Skip to content

Commit 33c54d2

Browse files
authored
Merge pull request #1145 from jasnow/ghsa-syncbot-2026-06-25-21_05_07
Four new advisories Thanks for @simi's reviews - LGTM
2 parents aac0866 + 768797b commit 33c54d2

4 files changed

Lines changed: 164 additions & 0 deletions

File tree

gems/css_parser/CVE-2026-53727.yml

Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
---
2+
gem: css_parser
3+
cve: 2026-53727
4+
ghsa: 9pmc-p236-855h
5+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-53727
6+
title: SSRF and Local File Disclosure in `CssParser::Parser#read_remote_file`
7+
date: 2026-06-01
8+
description: |
9+
## Summary
10+
11+
CssParser::Parser#read_remote_file (and therefore load_uri!, and the
12+
@import-following branch of add_block!) issues HTTP/HTTPS requests
13+
against any host, port and URI it is handed, with no scheme allowlist,
14+
no host / IP filtering, and no protection against link-local, loopback
15+
or RFC‑1918 addresses. Location: redirects are followed recursively
16+
back into the same function, which also services file:// URIs, so a
17+
single attacker-controlled HTTP redirect upgrades the bug from SSRF
18+
to arbitrary local file disclosure.
19+
20+
In practice, any consumer of css_parser that hands it attacker‑influenced
21+
CSS together with a base_uri: option — Premailer being the canonical
22+
example — is exposed. The attacker only needs the ability to land one
23+
@import url(...) in the CSS that the host application parses.
24+
cvss_v4: 8.9
25+
unaffected_versions:
26+
- "< 2.2.0"
27+
patched_versions:
28+
- ">= 3.0.0"
29+
related:
30+
url:
31+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-53727
32+
- https://rubygems.org/gems/css_parser/versions/3.0.0
33+
- https://github.com/premailer/css_parser/blob/master/CHANGELOG.md#version-300
34+
- https://github.com/premailer/css_parser/security/advisories/GHSA-9pmc-p236-855h
35+
notes: |
36+
- CVE is reserved, but not published so no cvss values.

gems/msgpack/CVE-2026-54522.yml

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,30 @@
1+
---
2+
gem: msgpack
3+
cve: 2026-54522
4+
ghsa: 4mrv-5p47-p938
5+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54522
6+
title: DFVULN-839 - Use-After-Free in MessagePack::Buffer#clear
7+
Enables Cross-Buffer Disclosure
8+
date: 2026-06-09
9+
description: |
10+
## Summary
11+
12+
MessagePack::Buffer#clear shifts out every chunk and returns its
13+
4 KiB rmem page to the shared pool, but does not reset the buffer's
14+
rmem cursor (rmem_last, rmem_end, rmem_owner). The next write sees
15+
"unused rmem space" left over from the freed page and hands back a
16+
slice of memory that has already been returned to the pool. A second
17+
MessagePack::Buffer then re-acquires that same page, so reading the
18+
cleared-and-rewritten buffer discloses the second buffer's bytes — a
19+
same-process use-after-free with cross-buffer information
20+
disclosure (and the symmetric write-corruption).
21+
patched_versions:
22+
- ">= 1.8.2"
23+
related:
24+
url:
25+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54522
26+
- https://github.com/msgpack/msgpack-ruby/blob/master/ChangeLog
27+
- https://github.com/msgpack/msgpack-ruby/compare/v1.8.1...v1.8.2
28+
- https://github.com/msgpack/msgpack-ruby/security/advisories/GHSA-4mrv-5p47-p938
29+
notes: |
30+
- CVE is reserved, but not published so no cvss values.

