Publish Advisories

GHSA-fj2w-wfgv-mwq6
GHSA-227w-wv4j-67h4
GHSA-hfj8-63c8-rmfw
GHSA-hj55-9jmv-9jrj

Author: advisory-database[bot]

advisories/github-reviewed/2022/01/GHSA-fj2w-wfgv-mwq6/GHSA-fj2w-wfgv-mwq6.json

@@ -1,12 +1,19 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fj2w-wfgv-mwq6",
-  "modified": "2022-01-24T22:05:38Z",
+  "modified": "2026-01-22T20:53:20Z",
   "published": "2022-01-21T23:21:48Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2024-23684"
+  ],
   "summary": "Denial of service in CBOR library",
-  "details": "### Impact\nDue to this library's use of an inefficient algorithm, it is vulnerable to a denial of service attack when a maliciously crafted input is passed to `DecodeFromBytes` or other CBOR decoding mechanisms in this library.  \n\nAffected versions _include_ versions 4.0.0 through 4.5.0.\n\nThis vulnerability was privately reported to me.\n\n### Patches\nThis issue has been fixed in version 4.5.1.  Users should use the latest version of this library.  (The latest version is not necessarily 4.5.1.  Check the README for [this library's repository](https://github.com/peteroupc/CBOR-Java) to see the latest version's version number.)\n\n### Workarounds\n\nAgain, users should use the latest version of this library.\n\nIn the meantime, note that the inputs affected by this issue are all CBOR maps or contain CBOR maps.  An input that decodes to a single CBOR object is not capable of containing a CBOR map if—\n\n- it begins with a byte other than 0x80 through 0xDF, or\n- it does not contain a byte in the range 0xa0 through 0xBF.\n\nSuch an input is not affected by this vulnerability and an application can choose to perform this check before passing it to a CBOR decoding mechanism.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the CBOR repository](https://github.com/peteroupc/CBOR-Java).\n",
-  "severity": [],
+  "details": "### Impact\nDue to this library's use of an inefficient algorithm, it is vulnerable to a denial of service attack when a maliciously crafted input is passed to `DecodeFromBytes` or other CBOR decoding mechanisms in this library.  \n\nAffected versions _include_ versions 4.0.0 through 4.5.0.\n\nThis vulnerability was privately reported to me.\n\n### Patches\nThis issue has been fixed in version 4.5.1.  Users should use the latest version of this library.  (The latest version is not necessarily 4.5.1.  Check the README for [this library's repository](https://github.com/peteroupc/CBOR-Java) to see the latest version's version number.)\n\n### Workarounds\n\nAgain, users should use the latest version of this library.\n\nIn the meantime, note that the inputs affected by this issue are all CBOR maps or contain CBOR maps.  An input that decodes to a single CBOR object is not capable of containing a CBOR map if—\n\n- it begins with a byte other than 0x80 through 0xDF, or\n- it does not contain a byte in the range 0xa0 through 0xBF.\n\nSuch an input is not affected by this vulnerability and an application can choose to perform this check before passing it to a CBOR decoding mechanism.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the CBOR repository](https://github.com/peteroupc/CBOR-Java).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [
     {
       "package": {
@@ -33,9 +40,17 @@
       "type": "WEB",
       "url": "https://github.com/peteroupc/CBOR-Java/security/advisories/GHSA-fj2w-wfgv-mwq6"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23684"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/peteroupc/CBOR-Java"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-fj2w-wfgv-mwq6"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2022/02/GHSA-227w-wv4j-67h4/GHSA-227w-wv4j-67h4.json

