GHSA SYNC: 10 brand new advisories

gems/Autolab/CVE-2024-49376.yml

@@ -0,0 +1,33 @@
+---
+gem: Autolab
+cve: 2024-49376
+ghsa: v46j-h43h-rwrm
+url: https://github.com/autolab/Autolab/security/advisories/GHSA-v46j-h43h-rwrm
+title: Autolab Misconfigured Reset Password Permissions
+date: 2024-10-25
+description: |
+  ### Impact
+  For email-based accounts, users with insufficient privileges could reset and theoretically access privileged users' accounts by resetting their passwords.
+
+  ### Patches
+  This is fixed in v3.0.1.
+
+  ### Workarounds
+  No workarounds.
+
+  ### For more information
+  If you have any questions or comments about this advisory:
+
+  Open an issue in https://github.com/autolab/Autolab/
+  Email us at [autolab-dev@andrew.cmu.edu](mailto:autolab-dev@andrew.cmu.edu)
+cvss_v3: 8.8
+unaffected_versions:
+- "< 3.0.0"
+patched_versions:
+- ">= 3.0.1"
+related:
+  url:
+  - https://github.com/autolab/Autolab/security/advisories/GHSA-v46j-h43h-rwrm
+  - https://nvd.nist.gov/vuln/detail/CVE-2024-49376
+  - https://github.com/autolab/Autolab/commit/301689ab5c5e39d13bab47b71eaf8998d04bcc9b
+  - https://github.com/advisories/GHSA-v46j-h43h-rwrm

gems/nokogiri/GHSA-fq42-c5rg-92c2.yml

@@ -0,0 +1,63 @@
+---
+gem: nokogiri
+ghsa: fq42-c5rg-92c2
+url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2
+title: Vulnerable dependencies in Nokogiri
+date: 2022-02-25
+description: |
+  ### Summary
+
+  Nokogiri [v1.13.2](https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.2) upgrades two of its packaged dependencies:
+
+  - vendored libxml2 from v2.9.12 to [v2.9.13](https://download.gnome.org/sources/libxml2/2.9/libxml2-2.9.13.news)
+  - vendored libxslt from v1.1.34 to [v1.1.35](https://download.gnome.org/sources/libxslt/1.1/libxslt-1.1.35.news)
+
+  Those library versions address the following upstream CVEs:
+
+  - libxslt: [CVE-2021-30560](https://nvd.nist.gov/vuln/detail/CVE-2021-30560) (CVSS 8.8, High severity)
+  - libxml2: [CVE-2022-23308](https://nvd.nist.gov/vuln/detail/CVE-2022-23308) (Unspecified severity, see more information below)
+
+  Those library versions also address numerous other issues including performance improvements, regression fixes, and bug fixes, as well as memory leaks and other use-after-free issues that were not assigned CVEs.
+
+  Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.13.2`, and only if the _packaged_ libraries are being used. If you've overridden defaults at installation time to use _system_ libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` and `libxslt` release announcements.
+
+
+  ### Mitigation
+
+  Upgrade to Nokogiri `>= 1.13.2`.
+
+  Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link an older version Nokogiri against external libraries libxml2 `>= 2.9.13` and libxslt `>= 1.1.35`, which will also address these same CVEs.
+
+
+  ### Impact
+
+  #### libxslt [CVE-2021-30560](https://nvd.nist.gov/vuln/detail/CVE-2021-30560)
+
+  - CVSS3 score: 8.8 (High)
+  - Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c
+
+  All versions of libxslt prior to v1.1.35 are affected.
+
+  Applications using **untrusted** XSL stylesheets to transform XML are vulnerable to a denial-of-service attack and should be upgraded immediately.
+
+
+  #### libxml2 [CVE-2022-23308](https://nvd.nist.gov/vuln/detail/CVE-2022-23308)
+
+  - As of the time this security advisory was published, there is no officially published information available about this CVE's severity. The above NIST link does not yet have a published record, and the libxml2 maintainer has declined to provide a severity score.
+  - Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12
+  - Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html
+
+  The upstream commit and the explanation linked above indicate that an application may be vulnerable to a denial of service, memory disclosure, or code execution if it parses an **untrusted** document with parse options `DTDVALID` set to true, and `NOENT` set to false.
+
+  An analysis of these parse options:
+
+  - While `NOENT` is off by default for Document, DocumentFragment, Reader, and Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri v1.12.0 and later.
+  - `DTDVALID` is an option that Nokogiri does not set for any operations, and so this CVE applies only to applications setting this option explicitly.
+
+  It seems reasonable to assume that any application explicitly setting the parse option `DTDVALID` when parsing **untrusted** documents is vulnerable and should be upgraded immediately.
+patched_versions:
+- ">= 1.13.2"
+related:
+  url:
+  - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2
+  - https://github.com/advisories/GHSA-fq42-c5rg-92c2

