Publish Advisories

GHSA-4xf9-pgvv-xx67
GHSA-gpvj-gp8c-c7p2
GHSA-mhpq-9638-x6pw
GHSA-gjx9-j8f8-7j74

Author: advisory-database[bot]

advisories/github-reviewed/2020/09/GHSA-4xf9-pgvv-xx67/GHSA-4xf9-pgvv-xx67.json

@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4xf9-pgvv-xx67",
-  "modified": "2021-09-29T18:16:33Z",
+  "modified": "2026-02-03T17:52:55Z",
   "published": "2020-09-03T20:27:46Z",
+  "withdrawn": "2026-02-03T17:52:55Z",
   "aliases": [],
-  "summary": "Regular Expression Denial of Service in simple-markdown",
-  "details": "Versions of `simple-markdown` prior to 0.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS). The `SimpleMarkdown.defaultInlineParse()` function has significantly degraded performance when parsing inline code blocks.\n\n\n## Recommendation\n\nUpgrade to version 0.5.2 or later.",
+  "summary": "Duplicate Advisory: Regular Expression Denial of Service in simple-markdown",
+  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-gpvj-gp8c-c7p2. This link is maintained to preserve external references.\n\n## Original Description\n\nVersions of `simple-markdown` prior to 0.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS). The `SimpleMarkdown.defaultInlineParse()` function has significantly degraded performance when parsing inline code blocks.\n\n\n## Recommendation\n\nUpgrade to version 0.5.2 or later.",
   "severity": [
     {
       "type": "CVSS_V3",

advisories/github-reviewed/2023/02/GHSA-gpvj-gp8c-c7p2/GHSA-gpvj-gp8c-c7p2.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-gpvj-gp8c-c7p2",
-  "modified": "2023-02-24T16:01:14Z",
+  "modified": "2026-02-03T17:53:00Z",
   "published": "2023-02-12T15:30:24Z",
   "aliases": [
     "CVE-2019-25103"
@@ -40,6 +40,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25103"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Khan/simple-markdown/issues/71"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/ariabuckles/simple-markdown/commit/89797fef9abb4cab2fb76a335968266a92588816"
@@ -52,6 +56,10 @@
       "type": "WEB",
       "url": "https://github.com/ariabuckles/simple-markdown/releases/tag/0.5.2"
     },
+    {
+      "type": "WEB",
+      "url": "https://snyk.io/vuln/SNYK-JS-SIMPLEMARKDOWN-460540"
+    },
     {
       "type": "WEB",
       "url": "https://vuldb.com/?ctiid.220639"

advisories/github-reviewed/2023/12/GHSA-mhpq-9638-x6pw/GHSA-mhpq-9638-x6pw.json

@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mhpq-9638-x6pw",
-  "modified": "2024-07-05T21:36:26Z",
+  "modified": "2026-02-03T17:53:34Z",
   "published": "2023-12-20T20:31:57Z",
+  "withdrawn": "2026-02-03T17:53:34Z",
   "aliases": [],
-  "summary": "Denial of service when decrypting attack controlled input in github.com/dvsekhvalnov/jose2go",
-  "details": "An attacker controlled input of a PBES2 encrypted JWE blob can have a very large p2c value that, when decrypted, produces a denial-of-service. ",
+  "summary": "Duplicate Advisory: Denial of service when decrypting attack controlled input in github.com/dvsekhvalnov/jose2go",
+  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-6294-6rgp-fr7r. This link is maintained to preserve external references.\n\n## Original Description\n\nAn attacker controlled input of a PBES2 encrypted JWE blob can have a very large p2c value that, when decrypted, produces a denial-of-service.",
   "severity": [
     {
       "type": "CVSS_V3",

