Summary\n\nZitadel's User Service discloses the total number of instance users to unauthorized users.\n\n### Impact\n\nThe ZITADEL User Service exposes the total number of users within an instance to any authenticated user, regardless of their specific permissions. While this does not leak individual user data or PII, disclosing the total user count via the `totalResult` field constitutes an information disclosure vulnerability that may be sensitive in certain contexts.\n\n### Affected Versions\n\nSystems running one of the following version are affected:\n\n- **4.x**: `4.0.0-rc.1` through `4.7.1`\n- **3.x**: `3.0.0-rc.1` through `3.4.4`\n- **2.x**: `2.44.0` through `2.71.19`\n\n### Patches\n\nThe vulnerability has been addressed in the latest release. The patch resolves the issue and returns the `totalResult` value corresponding to the number of instance users for whom the querying user has read permission.\n\n- 4.x: Upgrade to >= [4.7.2](https://github.com/zitadel/zitadel/releases/tag/v4.7.2)\n- 3.x: Update to >= [3.4.5](https://github.com/zitadel/zitadel/releases/tag/v3.4.5)\n- 2.x: Update to >= [3.4.5](https://github.com/zitadel/zitadel/releases/tag/v3.4.5) (or checkout the workarounds section)\n\n### Workarounds\n\nThe recommended solution is to update Zitadel to a patched version.\n\nIf a version upgrade is not possible, you can enable the `permissionCheckV2` feature on your instance.\n\n### Questions\n\nIf you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)\n\n### Credits\n\nThis vulnerability was found by [zentrust partners GmbH](https://zentrust.partners) during a scheduled penetration test. Thank you to the analysts Martin Tschirsich, Joud Zakharia, Christopher Baumann.\nThe full report will be made public after the complete review.",
1111
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
15+
},
1216
{
1317
"type": "CVSS_V4",
1418
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
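Review bot: the inserted CVSS_V3 object (new lines 12-15) agrees with the existing CVSS_V4 vector on every comparable axis: network attack vector, low privileges (any authenticated user), no user interaction, low confidentiality impact and no integrity or availability impact, which matches the `totalResult` count disclosure described in `details`, so the scoring itself raises no concern. The hunk stops at new line 18 inside the `severity` array, so the closing `}` and `]` of the array are not visible here; run the repository's OSV/JSON schema validation on this file before merging to confirm the new object and its trailing comma left the document well-formed.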

advisories/github-reviewed/2026/01/GHSA-4fqp-r85r-hxqh/GHSA-4fqp-r85r-hxqh.json

Lines changed: 5 additions & 1 deletion
@@ -1,14 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-4fqp-r85r-hxqh",
4-
"modified": "2026-01-22T15:40:13Z",
4+
"modified": "2026-02-02T16:33:53Z",
55
"published": "2026-01-21T22:19:29Z",
66
"aliases": [
77
"CVE-2026-23986"
88
],
99
"summary": "Copier safe template has arbitrary filesystem write access via directory symlinks when _preserve_symlinks: true ",
1010
"details": "### Impact\n\nCopier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use [unsafe](https://copier.readthedocs.io/en/stable/configuring/#unsafe) features like custom Jinja extensions which would require passing the `--UNSAFE,--trust` flag. As it turns out, a safe template can currently write to arbitrary directories outside the destination path by using directory a symlink along with [`_preserve_symlinks: true`](https://copier.readthedocs.io/en/stable/configuring/#preserve_symlinks) and a [generated directory structure](https://copier.readthedocs.io/en/stable/configuring/#generating-a-directory-structure) whose rendered path is inside the symlinked directory. This way, a malicious template author can create a template that overwrites arbitrary files (according to the user's write permissions), e.g., to cause havoc.\n\n> [!NOTE]\n>\n> At the time of writing, the exploit is non-deterministic, as Copier walks the template's file tree using [`os.scandir`](https://docs.python.org/3/library/os.html#os.scandir) which yields directory entries in arbitrary order.\n\nReproducible example (may or may not work depending on directory entry yield order):\n\n```shell\nmkdir other/\npushd other/\necho \"sensitive\" > sensitive.txt\npopd\n\nmkdir src/\npushd src/\nln -s ../other other\necho \"overwritten\" > \"{{ pathjoin('other', 'sensitive.txt') }}.jinja\"\necho \"_preserve_symlinks: true\" > copier.yml\ntree .\n# .\n# ├── copier.yml\n# ├── other -> ../other\n# └── {{ pathjoin('other', 'sensitive.txt') }}.jinja\n#\n# 1 directory, 2 files\npopd\n\nuvx copier copy --overwrite src/ dst/\n\ncat other/sensitive.txt\n# overwritten\n```\n\n### Patches\n\nn/a\n\n### Workarounds\n\nn/a\n\n### References\n\nn/a",
1111
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"
15+
},
1216
{
1317
"type": "CVSS_V4",
1418
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"
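Review bot: the added CVSS_V3 vector mirrors the CVSS_V4 vector two lines below (local vector, no privileges, user interaction required, high integrity and availability impact, no confidentiality impact), which is the right shape for a template that overwrites arbitrary files under the user's own permissions, so the mapping is consistent. One thing to check outside this hunk: `details` still reads `n/a` under Patches, Workarounds and References; if the advisory now has a fixed version or an upstream reference, the same commit that revises `severity` and `modified` is the natural place to update `affected` and `references` as well, otherwise the bumped `modified` timestamp signals a change that consumers will not find.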

advisories/github-reviewed/2026/01/GHSA-xg4x-w2j3-57h6/GHSA-xg4x-w2j3-57h6.json

Lines changed: 5 additions & 1 deletion
@@ -1,14 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-xg4x-w2j3-57h6",
4-
"modified": "2026-01-29T03:38:50Z",
4+
"modified": "2026-02-02T16:33:31Z",
55
"published": "2026-01-27T18:33:50Z",
66
"aliases": [
77
"CVE-2026-23892"
88
],
99
"summary": "OctoPrint has Timing Side-Channel Vulnerability in API Key Authentication",
1010
"details": "### Impact\n\nOctoPrint versions up to and including 1.11.5 are affected by a (theoretical) timing attack vulnerability that allows API key extraction over the network.\n\nDue to using character based comparison that short-circuits on the first mismatched character during API key validation, rather than a cryptographical method with static runtime regardless of the point of mismatch, an attacker with network based access to an affected OctoPrint could extract API keys valid on the instance by measuring the response times of the denied access responses and guess an API key character by character.\n\n### Patches\n\nThe vulnerability will be patched in version 1.11.6.\n\n### Workaround\n\nThe likelihood of this attack actually working is highly dependent on the network's latency, noise and similar parameters. An actual proof of concept was not achieved so far. Still, as always administrators are advised to not expose their OctoPrint instance on hostile networks, especially not on the public Internet!\n\n### Credits\n\nThis vulnerability was discovered and responsibly disclosed to OctoPrint by [Knox Liu](https://github.com/yueyueL).",
1111
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
15+
},
1216
{
1317
"type": "CVSS_V4",
1418
"score": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
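Review bot: the added CVSS_V3 vector (new line 14) sets `AV:N`, while the existing CVSS_V4 vector on new line 18 sets `AV:A` and `AT:P`; the two scores should agree on the attack vector, since a timing side channel that the V4 assessment restricts to an adjacent network (and marks as requiring special attack conditions) is being rated as remotely reachable in V3. Either align the V3 vector with the V4 one (`CVSS:3.1/AV:A/...`) or raise the V4 vector to `AV:N`, and record the rationale in the commit; the `details` text ("highly dependent on the network's latency, noise and similar parameters", no working proof of concept) reads closer to the adjacent/high-complexity reading. The `C:H` / `VC:H` impact ratings are consistent between the two.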

advisories/github-reviewed/2026/01/GHSA-xjhm-gp88-8pfx/GHSA-xjhm-gp88-8pfx.json

Lines changed: 5 additions & 1 deletion
@@ -1,14 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-xjhm-gp88-8pfx",
4-
"modified": "2026-01-22T15:40:06Z",
4+
"modified": "2026-02-02T16:33:40Z",
55
"published": "2026-01-21T22:08:48Z",
66
"aliases": [
77
"CVE-2026-23968"
88
],
99
"summary": "Copier safe template has arbitrary filesystem read access via symlinks when _preserve_symlinks: false",
1010
"details": "### Impact\n\nCopier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use [unsafe](https://copier.readthedocs.io/en/stable/configuring/#unsafe) features like custom Jinja extensions which would require passing the `--UNSAFE,--trust` flag. As it turns out, a safe template can currently include arbitrary files/directories outside the local template clone location by using symlinks along with [`_preserve_symlinks: false`](https://copier.readthedocs.io/en/stable/configuring/#preserve_symlinks) (which is Copier's default setting). \n\nImagine, e.g., a malicious template author who creates a template that reads SSH keys or other secrets from well-known locations and hopes for a user to push the generated project to a public location like [github.com](https://github.com/) where the template author can extract the secrets.\n\nReproducible example:\n\n- Illegally include a file in the generated project via symlink resolution:\n\n ```shell\n echo \"s3cr3t\" > secret.txt\n\n mkdir src/\n pushd src/\n ln -s ../secret.txt stolen-secret.txt\n popd\n\n uvx copier copy src/ dst/\n\n cat dst/stolen-secret.txt\n #s3cr3t\n ```\n\n- Illegally include a directory in the generated project via symlink resolution:\n\n ```shell\n mkdir secrets/\n pushd secrets/\n echo \"s3cr3t\" > secret.txt\n popd\n\n mkdir src/\n pushd src/\n ln -s ../secrets stolen-secrets\n popd\n\n uvx copier copy src/ dst/\n\n tree dst/\n # dst/\n # └── stolen-secrets\n # └── secret.txt\n #\n # 1 directory, 1 file\n cat dst/stolen-secrets/secret.txt\n # s3cr3t\n ```\n\n### Patches\n\nn/a\n\n### Workarounds\n\nn/a\n\n### References\n\nn/a",
1111
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
15+
},
1216
{
1317
"type": "CVSS_V4",
1418
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
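Review bot: the CVSS_V3 vector added here is consistent with the CVSS_V4 vector on new line 18 (local, no privileges, user interaction required, high confidentiality impact only), and it is the expected mirror image of the sibling Copier write-access advisory in this commit: same base metrics, with the impact moved from integrity/availability to confidentiality for a symlink-resolved read into the generated project. No scoring change needed. As with the other Copier file, `details` still carries `n/a` for Patches, Workarounds and References, so confirm that nothing beyond the severity entry and `modified` was meant to change in this revision.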
