[
{
"advisoryKey": "GHSA-77vh-xpmg-72qh",
"affectedPackages": [
{
"type": "semver",
"identifier": "pkg:golang/github.com/opencontainers/image-spec",
"platform": "Go",
"versionRanges": [
{
"fixedVersion": "1.0.2",
"introducedVersion": "0",
"lastAffectedVersion": null,
"primitives": {
"evr": null,
"hasVendorExtensions": false,
"nevra": null,
"semVer": {
"constraintExpression": null,
"exactValue": null,
"fixed": "1.0.2",
"fixedInclusive": false,
"introduced": "0",
"introducedInclusive": true,
"lastAffected": null,
"lastAffectedInclusive": true,
"style": "range"
},
"vendorExtensions": null
},
"provenance": {
"source": "osv",
"kind": "range",
"value": "pkg:golang/github.com/opencontainers/image-spec",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9970795+00:00",
"fieldMask": [
"affectedpackages[].versionranges[]"
]
},
"rangeExpression": null,
"rangeKind": "semver"
}
],
"normalizedVersions": [
{
"scheme": "semver",
"type": "range",
"min": "0",
"minInclusive": true,
"max": "1.0.2",
"maxInclusive": false,
"value": null,
"notes": "osv:Go:GHSA-77vh-xpmg-72qh:pkg:golang/github.com/opencontainers/image-spec"
}
],
"statuses": [],
"provenance": [
{
"source": "osv",
"kind": "affected",
"value": "pkg:golang/github.com/opencontainers/image-spec",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9970795+00:00",
"fieldMask": [
"affectedpackages[]"
]
}
]
}
],
"aliases": [
"CGA-j36r-723f-8c29",
"GHSA-77vh-xpmg-72qh"
],
"canonicalMetricId": "3.1|CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N",
"credits": [],
"cvssMetrics": [
{
"baseScore": 3,
"baseSeverity": "low",
"provenance": {
"source": "osv",
"kind": "cvss",
"value": "CVSS_V3",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9970795+00:00",
"fieldMask": []
},
"vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
}
],
"cwes": [
{
"taxonomy": "cwe",
"identifier": "CWE-843",
"name": null,
"uri": "https://cwe.mitre.org/data/definitions/843.html",
"provenance": [
{
"source": "osv",
"kind": "weakness",
"value": "CWE-843",
"decisionReason": "database_specific.cwe_ids",
"recordedAt": "2025-10-15T14:48:57.9970795+00:00",
"fieldMask": [
"cwes[]"
]
}
]
}
],
"description": "### Impact\nIn the OCI Image Specification version 1.0.1 and prior, manifest and index documents are not self-describing and documents with a single digest could be interpreted as either a manifest or an index.\n\n### Patches\nThe Image Specification will be updated to recommend that both manifest and index documents contain a `mediaType` field to identify the type of document.\nRelease [v1.0.2](https://github.com/opencontainers/image-spec/releases/tag/v1.0.2) includes these updates.\n\n### Workarounds\nSoftware attempting to deserialize an ambiguous document may reject the document if it contains both “manifests” and “layers” fields or “manifests” and “config” fields.\n\n### References\nhttps://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in https://github.com/opencontainers/image-spec\n* Email us at [security@opencontainers.org](mailto:security@opencontainers.org)\n* https://github.com/opencontainers/image-spec/commits/v1.0.2",
"exploitKnown": false,
"language": "en",
"modified": "2021-11-24T19:43:35+00:00",
"provenance": [
{
"source": "osv",
"kind": "document",
"value": "https://osv.dev/vulnerability/GHSA-77vh-xpmg-72qh",
"decisionReason": null,
"recordedAt": "2021-11-18T16:02:41+00:00",
"fieldMask": [
"advisory"
]
},
{
"source": "osv",
"kind": "mapping",
"value": "GHSA-77vh-xpmg-72qh",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9970795+00:00",
"fieldMask": [
"advisory"
]
}
],
"published": "2021-11-18T16:02:41+00:00",
"references": [
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9970795+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://github.com/opencontainers/image-spec",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9970795+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "PACKAGE",
