Updated advisory posts against rubysec/ruby-advisory-db@0fa2cbc

jasnow · RubySec CI · commit 6706614da6c6 · 2024-10-04T20:31:03.000Z
diff --git a/advisories/_posts/2024-10-02-CVE-2024-43795.md b/advisories/_posts/2024-10-02-CVE-2024-43795.md
@@ -0,0 +1,38 @@
+---
+layout: advisory
+title: 'CVE-2024-43795 (openc3): OpenC3 Cross-site Scripting in Login functionality
+  (`GHSL-2024-128`)'
+comments: false
+categories:
+- openc3
+advisory:
+  gem: openc3
+  cve: 2024-43795
+  ghsa: vfj8-5pj7-2f9g
+  url: https://github.com/OpenC3/cosmos/security/advisories/GHSA-vfj8-5pj7-2f9g
+  title: OpenC3 Cross-site Scripting in Login functionality (`GHSL-2024-128`)
+  date: 2024-10-02
+  description: |
+    ### Summary
+
+    The login functionality contains a reflected cross-site scripting
+    (XSS) vulnerability.
+
+    Note: This CVE only affects Open Source Edition, and not
+    OpenC3 COSMOS Enterprise Edition
+
+    ### Impact
+    This issue may lead up to Remote Code Execution (RCE).
+
+    **NOTE:** The complete advisory with much more information is added as
+    [comment](https://github.com/OpenC3/cosmos/security/advisories/GHSA-vfj8-5pj7-2f9g#advisory-comment-104904).
+  cvss_v4: 5.1
+  patched_versions:
+  - ">= 5.19.0"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-43795
+    - https://github.com/OpenC3/cosmos/security/advisories/GHSA-vfj8-5pj7-2f9g
+    - https://github.com/OpenC3/cosmos/commit/762d7e0e93bdc2f340b1e42acccedc78994a576e
+    - https://github.com/advisories/GHSA-vfj8-5pj7-2f9g
+---
diff --git a/advisories/_posts/2024-10-02-CVE-2024-46977.md b/advisories/_posts/2024-10-02-CVE-2024-46977.md
@@ -0,0 +1,40 @@
+---
+layout: advisory
+title: 'CVE-2024-46977 (openc3): OpenC3 Path Traversal via screen controller (`GHSL-2024-127`)'
+comments: false
+categories:
+- openc3
+advisory:
+  gem: openc3
+  cve: 2024-46977
+  ghsa: 8jxr-mccc-mwg8
+  url: https://github.com/OpenC3/cosmos/security/advisories/GHSA-8jxr-mccc-mwg8
+  title: OpenC3 Path Traversal via screen controller (`GHSL-2024-127`)
+  date: 2024-10-02
+  description: |
+    ### Summary
+
+    A path traversal vulnerability inside of `LocalMode`'s
+    `open_local_file` method allows an authenticated user with
+    adequate permissions to download any `.txt` via the
+    `ScreensController#show` on the web server COSMOS is running
+    on (depending on the file permissions).
+
+    Note: This CVE affects all OpenC3 COSMOS Editions
+
+    ### Impact
+
+    This issue may lead to Information Disclosure.
+
+    **NOTE:** The complete advisory with much more information is added as
+    [comment](https://github.com/OpenC3/cosmos/security/advisories/GHSA-8jxr-mccc-mwg8#advisory-comment-104903).
+  cvss_v4: 5.3
+  patched_versions:
+  - ">= 5.19.0"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-46977
+    - https://github.com/OpenC3/cosmos/security/advisories/GHSA-8jxr-mccc-mwg8
+    - https://github.com/OpenC3/cosmos/commit/a34e61aea5a465f0ab3e57d833ae7ff4cafd710b
+    - https://github.com/advisories/GHSA-8jxr-mccc-mwg8
+---
diff --git a/advisories/_posts/2024-10-02-CVE-2024-47529.md b/advisories/_posts/2024-10-02-CVE-2024-47529.md
@@ -0,0 +1,40 @@
+---
+layout: advisory
+title: 'CVE-2024-47529 (openc3): OpenC3 stores passwords in clear text (`GHSL-2024-129`)'
+comments: false
+categories:
+- openc3
+advisory:
+  gem: openc3
+  cve: 2024-47529
+  ghsa: 4xqv-47rm-37mm
+  url: https://github.com/OpenC3/cosmos/security/advisories/GHSA-4xqv-47rm-37mm
+  title: OpenC3 stores passwords in clear text (`GHSL-2024-129`)
+  date: 2024-10-02
+  description: |
+    ### Summary
+
+    OpenC3 COSMOS stores the password of a user unencrypted in the
+    LocalStorage of a web browser. This makes the user password
+    susceptible to exfiltration via Cross-site scripting (see GHSL-2024-128).
+
+    Note: This CVE only affects Open Source edition, and not
+    OpenC3 COSMOS Enterprise Edition
+
+    ### Impact
+
+    This issue may lead to Information Disclosure.
+
+    **NOTE:** The complete advisory with much more information is added as
+    [comment](https://github.com/OpenC3/cosmos/security/advisories/GHSA-4xqv-47rm-37mm#advisory-comment-104905).
+  cvss_v3: 5.9
+  cvss_v4: 4.8
+  patched_versions:
+  - ">= 5.19.0"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-47529
+    - https://github.com/OpenC3/cosmos/security/advisories/GHSA-4xqv-47rm-37mm
+    - https://github.com/OpenC3/cosmos/commit/b5ab34fe7fa54c0c8171c4aa3caf4e03d6f63bd7
+    - https://github.com/advisories/GHSA-4xqv-47rm-37mm
+---