gems/nokogiri/GHSA-gx8x-g87m-h5q6.yml

@@ -0,0 +1,41 @@
+---
+gem: nokogiri
+ghsa: gx8x-g87m-h5q6
+url: https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv
+title: Denial of Service (DoS) in Nokogiri on JRuby
+date: 2022-04-11
+description: |
+  ## Summary
+
+  Nokogiri `v1.13.4` updates the vendored `org.cyberneko.html` library to `1.9.22.noko2` which addresses [CVE-2022-24839](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv). That CVE is rated 7.5 (High Severity).
+
+  See [GHSA-9849-p7jc-9rmv](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv) for more information.
+
+  Please note that this advisory only applies to the **JRuby** implementation of Nokogiri `< 1.13.4`.
+
+
+  ## Mitigation
+
+  Upgrade to Nokogiri `>= 1.13.4`.
+
+
+  ## Impact
+
+  ### [CVE-2022-24839](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv) in nekohtml
+
+  - **Severity**: High 7.5
+  - **Type**: [CWE-400](https://cwe.mitre.org/data/definitions/400.html) Uncontrolled Resource Consumption
+  - **Description**: The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup.
+  - **See also**: [GHSA-9849-p7jc-9rmv](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv)
+cvss_v3: 7.5
+patched_versions:
+- ">= 1.13.4"
+related:
+  url:
+  - https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv
+  - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-gx8x-g87m-h5q6
+  - https://nvd.nist.gov/vuln/detail/CVE-2022-24839
+  - https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d
+  - https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4
+  - https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer
+  - https://github.com/advisories/GHSA-gx8x-g87m-h5q6

gems/nokogiri/GHSA-v6gp-9mmm-c6p5.yml

@@ -0,0 +1,30 @@
+---
+gem: nokogiri
+ghsa: v6gp-9mmm-c6p5
+url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5
+title: Out-of-bounds Write in zlib affects Nokogiri
+date: 2022-04-11
+description: "## Summary\n\nNokogiri v1.13.4 updates the vendored zlib from 1.2.11
+  to 1.2.12, which addresses [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032).
+  That CVE is scored as CVSS 7.4 \"High\" on the NVD record as of 2022-04-05.\n\nPlease
+  note that this advisory only applies to the CRuby implementation of Nokogiri `<
+  1.13.4`, and only if the packaged version of `zlib` is being used. Please see [this
+  document](https://nokogiri.org/LICENSE-DEPENDENCIES.html#default-platform-release-ruby)
+  for a complete description of which platform gems vendor `zlib`. If you've overridden
+  defaults at installation time to use system libraries instead of packaged libraries,
+  you should instead pay attention to your distro's `zlib` release announcements.
+  \n\n## Mitigation\n\nUpgrade to Nokogiri `>= v1.13.4`.\n\n## Impact\n\n### [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032)
+  in zlib\n\n- **Severity**: High\n- **Type**: [CWE-787](https://cwe.mitre.org/data/definitions/787.html)
+  Out of bounds write\n- **Description**: zlib before 1.2.12 allows memory corruption
+  when deflating (i.e., when compressing) if the input has many distant matches.\n\n"
+cvss_v3: 7.5
+patched_versions:
+- ">= 1.13.4"
+related:
+  url:
+  - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5
+  - https://nvd.nist.gov/vuln/detail/CVE-2018-25032
+  - https://github.com/advisories/GHSA-jc36-42cf-vqwj
+  - https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4
+  - https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer
+  - https://github.com/advisories/GHSA-v6gp-9mmm-c6p5