@@ -1,11 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-227w-wv4j-67h4",
-  "modified": "2022-02-09T22:30:30Z",
+  "modified": "2026-01-22T20:53:41Z",
   "published": "2022-02-09T22:30:30Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2024-23682"
+  ],
   "summary": "Class Loading Vulnerability in Artemis",
-  "details": "### Impact\nThis affects all Artemis users who test Java assignments. **Ares is not required.**\nStudents code that gets automatically tested can run arbitrary code in the container,\nor arbitrary code on the machine of an assessor in case of manual correction.\n\n### Patches\nThe problem cannot be resolved easily in Ares itself. Use the Maven Enforcer Plugin as follows:\n\n```xml\n<plugin>\n    <groupId>org.apache.maven.plugins</groupId>\n    <artifactId>maven-enforcer-plugin</artifactId>\n    <version>3.0.0</version>\n    <executions>\n        <execution>\n            <id>enforce-no-student-code-in-trusted-packages</id>\n            <phase>process-classes</phase>\n            <goals>\n                <goal>enforce</goal>\n            </goals>\n        </execution>\n    </executions>\n    <configuration>\n        <rules>\n            <requireFilesDontExist>\n                <files>\n                    <!-- ADD HERE THE RULES ARES TELLS YOU ARE MISSING -->\n                </files>\n            </requireFilesDontExist>\n        </rules>\n    </configuration>\n</plugin>\n```\n\nThis fails the build if student classes reside in such packages that Ares trusts. Trusted packages added in Ares using `@AddTrustedPackage` should be added as well.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open a discussion https://github.com/ls1intum/Ares/discussions\n* Open an issue in https://github.com/ls1intum/Ares/issues\n* Email us, see https://github.com/ls1intum/Ares/security/policy\n\n### References\nSee the assignment of Julius that passes the tests in TUM Artemis course: \"Test - Praktikum: Grundlagen der Programmierung (Testkurs für Tutoren) - Security Tests\" (if that still exists in 2022).\n\nAlso see #15 for almost the same problem.\n",
+  "details": "### Impact\nThis affects all Artemis users who test Java assignments. **Ares is not required.**\nStudents code that gets automatically tested can run arbitrary code in the container,\nor arbitrary code on the machine of an assessor in case of manual correction.\n\n### Patches\nThe problem cannot be resolved easily in Ares itself. Use the Maven Enforcer Plugin as follows:\n\n```xml\n<plugin>\n    <groupId>org.apache.maven.plugins</groupId>\n    <artifactId>maven-enforcer-plugin</artifactId>\n    <version>3.0.0</version>\n    <executions>\n        <execution>\n            <id>enforce-no-student-code-in-trusted-packages</id>\n            <phase>process-classes</phase>\n            <goals>\n                <goal>enforce</goal>\n            </goals>\n        </execution>\n    </executions>\n    <configuration>\n        <rules>\n            <requireFilesDontExist>\n                <files>\n                    <!-- ADD HERE THE RULES ARES TELLS YOU ARE MISSING -->\n                </files>\n            </requireFilesDontExist>\n        </rules>\n    </configuration>\n</plugin>\n```\n\nThis fails the build if student classes reside in such packages that Ares trusts. Trusted packages added in Ares using `@AddTrustedPackage` should be added as well.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open a discussion https://github.com/ls1intum/Ares/discussions\n* Open an issue in https://github.com/ls1intum/Ares/issues\n* Email us, see https://github.com/ls1intum/Ares/security/policy\n\n### References\nSee the assignment of Julius that passes the tests in TUM Artemis course: \"Test - Praktikum: Grundlagen der Programmierung (Testkurs für Tutoren) - Security Tests\" (if that still exists in 2022).\n\nAlso see #15 for almost the same problem.",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -38,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/ls1intum/Ares/security/advisories/GHSA-227w-wv4j-67h4"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23682"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/ls1intum/Ares/issues/15"
@@ -49,6 +55,10 @@
     {
       "type": "WEB",
       "url": "https://github.com/ls1intum/Ares/releases/tag/1.8.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-227w-wv4j-67h4"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2024/01/GHSA-hfj8-63c8-rmfw/GHSA-hfj8-63c8-rmfw.json

@@ -1,13 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hfj8-63c8-rmfw",
-  "modified": "2025-06-20T22:17:48Z",
+  "modified": "2026-01-22T20:53:05Z",
   "published": "2024-01-19T21:30:36Z",
-  "aliases": [
-    "CVE-2024-23684"
-  ],
-  "summary": "Inefficient Algorithmic Complexity in com.upokecenter:cbor",
-  "details": "Inefficient algorithmic complexity in DecodeFromBytes function in com.upokecenter.cbor Java implementation of Concise Binary Object Representation (CBOR) versions 4.0.0 to 4.5.1 allows an attacker to cause a denial of service by passing a maliciously crafted input. Depending on an application's use of this library, this may be a remote attacker.",
+  "withdrawn": "2026-01-22T20:53:05Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: Inefficient Algorithmic Complexity in com.upokecenter:cbor",
+  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-36p8-mvp6-cv38. This link is maintained to preserve external references.\n\n## Original Description\nInefficient algorithmic complexity in DecodeFromBytes function in com.upokecenter.cbor Java implementation of Concise Binary Object Representation (CBOR) versions 4.0.0 to 4.5.1 allows an attacker to cause a denial of service by passing a maliciously crafted input. Depending on an application's use of this library, this may be a remote attacker.",
   "severity": [
     {
       "type": "CVSS_V3",

advisories/github-reviewed/2024/01/GHSA-hj55-9jmv-9jrj/GHSA-hj55-9jmv-9jrj.json

@@ -1,13 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hj55-9jmv-9jrj",
-  "modified": "2025-06-20T22:18:03Z",
+  "modified": "2026-01-22T20:53:29Z",
   "published": "2024-01-19T21:30:36Z",
-  "aliases": [
-    "CVE-2024-23682"
-  ],
-  "summary": "Sandbox escape in Artemis Java Test Sandbox",
-  "details": "Artemis Java Test Sandbox versions before 1.8.0 are vulnerable to a sandbox escape when an attacker includes class files in a package that Ares trusts. An attacker can abuse this issue to execute arbitrary Java when a victim executes the supposedly sandboxed code.",
+  "withdrawn": "2026-01-22T20:53:29Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: Sandbox escape in Artemis Java Test Sandbox",
+  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-227w-wv4j-67h4. This link is maintained to preserve external references.\n\n## Original Description\nArtemis Java Test Sandbox versions before 1.8.0 are vulnerable to a sandbox escape when an attacker includes class files in a package that Ares trusts. An attacker can abuse this issue to execute arbitrary Java when a victim executes the supposedly sandboxed code.",
   "severity": [
     {
       "type": "CVSS_V3",