"summary": null,
"url": "https://github.com/opencontainers/image-spec"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://github.com/opencontainers/image-spec/commit/693428a734f5bab1a84bd2f990d92ef1111cd60c",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9970795+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://github.com/opencontainers/image-spec/commit/693428a734f5bab1a84bd2f990d92ef1111cd60c"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://github.com/opencontainers/image-spec/releases/tag/v1.0.2",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9970795+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://github.com/opencontainers/image-spec/releases/tag/v1.0.2"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9970795+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh"
}
],
"severity": "low",
"summary": "### Impact In the OCI Image Specification version 1.0.1 and prior, manifest and index documents are not self-describing and documents with a single digest could be interpreted as either a manifest or an index. ### Patches The Image Specification will be updated to recommend that both manifest and index documents contain a `mediaType` field to identify the type of document. Release [v1.0.2](https://github.com/opencontainers/image-spec/releases/tag/v1.0.2) includes these updates. ### Workarounds Software attempting to deserialize an ambiguous document may reject the document if it contains both “manifests” and “layers” fields or “manifests” and “config” fields. ### References https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m ### For more information If you have any questions or comments about this advisory: * Open an issue in https://github.com/opencontainers/image-spec * Email us at [security@opencontainers.org](mailto:security@opencontainers.org) * https://github.com/opencontainers/image-spec/commits/v1.0.2",
"title": "Clarify `mediaType` handling"
},
{
"advisoryKey": "GHSA-7rjr-3q55-vv33",
"affectedPackages": [
{
"type": "semver",
"identifier": "pkg:maven/org.apache.logging.log4j/log4j-core",
"platform": "Maven",
"versionRanges": [
{
"fixedVersion": "2.16.0",
"introducedVersion": "2.13.0",
"lastAffectedVersion": null,
"primitives": {
"evr": null,
"hasVendorExtensions": false,
"nevra": null,
"semVer": {
"constraintExpression": null,
"exactValue": null,
"fixed": "2.16.0",
"fixedInclusive": false,
"introduced": "2.13.0",
"introducedInclusive": true,
"lastAffected": null,
"lastAffectedInclusive": true,
"style": "range"
},
"vendorExtensions": null
},
"provenance": {
"source": "osv",
"kind": "range",
"value": "pkg:maven/org.apache.logging.log4j/log4j-core",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"affectedpackages[].versionranges[]"
]
},
"rangeExpression": null,
"rangeKind": "semver"
}
],
"normalizedVersions": [
{
"scheme": "semver",
"type": "range",
"min": "2.13.0",
"minInclusive": true,
"max": "2.16.0",
"maxInclusive": false,
"value": null,
"notes": "osv:Maven:GHSA-7rjr-3q55-vv33:pkg:maven/org.apache.logging.log4j/log4j-core"
}
],
"statuses": [],
"provenance": [
{
"source": "osv",
"kind": "affected",
"value": "pkg:maven/org.apache.logging.log4j/log4j-core",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"affectedpackages[]"
]
}
]
},
{
"type": "semver",
"identifier": "pkg:maven/org.apache.logging.log4j/log4j-core",
"platform": "Maven",
"versionRanges": [
{
"fixedVersion": "2.12.2",
"introducedVersion": "0",
"lastAffectedVersion": null,
"primitives": {
"evr": null,
"hasVendorExtensions": false,
"nevra": null,
"semVer": {
"constraintExpression": null,
"exactValue": null,
"fixed": "2.12.2",
"fixedInclusive": false,
"introduced": "0",
"introducedInclusive": true,
"lastAffected": null,
"lastAffectedInclusive": true,
"style": "range"
},
"vendorExtensions": null
},
"provenance": {
"source": "osv",
"kind": "range",