advisories/github-reviewed/2026/02/GHSA-gjx9-j8f8-7j74/GHSA-gjx9-j8f8-7j74.json

@@ -0,0 +1,92 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gjx9-j8f8-7j74",
+  "modified": "2026-02-03T17:52:55Z",
+  "published": "2026-02-03T17:52:55Z",
+  "aliases": [
+    "CVE-2026-25526"
+  ],
+  "summary": "JinJava Bypass through ForTag leads to Arbitrary Java Execution",
+  "details": "## Impact\n\n**Vulnerability Type**: Sandbox Bypass / Remote Code Execution\n\n**Affected Component**: Jinjava\n\n**Affected Users**:\n- Organizations using HubSpot's Jinjava template rendering engine for user-provided template content\n- Any system that renders untrusted Jinja templates using HubSpot's Jinjava implementation\n- Users with the ability to create or edit custom code templates\n\n**Severity**: **Critical** - allows arbitrary Java class instantiation and file access bypassing built-in sandbox restrictions\n\n**Root Cause**: Multiple security bypass vulnerabilities in Jinjava's sandbox mechanism:\n\n1. **ForTag Property Access Bypass**: The `ForTag` class does not enforce `JinjavaBeanELResolver` restrictions when iterating over object properties using `Introspector.getBeanInfo()` and invoking getter methods via `PropertyDescriptor.getReadMethod()`\n\n2. **Restricted Class Instantiation**: The sandbox's type allowlist can be bypassed by using ObjectMapper to instantiate classes through JSON deserialization, including creating new `JinjavaELContext` and `JinjavaConfig` instances\n\n**Attack Vector**: An attacker with the ability to create or edit Jinja templates can:\n- Access arbitrary getter methods on objects in the template context\n- Instantiate `ObjectMapper` to enable default typing\n- Create arbitrary Java classes by bypassing type allowlists\n- Read files from the server filesystem (demonstrated with `/etc/passwd`)\n- Potentially execute arbitrary code\n\n## Patches\n\n**Status**: Patched - CVE-2026-25526\n\nUsers should upgrade to one of the following versions which contain fixes for this vulnerability:\n\n- **JinJava 2.8.3** or later\n- **JinJava 2.7.6** or later\n\n**Fix Components**:\n\n1. **ForTag Security Hardening**\n   - Added security checks to `ForTag.renderForCollection()` to enforce `JinjavaBeanELResolver` restrictions\n   - Implemented property access validation against restricted properties/methods before invoking getter methods\n   - Added checks for restricted class types before introspection\n\n2. **Enhanced Type Validation**\n   - Improved validation in `JinjavaBeanELResolver.isRestrictedClass()` to prevent instantiation of sensitive types\n   - Added additional restricted types to the denylist\n   - Implemented deeper validation for types created via ObjectMapper deserialization\n\n3. **Configuration Protection**\n   - Added checks to prevent creation of new `JinjavaConfig` or `JinjavaELContext` instances via ObjectMapper\n   - Prevented modification of `readOnlyResolver` configuration from untrusted templates\n   - Implemented additional safeguards around ELResolver configuration\n\n4. **Collection Type Validation**\n   - Implemented proper type validation in `HubLELResolver` to prevent collection type wrapping bypasses\n   - Added checks for wrapped types in collection deserialization\n   - Implemented validation for all types within collections against allowlists\n\n5. **ObjectMapper Restrictions**\n   - Added additional restrictions on `ObjectMapper.enableDefaultTyping()` to prevent enabling via less restrictive ELResolver\n   - Ensured default typing cannot be enabled without proper authorization\n\n**Information for Users**: Upgrade to version 2.8.3 or 2.7.6 or later to address this vulnerability.\n\n## References\n\n### Project Resources\n- **Jinjava Source Code**: [github.com/HubSpot/jinjava](https://github.com/HubSpot/jinjava)\n- **Jinjava Releases**: [github.com/HubSpot/jinjava/releases](https://github.com/HubSpot/jinjava/releases)\n\n### Security Standards & Classifications\n- **CWE-502**: Deserialization of Untrusted Data\n- **CWE-913**: Improper Control of Dynamically-Managed Code Resources\n- **CWE-94**: Improper Control of Generation of Code ('Code Injection')\n- **CVSS v3.1**: Common Vulnerability Scoring System\n\n### Additional Resources\n- [OWASP Template Injection](https://owasp.org/www-community/attacks/Server_Side_Template_Injection)\n- [Java Deserialization Security](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html)\n- [CVE Standards and Procedures](https://cve.mitre.org/)",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "com.hubspot.jinjava:jinjava"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.8.0"
+            },
+            {
+              "fixed": "2.8.3"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "com.hubspot.jinjava:jinjava"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.7.6"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/HubSpot/jinjava/security/advisories/GHSA-gjx9-j8f8-7j74"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/HubSpot/jinjava/commit/3d02e504d8bbb13bf3fe019e9ca7b51dfce7a998"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/HubSpot/jinjava/commit/c7328dce6030ac718f88974196035edafef24441"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/HubSpot/jinjava"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.7.6"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.3"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1336"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-03T17:52:55Z",
+    "nvd_published_at": null
+  }
+}