Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 9fce0a8a816d · 2026-03-27T19:56:49.000Z
GHSA-27qh-8cxx-2cr5 GHSA-m959-cc7f-wv43
diff --git a/advisories/github-reviewed/2026/03/GHSA-27qh-8cxx-2cr5/GHSA-27qh-8cxx-2cr5.json b/advisories/github-reviewed/2026/03/GHSA-27qh-8cxx-2cr5/GHSA-27qh-8cxx-2cr5.json
@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-27qh-8cxx-2cr5",
+  "modified": "2026-03-27T19:54:59Z",
+  "published": "2026-03-27T19:54:58Z",
+  "aliases": [],
+  "summary": "AWS SDK for PHP has CloudFront Policy Document Injection via Special Characters",
+  "details": "### Summary\n\nThis notification is related to the [CloudFront signing utilities](https://github.com/aws/aws-sdk-php/blob/master/src/CloudFront/Signer.php) in the AWS SDK for PHP, which are used to generate Amazon CloudFront signed URLs and signed cookies. A defense-in-depth enhancement has been implemented to improve handling of special characters, such as double quotes and backslashes, in input values.\n\n### Impact\n\nThe CloudFront signing utilities build policy documents that define access restrictions for signed URLs and cookies. If an application passes unsanitized input containing special characters to these utilities, the resulting policy document may not reflect the application's intended access restrictions. While the SDK was functioning safely within the requirements of the shared responsibility model, additional safeguards have been added to support secure customer implementations. Applications that already follow AWS security best practices for input validation are not impacted.\n\n### Impacted versions: 3.11.7 - 3.371.3\n\n### Patches\n\nOn 3/3/2026, an enhancement was made to the AWS SDK for PHP version 3.371.4. The enhancement ensures that special characters in input values are correctly handled. It is recommended to upgrade to the latest version.\n\n### Workarounds\n\nNo workarounds are needed, but customers should ensure that the application is following security best practices:\n\n- Implement proper input validation in application code before passing values to CloudFront signing utilities\n- Update to the latest AWS SDK release on a regular basis\n- Follow AWS security best practices for SDK configuration\n\n### References\n\nFor any questions or comments about this advisory, it is recommended to contact AWS Security via the [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.\n\n### Acknowledgement\n\nThe Amazon Inspector Security Research team is thanked for identifying this issue and working through the coordinated process.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "aws/aws-sdk-php"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.11.7"
+            },
+            {
+              "fixed": "3.371.4"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.371.3"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/aws/aws-sdk-php/security/advisories/GHSA-27qh-8cxx-2cr5"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/aws/aws-sdk-php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/aws/aws-sdk-php/blob/master/src/CloudFront/Signer.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/aws/aws-sdk-php/releases/tag/3.371.4"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-150",
+      "CWE-20",
+      "CWE-74"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-27T19:54:58Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-m959-cc7f-wv43/GHSA-m959-cc7f-wv43.json b/advisories/github-reviewed/2026/03/GHSA-m959-cc7f-wv43/GHSA-m959-cc7f-wv43.json
@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-m959-cc7f-wv43",
+  "modified": "2026-03-27T19:56:21Z",
+  "published": "2026-03-27T19:56:21Z",
+  "aliases": [
+    "CVE-2026-34073"
+  ],
+  "summary": "cryptography has incomplete DNS name constraint enforcement on peer names",
+  "details": "## Summary\n\nIn versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within child certificates, and not the \"peer name\" presented during each validation. Consequently, cryptography would allow a peer named `bar.example.com` to validate against a wildcard leaf certificate for `*.example.com`, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for `bar.example.com`.\n\nThis behavior resulted from a gap between RFC 5280 (which defines Name Constraint semantics) and RFC 9525 (which defines service identity semantics): put together, neither states definitively whether Name Constraints should be applied to peer names. To close this gap, cryptography now conservatively rejects any validation where the peer name would be rejected by a name constraint if it were a SAN instead.\n\nIn practice, exploitation of this bypass requires an uncommon X.509 topology, one that the Web PKI avoids because it exhibits these kinds of problems. Consequently, we consider this a medium-to-low impact severity.\n\nSee CVE-2025-61727 for a similar bypass in Go's `crypto/x509`.\n\n## Remediation\n\nUsers should upgrade to 46.0.6 or newer. \n\n## Attribution\n\nReporter: @1seal",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "cryptography"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "46.0.6"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/pyca/cryptography"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-295"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-27T19:56:21Z",
+    "nvd_published_at": null
+  }
+}
