Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit d0683775d484 · 2026-01-13T14:59:52.000Z
GHSA-gxp5-mv27-vjcj GHSA-mw8h-g64c-rxv4 GHSA-w96v-gf22-crwp GHSA-whqx-f9j3-ch6m
diff --git a/advisories/github-reviewed/2026/01/GHSA-gxp5-mv27-vjcj/GHSA-gxp5-mv27-vjcj.json b/advisories/github-reviewed/2026/01/GHSA-gxp5-mv27-vjcj/GHSA-gxp5-mv27-vjcj.json
@@ -0,0 +1,70 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gxp5-mv27-vjcj",
+  "modified": "2026-01-13T14:56:49Z",
+  "published": "2026-01-13T14:56:49Z",
+  "aliases": [
+    "CVE-2025-68931"
+  ],
+  "summary": "Jervis's AES CBC Mode is Without Authentication",
+  "details": "### Vulnerability\n\nhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L682-L684\n\nhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L720-L722\n\n`AES/CBC/PKCS5Padding` lacks authentication, making it vulnerable to padding oracle attacks and ciphertext manipulation.\n\n### Impact\n\nSeverity is considered low for internal uses of this library but if there's any consumer using these methods directly then this is considered critical.\n\nUnlikely to matter due to the design of how AES-256-CBC is used in conjunction with RSA and SHA-256 checksum within Jervis.\n\nJervis uses RSA to encrypt AES keys and a SHA-256 checksum of the encrypted data in local-only storage inaccessible from the web.  After asymmetric decryption and before symmetric decryption, a SHA-256 checksum is performed on the metadata and encrypted data. All encrypted data is discarded if the checksum does not match without attempting to decrypt since the encrypted data is assumed invalid.  The data stored is GitHub App authentication tokens which will expire within one hour.\n\n### Patches\n\nJervis patch will migrate from `AES/CBC/PKCS5Padding` to `AES/GCM/NoPadding`.\n\nUpgrade to Jervis 2.2.\n\n### Workarounds\n\nNone\n\n### References\n\n- [Padding Oracle Attacks](https://en.wikipedia.org/wiki/Padding_oracle_attack)",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "net.gleske:jervis"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/samrocketman/jervis/security/advisories/GHSA-gxp5-mv27-vjcj"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/samrocketman/jervis"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L682-L684"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L720-L722"
+    },
+    {
+      "type": "WEB",
+      "url": "http://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-287",
+      "CWE-327"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-13T14:56:49Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/01/GHSA-mw8h-g64c-rxv4/GHSA-mw8h-g64c-rxv4.json b/advisories/github-reviewed/2026/01/GHSA-mw8h-g64c-rxv4/GHSA-mw8h-g64c-rxv4.json
@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mw8h-g64c-rxv4",
-  "modified": "2026-01-10T00:30:30Z",
+  "modified": "2026-01-13T14:58:03Z",
   "published": "2026-01-09T21:31:35Z",
   "aliases": [
     "CVE-2025-60538"
   ],
+  "summary": "Shiori is vulnerable to authentication bypass via a brute force attack",
   "details": "A lack of rate limiting in the login page of shiori v1.7.4 and below allows attackers to bypass authentication via a brute force attack.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/go-shiori/shiori"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "1.7.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -24,7 +45,7 @@
       "url": "https://github.com/go-shiori/shiori/issues/1138"
     },
     {
-      "type": "WEB",
+      "type": "PACKAGE",
       "url": "https://github.com/go-shiori/shiori"
     }
   ],
@@ -33,8 +54,8 @@
       "CWE-290"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-13T14:58:03Z",
     "nvd_published_at": "2026-01-09T21:16:13Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/01/GHSA-w96v-gf22-crwp/GHSA-w96v-gf22-crwp.json b/advisories/github-reviewed/2026/01/GHSA-w96v-gf22-crwp/GHSA-w96v-gf22-crwp.json
@@ -0,0 +1,70 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-w96v-gf22-crwp",
+  "modified": "2026-01-13T14:57:12Z",
+  "published": "2026-01-13T14:57:12Z",
+  "aliases": [
+    "CVE-2025-68949"
+  ],
+  "summary": "n8n: Webhook Node IP Whitelist Bypass via Partial String Matching",
+  "details": "## Impact\nThe Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely contained the configured whitelist entry as a substring.\n\nThis issue affected instances where workflow editors relied on IP-based access controls to restrict webhook access. Both IPv4 and IPv6 addresses were impacted. An attacker with a non-whitelisted IP could bypass restrictions if their IP shared a partial prefix with a trusted address, undermining the intended security boundary.\n\n## Patches\nThis issue has been patched in version 2.2.0.\n\nUsers are advised to upgrade to v2.2.0 or later, where IP whitelist validation uses strict IP comparison logic rather than partial string matching.\n\n## Workarounds\nUsers unable to upgrade immediately should avoid relying solely on IP whitelisting for webhook security. Recommended mitigations include:\n- Adding authentication mechanisms such as shared secrets, HMAC signatures, or API keys.\n- Avoiding short or prefix-based whitelist entries.\n- Enforcing IP filtering at the network layer (for example, via reverse proxies or firewalls).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "n8n"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.36.0"