"value": "pkg:maven/org.apache.logging.log4j/log4j-core",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"affectedpackages[].versionranges[]"
]
},
"rangeExpression": null,
"rangeKind": "semver"
}
],
"normalizedVersions": [
{
"scheme": "semver",
"type": "range",
"min": "0",
"minInclusive": true,
"max": "2.12.2",
"maxInclusive": false,
"value": null,
"notes": "osv:Maven:GHSA-7rjr-3q55-vv33:pkg:maven/org.apache.logging.log4j/log4j-core"
}
],
"statuses": [],
"provenance": [
{
"source": "osv",
"kind": "affected",
"value": "pkg:maven/org.apache.logging.log4j/log4j-core",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"affectedpackages[]"
]
}
]
},
{
"type": "semver",
"identifier": "pkg:maven/org.ops4j.pax.logging/pax-logging-log4j2",
"platform": "Maven",
"versionRanges": [
{
"fixedVersion": "1.9.2",
"introducedVersion": "1.8.0",
"lastAffectedVersion": null,
"primitives": {
"evr": null,
"hasVendorExtensions": false,
"nevra": null,
"semVer": {
"constraintExpression": null,
"exactValue": null,
"fixed": "1.9.2",
"fixedInclusive": false,
"introduced": "1.8.0",
"introducedInclusive": true,
"lastAffected": null,
"lastAffectedInclusive": true,
"style": "range"
},
"vendorExtensions": null
},
"provenance": {
"source": "osv",
"kind": "range",
"value": "pkg:maven/org.ops4j.pax.logging/pax-logging-log4j2",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"affectedpackages[].versionranges[]"
]
},
"rangeExpression": null,
"rangeKind": "semver"
}
],
"normalizedVersions": [
{
"scheme": "semver",
"type": "range",
"min": "1.8.0",
"minInclusive": true,
"max": "1.9.2",
"maxInclusive": false,
"value": null,
"notes": "osv:Maven:GHSA-7rjr-3q55-vv33:pkg:maven/org.ops4j.pax.logging/pax-logging-log4j2"
}
],
"statuses": [],
"provenance": [
{
"source": "osv",
"kind": "affected",
"value": "pkg:maven/org.ops4j.pax.logging/pax-logging-log4j2",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"affectedpackages[]"
]
}
]
},
{
"type": "semver",
"identifier": "pkg:maven/org.ops4j.pax.logging/pax-logging-log4j2",
"platform": "Maven",
"versionRanges": [
{
"fixedVersion": "1.10.8",
"introducedVersion": "1.10.0",
"lastAffectedVersion": null,
"primitives": {
"evr": null,
"hasVendorExtensions": false,
"nevra": null,
"semVer": {
"constraintExpression": null,
"exactValue": null,
"fixed": "1.10.8",
"fixedInclusive": false,
"introduced": "1.10.0",
"introducedInclusive": true,
"lastAffected": null,
"lastAffectedInclusive": true,
"style": "range"
},
"vendorExtensions": null
},
"provenance": {
"source": "osv",
"kind": "range",
"value": "pkg:maven/org.ops4j.pax.logging/pax-logging-log4j2",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"affectedpackages[].versionranges[]"
]
},
"rangeExpression": null,
"rangeKind": "semver"
}
],
"normalizedVersions": [
{
"scheme": "semver",
"type": "range",
"min": "1.10.0",
"minInclusive": true,
"max": "1.10.8",
"maxInclusive": false,
"value": null,
"notes": "osv:Maven:GHSA-7rjr-3q55-vv33:pkg:maven/org.ops4j.pax.logging/pax-logging-log4j2"
}
],
"statuses": [],
"provenance": [
{
"source": "osv",
"kind": "affected",
"value": "pkg:maven/org.ops4j.pax.logging/pax-logging-log4j2",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"affectedpackages[]"
]
}
]
},
{
"type": "semver",
"identifier": "pkg:maven/org.ops4j.pax.logging/pax-logging-log4j2",
"platform": "Maven",
"versionRanges": [
{
"fixedVersion": "1.11.11",
"introducedVersion": "1.11.0",
"lastAffectedVersion": null,
"primitives": {
"evr": null,
"hasVendorExtensions": false,
"nevra": null,
"semVer": {
"constraintExpression": null,
"exactValue": null,
"fixed": "1.11.11",
"fixedInclusive": false,
"introduced": "1.11.0",
"introducedInclusive": true,
"lastAffected": null,
"lastAffectedInclusive": true,
"style": "range"
},
"vendorExtensions": null
},
"provenance": {
"source": "osv",
"kind": "range",
"value": "pkg:maven/org.ops4j.pax.logging/pax-logging-log4j2",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"affectedpackages[].versionranges[]"
