diff --git a/gems/camaleon_cms/CVE-2026-1776.yml b/gems/camaleon_cms/CVE-2026-1776.yml new file mode 100644 index 0000000000..1009ced182 --- /dev/null +++ b/gems/camaleon_cms/CVE-2026-1776.yml @@ -0,0 +1,34 @@ +--- +gem: camaleon_cms +cve: 2026-1776 +ghsa: jw5g-f64p-6x78 +url: https://nvd.nist.gov/vuln/detail/CVE-2026-1776 +title: Camaleon CMS vulnerable to Path Traversal through + AWS S3 uploader implementation +date: 2026-03-10 +description: | + Camaleon CMS versions 2.4.5.0 through 2.9.1, prior to commit f54a77e, + contain a path traversal vulnerability in the AWS S3 uploader + implementation that allows authenticated users to read arbitrary + files from the web server’s filesystem. The issue occurs in the + download_private_file functionality when the application is + configured to use the CamaleonCmsAwsUploader backend. Unlike the + local uploader implementation, the AWS uploader does not validate + file paths with valid_folder_path?, allowing directory traversal + sequences to be supplied via the file parameter. As a result, any + authenticated user, including low-privileged registered users, can + access sensitive files such as /etc/passwd. This issue represents a + bypass of the incomplete fix for CVE-2024-46987 and affects + deployments using the AWS S3 storage backend. +cvss_v4: 6.0 +unaffected_versions: + - "< 2.4.5.0" +notes: 'Never patched; last release was 2.9.1' +related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2026-1776 + - https://github.com/owen2345/camaleon-cms/pull/1127 + - https://github.com/owen2345/camaleon-cms/commit/f54a77e2a7be601215ea1b396038c589a0cab9af + - https://camaleon.website + - https://www.vulncheck.com/advisories/camaleon-cms-aws-uploader-authenticated-path-traversal-arbitrary-file-read + - https://github.com/advisories/GHSA-jw5g-f64p-6x78 diff --git a/gems/sigstore/CVE-2026-31830.yml b/gems/sigstore/CVE-2026-31830.yml new file mode 100644 index 0000000000..6cafcbd124 --- /dev/null +++ b/gems/sigstore/CVE-2026-31830.yml 
@@ -0,0 +1,56 @@ +--- +gem: sigstore +cve: 2026-31830 +ghsa: mhg6-2q2v-9h2c +url: https://github.com/sigstore/sigstore-ruby/security/advisories/GHSA-mhg6-2q2v-9h2c +title: sigstore-ruby verifier returns success for DSSE bundles + with mismatched in-toto subject digest +date: 2026-03-11 +description: | + ### Summary + + `Sigstore::Verifier#verify` does not propagate the `VerificationFailure` + returned by `verify_in_toto` when the artifact digest does not match + the digest in the in-toto attestation subject. As a result, verification + of DSSE bundles containing in-toto statements returns `VerificationSuccess` + regardless of whether the artifact matches the attested subject. + + ### Details + + In `lib/sigstore/verifier.rb`, the verify method calls `verify_in_toto` + (line 176) without capturing or checking its return value: + + `verify_in_toto(input, in_toto)` + + When `verify_in_toto` detects a digest mismatch, it returns a + `VerificationFailure` object. Because the caller discards this + return value, execution unconditionally falls through to return + `VerificationSuccess`. This is the only verification sub-check in + the method (out of 12) whose failure is not propagated. + + The message_signature code path is not affected. + + ### Impact + + An attacker who possesses a valid signed DSSE bundle containing an + in-toto attestation for artifact A can present it as a valid attestation + for a different artifact B. All other verification checks (DSSE envelope + signature, certificate chain, Rekor inclusion, SCTs, policy) pass because + they are independent of the artifact content. Only the in-toto subject + digest check detects the mismatch, and its result is discarded. + + This allows an attacker to bypass artifact-to-attestation binding for + any consumer that relies on `Sigstore::Verifier#verify` to validate + DSSE/in-toto bundles. + + ### Workarounds + + None. Consumers cannot work around this without patching the library. 
+cvss_v3: 7.5 +patched_versions: + - ">= 0.2.3" +related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2026-31830 + - https://github.com/sigstore/sigstore-ruby/security/advisories/GHSA-mhg6-2q2v-9h2c + - https://github.com/advisories/GHSA-mhg6-2q2v-9h2c
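Review bot: In gems/camaleon_cms/CVE-2026-1776.yml the `notes` field reads 'Never patched; last release was 2.9.1' while the description says "prior to commit f54a77e" and the related URLs include PR 1127 and that commit; reword the note to say a fix is committed upstream but not included in any released gem, so "never patched" is not read as "no fix exists". The description also names CVE-2024-46987 as the incompletely fixed issue this bypasses, yet `related:` carries only `url:` entries; consider cross-referencing that CVE in the `related` block as well. Minor: "web server’s" uses a typographic apostrophe while the rest of the entry is plain ASCII; an ASCII apostrophe keeps it consistent.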
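Review bot: In gems/sigstore/CVE-2026-31830.yml the description is pasted from the GHSA with its Markdown section markers (`### Summary`, `### Details`, `### Impact`, `### Workarounds`), whereas the camaleon_cms entry in this same patch writes its description as plain paragraphs; drop the `###` markers and keep the section text as paragraphs for consistency. The "(line 176)" reference in the Details paragraph only holds for one particular revision of lib/sigstore/verifier.rb and will be stale once the fix moves the code; either state which version it refers to or remove it. The entry sets `patched_versions: ">= 0.2.3"` with no `unaffected_versions`; confirm that every release before 0.2.3 is affected, otherwise record the earliest affected release so older versions are not flagged needlessly.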