gems/savon/CVE-2026-53510.yml

Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,34 @@
1+
---
2+
gem: savon
3+
cve: 2026-53510
4+
ghsa: mx5j-mp4f-g8jg
5+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-53510
6+
title: Savon::Model evaluates WSDL operation names as Ruby source
7+
date: 2026-06-10
8+
description: |
9+
Savon::Model generated SOAP operation methods by interpolating
10+
operation names into Ruby source passed to module_eval. An attacker
11+
who can control the operation names of a WSDL, can inject Ruby code
12+
that executes in the application process. This affects only the
13+
.all_operations class method provided by Savon::Model to automatically
14+
register all operations provided by the WSDL. Configuring Savon::Model
15+
with trusted operation names via .operations is safe.
16+
17+
Thanks to @connorshea for securely disclosing this, providing
18+
a proof and a great report.
19+
cvss_v3: 8.1
20+
unaffected_versions:
21+
- "< 0.9.8"
22+
patched_versions:
23+
- ">= 2.17.2"
24+
related:
25+
url:
26+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-53510
27+
- https://github.com/savonrb/savon/releases/tag/v2.17.2
28+
- https://github.com/savonrb/savon/blob/main/CHANGELOG.md#2172---2026-06-10
29+
- https://github.com/savonrb/savon/blob/v2.17.1/lib/savon/model.rb#L30-L45
30+
- https://gist.github.com/connorshea/6cdc951abe0e1ffd2d1cc0fa7cd6b74d
31+
- https://github.com/savonrb/savon/security/advisories/GHSA-mx5j-mp4f-g8jg
32+
notes: |
33+
- Found CVE # in CHANGELOG file.
34+
- CVE is reserved, but not published so no non-GHSA cvss values.
Lines changed: 64 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,64 @@
1+
---
2+
gem: secure_headers
3+
cve: 2026-54163
4+
ghsa: rqq5-2gf9-4w4q
5+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54163
6+
title: CSP directive injection via sandbox, plugin_types, and report_to
7+
when given untrusted input
8+
date: 2026-06-3
9+
description: |
10+
## Summary
11+
12+
secure_headers builds the Content-Security-Policy value by stitching
13+
every configured directive together with ; separators. Three directive
14+
builders (build_sandbox_list_directive, build_media_type_list_directive,
15+
build_report_to_directive) interpolate caller-supplied strings into
16+
that value without scrubbing ;, \r, or \n.
17+
18+
When an application forwards untrusted input into
19+
SecureHeaders.override_content_security_policy_directives (or append_…)
20+
for :sandbox, :plugin_types, or :report_to, an attacker can embed a
21+
literal ; and inject an arbitrary CSP directive into the header value.
22+
Because :sandbox and :plugin_types both sort alphabetically before
23+
:script_src in BODY_DIRECTIVES, the injected script-src lands earlier
24+
in the header and wins under the CSP first-occurrence rule, defeating
25+
the application's real script-src. End result: an 'unsafe-inline' * policy
26+
is forced for inline <script> despite the configured strict CSP, giving
27+
full XSS reachability anywhere reflected or stored content meets one of
28+
these three sinks.
29+
30+
An existing ;/\n scrub is already present in the source-list builder
31+
(build_source_list_directive), but the three sibling builders here
32+
never received the same treatment and still emit caller bytes verbatim
33+
into the CSP value.
34+
35+
## Impact
36+
37+
Although piping untrusted input into CSP directives is generally
38+
discouraged, applications that do so for one of the three uncovered
39+
directives turn that endpoint into an XSS sink with an effective *
40+
'unsafe-inline' script-src, even though the global config says
41+
script_src: %w('self'). The same primitive can also be used to point
42+
report-to / report-uri at attacker infrastructure to silently siphon
43+
CSP violation reports — which include the violated URL, blocked-uri,
44+
source-file, line-number and a sample-snippet, useful for
45+
fingerprinting and for harvesting victim-internal URLs.
46+
47+
The global default CSP set in Configuration.default is supposed to
48+
be a backstop: even if a controller appends a single risky value,
49+
the strict script-src should remain the first match. This bug breaks
50+
that property by letting the appended value redefine the policy header
51+
upstream of the legitimate script-src.
52+
cvss_v3: 4.7
53+
patched_versions:
54+
- ">= 7.3.0"
55+
related:
56+
url:
57+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54163
58+
- https://rubygems.org/gems/secure_headers/versions/7.3.0
59+
- https://github.com/github/secure_headers/releases/tag/v7.3.0
60+
- https://github.com/github/secure_headers/commit/286a79dea80c6a9be4ca93e0f284c923cf77e539
61+
- https://github.com/github/secure_headers/security/advisories/GHSA-rqq5-2gf9-4w4q
62+
notes: |
63+
- CVE is reserved, but not published so no cvss_v2 or cvss_v4 values.
64+
- CHANGELOG only goes to 6.5.0.

0 commit comments

Comments
 (0)