8 files changed

+49
-13
lines changed


advisories/github-reviewed/2026/04/GHSA-56p5-8mhr-2fph/GHSA-56p5-8mhr-2fph.json

Lines changed: 5 additions & 1 deletion
@@ -1,14 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-56p5-8mhr-2fph",
4-
"modified": "2026-04-09T14:28:22Z",
4+
"modified": "2026-04-10T21:34:31Z",
55
"published": "2026-04-08T15:03:47Z",
66
"aliases": [
77
"CVE-2026-35525"
88
],
99
"summary": "LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates",
1010
"details": "### Summary\n\nLiquidJS enforces partial and layout root restrictions using the resolved pathname string, but it does not resolve the canonical filesystem path before opening the file. A symlink placed inside an allowed partials or layouts directory can therefore point to a file outside that directory and still be loaded.\n\n### Details\n\nFor `{% include %}`, `{% render %}`, and `{% layout %}`, LiquidJS checks whether the candidate path is inside the configured partials or layouts roots before reading it. That check is path-based, not realpath-based.\n\nBecause of that, a file like `partials/link.liquid` passes the directory containment check as long as its pathname is under the allowed root. If `link.liquid` is actually a symlink to a file outside the allowed root, the filesystem follows the symlink when the file is opened and LiquidJS renders the external target.\n\nSo the restriction is applied to the path string that was requested, not to the file that is actually read.\n\nThis matters in environments where an attacker can place templates or otherwise influence files under a trusted template root, including uploaded themes, extracted archives, mounted content, or repository-controlled template trees.\n\n### PoC\n\n```js\nconst { Liquid } = require('liquidjs');\nconst fs = require('fs');\n\nfs.rmSync('/tmp/liquid-root', { recursive: true, force: true });\nfs.mkdirSync('/tmp/liquid-root', { recursive: true });\n\nfs.writeFileSync('/tmp/secret-outside.liquid', 'SECRET_OUTSIDE');\nfs.symlinkSync('/tmp/secret-outside.liquid', '/tmp/liquid-root/link.liquid');\n\nconst engine = new Liquid({ root: ['/tmp/liquid-root'] });\n\nengine.parseAndRender('{% render \"link.liquid\" %}')\n .then(console.log);\n// SECRET_OUTSIDE\n```\n\n### Impact\n\nIf an attacker can place or influence symlinks under a trusted partials or layouts directory, they can make LiquidJS read and render files outside the intended template root. 
In practice this can expose arbitrary readable files reachable through symlink targets.",
1111
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
15+
},
1216
{
1317
"type": "CVSS_V4",
1418
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
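Review bot: the added CVSS_V3 vector rates attack complexity AC:L, while the existing CVSS_V4 vector two lines below records AT:P and the details string conditions the bug on an attacker who can already place or influence symlinks under a trusted partials or layouts root. Check whether the v3 mapping should be AC:H to stay consistent with the v4 attack-requirements rating, or record in the advisory why the two vectors are meant to differ.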

advisories/github-reviewed/2026/04/GHSA-78cg-fc6c-w44w/GHSA-78cg-fc6c-w44w.json

Lines changed: 5 additions & 1 deletion
@@ -1,14 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-78cg-fc6c-w44w",
4-
"modified": "2026-04-10T21:24:13Z",
4+
"modified": "2026-04-10T21:35:08Z",
55
"published": "2026-04-09T18:31:26Z",
66
"aliases": [
77
"CVE-2026-33005"
88
],
99
"summary": "Apache OpenMeetings has an Improper Handling of Insufficient Privileges vulnerability",
1010
"details": "Sny registered user can query web service with their credentials and get files/sub-folders of any folder by ID (metadata only NOT contents). Metadata includes id, type, name and some other field. Full list of fields get be checked at FileItemDTO object.\n\nThis issue affects Apache OpenMeetings: from 3.10 before 9.0.0.\n\nUsers are recommended to upgrade to version 9.0.0, which fixes the issue.",
1111
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
15+
},
1216
{
1317
"type": "CVSS_V4",
1418
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
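Review bot: the unchanged details string shown as context at line 10 still opens with "Sny registered user" (evidently "Any registered user") and later says "Full list of fields get be checked" ("can be checked"); since the file is being edited anyway, fix both typos in the same commit. The added CVSS_V3 vector itself (PR:L, C:L, no integrity or availability impact) is consistent with the metadata-only disclosure the text describes and with the existing CVSS_V4 vector.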

advisories/github-reviewed/2026/04/GHSA-9m3c-qcxr-9x87/GHSA-9m3c-qcxr-9x87.json

Lines changed: 8 additions & 4 deletions
@@ -1,14 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-9m3c-qcxr-9x87",
4-
"modified": "2026-04-10T21:25:28Z",
4+
"modified": "2026-04-10T21:36:30Z",
55
"published": "2026-04-09T21:31:29Z",
66
"aliases": [
77
"CVE-2026-25854"
88
],
99
"summary": "Apache Tomcat has an Open Redirect vulnerability",
1010
"details": "Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100.\nOther, unsupported versions may also be affected\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.",
1111
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
15+
},
1216
{
1317
"type": "CVSS_V4",
1418
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"
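Review bot: the added CVSS_V3 vector and the existing CVSS_V4 vector disagree on user interaction: v3 says UI:R, v4 says UI:N. An open redirect through a valve needs a victim to follow the crafted link, so UI:R is the plausible value and the v4 vector should probably be UI:P or UI:A, or the discrepancy should be explained. Two wording points in the context line for details: "Occasional URL redirection to untrusted Site" reads as a corruption of the CWE-601 title "URL Redirection to Untrusted Site", so confirm it against the upstream Apache text, and "Other, unsupported versions may also be affected" is missing its period.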
@@ -25,7 +29,7 @@
2529
"type": "ECOSYSTEM",
2630
"events": [
2731
{
28-
"introduced": "9.0.0.M23"
32+
"introduced": "8.5.30"
2933
},
3034
{
3135
"fixed": "9.0.116"
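Review bot: widening "introduced" from 9.0.0.M23 to 8.5.30 while leaving "fixed" at 9.0.116 matches the details text, which lists 8.5.30 through 8.5.100 as affected and names no 8.5 fix release, so every 8.5.x from 8.5.30 onward is flagged and users are steered to 9.0.116. That is the right shape for a single OSV ECOSYSTEM range; just confirm that no 8.5 release later than 8.5.100 exists that the range would flag by accident. The same edit is repeated in the two following hunks.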
@@ -82,7 +86,7 @@
8286
"type": "ECOSYSTEM",
8387
"events": [
8488
{
85-
"introduced": "9.0.0.M23"
89+
"introduced": "8.5.30"
8690
},
8791
{
8892
"fixed": "9.0.116"
@@ -139,7 +143,7 @@
139143
"type": "ECOSYSTEM",
140144
"events": [
141145
{
142-
"introduced": "9.0.0.M23"
146+
"introduced": "8.5.30"
143147
},
144148
{
145149
"fixed": "9.0.116"

advisories/github-reviewed/2026/04/GHSA-gcvm-c75m-h4p4/GHSA-gcvm-c75m-h4p4.json

Lines changed: 5 additions & 1 deletion
@@ -1,14 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-gcvm-c75m-h4p4",
4-
"modified": "2026-04-10T21:24:43Z",
4+
"modified": "2026-04-10T21:35:15Z",
55
"published": "2026-04-09T18:31:27Z",
66
"aliases": [
77
"CVE-2026-34020"
88
],
99
"summary": "Apache OpenMeetings Uses GET Request Method With Sensitive Query Strings ",
1010
"details": "Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings.\n\nThe REST login endpoint uses HTTP GET method with username and password passed as query parameters. Please check references regarding possible impact\n\n\nThis issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0.\n\nUsers are recommended to upgrade to version 9.0.0, which fixes the issue.",
1111
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
15+
},
1216
{
1317
"type": "CVSS_V4",
1418
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
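Review bot: the context line for summary carries a trailing space inside the JSON string ("...Sensitive Query Strings "), which should be trimmed while the file is being touched; the details string likewise ends the sentence "Please check references regarding possible impact" without a period and follows it with a triple newline. The added CVSS_V3 vector (PR:N, C:H) is consistent with the existing CVSS_V4 vector and with the credential exposure the text describes.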

advisories/github-reviewed/2026/04/GHSA-jx2w-vp7f-456q/GHSA-jx2w-vp7f-456q.json

Lines changed: 14 additions & 2 deletions
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-jx2w-vp7f-456q",
4-
"modified": "2026-04-10T19:33:44Z",
4+
"modified": "2026-04-10T21:36:53Z",
55
"published": "2026-04-08T19:14:32Z",
66
"aliases": [
77
"CVE-2026-40180"
@@ -43,6 +43,18 @@
4343
"type": "WEB",
4444
"url": "https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-jx2w-vp7f-456q"
4545
},
46+
{
47+
"type": "ADVISORY",
48+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40180"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://github.com/quarkiverse/quarkus-openapi-generator/commit/08b406414ff30ed192e86c7fa924e57565534ff0"
53+
},
54+
{
55+
"type": "WEB",
56+
"url": "https://github.com/quarkiverse/quarkus-openapi-generator/commit/e2a9c629a3df719abc74569a3795c265fd0e1239"
57+
},
4658
{
4759
"type": "PACKAGE",
4860
"url": "https://github.com/quarkiverse/quarkus-openapi-generator"
@@ -55,6 +67,6 @@
5567
"severity": "MODERATE",
5668
"github_reviewed": true,
5769
"github_reviewed_at": "2026-04-08T19:14:32Z",
58-
"nvd_published_at": null
70+
"nvd_published_at": "2026-04-10T20:16:23Z"
5971
}
6072
}

advisories/github-reviewed/2026/04/GHSA-mx42-j6wv-px98/GHSA-mx42-j6wv-px98.json

Lines changed: 5 additions & 1 deletion
@@ -1,14 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-mx42-j6wv-px98",
4-
"modified": "2026-04-08T00:15:50Z",
4+
"modified": "2026-04-10T21:33:31Z",
55
"published": "2026-04-08T00:15:50Z",
66
"aliases": [
77
"CVE-2026-39360"
88
],
99
"summary": "RustFS has an authorization bypass in multipart UploadPartCopy enables cross-bucket object exfiltration",
1010
"details": "RustFS contains a missing authorization check in the multipart copy path (`UploadPartCopy`). A low-privileged user who cannot read objects from a victim bucket can still exfiltrate victim objects by copying them into an attacker-controlled multipart upload and completing the upload.\n\nThis breaks tenant isolation in multi-user / multi-tenant deployments.\n\n## Impact\n**Unauthorized cross-bucket / cross-tenant data exfiltration (Confidentiality: High).**\n\nAn attacker with only minimal permissions on their own bucket (multipart upload + Put/Get on destination objects) can copy and retrieve objects from a victim bucket **without** having `s3:GetObject` (or equivalent) permission on the source.\n\nIn the attached PoC, the attacker successfully exfiltrates a 5MB private object and proves integrity via matching SHA256 and size.\n\n## Threat Model (Realistic)\n- **Victim tenant/user** owns a bucket (e.g., `victim-bucket-*`) and stores private objects (e.g., `private/finance_dump.bin`).\n- **Attacker tenant/user** has **no permissions** on the victim bucket:\n - cannot `ListObjects`, `HeadObject`, `GetObject`, or `CopyObject` from the victim bucket.\n- Attacker has **minimal permissions only on attacker bucket**:\n - `CreateMultipartUpload`, `UploadPart`, `UploadPartCopy`, `CompleteMultipartUpload`, `AbortMultipartUpload`,\n - and `PutObject`/`GetObject` for objects in attacker bucket.\n- Despite this, attacker can exfiltrate victim objects via multipart copy.\n\n## Root Cause Analysis\nThe access control layer fails open for multipart copy-related operations:\n\nFile: `rustfs/src/storage/access.rs`\n- `abort_multipart_upload()` returns `Ok(())` without authorization (L435–437)\n- `complete_multipart_upload()` returns `Ok(())` without authorization (L442–444)\n- `upload_part_copy()` returns `Ok(())` without authorization (L1446–1448)\n\nIn contrast, `copy_object()` correctly enforces authorization:\n- source `GetObject` authorization (L469)\n- destination 
`PutObject` authorization (L478)\n\nThe multipart copy implementation reads the source object directly:\n\nFile: `rustfs/src/app/multipart_usecase.rs`\n- `store.get_object_reader(&src_bucket, &src_key, ...)` (L959–962)\n\nBecause `upload_part_copy()` does not enforce source `GetObject` authorization, the server reads and copies victim data even when the requester lacks permission.\n\n## Affected Versions\n- **Tested vulnerable on:** `main` @ `c1d5106acc3480c275a52344df84633bb6dcd8f0`\n- **Git describe:** `1.0.0-alpha.86-3-gc1d5106a`\n\nThe fail-open authorization behavior for `UploadPartCopy` was introduced in:\n- **Commit:** `09ea11c13` (per `git blame` on `rustfs/src/storage/access.rs:1443-1448`)\n\n**Affected range (recommended wording):**\n- All versions **from** commit `09ea11c13` **through** `c1d5106acc3480c275a52344df84633bb6dcd8f0` (and likely any releases containing those commits) until a fix is applied.\n\n### Package version (Cargo metadata)\n- `rustfs` crate version in this tree: **0.0.5** (`cargo metadata`)\n\n## Proof of Concept (PoC) – Real Commands + Verified Results\n\n### Files\nPlace the PoC script at the repository root:\n\n- **PoC script:** [`poc_uploadpartcopy_exfil_v3.sh`](https://github.com/user-attachments/files/26006935/poc_uploadpartcopy_exfil_v3.sh)\n- **Captured output:** [`poc_v3_output.txt`](https://github.com/user-attachments/files/26006938/poc_v3_output.txt)\n- *(Optional)* **Redacted debug log:** `upload_part_copy_debug_redacted.log` (Authorization/signature redacted)\n\n### Environment \nRustFS running locally (Docker is simplest), listening on:\n\n- `http://127.0.0.1:9000`\n\nTools:\n- `awscli`, `jq`, `awscurl`\n\n### Steps to Reproduce\n1) Start RustFS (example):\n\n```bash\ndocker compose -f docker-compose-simple.yml up -d\n````\n\n2. 
Run the PoC and save output:\n\n```bash\nchmod +x poc_uploadpartcopy_exfil_v3.sh\n./poc_uploadpartcopy_exfil_v3.sh | tee poc_v3_output.txt\n```\n\n### Attachments\n\n* [`poc_uploadpartcopy_exfil_v3.sh`](https://github.com/user-attachments/files/26006950/poc_uploadpartcopy_exfil_v3.sh)\n* [`poc_v3_output.txt`](https://github.com/user-attachments/files/26006953/poc_v3_output.txt)\n\n\n### Expected Behavior\n\n* Attacker operations against victim bucket should be denied:\n\n * `ListObjects` -> AccessDenied\n * `HeadObject` -> AccessDenied\n * `GetObject` -> AccessDenied\n * `CopyObject` -> AccessDenied\n* `UploadPartCopy` from victim -> attacker multipart should also be denied.\n\n### Actual Behavior\n\n* All direct operations against victim are denied (as expected),\n* but **`UploadPartCopy` succeeds**, and attacker retrieves the copied object from attacker bucket.\n\n### Observed PoC Output \n\nVictim uploads a private object:\n\n* size: `5,242,880` bytes\n* sha256: `fda018db1da9d8f4c1b287c75943384a3b4ede391ec156039b6d94e17d6ad68f`\n\nAttacker exfiltrates it via multipart copy:\n\n* stolen size: `5,242,880` bytes\n* stolen sha256: `fda018db1da9d8f4c1b287c75943384a3b4ede391ec156039b6d94e17d6ad68f`\n\nProof:\n\n* hashes and sizes match (victim == stolen) -> unauthorized cross-bucket read confirmed.\n\n## Network Evidence (Redacted)\n\nThe debug log shows a successful request with:\n\n* HTTP method: `PUT`\n* destination: `/<attacker-bucket>/<dst-key>?partNumber=1&uploadId=...`\n* header: `x-amz-copy-source: <victim-bucket>/private/finance_dump.bin`\n* response: `HTTP/1.1 200` with `<CopyPartResult><ETag>...</ETag>...</CopyPartResult>`\n\n\n## Fix\n\nImplement authorization checks equivalent to `copy_object()` for multipart copy paths:\n\n* `upload_part_copy`:\n\n * enforce **source** `GetObject` authorization on `x-amz-copy-source`\n * enforce **destination** `PutObject` authorization on the target object\n * (recommended) apply the same tag-condition enforcement used 
by `copy_object()` on the source.\n\n* `complete_multipart_upload`:\n\n * enforce destination `PutObject` authorization\n\n* `abort_multipart_upload`:\n\n * enforce appropriate multipart permission (or destination `PutObject` as a safe boundary)",
1111
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
15+
},
1216
{
1317
"type": "CVSS_V4",
1418
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
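Review bot: the added CVSS_V3 vector scores confidentiality C:L, while the details string carried as context in this hunk states "Confidentiality: High" and describes exfiltration of arbitrary objects from a bucket the requester cannot read. The value does agree with the existing CVSS_V4 VC:L, so the downgrade from the reporter's rating may be deliberate, but it deserves a one-line justification in the review. Two cosmetic issues in the same context lines: the "Steps to Reproduce" bash block closes with four backticks (````) instead of three, which can break rendering of everything after it, and the summary "...authorization bypass in multipart UploadPartCopy enables cross-bucket object exfiltration" is missing a word ("that enables" or similar).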

advisories/github-reviewed/2026/04/GHSA-wqxq-w68r-wg85/GHSA-wqxq-w68r-wg85.json

Lines changed: 5 additions & 1 deletion
@@ -1,14 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-wqxq-w68r-wg85",
4-
"modified": "2026-04-10T21:23:53Z",
4+
"modified": "2026-04-10T21:34:59Z",
55
"published": "2026-04-09T18:31:26Z",
66
"aliases": [
77
"CVE-2026-33266"
88
],
99
"summary": "Apache OpenMeetings Uses Hard-coded Cryptographic Key",
1010
"details": "Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings.\n\nThe remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials.\n\n\nThis issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0.\n\nUsers are recommended to upgrade to version 9.0.0, which fixes the issue.",
1111
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
15+
},
1216
{
1317
"type": "CVSS_V4",
1418
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
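Review bot: both vectors treat exploitation as unconditional (v3 AC:L, v4 AT:N), yet the details string makes it depend on two conditions outside the attacker's control: the admin never changed the default remember-me key, and a cookie has already been stolen from a logged-in user. Consider AC:H for the added v3 vector and AT:P for the v4 vector, or state why the default key is judged common enough to score as if the precondition were absent. The details string also reads "is set to default value" and "not being auto-rotated"; "is set to a default value" and "is not auto-rotated" would read better if the text is being revised.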

advisories/github-reviewed/2026/04/GHSA-xvqc-pp94-fmpx/GHSA-xvqc-pp94-fmpx.json

Lines changed: 2 additions & 2 deletions
@@ -1,13 +1,13 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-xvqc-pp94-fmpx",
4-
"modified": "2026-04-10T14:11:25Z",
4+
"modified": "2026-04-10T21:35:56Z",
55
"published": "2026-04-09T18:31:27Z",
66
"aliases": [
77
"CVE-2026-40046"
88
],
99
"summary": "Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT vulnerable to Integer Overflow or Wraparound",
10-
"details": "The fix for \"CVE-2025-66168: MQTT control packet remaining length field is not properly validated\" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions. This issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4.\n\nUsers are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.",
10+
"details": "Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT.\n\nThe fix for \"CVE-2025-66168: MQTT control packet remaining length field is not properly validated\" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions. This issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4.\n\nUsers are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.",
1111
"severity": [
1212
{
1313
"type": "CVSS_V3",
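Review bot: the details string names CVE-2025-66168 as the origin of the fix that was missed for 6.x, but this hunk shows no reference entry pointing at that advisory; if the file's references list lacks one, add it so readers can locate the 5.19.2 fix the description relies on. The new leading sentence otherwise matches the title-first convention used by the other Apache entries in this commit.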