gems/nokogiri/GHSA-xxx9-3xcr-gjj3.yml

@@ -0,0 +1,37 @@
+---
+gem: nokogiri
+ghsa: xxx9-3xcr-gjj3
+url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3
+title: XML Injection in Xerces Java affects Nokogiri
+date: 2022-04-11
+description: |+
+  ## Summary
+
+  Nokogiri v1.13.4 updates the vendored `xerces:xercesImpl` from 2.12.0 to 2.12.2, which addresses [CVE-2022-23437](https://nvd.nist.gov/vuln/detail/CVE-2022-23437). That CVE is scored as CVSS 6.5 "Medium" on the NVD record.
+
+  Please note that this advisory only applies to the **JRuby** implementation of Nokogiri `< 1.13.4`.
+
+  ## Mitigation
+
+  Upgrade to Nokogiri `>= v1.13.4`.
+
+  ## Impact
+
+  ### [CVE-2022-23437](https://nvd.nist.gov/vuln/detail/CVE-2022-23437) in xerces-J
+
+  - **Severity**: Medium
+  - **Type**: [CWE-91](https://cwe.mitre.org/data/definitions/91.html) XML Injection (aka Blind XPath Injection)
+  - **Description**: There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
+  - **See also**: https://github.com/advisories/GHSA-h65f-jvqw-m9fj
+
+cvss_v3: 6.5
+patched_versions:
+- ">= 1.13.4"
+related:
+  url:
+  - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3
+  - https://nvd.nist.gov/vuln/detail/CVE-2022-23437
+  - https://github.com/advisories/GHSA-h65f-jvqw-m9fj
+  - https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4
+  - https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer
+  - https://github.com/advisories/GHSA-xxx9-3xcr-gjj3

gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml

@@ -0,0 +1,23 @@
+---
+gem: omniauth-saml
+ghsa: cvp8-5r8g-fhvq
+url: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
+title: omniauth-saml vulnerable to Improper Verification of Cryptographic Signature
+date: 2024-09-11
+description: "ruby-saml, the dependent SAML gem of omniauth-saml has a signature wrapping
+  vulnerability in <= v1.12.0 and v1.13.0 to v1.16.0 , see https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
+  \nAs a result, omniauth-saml created a [new release](https://github.com/omniauth/omniauth-saml/releases)
+  by upgrading ruby-saml to the patched versions v1.17. \n"
+cvss_v3: 10.0
+patched_versions:
+- "~> 1.10.5"
+- "~> 2.1.2"
+- ">= 2.2.1"
+related:
+  url:
+  - https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
+  - https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cvp8-5r8g-fhvq
+  - https://github.com/omniauth/omniauth-saml/commit/4274e9d57e65f2dcaae4aa3b2accf831494f2ddd
+  - https://github.com/omniauth/omniauth-saml/commit/6c681fd082ab3daf271821897a40ab3417382e29
+  - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml
+  - https://github.com/advisories/GHSA-cvp8-5r8g-fhvq

gems/rails/CVE-2024-26143.yml

@@ -0,0 +1,46 @@
+---
+gem: rails
+cve: 2024-26143
+ghsa: 9822-6m93-xqf4
+url: https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4
+title: Rails has possible XSS Vulnerability in Action Controller
+date: 2024-02-27
+description: "# Possible XSS Vulnerability in Action Controller\n\nThere is a possible
+  XSS vulnerability when using the translation helpers\n(`translate`, `t`, etc) in
+  Action Controller. This vulnerability has been\nassigned the CVE identifier CVE-2024-26143.\n\nVersions
+  Affected:  >= 7.0.0.\nNot affected:       < 7.0.0\nFixed Versions:     7.1.3.1,
+  7.0.8.1\n\nImpact\n------\nApplications using translation methods like `translate`,
+  or `t` on a\ncontroller, with a key ending in \"_html\", a `:default` key which
+  contains\nuntrusted user input, and the resulting string is used in a view, may
+  be\nsusceptible to an XSS vulnerability.\n\nFor example, impacted code will look
+  something like this:\n\n```ruby\nclass ArticlesController < ApplicationController\n
+  \ def show  \n    @message = t(\"message_html\", default: untrusted_input)\n    #
+  The `show` template displays the contents of `@message`\n  end\nend\n```\n\nTo reiterate
+  the pre-conditions, applications must:\n\n* Use a translation function from a controller
+  (i.e. _not_ I18n.t, or `t` from\n  a view)\n* Use a key that ends in `_html`\n*
+  Use a default value where the default value is untrusted and unescaped input\n*
+  Send the text to the victim (whether that's part of a template, or a\n  `render`
+  call)\n\nAll users running an affected release should either upgrade or use one
+  of the\nworkarounds immediately.\n\nReleases\n--------\nThe fixed releases are available
+  at the normal locations.\n\nWorkarounds\n-----------\nThere are no feasible workarounds
+  for this issue.\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately
+  we have provided patches for\nthe two supported release series. They are in git-am
+  format and consist of a\nsingle changeset.\n\n*  7-0-translate-xss.patch - Patch
+  for 7.0 series\n*  7-1-translate-xss.patch - Patch for 7.1 series\n\nCredits\n-------\n\nThanks
+  to [ooooooo_q](https://hackerone.com/ooooooo_q) for the patch and fix!"
+cvss_v3: 6.1
+unaffected_versions:
+- "< 7.0.0"
+patched_versions:
+- "~> 7.0.8.1"
+- ">= 7.1.3.1"
+related:
+  url:
+  - https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4
+  - https://nvd.nist.gov/vuln/detail/CVE-2024-26143
+  - https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc
+  - https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e
+  - https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947
+  - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml
+  - https://security.netapp.com/advisory/ntap-20240510-0004
+  - https://github.com/advisories/GHSA-9822-6m93-xqf4

