Update: 114 files - 2026-03-19 16:45:07

This commit is contained in:
hao
2026-03-19 16:45:07 -07:00
Parent 2e67bff9a7
Commit 49fe46ab89
114 files changed, 6388 additions and 1023 deletions

View file

@@ -0,0 +1,60 @@
{
"canonical_id": "kibana--012933e759",
"system_id": "kibana",
"display_name": "Kibana",
"category": "platforms",
"advisory_mode": "core",
"title": "Kibana 8.19.12, 9.2.6, 9.3.1 Security Update (ESA-2026-19)",
"summary": "<p><strong>Missing Authorization in Kibana Leading to Unauthorized Endpoint Response Action Configuration</strong></p>\n<p>Missing Authorization (CWE-862) in Kibana\u2019s server-side Detection Rule Management can lead to Unauthorized Endpoint Response Action Configuration (host isolation, process termination, and process suspension) via CAPEC-1 (Accessing Functionality Not Properly Constrained by ACLs). This requires an authenticated attacker with rule management privileges.</p>\n<p><strong>Affected Versions:</strong></p>\n<ul>\n<li>8.x: All versions from 8.0.0 up to and including 8.19.11</li>\n<li>9.x:\n<ul>\n<li>All versions from 9.0.0 up to and including 9.2.5</li>\n<li>Version 9.3.0</li>\n</ul>\n</li>\n</ul>\n<p><strong>Affected Configurations:</strong></p>\n<ul>\n<li>Automated response actions require the appropriate Elastic Stack subscription or Serverless project feature tier, and hosts must have Elastic Agent installed with the Elastic Defend integration.</li>\n<li>Automated response actions are not enabled by default on detection rules. A user must explicitly configure them. However, the Elastic Defend feature privileges (Host Isolation, Process Operations) are set to None by default for new roles, meaning most users should not have these privileges unless explicitly granted. The vulnerability allows users without these privileges to bypass the restriction.</li>\n<li>The Update API is only vulnerable when response actions are being added to an existing rule that does not already have any response actions. If the rule already contains response actions, the existing authorization logic was applied.</li>\n</ul>\n<p><strong>Solutions and Mitigations:</strong></p>\n<p>The issue is resolved in version 8.19.12, 9.2.6, 9.3.1.</p>\n<p><strong>For Users that Cannot Upgrade:</strong></p>\n<p>Update to the patched version as soon as possible. 
In the interim, restrict detection rule management privileges to users who are also authorized for endpoint response actions. Review existing rules for any unauthorized response action configurations that may have been added.</p>\n<p><strong>Indicators of Compromise (IOC)</strong></p>\n<p>Audit all detection rules for response_actions configurations containing <code>.endpoint</code> action types (isolate, kill-process, suspend-process) that may have been added by unauthorized users.</p>\n<p><strong>Elastic Cloud Serverless</strong></p>\n<p>Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.</p>\n<p><strong>Severity:</strong> CVSSv3.1: Medium ( 6.5 ) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N<br>\n<strong>CVE ID</strong>: CVE-2026-26939<br>\n<strong>Problem Type:</strong> CWE-862 - Missing Authorization<br>\n<strong>Impact:</strong> Accessing Functionality Not Properly Constrained by ACLs - CAPEC-1</p>\n <p><small>1 post - 1 participant</small></p>\n <p><a href=\"https://discuss.elastic.co/t/kibana-8-19-12-9-2-6-9-3-1-security-update-esa-2026-19/385530\">Read full topic</a></p>",
"published_at": "Thu, 19 Mar 2026 16:51:08 +0000",
"updated_at": "Thu, 19 Mar 2026 16:51:08 +0000",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://discuss.elastic.co/t/kibana-8-19-12-9-2-6-9-3-1-security-update-esa-2026-19/385530",
"secondary_source_urls": [],
"aliases": [],
"cve_ids": [],
"ghsa_ids": [],
"osv_ids": [],
"affected_versions": [],
"fixed_versions": [],
"package_name": null,
"render_markdown": false,
"case_path": null,
"secure_code_topics": [
"authz-server-side-recheck",
"xss-output-encoding",
"proxy-trust-boundary",
"dependency-upgrade-policy"
],
"status": "triage",
"triage_reasons": [
"missing affected/fixed version details"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"historical_status": null,
"latest_status": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "xss-generic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [
"Elastic Security Announcements RSS"
],
"source_kinds": [
"rss-feed"
],
"candidate_count": 1
}
}
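Review bot: the structured fields in this record contradict the summary they sit next to. `cve_ids` is `[]`, `cvss_score` is `null` and `severity` is `"unknown"` although the summary states `CVE ID: CVE-2026-26939` and `CVSSv3.1: Medium ( 6.5 )`, and `affected_versions`/`fixed_versions` are empty although the summary lists 8.0.0 to 8.19.11, 9.0.0 to 9.2.5 and 9.3.0 as affected and 8.19.12, 9.2.6, 9.3.1 as fixed. The `triage_reasons` entry "missing affected/fixed version details" is therefore a parser gap, not a source gap; the `Affected Versions`, `Severity` and `CVE ID` sections of these Elastic advisories are regular enough to extract before the record is written. Separately, `repro_profile_id: "xss-generic"` and the `xss-output-encoding` / `proxy-trust-boundary` topics do not fit a CWE-862 missing-authorization bug in a server-side rule-management API; `authz-server-side-recheck` is the only tag here that matches the text.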

View file

@@ -0,0 +1,59 @@
{
"canonical_id": "kibana--0fcd01159e",
"system_id": "kibana",
"display_name": "Kibana",
"category": "platforms",
"advisory_mode": "core",
"title": "Packetbeat 8.19.11, 9.2.5 Security Update (ESA-2026-11)",
"summary": "<p><strong>Improper Validation of Array Index in Packetbeat Leading to Denial of Service</strong></p>\n<p>Improper Validation of Array Index (CWE-129) in multiple protocol parser components in Packetbeat can lead Denial of Service via Input Data Manipulation (CAPEC-153). An attacker with the ability to send specially crafted, malformed network packets to a monitored network interface can trigger out-of-bounds read operations, resulting in application crashes or resource exhaustion. This requires the attacker to be positioned on the same network segment as the Packetbeat deployment or to control traffic routed to monitored interfaces.</p>\n<p><strong>Affected Versions:</strong></p>\n<ul>\n<li>8.x: All versions from 8.0.0 up to and including 8.19.10</li>\n<li>9.x: All versions from 9.0.0 up to and including 9.2.4</li>\n</ul>\n<p><strong>Affected Configurations:</strong><br>\nPacketbeat protocol parsing is enabled by default for configured protocols. Network traffic capture requires explicit configuration of network interfaces and protocols to monitor in packetbeat.yml. The vulnerable parsers are only active when their respective protocols are explicitly enabled in the configuration.</p>\n<p><strong>Solutions and Mitigations:</strong></p>\n<p>The issue is resolved in version 8.19.11, 9.2.5.</p>\n<p><strong>For Users that Cannot Upgrade:</strong></p>\n<p>Network Segmentation: Ensure Packetbeat instances only monitor trusted network segments and implement network-level controls to prevent untrusted sources from sending traffic to monitored interfaces. 
This will reduce the likelihood of exploitation.</p>\n<p><strong>Indicators of Compromise (IOC)</strong></p>\n<ul>\n<li>Frequent panic/crash events in Packetbeat logs</li>\n<li>Error messages related to index out of range or slice bounds violations</li>\n<li>Repeated restarts of the Packetbeat process</li>\n</ul>\n<p><strong>Severity:</strong> CVSSv3.1: Medium ( 5.7 ) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H<br>\n<strong>CVE ID</strong>: CVE-2026-26933<br>\n<strong>Problem Type:</strong> CWE-129 - Improper Validation of Array Index<br>\n<strong>Impact:</strong> CAPEC-153 - Input Data Manipulation</p>\n <p><small>1 post - 1 participant</small></p>\n <p><a href=\"https://discuss.elastic.co/t/packetbeat-8-19-11-9-2-5-security-update-esa-2026-11/385533\">Read full topic</a></p>",
"published_at": "Thu, 19 Mar 2026 16:56:17 +0000",
"updated_at": "Thu, 19 Mar 2026 16:56:17 +0000",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://discuss.elastic.co/t/packetbeat-8-19-11-9-2-5-security-update-esa-2026-11/385533",
"secondary_source_urls": [],
"aliases": [],
"cve_ids": [],
"ghsa_ids": [],
"osv_ids": [],
"affected_versions": [],
"fixed_versions": [],
"package_name": null,
"render_markdown": false,
"case_path": null,
"secure_code_topics": [
"authz-server-side-recheck",
"xss-output-encoding",
"proxy-trust-boundary"
],
"status": "triage",
"triage_reasons": [
"missing affected/fixed version details"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"historical_status": null,
"latest_status": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "xss-generic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [
"Elastic Security Announcements RSS"
],
"source_kinds": [
"rss-feed"
],
"candidate_count": 1
}
}
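Review bot: `system_id`, `display_name` and the `kibana--` prefix of `canonical_id` are wrong for this record: the title and summary describe a Packetbeat advisory (ESA-2026-11, CVE-2026-26933), not Kibana. It looks like every item from the Elastic Security Announcements RSS feed is keyed to Kibana; the product name is the first word of the title (`Packetbeat 8.19.11, 9.2.5 Security Update`) and should drive `system_id`. The same extraction gaps as in the previous record recur: `cve_ids` empty, `cvss_score` null next to `Medium ( 5.7 )`, and an `xss-generic` repro profile attached to a CWE-129 out-of-bounds read in network protocol parsers, where the advisory's own IOCs (panics, "index out of range" / "slice bounds" errors, repeated restarts) point to a crash-detection profile instead.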

View file

@@ -0,0 +1,61 @@
{
"canonical_id": "kibana--4bfdbe9da9",
"system_id": "kibana",
"display_name": "Kibana",
"category": "platforms",
"advisory_mode": "core",
"title": "Logstash 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-06)",
"summary": "<p><strong>Sensitive Information in Resource Not Removed Before Reuse in Logstash Leading to Access to Sensitive Information</strong></p>\n<p>Dependency on Vulnerable Third-Party Component (CWE-1395) exists in org.lz4:lz4-java decompression library used by logstash-integration-kafka plugin in Logstash that could allow an attacker to access sensitive information from previous buffer contents via Input Data Manipulation (CAPEC-153). Exploitation requires the attacker to produce specially crafted, malformed compressed input to a Kafka topic consumed by Logstash, causing the decompression process to expose residual data from reused output buffers that were not cleared between operations - CVE-2025-66566.</p>\n<p><strong>Affected Versions:</strong></p>\n<ul>\n<li>8.x: All versions from 8.15.0 up to and including 8.19.9</li>\n<li>9.x:\n<ul>\n<li>All versions from 9.0.0 up to and including 9.1.9</li>\n<li>All versions from 9.2.0 up to and including 9.2.3</li>\n</ul>\n</li>\n</ul>\n<p><strong>Affected Configurations:</strong><br>\nThis vulnerability is limited to Logstash deployments that have the logstash-integration-kafka plugin configured to consume from a Kafka topic to which the attacker can publish messages. 
The attacker requires network access to the Kafka cluster and sufficient Kafka-level permissions (e.g., Kafka ACLs, if configured) to publish messages to the target topic.</p>\n<p><strong>Solutions and Mitigations:</strong></p>\n<p>The issue is resolved in version 8.19.10, 9.1.10, 9.2.4.</p>\n<p><strong>For Users that Cannot Upgrade:</strong></p>\n<p>The attacker requires network access to the Kafka cluster and sufficient Kafka-level permissions (e.g., Kafka ACLs, if configured) to publish messages to the target topic.</p>\n<p>Manually update the logstash-integration-kafka plugin to version 11.8.1 or higher using: bin/logstash-plugin update logstash-integration-kafka</p>\n<p><strong>Severity:</strong> CVSSv3.1: Medium ( 5.9 ) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N<br>\n<strong>CVE ID</strong>: CVE-2025-66566<br>\n<strong>Problem Type:</strong> CWE-226 - Sensitive Information in Resource Not Removed Before Reuse<br>\n<strong>Impact:</strong> CAPEC-153 - Input Data Manipulation</p>\n <p><small>1 post - 1 participant</small></p>\n <p><a href=\"https://discuss.elastic.co/t/logstash-8-19-10-9-1-10-9-2-4-security-update-esa-2026-06/385531\">Read full topic</a></p>",
"published_at": "Thu, 19 Mar 2026 16:53:51 +0000",
"updated_at": "Thu, 19 Mar 2026 16:53:51 +0000",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://discuss.elastic.co/t/logstash-8-19-10-9-1-10-9-2-4-security-update-esa-2026-06/385531",
"secondary_source_urls": [],
"aliases": [],
"cve_ids": [],
"ghsa_ids": [],
"osv_ids": [],
"affected_versions": [],
"fixed_versions": [],
"package_name": null,
"render_markdown": false,
"case_path": null,
"secure_code_topics": [
"authz-server-side-recheck",
"xss-output-encoding",
"proxy-trust-boundary",
"plugin-extension-trust-policy",
"dependency-upgrade-policy"
],
"status": "triage",
"triage_reasons": [
"missing affected/fixed version details"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"historical_status": null,
"latest_status": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "xss-generic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [
"Elastic Security Announcements RSS"
],
"source_kinds": [
"rss-feed"
],
"candidate_count": 1
}
}
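Review bot: product mislabelled again: this is a Logstash advisory (ESA-2026-06) stored under `system_id: "kibana"`. Two fields are left null that the summary fills in: `package_name` should carry the vulnerable component (the text names `org.lz4:lz4-java` as used by `logstash-integration-kafka`, and gives `logstash-integration-kafka` 11.8.1 as the plugin-level fix via `bin/logstash-plugin update logstash-integration-kafka`), and `cve_ids` should contain CVE-2025-66566. Note also that the summary carries two different weakness types (CWE-1395 in the body, CWE-226 on the `Problem Type:` line); if a CWE is ever stored, take it from the `Problem Type:` line rather than the first CWE mentioned.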

View file

@@ -0,0 +1,60 @@
{
"canonical_id": "kibana--4d0ef3a07b",
"system_id": "kibana",
"display_name": "Kibana",
"category": "platforms",
"advisory_mode": "core",
"title": "Metricbeat 8.19.13, 9.2.5 Security Update (ESA-2026-09)",
"summary": "<p><strong>Memory Allocation with Excessive Size Value in Metricbeat Leading to Denial of Service</strong></p>\n<p>Memory Allocation with Excessive Size Value (CWE-789) in the Prometheus remote_write HTTP handler in Metricbeat can lead Denial of Service via Excessive Allocation (CAPEC-130).</p>\n<p><strong>Affected Versions:</strong></p>\n<ul>\n<li>8.x: All versions from 8.0.0 up to and including 8.19.12</li>\n<li>9.x: All versions from 9.0.0 up to and including 9.2.4</li>\n</ul>\n<p><strong>Affected Configurations:</strong><br>\nThe Prometheus <code>remote_write</code> module is not enabled by default in Metricbeat, so this issue only affects users who have enabled it.</p>\n<p><strong>Solutions and Mitigations:</strong></p>\n<p>The issue is resolved in version 8.19.13, 9.2.5 .</p>\n<p><strong>For Users that Cannot Upgrade:</strong></p>\n<ol>\n<li>Disable the remote_write module if it is not required for operations:\n<ul>\n<li>Remove or comment out the Prometheus <code>remote_write</code> configuration block in <code>metricbeat.yml</code></li>\n<li>Restart Metricbeat to apply changes</li>\n</ul>\n</li>\n<li>Restrict network access using firewall rules or network policies:\n<ul>\n<li>Limit access to the <code>remote_write</code> endpoint to trusted Prometheus server IP addresses only</li>\n<li>Use host: \"localhost\" binding if the Prometheus server runs on the same host</li>\n</ul>\n</li>\n</ol>\n<p><strong>Indicators of Compromise (IOC)</strong></p>\n<p>Log Patterns:</p>\n<ul>\n<li>Metricbeat process termination with \u201cout of memory\" messages in system logs</li>\n<li>Repeated Metricbeat crashes or restarts when the Prometheus <code>remote_write</code> module is enabled</li>\n<li>OOM events in kernel logs <code>dmesg</code> or container orchestration logs targeting the Metricbeat process</li>\n</ul>\n<p>Audit Trail Indicators:</p>\n<ul>\n<li>Sudden memory consumption spikes in Metricbeat process metrics immediately preceding process 
termination</li>\n<li>Network connections from unexpected or unauthorized source IP addresses to the <code>remote_write</code> endpoint port</li>\n</ul>\n<p><strong>Severity:</strong> CVSSv3.1: Medium ( 5.7 ) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H<br>\n<strong>CVE ID</strong>: CVE-2026-26931<br>\n<strong>Problem Type:</strong> CWE-789 - Memory Allocation with Excessive Size Value<br>\n<strong>Impact:</strong> CAPEC-130 - Excessive Allocation</p>\n <p><small>1 post - 1 participant</small></p>\n <p><a href=\"https://discuss.elastic.co/t/metricbeat-8-19-13-9-2-5-security-update-esa-2026-09/385532\">Read full topic</a></p>",
"published_at": "Thu, 19 Mar 2026 16:54:15 +0000",
"updated_at": "Thu, 19 Mar 2026 16:54:15 +0000",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://discuss.elastic.co/t/metricbeat-8-19-13-9-2-5-security-update-esa-2026-09/385532",
"secondary_source_urls": [],
"aliases": [],
"cve_ids": [],
"ghsa_ids": [],
"osv_ids": [],
"affected_versions": [],
"fixed_versions": [],
"package_name": null,
"render_markdown": false,
"case_path": null,
"secure_code_topics": [
"authz-server-side-recheck",
"xss-output-encoding",
"proxy-trust-boundary",
"plugin-extension-trust-policy"
],
"status": "triage",
"triage_reasons": [
"missing affected/fixed version details"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"historical_status": null,
"latest_status": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "xss-generic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [
"Elastic Security Announcements RSS"
],
"source_kinds": [
"rss-feed"
],
"candidate_count": 1
}
}
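Review bot: a Metricbeat advisory (ESA-2026-09, CVE-2026-26931) filed under Kibana, same mislabelling as the two records above. Beyond that, the `secure_code_topics` list (`xss-output-encoding`, `proxy-trust-boundary`, `plugin-extension-trust-policy`) has no relation to a CWE-789 excessive-allocation bug in the Prometheus `remote_write` HTTP handler; the advisory's own mitigations (disable the module, bind to localhost, restrict source IPs) describe a request-size / network-exposure problem, and `repro_profile_id` should not be `xss-generic` for it. If the topic tags are inferred per feed rather than per advisory, that inference should be dropped rather than emitting misleading tags.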

View file

@@ -0,0 +1,61 @@
{
"canonical_id": "kibana--844efe5dac",
"system_id": "kibana",
"display_name": "Kibana",
"category": "platforms",
"advisory_mode": "core",
"title": "Kibana 8.19.13, 9.2.7, 9.3.2 Security Update (ESA-2026-20)",
"summary": "<p><strong>Improper Validation of Specified Quantity in Input in Kibana Leading to Denial of Service</strong></p>\n<p>Improper Validation of Specified Quantity in Input (CWE-1284) in the Timelion visualization plugin in Kibana can lead Denial of Service via Excessive Allocation (CAPEC-130). The vulnerability allows an authenticated user to send a specially crafted Timelion expression that overwrites internal series data properties with an excessively large quantity value.</p>\n<p><strong>Affected Versions:</strong></p>\n<ul>\n<li>8.x: All versions from 8.0.0 up to and including 8.19.12</li>\n<li>9.x:\n<ul>\n<li>All versions from 9.0.0 up to and including 9.2.6</li>\n<li>All versions from 9.3.0 up to and including 9.3.1</li>\n</ul>\n</li>\n</ul>\n<p><strong>Affected Configurations:</strong></p>\n<p>The Timelion visualization plugin (visTypeTimelion) is enabled by default in Kibana and is listed under \"Legacy editors\" in the documentation.</p>\n<p><strong>Solutions and Mitigations:</strong></p>\n<p>The issue is resolved in version 8.19.13, 9.2.7, 9.3.2.</p>\n<p><strong>For Users that Cannot Upgrade:</strong></p>\n<p><strong>Self-hosted</strong><br>\nUsers can set this property in the Kibana config YAML file <code>vis_type_timelion.enabled: false</code></p>\n<p><strong>Cloud</strong><br>\nThere are no workaround</p>\n<p><strong>Indicators of Compromise (IOC)</strong></p>\n<p>Look for JavaScript heap out of memory or FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed errors in Kibana server logs, which indicate the Node.js process crashed due to memory exhaustion.</p>\n<p><strong>Elastic Cloud Serverless</strong></p>\n<p>Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.</p>\n<p><strong>Severity:</strong> CVSSv3.1: Medium ( 6.5 ) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H<br>\n<strong>CVE ID</strong>: 
CVE-2026-26940<br>\n<strong>Problem Type:</strong> CWE-1284 - Improper Validation of Specified Quantity in Input<br>\n<strong>Impact:</strong> CAPEC-130 - Excessive Allocation</p>\n <p><small>1 post - 1 participant</small></p>\n <p><a href=\"https://discuss.elastic.co/t/kibana-8-19-13-9-2-7-9-3-2-security-update-esa-2026-20/385535\">Read full topic</a></p>",
"published_at": "Thu, 19 Mar 2026 16:59:58 +0000",
"updated_at": "Thu, 19 Mar 2026 16:59:58 +0000",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://discuss.elastic.co/t/kibana-8-19-13-9-2-7-9-3-2-security-update-esa-2026-20/385535",
"secondary_source_urls": [],
"aliases": [],
"cve_ids": [],
"ghsa_ids": [],
"osv_ids": [],
"affected_versions": [],
"fixed_versions": [],
"package_name": null,
"render_markdown": false,
"case_path": null,
"secure_code_topics": [
"authz-server-side-recheck",
"xss-output-encoding",
"proxy-trust-boundary",
"plugin-extension-trust-policy",
"dependency-upgrade-policy"
],
"status": "triage",
"triage_reasons": [
"missing affected/fixed version details"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"historical_status": null,
"latest_status": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "xss-generic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [
"Elastic Security Announcements RSS"
],
"source_kinds": [
"rss-feed"
],
"candidate_count": 1
}
}
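Review bot: this record is genuinely Kibana, but it is still self-inconsistent: `affected_versions` and `fixed_versions` are empty while the summary lists them explicitly (8.0.0 to 8.19.12, 9.0.0 to 9.2.6 and 9.3.0 to 9.3.1 affected; 8.19.13, 9.2.7, 9.3.2 fixed), `cve_ids` omits CVE-2026-26940, and `severity: "unknown"` sits next to `CVSSv3.1: Medium ( 6.5 )`. The workaround the advisory gives (`vis_type_timelion.enabled: false` for self-hosted, none for Cloud) is the kind of detail a consumer of this record needs; if the schema has no mitigation field, at least the `status` should not be `triage` for a record whose source contains every value the triage reason says is missing.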

View file

@@ -0,0 +1,62 @@
{
"canonical_id": "kibana--ca14c406d9",
"system_id": "kibana",
"display_name": "Kibana",
"category": "platforms",
"advisory_mode": "core",
"title": "Elasticsearch 8.19.8, 9.1.8 Security Update (ESA-2026-18)",
"summary": "<p><strong>Deserialization of Untrusted Data in Elasticsearch Leading to Remote Code Execution</strong></p>\n<p>Dependency on Vulnerable Third-Party Component (CWE-1395) exists in PyTorch used by the machine learning model loading component in Elasticsearch that can allow an attacker to achieve remote code execution via Object Injection (CAPEC-586). Exploitation requires an attacker to have high-privileged access (the <code>machine_learning_admin</code> role) to upload and deploy a specially crafted, malicious model to the Elasticsearch cluster that triggers known vulnerabilities CVE-2025-32434.</p>\n<p><strong>Affected Versions:</strong></p>\n<ul>\n<li>8.x: All versions from 8.0.0 up to and including 8.19.7</li>\n<li>9.x: All versions from 9.0.0 up to and including 9.1.7</li>\n<li>Versions 9.2.0+ were never affected</li>\n</ul>\n<p><strong>Affected Configurations:</strong></p>\n<p>The vulnerability affects Elasticsearch deployments that have ML nodes and where PyTorch-based NLP models can be uploaded and deployed.</p>\n<p><strong>Solutions and Mitigations:</strong></p>\n<p>The issue is resolved in version 8.19.8, 9.1.8.</p>\n<p><strong>For Users that Cannot Upgrade:</strong></p>\n<p>Ensure that only trusted users are granted the machine_learning_admin role. Revoke this role from any users who do not have a legitimate need to upload or manage ML models.</p>\n<p>Disable ML entirely: If ML functionality is not required, set xpack.ml.enabled: false in elasticsearch.yml on all nodes. Note that this disables all ML features, not just PyTorch model loading.</p>\n<p>Only use models from trusted sources: As stated in the official Elastic documentation: \"PyTorch models can execute code on your Elasticsearch server, exposing your cluster to potential security vulnerabilities. 
Only use models from trusted sources and never use models from unverified or unknown providers.\"</p>\n<p><strong>Elastic Cloud Serverless</strong></p>\n<p>Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.</p>\n<p><strong>Severity:</strong> CVSSv3.1: High ( 7.2 ) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H<br>\n<strong>CVE ID</strong>: CVE-2025-32434<br>\n<strong>Problem Type:</strong> CWE-502 - Deserialization of Untrusted Data<br>\n<strong>Impact:</strong> CAPEC-586 - Object Injection</p>\n <p><small>1 post - 1 participant</small></p>\n <p><a href=\"https://discuss.elastic.co/t/elasticsearch-8-19-8-9-1-8-security-update-esa-2026-18/385534\">Read full topic</a></p>",
"published_at": "Thu, 19 Mar 2026 16:59:18 +0000",
"updated_at": "Thu, 19 Mar 2026 16:59:18 +0000",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://discuss.elastic.co/t/elasticsearch-8-19-8-9-1-8-security-update-esa-2026-18/385534",
"secondary_source_urls": [],
"aliases": [],
"cve_ids": [],
"ghsa_ids": [],
"osv_ids": [],
"affected_versions": [],
"fixed_versions": [],
"package_name": null,
"render_markdown": false,
"case_path": null,
"secure_code_topics": [
"authz-server-side-recheck",
"xss-output-encoding",
"proxy-trust-boundary",
"file-upload-validation",
"dependency-upgrade-policy",
"deserialization-safety"
],
"status": "triage",
"triage_reasons": [
"missing affected/fixed version details"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"historical_status": null,
"latest_status": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "xss-generic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [
"Elastic Security Announcements RSS"
],
"source_kinds": [
"rss-feed"
],
"candidate_count": 1
}
}
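Review bot: the most impactful record in this batch, an Elasticsearch advisory (ESA-2026-18) for remote code execution via PyTorch model deserialization rated `High ( 7.2 )`, is filed as Kibana and stored with `severity: "unknown"` and `cvss_score: null`; anyone sorting or alerting by severity will miss it. `cve_ids` should hold CVE-2025-32434, and `affected_versions` should preserve the explicit statement `Versions 9.2.0+ were never affected`, which is different information from "fixed in 9.1.8" and matters for anyone on 9.2.x deciding whether to act. The `deserialization-safety` and `file-upload-validation` topics are appropriate here; `xss-output-encoding` and `proxy-trust-boundary` are not.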

View file

@@ -0,0 +1,83 @@
{
"canonical_id": "mattermost--CVE-2026-22545",
"system_id": "mattermost",
"display_name": "Mattermost",
"category": "platforms",
"advisory_mode": "core",
"title": "Mattermost fails to validate user's authentication method when processing account auth type switch",
"summary": "Mattermost versions 10.11.x <= 10.11.10 fail to validate user's authentication method when processing account auth type switch which allows an authenticated attacker to change account password without confirmation via falsely claiming a different auth provider.. Mattermost Advisory ID: MMSA-2026-00583",
"published_at": "2026-03-16T15:30:47Z",
"updated_at": "2026-03-19T19:31:20.982512Z",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"source_confidence": "ecosystem-authority",
"official_source_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22545",
"secondary_source_urls": [
"https://github.com/mattermost/mattermost/commit/ced9a56e3988fe9fd4559d45f9971dbd562e2218",
"https://github.com/mattermost/mattermost",
"https://mattermost.com/security-updates"
],
"aliases": [
"CVE-2026-22545",
"GHSA-rv67-7w2g-7976"
],
"cve_ids": [
"CVE-2026-22545"
],
"ghsa_ids": [
"GHSA-rv67-7w2g-7976"
],
"osv_ids": [
"GHSA-rv67-7w2g-7976"
],
"affected_versions": [
"introduced=0, fixed<8.0.0-20260127144908-ced9a56e3988",
"introduced=0, fixed<5.3.2-0.20260127144908-ced9a56e3988",
"introduced=10.11.0-rc1, fixed<10.11.11",
"introduced=11.2.0-rc1, fixed<11.2.3",
"introduced=11.3.0-rc1, fixed<11.3.1"
],
"fixed_versions": [
"8.0.0-20260127144908-ced9a56e3988",
"5.3.2-0.20260127144908-ced9a56e3988",
"10.11.11",
"11.2.3",
"11.3.1"
],
"package_name": "github.com/mattermost/mattermost-server",
"render_markdown": true,
"case_path": "07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-22545.md",
"secure_code_topics": [
"authz-server-side-recheck",
"xss-output-encoding",
"token-cookie-storage",
"dependency-upgrade-policy"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"historical_status": null,
"latest_status": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "xss-generic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [
"OSV Mattermost"
],
"source_kinds": [
"osv-batch"
],
"candidate_count": 1
}
}
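Review bot: the summary and the version data in this record disagree on scope: the summary says only `10.11.x <= 10.11.10`, while `affected_versions` also covers `11.2.0-rc1` to `11.2.3` and `11.3.0-rc1` to `11.3.1`; the wider OSV ranges are the ones to trust, but the record should not present both without a note. Two of the `fixed_versions` entries (`8.0.0-20260127144908-ced9a56e3988` and `5.3.2-0.20260127144908-ced9a56e3988`) are Go module pseudo-versions copied verbatim from the OSV entry, not releases a user can install; either map them to the release they correspond to or mark them as module pseudo-versions so they are not shown as upgrade targets. Finally, `xss-output-encoding` in `secure_code_topics` and `repro_profile_id: "xss-generic"` do not match a flaw in validating the user's authentication method during an auth-type switch; `authz-server-side-recheck` is the relevant tag.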

View file

@@ -7,13 +7,14 @@
"title": "Next.js: null origin can bypass dev HMR websocket CSRF checks",
"summary": "## Summary\nIn `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins) is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly.\n\n## Impact\nIf a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only.\nApps without a configured [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins) still allow connections from any origin.\n\n## Patches\nFixed by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins. \n\n## Workarounds\nIf upgrade is not immediately possible:\n- Do not expose `next dev` to untrusted networks.\n- Block websocket upgrades to `/_next/webpack-hmr` when `Origin` is `null` at your proxy.",
"published_at": "2026-03-17T15:29:48Z",
"updated_at": "2026-03-17T15:46:26.028580Z",
"updated_at": "2026-03-19T18:32:38.608475Z",
"severity": "medium",
"cvss_score": 4.0,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-27977",
"https://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v16.1.7"
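Review bot: the only change in this hunk is `updated_at` moving from 2026-03-17T15:46:26 to 2026-03-19T18:32:38 with no other field touched, and the same updated_at-only bump repeats in the next two Next.js records. If the sync rewrites the record whenever the upstream timestamp or the fetch time changes, `updated_at` stops being a usable signal that the advisory content changed. Suggest hashing the remaining fields and skipping the write when nothing else differs, or keeping a separate `last_synced_at` so that `updated_at` only moves on a content change (the fourth Next.js hunk below, where the summary text actually changes, is the case that should move it).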

View file

@@ -7,13 +7,14 @@
"title": "Next.js: null origin can bypass Server Actions CSRF checks",
"summary": "## Summary\n`origin: null` was treated as a \"missing\" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests.\n\n## Impact\nAn attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF).\n\n## Patches\nFixed by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`. \n\n## Workarounds\nIf upgrade is not immediately possible:\n- Add CSRF tokens for sensitive Server Actions.\n- Prefer `SameSite=Strict` on sensitive auth cookies.\n- Do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected.",
"published_at": "2026-03-17T15:30:14Z",
"updated_at": "2026-03-17T15:46:43.484729Z",
"updated_at": "2026-03-19T18:31:23.523529Z",
"severity": "medium",
"cvss_score": 4.0,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-27978",
"https://github.com/vercel/next.js/commit/a27a11d78e748a8c7ccfd14b7759ad2b9bf097d8",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v16.1.7"

View file

@@ -7,13 +7,14 @@
"title": "Next.js: Unbounded postponed resume buffering can lead to DoS",
"summary": "## Summary\nA request containing the `next-resume: 1` header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing `maxPostponedStateSize` in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior.\n\n## Impact\nIn applications using the App Router with Partial Prerendering capability enabled (via `experimental.ppr` or `cacheComponents`), an attacker could send oversized `next-resume` POST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service.\n\n## Patches\nFixed by enforcing size limits across all postponed-body buffering paths and erroring when limits are exceeded. \n\n## Workarounds\nIf upgrade is not immediately possible:\n- Block requests containing the `next-resume` header, as this is never valid to be sent from an untrusted client.",
"published_at": "2026-03-17T16:16:49Z",
"updated_at": "2026-03-17T16:31:34.160932Z",
"updated_at": "2026-03-19T18:48:06.587119Z",
"severity": "medium",
"cvss_score": 4.0,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-27979",
"https://github.com/vercel/next.js/commit/c885d4825f800dd1e49ead37274dcd08cdd6f3f1",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v16.1.7"
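Review bot: only `updated_at` changes in this hunk (2026-03-17T16:31:34 to 2026-03-19T18:48:06) while `summary`, `published_at`, `severity`, `cvss_score` and every source URL are unchanged context. If `updated_at` mirrors the GHSA's own modification time that is correct; if it is the sync run's timestamp, compare the content fields before rewriting so a no-op sync does not touch the record, which also keeps the index's `latest_update` meaningful.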


@@ -5,15 +5,16 @@
"category": "frameworks",
"advisory_mode": "core",
"title": "Next.js: Unbounded next/image disk cache growth can exhaust storage",
"summary": "## Summary\nThe default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth.\n\n## Impact\nAn attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service.\n\n## Patches\nFixed by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. \n\n## Workarounds\nIf upgrade is not immediately possible:\n- Periodically clean `.next/cache/images`.\n- Reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`)",
"summary": "## Summary\nThe default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth.\n\n## Impact\nAn attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. Note that this does not impact platforms that have their own image optimization capabilities, such as Vercel.\n\n## Patches\nFixed by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. \n\n## Workarounds\nIf upgrade is not immediately possible:\n- Periodically clean `.next/cache/images`.\n- Reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`)",
"published_at": "2026-03-17T16:17:06Z",
"updated_at": "2026-03-17T16:31:33.597080Z",
"updated_at": "2026-03-19T18:47:09.413134Z",
"severity": "medium",
"cvss_score": 4.0,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-27980",
"https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v16.1.7"
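Review bot: the `summary` edit is a genuine content change (it adds the sentence that platforms with their own image optimization, such as Vercel, are not impacted), so the `updated_at` bump two lines below is justified. While the line is being rewritten, the trailing space in `disk caching. \n\n## Workarounds` carried over from the old line and the final workaround bullet still ends without a period; both are worth normalizing since the summary is rendered as markdown.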
@@ -32,10 +33,12 @@
"GHSA-3x4c-7xq6-9pq8"
],
"affected_versions": [
"introduced=10.0.0, fixed<16.1.7"
"introduced=16.0.0-beta.0, fixed<16.1.7",
"introduced=10.0.0, fixed<15.5.14"
],
"fixed_versions": [
"16.1.7"
"16.1.7",
"15.5.14"
],
"package_name": "next",
"render_markdown": true,
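Review bot: `affected_versions` splits the former single range into `introduced=16.0.0-beta.0, fixed<16.1.7` and `introduced=10.0.0, fixed<15.5.14`, consistent with the second entry added to `fixed_versions`. Check that the gap between the two ranges is intentional: any version that is at least 15.5.14 but below 16.0.0-beta.0 (for example 16.0.0 canary builds, if such tags exist) matches neither range and will be reported as unaffected. Also list the 15.x range before the 16.x range so the array stays in ascending order and later diffs are clean insertions.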


@@ -7,7 +7,7 @@
"title": "Next.js: HTTP request smuggling in rewrites",
"summary": "## Summary\nWhen Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.\n\n## Impact\nAn attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel. \n\n## Patches\nThe vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency\u2019s behavior so `content-length: 0` is added only when both `content-length` and `transfer-encoding` are absent, and `transfer-encoding` is no longer removed in that code path.\n\n## Workarounds\nIf upgrade is not immediately possible:\n- Block chunked `DELETE`/`OPTIONS` requests on rewritten routes at your edge/proxy.\n- Enforce authentication/authorization on backend routes per our [security guidance](https://nextjs.org/docs/app/guides/data-security).",
"published_at": "2026-03-17T16:17:15Z",
"updated_at": "2026-03-18T22:02:16.858114Z",
"updated_at": "2026-03-19T17:59:01.302251Z",
"severity": "medium",
"cvss_score": 4.0,
"exploit_status": "unknown",
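Review bot: this is a timestamp-only update: `updated_at` moves from 2026-03-18T22:02:16 to 2026-03-19T17:59:01 with every other visible field unchanged. Nothing in the data is wrong, but a reviewer cannot tell from the hunk what, if anything, changed upstream; storing a content hash or a short change note beside `updated_at` would make these bumps auditable.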

File diff too large to display.


@@ -3,10 +3,10 @@
"display_name": "Kibana",
"category": "platforms",
"tier": "rolling-24m",
"total": 41,
"total": 47,
"markdown_cases": 0,
"triage_count": 0,
"latest_update": "",
"triage_count": 6,
"latest_update": "Thu, 19 Mar 2026 16:59:58 +0000",
"output_dir": "07-framework-security/platforms/kibana",
"secure_code_topics": [
"authz-server-side-recheck",
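Review bot: `latest_update` is written here in RFC 2822 style (`Thu, 19 Mar 2026 16:59:58 +0000`), whereas the per-record `updated_at` values in this commit are ISO 8601 (`2026-03-19T18:48:06.587119Z`); normalize to one format at ingest, otherwise the indexes cannot be sorted or compared by date. Separately, `total` rises 41 to 47 while `triage_count` goes 0 to 6, so the six new triage items are counted in `total` before their version data is resolved; that is fine if `total` means "ingested", but the field name should say so.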
@@ -16,8 +16,14 @@
"verified_real": 0,
"verified_synthetic": 0,
"blocked_count": 0,
"manual_count": 41,
"manual_count": 47,
"items": [
"kibana--844efe5dac",
"kibana--ca14c406d9",
"kibana--0fcd01159e",
"kibana--4d0ef3a07b",
"kibana--4bfdbe9da9",
"kibana--012933e759",
"kibana--02f2023a8a",
"kibana--082700f544",
"kibana--0e828e6029",
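Review bot: the six new IDs are prepended to `items` out of order (`kibana--844efe5dac`, `kibana--ca14c406d9`, `kibana--0fcd01159e`, ...) while the entries below them are sorted ascending; sorting on write keeps the file deterministic and the diff a clean insertion. Also `manual_count` rises 41 to 47 by the same six, so items still in triage are being counted as manual cases; if `manual_count` is meant to be cases ready for review, exclude items until their triage resolves.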


@@ -3,8 +3,8 @@
"display_name": "Mattermost",
"category": "platforms",
"tier": "rolling-24m",
"total": 20,
"markdown_cases": 20,
"total": 21,
"markdown_cases": 21,
"triage_count": 0,
"latest_update": "Fix Release Date",
"output_dir": "07-framework-security/platforms/mattermost",
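Review bot: the unchanged context line `"latest_update": "Fix Release Date"` shows the Mattermost scraper storing the advisory table's column header instead of a date. Since this hunk already rewrites the counts for this index, it is the moment to make the parser skip the header row and write a real timestamp (or an empty string when none is known, as the Kibana index did before this commit).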
@@ -16,9 +16,10 @@
"verified_real": 0,
"verified_synthetic": 0,
"blocked_count": 0,
"manual_count": 20,
"manual_count": 21,
"items": [
"mattermost--Issue Identifier",
"mattermost--CVE-2026-22545",
"mattermost--CVE-2026-4265",
"mattermost--MMSA-2026-00574",
"mattermost--MMSA-2026-00603",
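Review bot: `mattermost--Issue Identifier` in the context lines is the same header-row artifact: "Issue Identifier" is a column title, not an advisory ID, so it should not be an item, and `total`/`manual_count` (now 21) are likely one higher than the number of real advisories. Filter rows whose identifier does not match the `CVE-` or `MMSA-` pattern before counting.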


@@ -6,7 +6,7 @@
"total": 66,
"markdown_cases": 41,
"triage_count": 25,
"latest_update": "2026-03-18T22:02:16.858114Z",
"latest_update": "2026-03-19T18:48:06.587119Z",
"output_dir": "07-framework-security/frameworks/nextjs",
"secure_code_topics": [
"authz-server-side-recheck",


@@ -0,0 +1,12 @@
{
"canonical_id": "kibana--012933e759",
"system_id": "kibana",
"title": "Kibana 8.19.12, 9.2.6, 9.3.1 Security Update (ESA-2026-19)",
"reasons": [
"missing affected/fixed version details"
],
"candidate_count": 1,
"references": [
"https://discuss.elastic.co/t/kibana-8-19-12-9-2-6-9-3-1-security-update-esa-2026-19/385530"
]
}
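Review bot: the triage reason is `missing affected/fixed version details`, yet the `title` already names the fixed releases (8.19.12, 9.2.6, 9.3.1), and the other ESA titles added in this commit follow the same "product versions Security Update (ESA-id)" pattern; parsing `fixed_versions` from the title would clear this class of triage item automatically, leaving only the affected ranges to take from the linked discuss.elastic.co post.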


@@ -0,0 +1,12 @@
{
"canonical_id": "kibana--0fcd01159e",
"system_id": "kibana",
"title": "Packetbeat 8.19.11, 9.2.5 Security Update (ESA-2026-11)",
"reasons": [
"missing affected/fixed version details"
],
"candidate_count": 1,
"references": [
"https://discuss.elastic.co/t/packetbeat-8-19-11-9-2-5-security-update-esa-2026-11/385533"
]
}
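Review bot: `system_id` is `kibana` but ESA-2026-11 is a Packetbeat advisory, a Beats shipper rather than Kibana. The Elastic announcements feed covers the whole stack, so the ingester should map each ESA to its product from the title (or keep a separate Elastic-wide system) instead of filing everything under Kibana; as it stands Kibana's `total` is inflated and Beats users never see this record.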


@@ -0,0 +1,12 @@
{
"canonical_id": "kibana--4bfdbe9da9",
"system_id": "kibana",
"title": "Logstash 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-06)",
"reasons": [
"missing affected/fixed version details"
],
"candidate_count": 1,
"references": [
"https://discuss.elastic.co/t/logstash-8-19-10-9-1-10-9-2-4-security-update-esa-2026-06/385531"
]
}
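Review bot: ESA-2026-06 is a Logstash advisory filed under `system_id: kibana`, the same product mismatch as the other Elastic triage files here. Note that the fixed versions in the title (8.19.10, 9.1.10, 9.2.4) span three release lines, so any title parser added for `fixed_versions` must accept a variable number of versions.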


@@ -0,0 +1,12 @@
{
"canonical_id": "kibana--4d0ef3a07b",
"system_id": "kibana",
"title": "Metricbeat 8.19.13, 9.2.5 Security Update (ESA-2026-09)",
"reasons": [
"missing affected/fixed version details"
],
"candidate_count": 1,
"references": [
"https://discuss.elastic.co/t/metricbeat-8-19-13-9-2-5-security-update-esa-2026-09/385532"
]
}
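Review bot: Metricbeat (ESA-2026-09) is filed under `system_id: kibana`; since the `canonical_id` prefix `kibana--` is derived from that field, correcting the product mapping will also rename this record and the index entry that points at it, so fix the mapping before these IDs are referenced elsewhere.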


@@ -0,0 +1,12 @@
{
"canonical_id": "kibana--844efe5dac",
"system_id": "kibana",
"title": "Kibana 8.19.13, 9.2.7, 9.3.2 Security Update (ESA-2026-20)",
"reasons": [
"missing affected/fixed version details"
],
"candidate_count": 1,
"references": [
"https://discuss.elastic.co/t/kibana-8-19-13-9-2-7-9-3-2-security-update-esa-2026-20/385535"
]
}


@@ -0,0 +1,12 @@
{
"canonical_id": "kibana--ca14c406d9",
"system_id": "kibana",
"title": "Elasticsearch 8.19.8, 9.1.8 Security Update (ESA-2026-18)",
"reasons": [
"missing affected/fixed version details"
],
"candidate_count": 1,
"references": [
"https://discuss.elastic.co/t/elasticsearch-8-19-8-9-1-8-security-update-esa-2026-18/385534"
]
}
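Review bot: Elasticsearch (ESA-2026-18) under `system_id: kibana` is the most consequential of the mislabelled Elastic records, because Elasticsearch is a separate server product with its own advisory stream and user base; if the corpus has no Elasticsearch system yet, adding one is preferable to leaving its advisories counted against Kibana.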