Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit ec91e90ab8b9 · 2026-03-17T18:40:15.000Z
GHSA-2hcp-gjrf-7fhc GHSA-46g3-37rh-v698 GHSA-wf42-42fg-fg84
diff --git a/advisories/github-reviewed/2026/03/GHSA-2hcp-gjrf-7fhc/GHSA-2hcp-gjrf-7fhc.json b/advisories/github-reviewed/2026/03/GHSA-2hcp-gjrf-7fhc/GHSA-2hcp-gjrf-7fhc.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2hcp-gjrf-7fhc",
+  "modified": "2026-03-17T18:39:27Z",
+  "published": "2026-03-17T18:39:27Z",
+  "aliases": [
+    "CVE-2026-33012"
+  ],
+  "summary": "Micronaut Framework vulnerable to a Denial of Service in HTML error response caching",
+  "details": "`DefaultHtmlErrorResponseBodyProvider` in `io.micronaut:micronaut-http-server` since `4.7.0` and until `4.10.7` used an unbounded `ConcurrentHashMap` cache with no eviction policy. If the application throws an exception whose message may be influenced by an attacker, for example, including request query value parameters,  this could be used by remote attackers\nto cause a denial of service (unbounded heap growth and OutOfMemoryError). \n\nFixed via: https://github.com/micronaut-projects/micronaut-core/commit/1e2ba2c14386af3d47751732d02053a72b0b49b3",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "io.micronaut:micronaut-http-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.7.0"
+            },
+            {
+              "fixed": "4.10.17"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-2hcp-gjrf-7fhc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/micronaut-projects/micronaut-core/commit/1e2ba2c14386af3d47751732d02053a72b0b49b3"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/micronaut-projects/micronaut-core"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.17"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-770"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-17T18:39:27Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-46g3-37rh-v698/GHSA-46g3-37rh-v698.json b/advisories/github-reviewed/2026/03/GHSA-46g3-37rh-v698/GHSA-46g3-37rh-v698.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-46g3-37rh-v698",
+  "modified": "2026-03-17T18:38:16Z",
+  "published": "2026-03-17T18:38:16Z",
+  "aliases": [
+    "CVE-2026-32947"
+  ],
+  "summary": "Egress Policy Bypass via DNS over HTTPS (DoH) in Harden-Runner (Community Tier)",
+  "details": "## Summary\n\nA vulnerability exists in the Community Tier of Harden-Runner that allows bypassing the `egress-policy: block` network restriction using DNS over HTTPS (DoH).\n\nHarden-Runner secures GitHub Actions workflows on runners by applying network policies, including an `allowed-endpoints` configuration that limits outbound traffic to specified domains and ports (e.g., `github.com:443`). In `egress-policy: block` mode, non-compliant connections are intercepted and denied. \n\nThis vulnerability exploits DoH, a protocol that encapsulates DNS queries within HTTPS requests. By crafting a DNS query that embeds exfiltrated data as a subdomain (e.g., encoding the runner's hostname into a label), an attacker can route the request through a permitted HTTPS endpoint like `dns.google` (`8.8.8.8`'s DoH service). The resolver processes the query and forwards it to the attacker's controlled domain, achieving exfiltration without directly accessing the blocked destination. This evades Harden-Runner's domain-based filtering, as the initial HTTPS connection appears legitimate. \n\nThis vulnerability requires the attacker to already have code execution capabilities within the GitHub Actions workflow.\n\nThe Enterprise Tier of Harden-Runner is **not affected** by this vulnerability.\n\n## Impact\n\nWhen Harden-Runner is configured with `egress-policy: block` and a restrictive `allowed-endpoints` list, an attacker with existing code execution capabilities within a GitHub Actions workflow can bypass the allowed domains check via DNS over HTTPS by proxying DNS queries through a permitted resolver (e.g., Google's DoH service). This allows data exfiltration even when `allowed-endpoints` is set to only whitelisted domains.\n\nThis vulnerability affects only the Community Tier. It requires the attacker to already have code execution capabilities within the GitHub Actions workflow.\n\n## Remediation\n\n### For Community Tier Users\n\nUpgrade to Harden-Runner v2.16.0 or later. \n\n### For Enterprise Tier Users\n\nNo action required. Enterprise tier customers are not affected by this vulnerability.\n\n## Credit \n\nWe would like to thank [Devansh Batham](https://github.com/devanshbatham) for responsibly disclosing this vulnerability through our security reporting process.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "GitHub Actions",
+        "name": "step-security/harden-runner"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.16.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.15.1"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/step-security/harden-runner/security/advisories/GHSA-46g3-37rh-v698"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/step-security/harden-runner"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/step-security/harden-runner/releases/tag/v2.16.0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-693",
+      "CWE-863"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-17T18:38:16Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-wf42-42fg-fg84/GHSA-wf42-42fg-fg84.json b/advisories/github-reviewed/2026/03/GHSA-wf42-42fg-fg84/GHSA-wf42-42fg-fg84.json
@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wf42-42fg-fg84",
+  "modified": "2026-03-17T18:38:38Z",
+  "published": "2026-03-17T18:38:38Z",
+  "aliases": [
+    "CVE-2026-33011"
+  ],
+  "summary": "Nest Fastify HEAD Request Middleware Bypass",
+  "details": "### Impact\n\nIn a NestJS application using `@nestjs/platform-fastify`, GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers (if they exist).\n\nAs a result:\n\n- Middleware will be completely skipped.\n- The HTTP response won't include a body (since the response is truncated when redirecting a HEAD request to a GET handler).\n- The actual handler will still be executed.\n\n### Patches\n\nFixed in `@nestjs/platform-fastify@11.1.16`",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@nestjs/platform-fastify"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "11.1.16"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 11.1.15"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/nestjs/nest/security/advisories/GHSA-wf42-42fg-fg84"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nestjs/nest/commit/cbdf737cd6e7cefa52d05ecea2ae4af95c464614"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/nestjs/nest"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nestjs/nest/releases/tag/v11.1.17"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-670"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-17T18:38:38Z",
+    "nvd_published_at": null
+  }
+}