gems/ruby-saml/CVE-2025-66567.yml

@@ -0,0 +1,23 @@
+---
+gem: ruby-saml
+cve: 2025-66567
+ghsa: 9v8j-x534-2fx3
+url: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-9v8j-x534-2fx3
+title: Ruby-saml has a SAML authentication bypass due to namespace handling (parser
+  differential)
+date: 2025-12-08
+description: |-
+  ### Summary
+
+  Ruby-saml up to and including 1.12.4, there is an authentication bypass vulnerability because of an incomplete fix for CVE-2025-25292. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. The vulnerability does not affect the version 1.18.0.
+
+  ### Impact
+  That allows an attacker to be able to execute a Signature Wrapping attack and bypass the authentication
+patched_versions:
+- ">= 1.18.0"
+related:
+  url:
+  - https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-9v8j-x534-2fx3
+  - https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97
+  - https://github.com/advisories/GHSA-754f-8gm6-c4r2
+  - https://github.com/advisories/GHSA-9v8j-x534-2fx3

gems/ruby-saml/CVE-2025-66568.yml

@@ -0,0 +1,26 @@
+---
+gem: ruby-saml
+cve: 2025-66568
+ghsa: x4h9-gwv3-r4m4
+url: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-x4h9-gwv3-r4m4
+title: Ruby-saml allows a Libxml2 Canonicalization error to bypass Digest/Signature
+  validation
+date: 2025-12-08
+description: |-
+  ### Summary
+  Ruby-saml up to and including 1.12.4, there is an authentication bypass vulnerability because of an issue at libxml2 canonicalization process used by Nokogiri for document transformation. That allows an attacker to be able to execute a Signature Wrapping attack. The vulnerability does not affect the version 1.18.0.
+
+  ### Details
+  When libxml2’s canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. ruby-saml then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded.
+
+  ### Impact
+  1. Digest bypass: By crafting input that causes canonicalization to yield an empty string, the attacker can manipulate validation to pass incorrectly.
+
+  2. Signature replay on empty canonical form: If an empty string has been signed once (e.g., in a prior interaction or via a misconfigured flow), that signature can potentially be replayed to bypass authentication.
+patched_versions:
+- ">= 1.18.0"
+related:
+  url:
+  - https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-x4h9-gwv3-r4m4
+  - https://github.com/SAML-Toolkits/ruby-saml/commit/acac9e9cc0b9a507882c614f25d41f8b47be349a
+  - https://github.com/advisories/GHSA-x4h9-gwv3-r4m4

gems/user_agent_parser/GHSA-pcqq-5962-hvcw.yml

@@ -0,0 +1,25 @@
+---
+gem: user_agent_parser
+ghsa: pcqq-5962-hvcw
+url: https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw
+title: Denial of Service in uap-core when processing crafted User-Agent strings
+date: 2020-03-10
+description: |-
+  ### Impact
+  Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings.
+
+  ### Patches
+  Please update `uap-ruby` to >= v2.6.0
+
+  ### For more information
+  https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p
+
+  Reported in `uap-core` by Ben Caller @bcaller
+patched_versions:
+- ">= 2.6.0"
+related:
+  url:
+  - https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw
+  - https://github.com/ua-parser/uap-ruby/commit/2bb18268f4c5ba7d4ba0e21c296bf6437063da3a
+  - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/user_agent_parser/GHSA-pcqq-5962-hvcw.yml
+  - https://github.com/advisories/GHSA-pcqq-5962-hvcw