Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 8c848ba4fca8 · 2026-03-29T15:15:26.000Z
GHSA-wp76-gg32-8258 GHSA-x27p-5f68-m644
diff --git a/advisories/github-reviewed/2026/03/GHSA-wp76-gg32-8258/GHSA-wp76-gg32-8258.json b/advisories/github-reviewed/2026/03/GHSA-wp76-gg32-8258/GHSA-wp76-gg32-8258.json
@@ -0,0 +1,84 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wp76-gg32-8258",
+  "modified": "2026-03-29T15:14:03Z",
+  "published": "2026-03-29T15:14:03Z",
+  "aliases": [
+    "CVE-2026-34215"
+  ],
+  "summary": "Parse Server exposes auth data via verify password endpoint",
+  "details": "### Impact\n\nThe verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection.\n\n### Patches\n\nThe verify password endpoint now sanitizes authentication data through auth adapter hooks before returning the response, consistent with login and user retrieval endpoints.\n\n### Workarounds\n\nThere is no known workaround.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "parse-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "9.0.0"
+            },
+            {
+              "fixed": "9.7.0-alpha.7"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "parse-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "8.6.63"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/pull/10323"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/pull/10324"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/parse-community/parse-server"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-29T15:14:03Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-x27p-5f68-m644/GHSA-x27p-5f68-m644.json b/advisories/github-reviewed/2026/03/GHSA-x27p-5f68-m644/GHSA-x27p-5f68-m644.json
@@ -0,0 +1,62 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-x27p-5f68-m644",
+  "modified": "2026-03-29T15:13:30Z",
+  "published": "2026-03-29T15:13:30Z",
+  "aliases": [
+    "CVE-2026-34214"
+  ],
+  "summary": "Trino: Iceberg REST catalog static and vended credentials are accessible via query JSON",
+  "details": "### Summary\n\nIceberg connector REST catalog static credentials (access key) or vended credentials (temporary access key) are accessible to users that have write privilege on SQL level.\n\n### Details\n\nIceberg REST catalog typically needs access to object storage. This access can be configured in multiple different ways. When storage access is achieved by static credentials (e.g. AWS S3 access key) or vended credentials (temporary access key).\n\nQuery JSON is a query visualization and performance troubleshooting facility. It includes serialized query plan and handles for table writes or  execution of table procedures. A user that submitted a query has access to query JSON for their query. Query JSON is available from Trino UI or via `/ui/api/query/«query_id»` and `/v1/query/«query_id»` endpoints.\n\nThe storage credentials are stored in those handles when performing write operations, or table maintenance operations. They are serialized in query JSON. A user with write access to data in Iceberg connector configured to use REST Catalog with static or vended credentials can retrieve those credentials.\n\n### Impact\n\nAnyone using Iceberg REST catalog with static or vended credentials is impacted.\nThe credentials should be considered compromised. \nVended credentials are temporary in nature so they do not need to be rotated. However, underlying data could have been exposed.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "io.trino:trino-iceberg"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "439"
+            },
+            {
+              "fixed": "480"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/trinodb/trino/security/advisories/GHSA-x27p-5f68-m644"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/trinodb/trino"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/trinodb/trino/releases/tag/480"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-212",
+      "CWE-312"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-29T15:13:30Z",
+    "nvd_published_at": null
+  }
+}
