GHSA SYNC: 3 modified and 1 brand new advisory (#855)

jasnow · web-flow · commit 6847b4580e91 · 2025-03-04T11:21:21.000-08:00
diff --git a/gems/cgi/CVE-2025-27219.yml b/gems/cgi/CVE-2025-27219.yml
@@ -1,6 +1,7 @@
 ---
 gem: cgi
 cve: 2025-27219
+ghsa: gh9q-2xrm-x6qv
 url: https://www.cve.org/CVERecord?id=CVE-2025-27219
 title: CVE-2025-27219 - Denial of Service in CGI::Cookie.parse
 date: 2025-02-26
@@ -25,6 +26,7 @@ description: |
 
   Thanks to lio346 for discovering this issue.
   Also thanks to mame for fixing this vulnerability.
+cvss_v3: 5.8
 patched_versions:
   - "~> 0.3.5.1"
   - "~> 0.3.7"
diff --git a/gems/cgi/CVE-2025-27220.yml b/gems/cgi/CVE-2025-27220.yml
@@ -1,6 +1,7 @@
 ---
 gem: cgi
 cve: 2025-27220
+ghsa: mhwm-jh88-3gjf
 url: https://www.cve.org/CVERecord?id=CVE-2025-27220
 title: CVE-2025-27220 - ReDoS in CGI::Util#escapeElement.
 date: 2025-02-26
@@ -26,6 +27,7 @@ description: |
 
   Thanks to svalkanov for discovering this issue.
   Also thanks to nobu for fixing this vulnerability.
+cvss_v3: 4.0
 patched_versions:
   - "~> 0.3.5.1"
   - "~> 0.3.7"
diff --git a/gems/oxidized-web/CVE-2025-27590.yml b/gems/oxidized-web/CVE-2025-27590.yml
@@ -0,0 +1,21 @@
+---
+gem: oxidized-web
+cve: 2025-27590
+ghsa: jx6p-9c26-g373
+url: https://github.com/advisories/GHSA-jx6p-9c26-g373
+title: Oxidized Web RANCID migration page allows unauthenticated
+  user to gain control over Linux user account
+date: 2025-03-03
+description: |
+  In oxidized-web (aka Oxidized Web) before 0.15.0, the RANCID
+  migration page allows an unauthenticated user to gain control
+  over the Linux user account that is running oxidized-web.
+cvss_v3: 9.1
+patched_versions:
+  - ">= 0.15.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-27590
+    - https://github.com/ytti/oxidized-web/releases/tag/0.15.0
+    - https://github.com/ytti/oxidized-web/commit/a5220a0ddc57b85cd122bffee228d3ed4901668e
+    - https://github.com/advisories/GHSA-jx6p-9c26-g373
diff --git a/gems/uri/CVE-2025-27221.yml b/gems/uri/CVE-2025-27221.yml
@@ -1,6 +1,7 @@
 ---
 gem: uri
 cve: 2025-27221
+ghsa: 22h5-pq3x-2gf2
 url: https://www.cve.org/CVERecord?id=CVE-2025-27221
 title: CVE-2025-27221 - userinfo leakage in URI#join, URI#merge and URI#+.
 date: 2025-02-26
@@ -29,6 +30,7 @@ description: |
 
   Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue.
   Also thanks to nobu for additional fixes of this vulnerability.
+cvss_v3: 3.2
 patched_versions:
   - "~> 0.11.3"
   - "~> 0.12.4"