]
},
"rangeExpression": null,
"rangeKind": "semver"
}
],
"normalizedVersions": [
{
"scheme": "semver",
"type": "range",
"min": "1.11.0",
"minInclusive": true,
"max": "1.11.11",
"maxInclusive": false,
"value": null,
"notes": "osv:Maven:GHSA-7rjr-3q55-vv33:pkg:maven/org.ops4j.pax.logging/pax-logging-log4j2"
}
],
"statuses": [],
"provenance": [
{
"source": "osv",
"kind": "affected",
"value": "pkg:maven/org.ops4j.pax.logging/pax-logging-log4j2",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"affectedpackages[]"
]
}
]
},
{
"type": "semver",
"identifier": "pkg:maven/org.ops4j.pax.logging/pax-logging-log4j2",
"platform": "Maven",
"versionRanges": [
{
"fixedVersion": "2.0.12",
"introducedVersion": "2.0.0",
"lastAffectedVersion": null,
"primitives": {
"evr": null,
"hasVendorExtensions": false,
"nevra": null,
"semVer": {
"constraintExpression": null,
"exactValue": null,
"fixed": "2.0.12",
"fixedInclusive": false,
"introduced": "2.0.0",
"introducedInclusive": true,
"lastAffected": null,
"lastAffectedInclusive": true,
"style": "range"
},
"vendorExtensions": null
},
"provenance": {
"source": "osv",
"kind": "range",
"value": "pkg:maven/org.ops4j.pax.logging/pax-logging-log4j2",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"affectedpackages[].versionranges[]"
]
},
"rangeExpression": null,
"rangeKind": "semver"
}
],
"normalizedVersions": [
{
"scheme": "semver",
"type": "range",
"min": "2.0.0",
"minInclusive": true,
"max": "2.0.12",
"maxInclusive": false,
"value": null,
"notes": "osv:Maven:GHSA-7rjr-3q55-vv33:pkg:maven/org.ops4j.pax.logging/pax-logging-log4j2"
}
],
"statuses": [],
"provenance": [
{
"source": "osv",
"kind": "affected",
"value": "pkg:maven/org.ops4j.pax.logging/pax-logging-log4j2",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"affectedpackages[]"
]
}
]
}
],
"aliases": [
"CVE-2021-45046",
"GHSA-7rjr-3q55-vv33"
],
"canonicalMetricId": "3.1|CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"credits": [],
"cvssMetrics": [
{
"baseScore": 9,
"baseSeverity": "critical",
"provenance": {
"source": "osv",
"kind": "cvss",
"value": "CVSS_V3",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": []
},
"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
],
"cwes": [
{
"taxonomy": "cwe",
"identifier": "CWE-502",
"name": null,
"uri": "https://cwe.mitre.org/data/definitions/502.html",
"provenance": [
{
"source": "osv",
"kind": "weakness",
"value": "CWE-502",
"decisionReason": "database_specific.cwe_ids",
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"cwes[]"
]
}
]
},
{
"taxonomy": "cwe",
"identifier": "CWE-917",
"name": null,
"uri": "https://cwe.mitre.org/data/definitions/917.html",
"provenance": [
{
"source": "osv",
"kind": "weakness",
"value": "CWE-917",
"decisionReason": "database_specific.cwe_ids",
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"cwes[]"
]
}
]
}
],
"description": "# Impact\n\nThe fix to address [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a remote code execution (RCE) attack. \n\n## Affected packages\nOnly the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatability if in use.\n\n# Mitigation\n\nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (< 2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).\n\nLog4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.formatMsgNoLookups` to `true` do NOT mitigate this specific vulnerability.",
"exploitKnown": false,
"language": "en",
"modified": "2025-05-09T13:13:16.169374+00:00",
"provenance": [
{
"source": "osv",
"kind": "document",
"value": "https://osv.dev/vulnerability/GHSA-7rjr-3q55-vv33",
"decisionReason": null,
"recordedAt": "2021-12-14T18:01:28+00:00",
"fieldMask": [
"advisory"
]
},
{
"source": "osv",
"kind": "mapping",
"value": "GHSA-7rjr-3q55-vv33",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"advisory"
]
}
],