+            },
+            {
+              "fixed": "2.2.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-w96v-gf22-crwp"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/n8n-io/n8n/issues/23399"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/n8n-io/n8n/pull/23399"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/n8n-io/n8n/commit/11f8597d4ad69ea3b58941573997fdbc4de1fec5"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/n8n-io/n8n"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-183",
+      "CWE-284"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-13T14:57:12Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/01/GHSA-whqx-f9j3-ch6m/GHSA-whqx-f9j3-ch6m.json b/advisories/github-reviewed/2026/01/GHSA-whqx-f9j3-ch6m/GHSA-whqx-f9j3-ch6m.json
@@ -0,0 +1,94 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-whqx-f9j3-ch6m",
+  "modified": "2026-01-13T14:58:50Z",
+  "published": "2026-01-13T14:58:50Z",
+  "aliases": [
+    "CVE-2026-22703"
+  ],
+  "summary": "Cosign verification accepts any valid Rekor entry under certain conditions",
+  "details": "### Impact\n\nA Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor entry, Cosign verifies the Rekor entry signature, and also compares the artifact's digest, the user's public key from either a Fulcio certificate or provided by the user, and the artifact signature to the Rekor entry contents. Without these comparisons, Cosign would accept any response from Rekor as valid. A malicious actor that has compromised a user's identity or signing key could construct a valid Cosign bundle by including any arbitrary Rekor entry, thus preventing the user from being able to audit the signing event.\n\nThis vulnerability only affects users that provide a trusted root via `--trusted-root` or when fetched automatically from a TUF repository, when no trusted key material is provided via `SIGSTORE_REKOR_PUBLIC_KEY`. When using the default flag values in Cosign v3 to sign and verify (`--use-signing-config=true` and `--new-bundle-format=true` for signing, `--new-bundle-format=true` for verification), users are unaffected. Cosign v2 users are affected using the default flag values.\n\nThis issue had previously been fixed in https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388 but recent refactoring caused a regression. We have added testing to prevent a future regression.\n\n#### Steps to Reproduce\n\n```\necho blob > /tmp/blob\ncosign sign-blob -y --new-bundle-format=false --bundle /tmp/bundle.1 --use-signing-config=false /tmp/blob\ncosign sign-blob -y --new-bundle-format=false --bundle /tmp/bundle.2 --use-signing-config=false /tmp/blob\njq \".rekorBundle |= $(jq .rekorBundle /tmp/bundle.2)\" /tmp/bundle.1 > /tmp/bundle.3\ncosign verify-blob --bundle /tmp/bundle.3 --certificate-identity-regexp='.*' --certificate-oidc-issuer-regexp='.*' /tmp/blob\n```\n\n### Patches\n\nUpgrade to Cosign v2.6.2 or Cosign v3.0.4. This does not affect Cosign v1.\n\n### Workarounds\n\nYou can provide trusted key material via a set of flags under certain conditions. The simplest fix is to upgrade to the latest Cosign v2 or v3 release.\n\nNote that the example below works for `cosign verify`, `cosign verify-blob, `cosign verify-blob-attestation`, and `cosign verify-attestation`.\n\n```\nSIGSTORE_REKOR_PUBLIC_KEY=<path to Rekor pub key> cosign verify-blob --use-signing-config=false --new-bundle-format=false --bundle=<path to bundle> <artifact>\n```",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/sigstore/cosign/v3"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.0.4"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.0.3"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/sigstore/cosign/v2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.6.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.6.1"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/sigstore/cosign/security/advisories/GHSA-whqx-f9j3-ch6m"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22703"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/sigstore/cosign/pull/4623"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/sigstore/cosign/commit/6832fba4928c1ad69400235bbc41212de5006176"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/sigstore/cosign"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-345"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-13T14:58:50Z",
+    "nvd_published_at": "2026-01-10T07:16:03Z"
+  }
+}
