GHSA/SYNC: 3 more new advisories #1053
jasnow wants to merge 2 commits into rubysec:master from jasnow:ghsa-syncbot-2026-05-17-12_39_08
+158 −0
| @@ -0,0 +1,71 @@ | ||
| --- | ||
| gem: avo | ||
| cve: 2026-42205 | ||
| ghsa: qc5p-3mg5-9fh8 | ||
| url: https://github.com/avo-hq/avo/security/advisories/GHSA-qc5p-3mg5-9fh8 | ||
| title: Broken Access Control Through Unauthorized Execution of Arbitrary | ||
| Action Classes Across Resources | ||
| date: 2026-04-24 | ||
| description: | | ||
| ### Summary | ||
|
|
||
| A critical Broken Access Control vulnerability was identified in the | ||
| `ActionsController` of the Avo framework (v3.x). Due to insecure | ||
| action lookup logic, an authenticated user can execute any Action | ||
| class (descendants of `Avo::BaseAction`) on any resource, even if | ||
| the action is not registered for that specific resource. This leads | ||
| to Privilege Escalation and unauthorized data manipulation across | ||
| the entire application. | ||
|
|
||
| ### Details | ||
|
|
||
| The vulnerability exists in the `action_class` method within | ||
| `app/controllers/avo/actions_controller.rb`. | ||
|
|
||
| #### Vulnerable Code | ||
|
|
||
| ```ruby | ||
| def action_class | ||
| # It searches through ALL descendants of BaseAction without | ||
| # resource validation. | ||
| Avo::BaseAction.descendants.find do |action| | ||
| action.to_s == params[:action_id] | ||
| end | ||
| end | ||
| ``` | ||
|
|
||
| The controller identifies the action class to execute solely based | ||
| on the `params[:action_id]` by searching through all `BaseAction` | ||
| descendants. It fails to verify whether the requested action is | ||
| actually permitted or registered for the resource context specified | ||
| in the request URL (e.g., `/admin/resources/posts/actions`). | ||
|
|
||
| Consequently, an attacker can invoke sensitive actions (e.g., | ||
| `Avo::Actions::ToggleAdmin`) through an unrelated resource endpoint | ||
| (e.g., `Post`), bypassing the intended resource-action mapping. | ||
|
|
||
| ### Impact | ||
|
|
||
| This flaw results in significant security risks: | ||
|
|
||
| - **Privilege Escalation:** An authenticated user with low privileges | ||
| can execute administrative actions (like toggling admin roles) to | ||
| escalate their own or others' permissions. | ||
| - **Unauthorized Operations:** Actions designed for restricted | ||
| resources can be triggered against any record ID in the database. | ||
| - **Data Integrity Compromise:** Attackers can perform unauthorized | ||
| destructive operations (e.g., Delete, Archive, or Update) on records | ||
| they should not have access to. | ||
|
|
||
| ### CREDIT | ||
|
|
||
| Illunight | ||
| cvss_v3: 8.8 | ||
| patched_versions: | ||
| - ">= 3.31.2" | ||
| related: | ||
| url: | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2026-42205 | ||
| - https://github.com/avo-hq/avo/releases/tag/v3.31.2 | ||
| - https://github.com/avo-hq/avo/security/advisories/GHSA-qc5p-3mg5-9fh8 | ||
| - https://github.com/advisories/GHSA-qc5p-3mg5-9fh8 | ||
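Review bot: The description scopes the flaw to "the Avo framework (v3.x)", but the record carries only `patched_versions: ">= 3.31.2"` and no `unaffected_versions`, so the database will flag every release below 3.31.2, 2.x included, as vulnerable. If the upstream advisory confirms that the `Avo::BaseAction.descendants.find` lookup in `actions_controller.rb` exists only in the 3.x line, add `unaffected_versions:` with `- "< 3.0.0"`; if it does not, drop the "(v3.x)" qualifier so the description and the version ranges agree. Minor: `### CREDIT` should be `### Credit`, matching the heading style used by the css_parser record in this same PR.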
| @@ -0,0 +1,54 @@ | ||
| --- | ||
| gem: css_parser | ||
| cve: 2026-44312 | ||
| ghsa: ff6c-w6qf-7xqc | ||
| url: https://github.com/premailer/css_parser/security/advisories/GHSA-ff6c-w6qf-7xqc | ||
| title: Improper Certificate Validation allows MITM injection of remote | ||
| CSS content | ||
| date: 2026-05-07 | ||
| description: | | ||
| ### Summary | ||
|
|
||
| The CSS Parser gem does not validate HTTPS connections, allowing a | ||
| Man-in-the-Middle (MITM) attacker to inject or modify CSS content when | ||
| stylesheets are loaded via HTTPS. The connection is established with | ||
| `OpenSSL::SSL::VERIFY_NONE`, meaning any HTTPS certificate—even | ||
| entirely untrusted—will be accepted without validation. | ||
|
|
||
| ### Details | ||
|
|
||
| In `lib/css_parser/parser.rb`, the HTTP client sets: | ||
| https://github.com/premailer/css_parser/blob/3f91e8db7547fac50ab50cb7f9920f785f722740/lib/css_parser/parser.rb#L646 | ||
|
|
||
| ```ruby | ||
| http.verify_mode = OpenSSL::SSL::VERIFY_NONE | ||
| ``` | ||
|
|
||
| As a result, the library does not validate the authenticity of HTTPS | ||
| connections and does not protect against man-in-the-middle attacks. | ||
| Any attacker in a position to intercept network traffic can inject | ||
| or modify CSS loaded via HTTPS URLs without detection or warning. | ||
|
|
||
| ### Impact | ||
|
|
||
| Applications using CSS Parser to load remote stylesheets over HTTPS | ||
| are vulnerable to CSS injection and content manipulation, regardless | ||
| of the trust status of the remote server. All users who use CSS Parser | ||
| to fetch external CSS over HTTPS may be impacted. | ||
|
|
||
| ### Credit | ||
|
|
||
| This vulnerability was uncovered by @JLLeitschuh of the | ||
| @braze-inc security team. | ||
| cvss_v3: 5.8 | ||
| patched_versions: | ||
| - "~> 1.22.0" | ||
| - ">= 2.1.0" | ||
| related: | ||
| url: | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2026-44312 | ||
| - https://github.com/premailer/css_parser/security/advisories/GHSA-ff6c-w6qf-7xqc | ||
| - https://github.com/premailer/css_parser/commit/35e689c904225add78e0c488cf04bad052666449 | ||
| - https://github.com/premailer/css_parser/commit/e0c95d5abe91b237becb90ff316531a6547ada18 | ||
| - https://github.com/premailer/css_parser/issues/185 | ||
| - https://github.com/advisories/GHSA-ff6c-w6qf-7xqc |
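Review bot: The two `patched_versions` ranges, `"~> 1.22.0"` and `">= 2.1.0"`, leave every 2.0.x release (and any 1.23+ release before 2.0) classified as vulnerable. That is correct only if the fix for `http.verify_mode = OpenSSL::SSL::VERIFY_NONE` landed solely in the 1.22.x branch and in 2.1.0; the two fix commits listed under `related:` (`35e689c9…` and `e0c95d5a…`) should be checked against the release tags before merge to confirm no earlier 2.x release already carries them. The pinned permalink in the Details section (`3f91e8db…`) is good practice and will keep the quoted line accurate as the file changes.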
| @@ -0,0 +1,33 @@ | ||
| --- | ||
| gem: graphql | ||
| ghsa: 3h96-34p3-xm76 | ||
| url: https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-3h96-34p3-xm76 | ||
| title: GraphQL-Ruby's Ruby lexer does not count comment tokens for | ||
| the purposes of max_query_string_tokens | ||
| date: 2026-05-05 | ||
| description: | | ||
| GraphQL-Ruby's `max_query_string_tokens` configuration didn't count | ||
| comment tokens against the limit, allowing strings to be processed | ||
| even after the configured maximum had actually been reached. | ||
|
|
||
| In patched versions, the Ruby lexer does count these tokens. | ||
|
|
||
| GraphQL-CParser is not affected by this problem. | ||
|
|
||
| `max_query_string_tokens` was introduced in v2.3.1. Each 2.x | ||
| version has received a new patch release for including a fix. | ||
| cvss_v3: 5.3 | ||
| unaffected_versions: | ||
| - "< 2.3.1" | ||
| patched_versions: | ||
| - "~> 2.3.23" | ||
| - "~> 2.4.18" | ||
| - "~> 2.5.26" | ||
| - ">= 2.6.1" | ||
| related: | ||
| url: | ||
| - https://github.com/rmosolgo/graphql-ruby/blob/master/CHANGELOG.md#261 | ||
| - https://github.com/rmosolgo/graphql-ruby/commit/2a8d95680bf1ed9bb7c0d89345a736f57b10877b | ||
| - https://github.com/rmosolgo/graphql-ruby/pull/4929 | ||
| - https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-3h96-34p3-xm76 | ||
| - https://github.com/advisories/GHSA-3h96-34p3-xm76 |
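Review bot: Unlike the other two records in this PR, this one has a `ghsa:` line but no `cve:` line; that is correct if no CVE has been assigned, but it is worth confirming against the GHSA page before merge, since a later CVE assignment would require the record (and its filename) to be updated. The remaining fields are consistent with the description: `unaffected_versions: "< 2.3.1"` matches the statement that `max_query_string_tokens` was introduced in v2.3.1, and the four patched ranges (`~> 2.3.23`, `~> 2.4.18`, `~> 2.5.26`, `>= 2.6.1`) cover the 2.3 through 2.6 series without a gap, as the "each 2.x version has received a new patch release" sentence claims. One caveat: the `related:` link to `CHANGELOG.md#261` points at the master branch, so the anchor may stop resolving as the changelog grows; a tag-pinned URL would be more durable.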