"published": "2021-12-14T18:01:28+00:00",
"references": [
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "http://www.openwall.com/lists/oss-security/2021/12/14/4",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "http://www.openwall.com/lists/oss-security/2021/12/14/4"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "http://www.openwall.com/lists/oss-security/2021/12/15/3",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "http://www.openwall.com/lists/oss-security/2021/12/15/3"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "http://www.openwall.com/lists/oss-security/2021/12/18/1",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "http://www.openwall.com/lists/oss-security/2021/12/18/1"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf"
},
{
"kind": "advisory",
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "ADVISORY",
"summary": null,
"url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://logging.apache.org/log4j/2.x/security.html",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"kind": "advisory",
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "ADVISORY",
"summary": null,
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://security.gentoo.org/glsa/202310-16",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://security.gentoo.org/glsa/202310-16"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://www.cve.org/CVERecord?id=CVE-2021-44228",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://www.debian.org/security/2021/dsa-5022",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://www.debian.org/security/2021/dsa-5022"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://www.kb.cert.org/vuls/id/930724",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://www.kb.cert.org/vuls/id/930724"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://www.openwall.com/lists/oss-security/2021/12/14/4",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://www.openwall.com/lists/oss-security/2021/12/14/4"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://www.oracle.com/security-alerts/cpujan2022.html",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://www.oracle.com/security-alerts/cpujul2022.html",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9980643+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"severity": "critical",
"summary": "# Impact The fix to address [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a remote code execution (RCE) attack. ## Affected packages Only the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatability if in use. # Mitigation Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (< 2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.formatMsgNoLookups` to `true` do NOT mitigate this specific vulnerability.",
"title": "Incomplete fix for Apache Log4j vulnerability"
},
{
"advisoryKey": "GHSA-cjjf-27cc-pvmv",
"affectedPackages": [
{
"type": "semver",
"identifier": "pkg:pypi/pyload-ng",
"platform": "PyPI",
"versionRanges": [
{
"fixedVersion": "0.5.0b3.dev91",
"introducedVersion": "0",
"lastAffectedVersion": null,
"primitives": {
"evr": null,
"hasVendorExtensions": false,
"nevra": null,
"semVer": {
"constraintExpression": null,
"exactValue": null,
"fixed": "0.5.0b3.dev91",
"fixedInclusive": false,
"introduced": "0",
"introducedInclusive": true,
"lastAffected": null,
"lastAffectedInclusive": true,
"style": "range"
},
"vendorExtensions": null
},
"provenance": {
"source": "osv",
"kind": "range",
"value": "pkg:pypi/pyload-ng",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.995174+00:00",
"fieldMask": [
"affectedpackages[].versionranges[]"
]
},
"rangeExpression": null,
"rangeKind": "semver"
}
],
"normalizedVersions": [
{
"scheme": "semver",
"type": "range",
"min": "0",
"minInclusive": true,
"max": "0.5.0b3.dev91",
"maxInclusive": false,
"value": null,
"notes": "osv:PyPI:GHSA-cjjf-27cc-pvmv:pkg:pypi/pyload-ng"
