
[GHSA-47mc-qmh2-mqj4] Automad arbitrary file upload vulnerability #4699

Conversation

@marcantondahmen

Updates

  • Affected products
  • CVSS
  • References
  • Severity

Comments
Dear GitHub Security Curators Team,

I, the maintainer of the affected repository, would like to correct some of the details regarding this report:

  1. In contrast to the mentioned affected versions, the vulnerability was fixed with version 2.0.0-alpha.5. The linked issue "GHSA-93q8-gq69-wqmw needs updating" (#106) clearly states this.
  2. The release date was already June 30th, but this entry was updated last week without mentioning the fix.
  3. The vulnerability was reported as a CVE entry three weeks after the fix was released, why?
  4. The linked commit is totally unrelated.
  5. In order to exploit the vulnerability one has to be an admin user. A malicious file has to be prepared and uploaded manually by the admin. Usually there is only one admin per site and that is the owner. That is relevant and should be mentioned.

@github-actions github-actions bot changed the base branch from main to marcantondahmen/advisory-improvement-4699 August 17, 2024 19:55
@advisory-database advisory-database bot merged commit 5794eae into marcantondahmen/advisory-improvement-4699 Aug 19, 2024
@advisory-database (Contributor)

Hi @marcantondahmen! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the marcantondahmen-GHSA-47mc-qmh2-mqj4 branch August 19, 2024 21:03
@darakian (Contributor) commented Aug 19, 2024

Hey there @marcantondahmen 👋

On 1/2; sorry about that. I re-read marcantondahmen/automad#106 and you do mention that there is a fixed version. We missed that. Sorry again and it's now updated.

> The vulnerability was reported as a CVE entry three weeks after the fix was released, why?

Unclear. We ingested this one from mitre so, I would guess that the reporter asked them for a CVE after you acknowledged the vuln.

> The linked commit is totally unrelated.

Pulled. Let me know if there's a commit you think should be on there 👍

> In order to exploit the vulnerability one has to be an admin user. A malicious file has to be prepared and uploaded manually by the admin. Usually there is only one admin per site and that is the owner. That is relevant and should be mentioned.

Added some text to that effect and also dropped the severity with an altered CVSS. Apologies for all these

@marcantondahmen (Author)

Thanks for looking into this one!
