Publish Advisories

GHSA-fh34-c629-p8xj
GHSA-h2h4-5m64-m273
GHSA-qffm-gf3j-6mvg
GHSA-qffm-gf3j-6mvg

Author: advisory-database[bot]

…-fh34-c629-p8xj/GHSA-fh34-c629-p8xj.json …-fh34-c629-p8xj/GHSA-fh34-c629-p8xj.jsonadvisories/unreviewed/2026/04/GHSA-fh34-c629-p8xj/GHSA-fh34-c629-p8xj.json renamed to advisories/github-reviewed/2026/04/GHSA-fh34-c629-p8xj/GHSA-fh34-c629-p8xj.json advisories/unreviewed/2026/04/GHSA-fh34-c629-p8xj/GHSA-fh34-c629-p8xj.json renamed to advisories/github-reviewed/2026/04/GHSA-fh34-c629-p8xj/GHSA-fh34-c629-p8xj.json

@@ -1,19 +1,49 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fh34-c629-p8xj",
-  "modified": "2026-04-07T18:31:37Z",
+  "modified": "2026-04-08T19:31:30Z",
   "published": "2026-04-07T18:31:37Z",
   "aliases": [
     "CVE-2026-27315"
   ],
+  "summary": "Apache Cassandra has sensitive Information Leak in cqlsh",
   "details": "Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sensitive information, like passwords, from previously executed cqlsh command via  ~/.cassandra/cqlsh_history local file access.\n\nUsers are recommended to upgrade to version 4.0.20, which fixes this issue.\n\n--\nDescription: Cassandra's command-line tool, cqlsh, provides a command history feature that allows users to recall previously executed commands using the up/down arrow keys. These history records are saved in the ~/.cassandra/cqlsh_history file in the user's home directory.\n\nHowever, cqlsh does not redact sensitive information when saving command history. This means that if a user executes operations involving passwords (such as logging in or creating users) within cqlsh, these passwords are permanently stored in cleartext in the history file on the disk.",
-  "severity": [],
-  "affected": [],
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.cassandra:cassandra-all"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.0"
+            },
+            {
+              "fixed": "4.0.20"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27315"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/cassandra"
+    },
     {
       "type": "WEB",
       "url": "https://issues.apache.org/jira/browse/CASSANDRA-21180"
@@ -31,9 +61,9 @@
     "cwe_ids": [
       "CWE-532"
     ],
-    "severity": null,
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-08T19:31:30Z",
     "nvd_published_at": "2026-04-07T17:16:27Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-h2h4-5m64-m273/GHSA-h2h4-5m64-m273.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-h2h4-5m64-m273",
-  "modified": "2026-04-08T15:04:05Z",
+  "modified": "2026-04-08T19:31:03Z",
   "published": "2026-04-07T09:31:22Z",
   "aliases": [
     "CVE-2026-33227"
   ],
   "summary": "Apache ActiveMQ: Improper validation and restriction of a classpath path name",
-  "details": "Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All.\n\nIn two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided \"key\" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit.This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2.\n\nUsers are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.",
+  "details": "Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ.\n\nIn two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided \"key\" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit. This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2.\n\nUsers are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.",
   "severity": [
     {
       "type": "CVSS_V3",

advisories/github-reviewed/2026/04/GHSA-qffm-gf3j-6mvg/GHSA-qffm-gf3j-6mvg.json

@@ -0,0 +1,99 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qffm-gf3j-6mvg",
+  "modified": "2026-04-08T19:31:59Z",
+  "published": "2026-04-07T18:31:37Z",
+  "aliases": [
+    "CVE-2026-32588"
+  ],
+  "summary": "Apache Cassandra has an authenticated DoS over CQL",
+  "details": "Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes.\nUsers are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.cassandra:cassandra-all"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.0"
+            },
+            {
+              "fixed": "4.0.20"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.cassandra:cassandra-all"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.1"
+            },
+            {
+              "fixed": "4.1.11"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.cassandra:cassandra-all"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "5.0"
+            },
+            {
+              "fixed": "5.0.7"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32588"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/2tnwjdnss378glxrsmnlzz3k53ftphrc"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2026/04/07/9"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-400"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-08T19:31:59Z",
+    "nvd_published_at": "2026-04-07T17:16:28Z"
+  }
+}