}
],
"statuses": [],
"provenance": [
{
"source": "osv",
"kind": "affected",
"value": "pkg:pypi/pyload-ng",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.995174+00:00",
"fieldMask": [
"affectedpackages[]"
]
}
]
}
],
"aliases": [
"CVE-2025-61773",
"GHSA-cjjf-27cc-pvmv"
],
"canonicalMetricId": "3.1|CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"credits": [],
"cvssMetrics": [
{
"baseScore": 8.1,
"baseSeverity": "high",
"provenance": {
"source": "osv",
"kind": "cvss",
"value": "CVSS_V3",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.995174+00:00",
"fieldMask": []
},
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
],
"cwes": [
{
"taxonomy": "cwe",
"identifier": "CWE-116",
"name": null,
"uri": "https://cwe.mitre.org/data/definitions/116.html",
"provenance": [
{
"source": "osv",
"kind": "weakness",
"value": "CWE-116",
"decisionReason": "database_specific.cwe_ids",
"recordedAt": "2025-10-15T14:48:57.995174+00:00",
"fieldMask": [
"cwes[]"
]
}
]
},
{
"taxonomy": "cwe",
"identifier": "CWE-74",
"name": null,
"uri": "https://cwe.mitre.org/data/definitions/74.html",
"provenance": [
{
"source": "osv",
"kind": "weakness",
"value": "CWE-74",
"decisionReason": "database_specific.cwe_ids",
"recordedAt": "2025-10-15T14:48:57.995174+00:00",
"fieldMask": [
"cwes[]"
]
}
]
},
{
"taxonomy": "cwe",
"identifier": "CWE-79",
"name": null,
"uri": "https://cwe.mitre.org/data/definitions/79.html",
"provenance": [
{
"source": "osv",
"kind": "weakness",
"value": "CWE-79",
"decisionReason": "database_specific.cwe_ids",
"recordedAt": "2025-10-15T14:48:57.995174+00:00",
"fieldMask": [
"cwes[]"
]
}
]
},
{
"taxonomy": "cwe",
"identifier": "CWE-94",
"name": null,
"uri": "https://cwe.mitre.org/data/definitions/94.html",
"provenance": [
{
"source": "osv",
"kind": "weakness",
"value": "CWE-94",
"decisionReason": "database_specific.cwe_ids",
"recordedAt": "2025-10-15T14:48:57.995174+00:00",
"fieldMask": [
"cwes[]"
]
}
]
}
],
"description": "### Summary\npyLoad web interface contained insufficient input validation in both the Captcha script endpoint and the Click'N'Load (CNL) Blueprint. This flaw allowed untrusted user input to be processed unsafely, which could be exploited by an attacker to inject arbitrary content into the web UI or manipulate request handling. The vulnerability could lead to client-side code execution (XSS) or other unintended behaviors when a malicious payload is submitted.\n\nuser-supplied parameters from HTTP requests were not adequately validated or sanitized before being passed into the application logic and response generation. This allowed crafted input to alter the expected execution flow.\n CNL (Click'N'Load) blueprint exposed unsafe handling of untrusted parameters in HTTP requests. The application did not consistently enforce input validation or encoding, making it possible for an attacker to craft malicious requests.\n\n### PoC\n\n1. Run a vulnerable version of pyLoad prior to commit [`f9d27f2`](https://github.com/pyload/pyload/pull/4624).\n2. Start the web UI and access the Captcha or CNL endpoints.\n3. Submit a crafted request containing malicious JavaScript payloads in unvalidated parameters (`/flash/addcrypted2?jk=function(){alert(1)}&crypted=12345`).\n4. Observe that the payload is reflected and executed in the clients browser, demonstrating cross-site scripting (XSS).\n\nExample request:\n\n```http\nGET /flash/addcrypted2?jk=function(){alert(1)}&crypted=12345 HTTP/1.1\nHost: 127.0.0.1:8000\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 107\n```\n\n### Impact\n\nExploiting this vulnerability allows an attacker to inject and execute arbitrary JavaScript within the browser session of a user accessing the pyLoad Web UI. In practice, this means an attacker could impersonate an administrator, steal authentication cookies or tokens, and perform unauthorized actions on behalf of the victim. 
