Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 4e270e7a0e85 · 2026-03-18T19:56:23.000Z
GHSA-64hm-gfwq-jppw GHSA-7rcv-55mj-chg7 GHSA-gc42-3jg7-rxr2
diff --git a/advisories/github-reviewed/2026/03/GHSA-64hm-gfwq-jppw/GHSA-64hm-gfwq-jppw.json b/advisories/github-reviewed/2026/03/GHSA-64hm-gfwq-jppw/GHSA-64hm-gfwq-jppw.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-64hm-gfwq-jppw",
+  "modified": "2026-03-18T19:53:59Z",
+  "published": "2026-03-18T19:53:59Z",
+  "aliases": [
+    "CVE-2026-33166"
+  ],
+  "summary": "Allure Report has an Arbitrary File Read via Path Traversal in Attachment Processing (Allure 1, Allure 2, and XCTest Readers)",
+  "details": "### Summary\nThe Allure report generator is vulnerable to an arbitrary file read via path traversal when processing test results. An attacker can craft a malicious result file (-result.json, -container.json, or .plist) that points an attachment source to a sensitive file on the host system. During report generation, Allure will resolve these paths and include the sensitive files in the final report.\n\n### Details\nThe vulnerability exists in several plugins where attachment paths are resolved using unvalidated user input. The code uses Path.resolve() without normalizing the path or checking if the resulting file remains within the intended results directory.\n\nAffected Files and Lines:\n\nAllure2Plugin.java (Line 264): `final Path attachmentFile = source.resolve(attachment.getSource());`\n\nAllure1Plugin.java (Line 328): `final Path attachmentFile = source.resolve(attachment.getSource());`\n\nXcTestPlugin.java (Line 181): `attachments.resolve(String.format(\"Screenshot_%s.%s\", uuid, ext))`\n\nSince `resolve()` allows absolute paths or ../ sequences to escape the base directory, any file readable by the process can be exfiltrated.\n\n### PoC\n1) Create a directory named allure-results.\n\n2) Create a file malicious-result.json inside it:\n\n```\n{\n  \"uuid\": \"poc-traversal\",\n  \"name\": \"Path Traversal PoC\",\n  \"status\": \"passed\",\n  \"attachments\": [\n    {\n      \"name\": \"Sensitive Data\",\n      \"source\": \"../../../../../../../../../../../etc/passwd\",\n      \"type\": \"text/plain\"\n    }\n  ]\n}\n```\n3) run `allure generate allure-results -o allure-report`\n\n4) The content of `/etc/passwd` will now be present in `allure-report/data/attachments/`.\n\n\n### Impact\nThis is a High Severity vulnerability. In CI/CD environments (GitHub Actions, Jenkins), an attacker submitting a Pull Request can exfiltrate server secrets, cloud credentials, or environment configuration files stored on the runner disk. It also may affect custom Allure web services where users can upload results, allowing them to read arbitrary files from the server's filesystem. Allure TestOps is not affected.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "io.qameta.allure:allure-generator"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.38.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.37.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/allure-framework/allure2/security/advisories/GHSA-64hm-gfwq-jppw"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/allure-framework/allure2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-18T19:53:59Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-7rcv-55mj-chg7/GHSA-7rcv-55mj-chg7.json b/advisories/github-reviewed/2026/03/GHSA-7rcv-55mj-chg7/GHSA-7rcv-55mj-chg7.json
@@ -0,0 +1,76 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7rcv-55mj-chg7",
+  "modified": "2026-03-18T19:54:30Z",
+  "published": "2026-03-18T19:54:30Z",
+  "aliases": [
+    "CVE-2026-33172"
+  ],
+  "summary": "Statamic has Stored XSS via SVG Sanitization Bypass",
+  "details": "### Impact\n\nStored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed.\n\n### Patches\n\nThis has been fixed in 5.73.14 and 6.7.0.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "statamic/cms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "6.0.0-alpha.1"
+            },
+            {
+              "fixed": "6.7.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "statamic/cms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.73.14"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/statamic/cms/security/advisories/GHSA-7rcv-55mj-chg7"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/statamic/cms"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-18T19:54:30Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-gc42-3jg7-rxr2/GHSA-gc42-3jg7-rxr2.json b/advisories/github-reviewed/2026/03/GHSA-gc42-3jg7-rxr2/GHSA-gc42-3jg7-rxr2.json
@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gc42-3jg7-rxr2",
+  "modified": "2026-03-18T19:54:12Z",
+  "published": "2026-03-18T19:54:12Z",
+  "aliases": [
+    "CVE-2026-33040"
+  ],
+  "summary": "Gossipsub PRUNE.backoff Duration Overflow",
+  "details": "### Summary\nThe Rust libp2p Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state.\nA specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX) can lead to Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. This is remotely reachable over a normal libp2p connection and does not require authentication.\n\n### Attack Scenario\nAn attacker that can establish a libp2p Gossipsub session with a target node can crash the target by sending a single crafted PRUNE control message:\n1. Establish a standard libp2p transport session and negotiate a stream multiplexer.\n2. Open a Gossipsub stream and negotiate the meshsub protocol.\n3. Send one protobuf RPC containing ControlPrune with a very large backoff value (e.g. 18446744073709551615 / u64::MAX).\nWhen processed, the oversized backoff can reach time-update logic that adds Duration::from_secs(backoff) to Instant::now(), causing overflow and panic.\n\n### Impact\nRemote unauthenticated denial of service.\nAny application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can be crashed by a network attacker that can reach the service port. The attack can be repeated by reconnecting and replaying the crafted control message.\n### Patches\nUsers should upgrade to a release that hardens Gossipsub backoff handling.\n\nThis vulnerability was originally submitted by @revofusion to the Ethereum Foundation bug bounty program",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "libp2p-gossipsub"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.49.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-gc42-3jg7-rxr2"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/libp2p/rust-libp2p"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-190"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-18T19:54:12Z",
+    "nvd_published_at": null
+  }
+}
