Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit a5f051771e73 · 2026-04-16T21:18:27.000Z
GHSA-965h-392x-2mh5 GHSA-v92g-xgxw-vvmm GHSA-xgp8-3hg3-c2mh
diff --git a/advisories/github-reviewed/2026/04/GHSA-965h-392x-2mh5/GHSA-965h-392x-2mh5.json b/advisories/github-reviewed/2026/04/GHSA-965h-392x-2mh5/GHSA-965h-392x-2mh5.json
@@ -0,0 +1,78 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-965h-392x-2mh5",
+  "modified": "2026-04-16T21:16:23Z",
+  "published": "2026-04-16T21:16:22Z",
+  "aliases": [],
+  "summary": "webpki: Name constraints for URI names were incorrectly accepted",
+  "details": "Name constraints for URI names were ignored and therefore accepted.\n\nNote this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.  URI name constraints are now rejected unconditionally.\n\nSince name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "rustls-webpki"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.101.0"
+            },
+            {
+              "fixed": "0.103.12"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "rustls-webpki"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.104.0-alpha.1"
+            },
+            {
+              "fixed": "0.104.0-alpha.6"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/rustls/webpki/security/advisories/GHSA-965h-392x-2mh5"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/rustls/webpki"
+    },
+    {
+      "type": "WEB",
+      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0098.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-295"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T21:16:22Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-v92g-xgxw-vvmm/GHSA-v92g-xgxw-vvmm.json b/advisories/github-reviewed/2026/04/GHSA-v92g-xgxw-vvmm/GHSA-v92g-xgxw-vvmm.json
@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-v92g-xgxw-vvmm",
+  "modified": "2026-04-16T21:16:40Z",
+  "published": "2026-04-16T21:16:40Z",
+  "aliases": [],
+  "summary": "Mako: Path traversal via double-slash URI prefix in TemplateLookup",
+  "details": "### Summary\n\n`TemplateLookup.get_template()` is vulnerable to path traversal when a URI starts with `//` (e.g., `//../../../secret.txt`). The root cause is an inconsistency between two slash-stripping implementations:\n\n- `Template.__init__` strips **one** leading `/` using `if`/slice\n- `TemplateLookup.get_template()` strips **all** leading `/` using `re.sub(r\"^\\/+\", \"\")`\n\nWhen a URI like `//../../../../etc/passwd` is passed:\n1. `get_template()` strips all `/` → `../../../../etc/passwd` → file found via `posixpath.join(dir_, u)`\n2. `Template.__init__` strips one `/` → `/../../../../etc/passwd` → `normpath` → `/etc/passwd`\n3. `/etc/passwd`.startswith(`..`) → `False` → **check bypassed**\n\n### Impact\n\nArbitrary file read: any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to `TemplateLookup.get_template()`.\n\nNote: this is exploitable at the library API level. HTTP-based exploitation is mitigated by Python's `BaseHTTPRequestHandler` which normalizes double-slash prefixes since CPython gh-87389. Applications using other HTTP servers that do not normalize paths may be affected.\n\n### Fix\n\nChanged `Template.__init__` to use `lstrip(\"/\")` instead of stripping only a single leading slash, so both code paths handle leading slashes consistently.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "Mako"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.3.11"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 1.3.10"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/sqlalchemy/mako/security/advisories/GHSA-v92g-xgxw-vvmm"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/sqlalchemy/mako"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T21:16:40Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-xgp8-3hg3-c2mh/GHSA-xgp8-3hg3-c2mh.json b/advisories/github-reviewed/2026/04/GHSA-xgp8-3hg3-c2mh/GHSA-xgp8-3hg3-c2mh.json
@@ -0,0 +1,78 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xgp8-3hg3-c2mh",
+  "modified": "2026-04-16T21:17:12Z",
+  "published": "2026-04-16T21:17:12Z",
+  "aliases": [],
+  "summary": "webpki: Name constraints were accepted for certificates asserting a wildcard name",
+  "details": "Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name.\n\nThis was incorrect because, given a name constraint of `accept.example.com`, `*.example.com` could feasibly allow a name of `reject.example.com` which is outside the constraint.\nThis is very similar to [CVE-2025-61727](https://go.dev/issue/76442).\n\nSince name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "rustls-webpki"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.101.0"
+            },
+            {
+              "fixed": "0.103.12"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "rustls-webpki"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.104.0-alpha.1"
+            },
+            {
+              "fixed": "0.104.0-alpha.6"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/rustls/webpki/security/advisories/GHSA-xgp8-3hg3-c2mh"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/rustls/webpki"
+    },
+    {
+      "type": "WEB",
+      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0099.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-295"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T21:17:12Z",
+    "nvd_published_at": null
+  }
+}