Because the affected endpoints are part of the core interface, a successful attack undermines the trust and security of the entire application, potentially leading to a full compromise of the management interface and the data it controls. The impact is particularly severe in cases where the Web UI is exposed over a network without additional access restrictions, as it enables remote attackers to directly target users with crafted links or requests that trigger the vulnerability.",
"exploitKnown": false,
"language": "en",
"modified": "2025-10-09T15:59:13.250015+00:00",
"provenance": [
{
"source": "osv",
"kind": "document",
"value": "https://osv.dev/vulnerability/GHSA-cjjf-27cc-pvmv",
"decisionReason": null,
"recordedAt": "2025-10-09T15:19:48+00:00",
"fieldMask": [
"advisory"
]
},
{
"source": "osv",
"kind": "mapping",
"value": "GHSA-cjjf-27cc-pvmv",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.995174+00:00",
"fieldMask": [
"advisory"
]
}
],
"published": "2025-10-09T15:19:48+00:00",
"references": [
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://github.com/pyload/pyload",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.995174+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "PACKAGE",
"summary": null,
"url": "https://github.com/pyload/pyload"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://github.com/pyload/pyload/commit/5823327d0b797161c7195a1f660266d30a69f0ca",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.995174+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://github.com/pyload/pyload/commit/5823327d0b797161c7195a1f660266d30a69f0ca"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://github.com/pyload/pyload/pull/4624",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.995174+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://github.com/pyload/pyload/pull/4624"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://github.com/pyload/pyload/security/advisories/GHSA-cjjf-27cc-pvmv",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.995174+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-cjjf-27cc-pvmv"
}
],
"severity": "high",
"summary": "### Summary pyLoad web interface contained insufficient input validation in both the Captcha script endpoint and the Click'N'Load (CNL) Blueprint. This flaw allowed untrusted user input to be processed unsafely, which could be exploited by an attacker to inject arbitrary content into the web UI or manipulate request handling. The vulnerability could lead to client-side code execution (XSS) or other unintended behaviors when a malicious payload is submitted. user-supplied parameters from HTTP requests were not adequately validated or sanitized before being passed into the application logic and response generation. This allowed crafted input to alter the expected execution flow. CNL (Click'N'Load) blueprint exposed unsafe handling of untrusted parameters in HTTP requests. The application did not consistently enforce input validation or encoding, making it possible for an attacker to craft malicious requests. ### PoC 1. Run a vulnerable version of pyLoad prior to commit [`f9d27f2`](https://github.com/pyload/pyload/pull/4624). 2. Start the web UI and access the Captcha or CNL endpoints. 3. Submit a crafted request containing malicious JavaScript payloads in unvalidated parameters (`/flash/addcrypted2?jk=function(){alert(1)}&crypted=12345`). 4. Observe that the payload is reflected and executed in the clients browser, demonstrating cross-site scripting (XSS). Example request: ```http GET /flash/addcrypted2?jk=function(){alert(1)}&crypted=12345 HTTP/1.1 Host: 127.0.0.1:8000 Content-Type: application/x-www-form-urlencoded Content-Length: 107 ``` ### Impact Exploiting this vulnerability allows an attacker to inject and execute arbitrary JavaScript within the browser session of a user accessing the pyLoad Web UI. In practice, this means an attacker could impersonate an administrator, steal authentication cookies or tokens, and perform unauthorized actions on behalf of the victim. 
