Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit b5c78eede1d8 · 2026-03-25T21:38:07.000Z
GHSA-g433-pq76-6cmf GHSA-4fcp-jxh7-23x8 GHSA-f27w-vcwj-c954 GHSA-h8vw-ph9r-xpch
diff --git a/advisories/github-reviewed/2026/02/GHSA-g433-pq76-6cmf/GHSA-g433-pq76-6cmf.json b/advisories/github-reviewed/2026/02/GHSA-g433-pq76-6cmf/GHSA-g433-pq76-6cmf.json
@@ -1,12 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-g433-pq76-6cmf",
-  "modified": "2026-02-13T20:05:10Z",
+  "modified": "2026-03-25T21:37:22Z",
   "published": "2026-02-13T20:05:10Z",
   "aliases": [],
   "summary": "Bug fixes in hpke-rs, hpke-rs-rust-crypto",
   "details": "We publish a GitHub security advisory for any releases whose CHANGELOG includes bug-fixes, and encourage our users to upgrade. The latest releases of the hpke-rs and hpke-rs-rust-crypto crates contain the following bug-fixes:\n\n## hpke-rs\n- [#127](https://github.com/cryspen/hpke-rs/pull/127): Fix `KemAlgorithm::TryFrom<u16>` mapping where `0x004D` incorrectly resolved to `XWingDraft06` instead of `XWingDraft06Obsolete`.\n- [#123](https://github.com/cryspen/hpke-rs/pull/123): Fix potential overflow in context counter and switch to use u64.\n- [#128](https://github.com/cryspen/hpke-rs/pull/128): Return errors when trying to use open/seal with export only ciphersuite and when using kdf export with an output that's too long (instead of truncating it)\n\nThe issue fixed in #123 was first reported by Nadim Kobeissi.\nThe issues fixed in #127 and #128 were first reported by Scott Arciszewski.\n\n## hpke-rs-rust-crypto\n- [#124](https://github.com/cryspen/hpke-rs/pull/124): Error out on x25519 0 keys\n\nThe issue fixed in #124 was first reported by Nadim Kobeissi.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
   "affected": [
     {
       "package": {
@@ -87,6 +92,14 @@
     {
       "type": "PACKAGE",
       "url": "https://github.com/cryspen/hpke-rs"
+    },
+    {
+      "type": "WEB",
+      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0070.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0072.html"
     }
   ],
   "database_specific": {
@@ -95,7 +108,7 @@
       "CWE-20",
       "CWE-697"
     ],
-    "severity": "MODERATE",
+    "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-02-13T20:05:10Z",
     "nvd_published_at": null
diff --git a/advisories/github-reviewed/2026/03/GHSA-4fcp-jxh7-23x8/GHSA-4fcp-jxh7-23x8.json b/advisories/github-reviewed/2026/03/GHSA-4fcp-jxh7-23x8/GHSA-4fcp-jxh7-23x8.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4fcp-jxh7-23x8",
-  "modified": "2026-03-19T21:18:42Z",
+  "modified": "2026-03-25T21:35:31Z",
   "published": "2026-03-19T12:50:57Z",
   "aliases": [
     "CVE-2026-33320"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/TomWright/dasel/security/advisories/GHSA-4fcp-jxh7-23x8"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33320"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/TomWright/dasel"
@@ -52,6 +56,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-19T12:50:57Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-24T01:17:02Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/03/GHSA-f27w-vcwj-c954/GHSA-f27w-vcwj-c954.json b/advisories/github-reviewed/2026/03/GHSA-f27w-vcwj-c954/GHSA-f27w-vcwj-c954.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-f27w-vcwj-c954",
-  "modified": "2026-03-19T17:54:17Z",
+  "modified": "2026-03-25T21:36:33Z",
   "published": "2026-03-19T17:54:17Z",
   "aliases": [
     "CVE-2026-33306"
@@ -43,9 +43,25 @@
       "type": "WEB",
       "url": "https://github.com/bcrypt-ruby/bcrypt-ruby/security/advisories/GHSA-f27w-vcwj-c954"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33306"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/bcrypt-ruby/bcrypt-ruby/commit/831ce64cb0a9502130fa93a28bfd9527a5fa45c4"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/bcrypt-ruby/bcrypt-ruby"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/bcrypt-ruby/bcrypt-ruby/releases/tag/v3.1.22"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bcrypt/CVE-2026-33306.yml"
     }
   ],
   "database_specific": {
@@ -55,6 +71,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-19T17:54:17Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-24T01:17:02Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/03/GHSA-h8vw-ph9r-xpch/GHSA-h8vw-ph9r-xpch.json b/advisories/github-reviewed/2026/03/GHSA-h8vw-ph9r-xpch/GHSA-h8vw-ph9r-xpch.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-h8vw-ph9r-xpch",
-  "modified": "2026-03-20T21:35:26Z",
+  "modified": "2026-03-25T21:35:16Z",
   "published": "2026-03-19T16:28:04Z",
   "aliases": [
     "CVE-2026-30924"
@@ -28,7 +28,7 @@
               "introduced": "0"
             },
             {
-              "last_affected": "1.14.1"
+              "fixed": "1.15.0"
             }
           ]
         }

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-h8vw-ph9r-xpch",`
`4`		`- "modified": "2026-03-20T21:35:26Z",`
	`4`	`+ "modified": "2026-03-25T21:35:16Z",`
`5`	`5`	`"published": "2026-03-19T16:28:04Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2026-30924"`
`@@ -28,7 +28,7 @@`
`28`	`28`	`"introduced": "0"`
`29`	`29`	`},`
`30`	`30`	`{`
`31`		`- "last_affected": "1.14.1"`
	`31`	`+ "fixed": "1.15.0"`
`32`	`32`	`}`
`33`	`33`	`]`
`34`	`34`	`}`