Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 3376d88c29ee · 2025-01-24T21:42:04.000Z
GHSA-qvf5-hvjx-wm27 GHSA-xcpr-7mr4-h4xq GHSA-rhx6-c78j-4q9w GHSA-6729-95v3-pjc2 GHSA-8c3x-hq82-gjcm
diff --git a/advisories/github-reviewed/2024/11/GHSA-qvf5-hvjx-wm27/GHSA-qvf5-hvjx-wm27.json b/advisories/github-reviewed/2024/11/GHSA-qvf5-hvjx-wm27/GHSA-qvf5-hvjx-wm27.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-qvf5-hvjx-wm27",
-  "modified": "2024-11-18T21:03:05Z",
+  "modified": "2025-01-24T21:41:11Z",
   "published": "2024-11-18T12:30:43Z",
   "aliases": [
     "CVE-2024-52317"
@@ -154,6 +154,14 @@
     {
       "type": "WEB",
       "url": "https://lists.apache.org/thread/ty376mrxy1mmxtw3ogo53nc9l3co3dfs"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.netapp.com/advisory/ntap-20250124-0004"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2024/11/18/3"
     }
   ],
   "database_specific": {
diff --git a/advisories/github-reviewed/2024/11/GHSA-xcpr-7mr4-h4xq/GHSA-xcpr-7mr4-h4xq.json b/advisories/github-reviewed/2024/11/GHSA-xcpr-7mr4-h4xq/GHSA-xcpr-7mr4-h4xq.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xcpr-7mr4-h4xq",
-  "modified": "2024-11-18T23:48:03Z",
+  "modified": "2025-01-24T21:41:16Z",
   "published": "2024-11-18T12:30:43Z",
   "aliases": [
     "CVE-2024-52316"
@@ -100,6 +100,14 @@
     {
       "type": "WEB",
       "url": "https://lists.apache.org/thread/lopzlqh91jj9n334g02om08sbysdb928"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.netapp.com/advisory/ntap-20250124-0003"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2024/11/18/2"
     }
   ],
   "database_specific": {
diff --git a/advisories/github-reviewed/2024/12/GHSA-rhx6-c78j-4q9w/GHSA-rhx6-c78j-4q9w.json b/advisories/github-reviewed/2024/12/GHSA-rhx6-c78j-4q9w/GHSA-rhx6-c78j-4q9w.json
@@ -1,14 +1,19 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rhx6-c78j-4q9w",
-  "modified": "2024-12-06T00:33:27Z",
+  "modified": "2025-01-24T21:41:07Z",
   "published": "2024-12-05T22:40:47Z",
   "aliases": [
     "CVE-2024-52798"
   ],
   "summary": "Unpatched `path-to-regexp` ReDoS in 0.1.x",
   "details": "### Impact\n\nThe regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of `path-to-regexp`, originally reported in CVE-2024-45296\n\n### Patches\n\nUpgrade to 0.1.12.\n\n### Workarounds\n\nAvoid using two parameters within a single path segment, when the separator is not `.` (e.g. no `/:a-:b`). Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking.\n\n### References\n\n- https://github.com/advisories/GHSA-9wv6-86v2-598j\n- https://blakeembrey.com/posts/2024-09-web-redos/",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
   "affected": [
     {
       "package": {
@@ -50,13 +55,17 @@
     {
       "type": "PACKAGE",
       "url": "https://github.com/pillarjs/path-to-regexp"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.netapp.com/advisory/ntap-20250124-0002"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-1333"
     ],
-    "severity": "MODERATE",
+    "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2024-12-05T22:40:47Z",
     "nvd_published_at": "2024-12-05T23:15:06Z"
diff --git a/advisories/github-reviewed/2025/01/GHSA-6729-95v3-pjc2/GHSA-6729-95v3-pjc2.json b/advisories/github-reviewed/2025/01/GHSA-6729-95v3-pjc2/GHSA-6729-95v3-pjc2.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6729-95v3-pjc2",
-  "modified": "2025-01-24T20:40:15Z",
+  "modified": "2025-01-24T21:40:43Z",
   "published": "2025-01-24T20:40:15Z",
   "aliases": [
     "CVE-2025-24363"
@@ -59,16 +59,30 @@
       "type": "WEB",
       "url": "https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-6729-95v3-pjc2"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24363"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/HL7/fhir-ig-publisher/commit/d968694b7dd041640efab5414d7077d5028569f7"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/HL7/fhir-ig-publisher"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/HL7/fhir-ig-publisher/releases/tag/1.8.9"
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
+    "cwe_ids": [
+      "CWE-200"
+    ],
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2025-01-24T20:40:15Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2025-01-24T19:15:13Z"
   }
 }
diff --git a/advisories/github-reviewed/2025/01/GHSA-8c3x-hq82-gjcm/GHSA-8c3x-hq82-gjcm.json b/advisories/github-reviewed/2025/01/GHSA-8c3x-hq82-gjcm/GHSA-8c3x-hq82-gjcm.json
@@ -1,14 +1,19 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8c3x-hq82-gjcm",
-  "modified": "2025-01-24T18:33:29Z",
+  "modified": "2025-01-24T21:40:45Z",
   "published": "2025-01-24T18:33:29Z",
   "aliases": [
     "CVE-2024-52807"
   ],
   "summary": "XXE vulnerability in XSLT parsing in `org.hl7.fhir.publisher`",
   "details": "### Impact\nXSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.publisher is being used to within a host where external clients can submit XML.\n\nA previous release provided an incomplete solution revealed by new testing. \n\n### Patches\nThis issue has been patched as of version 1.7.4\n\n### Workarounds\nNone\n\n### References\n[Previous Advisory for Incomplete solution](https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-59rq-22fm-x8q5)\n[MITRE CWE](https://cwe.mitre.org/data/definitions/611.html)\n[OWASP XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory)",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
+    }
+  ],
   "affected": [
     {
       "package": {
@@ -58,9 +63,17 @@
       "type": "WEB",
       "url": "https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-8c3x-hq82-gjcm"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52807"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/HL7/fhir-ig-publisher"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/HL7/fhir-ig-publisher/compare/1.7.3...1.7.4"
     }
   ],
   "database_specific": {
@@ -70,6 +83,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2025-01-24T18:33:29Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2025-01-24T19:15:12Z"
   }
 }