Because the affected endpoints are part of the core interface, a successful attack undermines the trust and security of the entire application, potentially leading to a full compromise of the management interface and the data it controls. The impact is particularly severe in cases where the Web UI is exposed over a network without additional access restrictions, as it enables remote attackers to directly target users with crafted links or requests that trigger the vulnerability.",
"title": "pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters"
},
{
"advisoryKey": "GHSA-wv4w-6qv2-qqfg",
"affectedPackages": [
{
"type": "semver",
"identifier": "pkg:pypi/social-auth-app-django",
"platform": "PyPI",
"versionRanges": [
{
"fixedVersion": "5.6.0",
"introducedVersion": "0",
"lastAffectedVersion": null,
"primitives": {
"evr": null,
"hasVendorExtensions": false,
"nevra": null,
"semVer": {
"constraintExpression": null,
"exactValue": null,
"fixed": "5.6.0",
"fixedInclusive": false,
"introduced": "0",
"introducedInclusive": true,
"lastAffected": null,
"lastAffectedInclusive": true,
"style": "range"
},
"vendorExtensions": null
},
"provenance": {
"source": "osv",
"kind": "range",
"value": "pkg:pypi/social-auth-app-django",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9927932+00:00",
"fieldMask": [
"affectedpackages[].versionranges[]"
]
},
"rangeExpression": null,
"rangeKind": "semver"
}
],
"normalizedVersions": [
{
"scheme": "semver",
"type": "range",
"min": "0",
"minInclusive": true,
"max": "5.6.0",
"maxInclusive": false,
"value": null,
"notes": "osv:PyPI:GHSA-wv4w-6qv2-qqfg:pkg:pypi/social-auth-app-django"
}
],
"statuses": [],
"provenance": [
{
"source": "osv",
"kind": "affected",
"value": "pkg:pypi/social-auth-app-django",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9927932+00:00",
"fieldMask": [
"affectedpackages[]"
]
}
]
}
],
"aliases": [
"CVE-2025-61783",
"GHSA-wv4w-6qv2-qqfg"
],
"canonicalMetricId": "osv:severity/medium",
"credits": [],
"cvssMetrics": [],
"cwes": [
{
"taxonomy": "cwe",
"identifier": "CWE-290",
"name": null,
"uri": "https://cwe.mitre.org/data/definitions/290.html",
"provenance": [
{
"source": "osv",
"kind": "weakness",
"value": "CWE-290",
"decisionReason": "database_specific.cwe_ids",
"recordedAt": "2025-10-15T14:48:57.9927932+00:00",
"fieldMask": [
"cwes[]"
]
}
]
}
],
"description": "### Impact\n\nUpon authentication, the user could be associated by e-mail even if the `associate_by_email` pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses.\n\n### Patches\n\n* https://github.com/python-social-auth/social-app-django/pull/803\n\n### Workarounds\n\nReview the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability.",
"exploitKnown": false,
"language": "en",
"modified": "2025-10-09T17:57:29.916841+00:00",
"provenance": [
{
"source": "osv",
"kind": "document",
"value": "https://osv.dev/vulnerability/GHSA-wv4w-6qv2-qqfg",
"decisionReason": null,
"recordedAt": "2025-10-09T17:08:05+00:00",
"fieldMask": [
"advisory"
]
},
{
"source": "osv",
"kind": "mapping",
"value": "GHSA-wv4w-6qv2-qqfg",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9927932+00:00",
"fieldMask": [
"advisory"
]
}
],
"published": "2025-10-09T17:08:05+00:00",
"references": [
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://github.com/python-social-auth/social-app-django",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9927932+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "PACKAGE",
"summary": null,
"url": "https://github.com/python-social-auth/social-app-django"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://github.com/python-social-auth/social-app-django/commit/10c80e2ebabeccd4e9c84ad0e16e1db74148ed4c",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9927932+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://github.com/python-social-auth/social-app-django/commit/10c80e2ebabeccd4e9c84ad0e16e1db74148ed4c"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://github.com/python-social-auth/social-app-django/issues/220",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9927932+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://github.com/python-social-auth/social-app-django/issues/220"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://github.com/python-social-auth/social-app-django/issues/231",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9927932+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://github.com/python-social-auth/social-app-django/issues/231"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://github.com/python-social-auth/social-app-django/issues/634",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9927932+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://github.com/python-social-auth/social-app-django/issues/634"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://github.com/python-social-auth/social-app-django/pull/803",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9927932+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://github.com/python-social-auth/social-app-django/pull/803"
},
{
"kind": null,
"provenance": {
"source": "osv",
"kind": "reference",
"value": "https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-wv4w-6qv2-qqfg",
"decisionReason": null,
"recordedAt": "2025-10-15T14:48:57.9927932+00:00",
"fieldMask": [
"references[]"
]
},
"sourceTag": "WEB",
"summary": null,
"url": "https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-wv4w-6qv2-qqfg"
}
],
"severity": "medium",
"summary": "### Impact Upon authentication, the user could be associated by e-mail even if the `associate_by_email` pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses. ### Patches * https://github.com/python-social-auth/social-app-django/pull/803 ### Workarounds Review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability.",
"title": "Python Social Auth - Django has unsafe account association"
}
]