更新: 291 个文件 - 2026-03-23 03:00:08
@@ -0,0 +1,180 @@
|
||||
{
|
||||
"canonical_id": "caddy--CVE-2026-30851",
|
||||
"system_id": "caddy",
|
||||
"display_name": "Caddy",
|
||||
"category": "servers",
|
||||
"advisory_mode": "server",
|
||||
"title": "Caddy forward_auth copy_headers allows Identity Injection and Privilege Escalation in github.com/caddyserver/caddy",
|
||||
"summary": "Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation in github.com/caddyserver/caddy",
|
||||
"published_at": "2026-03-10T18:28:25Z",
|
||||
"updated_at": "2026-03-23T04:52:47.652974Z",
|
||||
"severity": "unknown",
|
||||
"cvss_score": null,
|
||||
"exploit_status": "unknown",
|
||||
"source_confidence": "official",
|
||||
"official_source_url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-7r4p-vjf4-gxv4",
|
||||
"secondary_source_urls": [
|
||||
"https://github.com/caddyserver/caddy/pull/6608",
|
||||
"https://github.com/caddyserver/caddy/pull/7545",
|
||||
"https://github.com/caddyserver/caddy/issues/6610"
|
||||
],
|
||||
"aliases": [
|
||||
"CVE-2026-30851",
|
||||
"GHSA-7r4p-vjf4-gxv4",
|
||||
"GO-2026-4639"
|
||||
],
|
||||
"cve_ids": [
|
||||
"CVE-2026-30851"
|
||||
],
|
||||
"ghsa_ids": [
|
||||
"GHSA-7r4p-vjf4-gxv4"
|
||||
],
|
||||
"osv_ids": [
|
||||
"GO-2026-4639"
|
||||
],
|
||||
"affected_versions": [
|
||||
"introduced=2.10.0, fixed<2.11.2"
|
||||
],
|
||||
"fixed_versions": [
|
||||
"2.11.2"
|
||||
],
|
||||
"package_name": "github.com/caddyserver/caddy/v2",
|
||||
"render_markdown": false,
|
||||
"case_path": null,
|
||||
"secure_code_topics": [
|
||||
"proxy-trust-boundary",
|
||||
"request-smuggling-boundary"
|
||||
],
|
||||
"status": "generated",
|
||||
"triage_reasons": [],
|
||||
"entity_refs": [
|
||||
{
|
||||
"entity_id": "caddy",
|
||||
"entity_type": "system",
|
||||
"relation": "root-system",
|
||||
"root_system_id": "caddy",
|
||||
"official": true
|
||||
},
|
||||
{
|
||||
"entity_id": "caddy--repo--github-com-caddyserver-caddy-v2",
|
||||
"entity_type": "repo",
|
||||
"relation": "affected-component",
|
||||
"root_system_id": "caddy",
|
||||
"official": false
|
||||
}
|
||||
],
|
||||
"affected_components": [
|
||||
{
|
||||
"name": "caddyserver / caddy / v2",
|
||||
"entity_id": "caddy--repo--github-com-caddyserver-caddy-v2",
|
||||
"scope": "repo",
|
||||
"package_name": "github.com/caddyserver/caddy/v2",
|
||||
"official": false
|
||||
}
|
||||
],
|
||||
"affected_version_ranges": [
|
||||
"introduced=2.10.0, fixed<2.11.2"
|
||||
],
|
||||
"fixed_version_ranges": [
|
||||
"2.11.2"
|
||||
],
|
||||
"introduced_version": "introduced=2.10.0, fixed<2.11.2",
|
||||
"patched_version": "2.11.2",
|
||||
"version_evidence_sources": [
|
||||
"https://github.com/caddyserver/caddy/security/advisories/GHSA-7r4p-vjf4-gxv4",
|
||||
"https://github.com/caddyserver/caddy/pull/6608",
|
||||
"https://github.com/caddyserver/caddy/pull/7545",
|
||||
"https://github.com/caddyserver/caddy/issues/6610"
|
||||
],
|
||||
"affected_version_refs": [
|
||||
"caddy--repo--github-com-caddyserver-caddy-v2--introduced-2-10-0-fixed-2-11-2"
|
||||
],
|
||||
"fixed_version_refs": [
|
||||
"caddy--repo--github-com-caddyserver-caddy-v2--2-11-2"
|
||||
],
|
||||
"patched_version_refs": [
|
||||
"caddy--repo--github-com-caddyserver-caddy-v2--2-11-2"
|
||||
],
|
||||
"version_sync_confidence": "high",
|
||||
"advisory_scope": "repo",
|
||||
"version_confidence": "high",
|
||||
"version_gap_reason": "",
|
||||
"version_resolution_needed": false,
|
||||
"workflow": {
|
||||
"workflow_id": "caddy--CVE-2026-30851--workflow",
|
||||
"vuln_family": "unknown",
|
||||
"entry_surface": "repo-surface",
|
||||
"preconditions": [
|
||||
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
|
||||
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: introduced=2.10.0, fixed<2.11.2",
|
||||
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `repo`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
|
||||
],
|
||||
"required_role": "unknown",
|
||||
"affected_version_assertion": [
|
||||
"introduced=2.10.0, fixed<2.11.2"
|
||||
],
|
||||
"trigger_vector": "\u5bf9 `unknown` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
|
||||
"request_or_ui_path": [
|
||||
"/repo"
|
||||
],
|
||||
"input_shape": "\u63d0\u4ea4\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\u3002",
|
||||
"expected_unsafe_behavior": "\u76ee\u6807\u8868\u73b0\u51fa\u8d85\u51fa\u8bbe\u8ba1\u8fb9\u754c\u7684\u884c\u4e3a\u3002",
|
||||
"server_evidence_points": [
|
||||
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
|
||||
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
|
||||
],
|
||||
"browser_evidence_points": [
|
||||
"\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
|
||||
"console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
|
||||
],
|
||||
"db_or_fs_evidence_points": [
|
||||
"\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
|
||||
"\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
|
||||
],
|
||||
"detection_signals": [
|
||||
"WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
|
||||
"\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6"
|
||||
],
|
||||
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
|
||||
"patch_validation_steps": [
|
||||
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `introduced=2.10.0, fixed<2.11.2` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `2.11.2`\u3002",
|
||||
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
|
||||
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
|
||||
"\u8865\u5145 `unknown` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
|
||||
],
|
||||
"lab_safety_notes": [
|
||||
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
|
||||
"\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
|
||||
"\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
|
||||
],
|
||||
"review_state": "ready"
|
||||
},
|
||||
"verification_status": "triage-manual",
|
||||
"verification_mode": "synthetic",
|
||||
"last_verified_at": null,
|
||||
"last_run_id": null,
|
||||
"evidence_bundle": null,
|
||||
"historical_status": null,
|
||||
"latest_status": null,
|
||||
"browser_evidence": {
|
||||
"required": false,
|
||||
"present": false,
|
||||
"refs": []
|
||||
},
|
||||
"repro_profile_id": "proxy-boundary-generic",
|
||||
"artifact_mode": "synthetic",
|
||||
"blocked_reason": null,
|
||||
"metadata": {
|
||||
"source_names": [
|
||||
"OSV Caddy"
|
||||
],
|
||||
"source_kinds": [
|
||||
"osv-batch"
|
||||
],
|
||||
"candidate_count": 1,
|
||||
"entity_ref_count": 2,
|
||||
"advisory_scope": "repo",
|
||||
"version_confidence": "high",
|
||||
"workflow_id": "caddy--CVE-2026-30851--workflow"
|
||||
}
|
||||
}
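Review bot: The workflow block is marked `"review_state": "ready"` while every field that would let someone reproduce or detect this issue is still a template placeholder — `"vuln_family": "unknown"`, `"required_role": "unknown"`, `"request_or_ui_path": ["/repo"]`, and a `trigger_vector` that only says to submit input to the `unknown` family entry — even though the title already pins the class (forward_auth `copy_headers` passing client-supplied headers through as identity). For this advisory the trigger vector should state what a tester does: send a request through a `forward_auth`-protected route that pre-sets the same header names listed in `copy_headers`, then check whether the upstream receives the client's value instead of the value set by the auth backend; `required_role` is then an unauthenticated client at the proxy, which the title's "Client-Supplied Headers" implies. The `secure_code_topics` entry `"request-smuggling-boundary"` and the `detection_signals` about template rendering and upload events are not supported by the advisory and should be dropped; the useful detection signal is the proxy access log showing inbound requests that already carry the `copy_headers` names. Either fill these in from the linked advisory or set `review_state` to something other than `ready` so the generic template is not mistaken for a triaged workflow.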
|
||||
@@ -0,0 +1,178 @@
|
||||
{
|
||||
"canonical_id": "caddy--CVE-2026-30852",
|
||||
"system_id": "caddy",
|
||||
"display_name": "Caddy",
|
||||
"category": "servers",
|
||||
"advisory_mode": "server",
|
||||
"title": "Caddy's vars_regexp double-expands user input, leaking env vars and files in github.com/caddyserver/caddy",
|
||||
"summary": "Caddy's vars_regexp double-expands user input, leaking env vars and files in github.com/caddyserver/caddy",
|
||||
"published_at": "2026-03-10T18:28:25Z",
|
||||
"updated_at": "2026-03-23T04:52:47.870034Z",
|
||||
"severity": "unknown",
|
||||
"cvss_score": null,
|
||||
"exploit_status": "unknown",
|
||||
"source_confidence": "official",
|
||||
"official_source_url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-m2w3-8f23-hxxf",
|
||||
"secondary_source_urls": [
|
||||
"https://github.com/caddyserver/caddy/pull/5408",
|
||||
"https://github.com/caddyserver/caddy/releases/tag/v2.11.2"
|
||||
],
|
||||
"aliases": [
|
||||
"CVE-2026-30852",
|
||||
"GHSA-m2w3-8f23-hxxf",
|
||||
"GO-2026-4644"
|
||||
],
|
||||
"cve_ids": [
|
||||
"CVE-2026-30852"
|
||||
],
|
||||
"ghsa_ids": [
|
||||
"GHSA-m2w3-8f23-hxxf"
|
||||
],
|
||||
"osv_ids": [
|
||||
"GO-2026-4644"
|
||||
],
|
||||
"affected_versions": [
|
||||
"introduced=2.7.5, fixed<2.11.2"
|
||||
],
|
||||
"fixed_versions": [
|
||||
"2.11.2"
|
||||
],
|
||||
"package_name": "github.com/caddyserver/caddy/v2",
|
||||
"render_markdown": false,
|
||||
"case_path": null,
|
||||
"secure_code_topics": [
|
||||
"proxy-trust-boundary",
|
||||
"request-smuggling-boundary"
|
||||
],
|
||||
"status": "generated",
|
||||
"triage_reasons": [],
|
||||
"entity_refs": [
|
||||
{
|
||||
"entity_id": "caddy",
|
||||
"entity_type": "system",
|
||||
"relation": "root-system",
|
||||
"root_system_id": "caddy",
|
||||
"official": true
|
||||
},
|
||||
{
|
||||
"entity_id": "caddy--repo--github-com-caddyserver-caddy-v2",
|
||||
"entity_type": "repo",
|
||||
"relation": "affected-component",
|
||||
"root_system_id": "caddy",
|
||||
"official": false
|
||||
}
|
||||
],
|
||||
"affected_components": [
|
||||
{
|
||||
"name": "caddyserver / caddy / v2",
|
||||
"entity_id": "caddy--repo--github-com-caddyserver-caddy-v2",
|
||||
"scope": "repo",
|
||||
"package_name": "github.com/caddyserver/caddy/v2",
|
||||
"official": false
|
||||
}
|
||||
],
|
||||
"affected_version_ranges": [
|
||||
"introduced=2.7.5, fixed<2.11.2"
|
||||
],
|
||||
"fixed_version_ranges": [
|
||||
"2.11.2"
|
||||
],
|
||||
"introduced_version": "introduced=2.7.5, fixed<2.11.2",
|
||||
"patched_version": "2.11.2",
|
||||
"version_evidence_sources": [
|
||||
"https://github.com/caddyserver/caddy/security/advisories/GHSA-m2w3-8f23-hxxf",
|
||||
"https://github.com/caddyserver/caddy/pull/5408",
|
||||
"https://github.com/caddyserver/caddy/releases/tag/v2.11.2"
|
||||
],
|
||||
"affected_version_refs": [
|
||||
"caddy--repo--github-com-caddyserver-caddy-v2--introduced-2-7-5-fixed-2-11-2"
|
||||
],
|
||||
"fixed_version_refs": [
|
||||
"caddy--repo--github-com-caddyserver-caddy-v2--2-11-2"
|
||||
],
|
||||
"patched_version_refs": [
|
||||
"caddy--repo--github-com-caddyserver-caddy-v2--2-11-2"
|
||||
],
|
||||
"version_sync_confidence": "high",
|
||||
"advisory_scope": "repo",
|
||||
"version_confidence": "high",
|
||||
"version_gap_reason": "",
|
||||
"version_resolution_needed": false,
|
||||
"workflow": {
|
||||
"workflow_id": "caddy--CVE-2026-30852--workflow",
|
||||
"vuln_family": "unknown",
|
||||
"entry_surface": "repo-surface",
|
||||
"preconditions": [
|
||||
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
|
||||
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: introduced=2.7.5, fixed<2.11.2",
|
||||
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `repo`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
|
||||
],
|
||||
"required_role": "unknown",
|
||||
"affected_version_assertion": [
|
||||
"introduced=2.7.5, fixed<2.11.2"
|
||||
],
|
||||
"trigger_vector": "\u5bf9 `unknown` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
|
||||
"request_or_ui_path": [
|
||||
"/repo"
|
||||
],
|
||||
"input_shape": "\u63d0\u4ea4\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\u3002",
|
||||
"expected_unsafe_behavior": "\u76ee\u6807\u8868\u73b0\u51fa\u8d85\u51fa\u8bbe\u8ba1\u8fb9\u754c\u7684\u884c\u4e3a\u3002",
|
||||
"server_evidence_points": [
|
||||
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
|
||||
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
|
||||
],
|
||||
"browser_evidence_points": [
|
||||
"\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
|
||||
"console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
|
||||
],
|
||||
"db_or_fs_evidence_points": [
|
||||
"\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
|
||||
"\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
|
||||
],
|
||||
"detection_signals": [
|
||||
"WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
|
||||
"\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6"
|
||||
],
|
||||
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
|
||||
"patch_validation_steps": [
|
||||
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `introduced=2.7.5, fixed<2.11.2` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `2.11.2`\u3002",
|
||||
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
|
||||
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
|
||||
"\u8865\u5145 `unknown` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
|
||||
],
|
||||
"lab_safety_notes": [
|
||||
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
|
||||
"\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
|
||||
"\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
|
||||
],
|
||||
"review_state": "ready"
|
||||
},
|
||||
"verification_status": "triage-manual",
|
||||
"verification_mode": "synthetic",
|
||||
"last_verified_at": null,
|
||||
"last_run_id": null,
|
||||
"evidence_bundle": null,
|
||||
"historical_status": null,
|
||||
"latest_status": null,
|
||||
"browser_evidence": {
|
||||
"required": false,
|
||||
"present": false,
|
||||
"refs": []
|
||||
},
|
||||
"repro_profile_id": "proxy-boundary-generic",
|
||||
"artifact_mode": "synthetic",
|
||||
"blocked_reason": null,
|
||||
"metadata": {
|
||||
"source_names": [
|
||||
"OSV Caddy"
|
||||
],
|
||||
"source_kinds": [
|
||||
"osv-batch"
|
||||
],
|
||||
"candidate_count": 1,
|
||||
"entity_ref_count": 2,
|
||||
"advisory_scope": "repo",
|
||||
"version_confidence": "high",
|
||||
"workflow_id": "caddy--CVE-2026-30852--workflow"
|
||||
}
|
||||
}
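Review bot: `"repro_profile_id": "proxy-boundary-generic"` and the `secure_code_topics` `proxy-trust-boundary` / `request-smuggling-boundary` do not match this advisory, whose title describes `vars_regexp` double-expanding user input and leaking environment variables and files — an information-disclosure bug in placeholder expansion, not a proxy trust-boundary issue (the whole `workflow` block is copied verbatim from the CVE-2026-30851 entry above). The `trigger_vector` should say that the tester sends request input containing placeholder syntax that a `vars_regexp` match captures, then checks whether the response or the upstream request exposes environment-variable or file contents; the `db_or_fs_evidence_points` about uploads and cache entries do not apply, and the evidence is the leaked content in the response body or proxy log. A detection signal would be requests whose matched input contains placeholder syntax, which the access log only shows if the captured variable is logged — that depends on the site's logging config, so hedge it. As with the sibling entry, `"review_state": "ready"` is premature while `vuln_family` and `required_role` are `unknown`.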
|
||||
@@ -4,24 +4,24 @@
|
||||
"display_name": "Traefik",
|
||||
"category": "servers",
|
||||
"advisory_mode": "server",
|
||||
"title": "Traefik: tcp router clears read deadlines before tls forwarding, enabling stalled handshakes (Slowloris DOS)",
|
||||
"summary": "## Impact\n\nThere is a potential vulnerability in Traefik managing TLS handshake on TCP routers.\n\nWhen Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing is cleared before the TLS handshake is completed. When a TLS handshake read error occurs, the code attempts a second handshake with different connection parameters, silently ignoring the initial error. A remote unauthenticated client can exploit this by sending an incomplete TLS record and stopping further data transmission, causing the TLS handshake to stall indefinitely and holding connections open.\n\nBy opening many such stalled connections in parallel, an attacker can exhaust file descriptors and goroutines, degrading availability of all services on the affected entrypoint.\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.38\n- https://github.com/traefik/traefik/releases/tag/v3.6.9\n\n## Workarounds\n\nNo workaround available.\n\n## For more information\n\nIf there are any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n---\n\n<details>\n<summary>Original Description</summary>\n\nTraefik's TCP router uses a connection-level read deadline to bound protocol sniffing (peeking a TLS client hello), but then clears the deadline via conn.SetDeadline(time.Time{}) before delegating the connection to TLS forwarding.\n\nA remote unauthenticated client can send an incomplete TLS record header and stop sending data. 
After the initial peek times out, the router clears the deadline and the subsequent TLS handshake reads can stall indefinitely, holding connections open and consuming resources.\n\n### Expected vs Actual\n\nExpected: if an entrypoint-level read deadline is used to bound initial protocol sniffing, TLS handshake reads should remain bounded by a deadline (either the same deadline is preserved, or a dedicated handshake timeout is enforced).\n\nActual: after protocol sniffing the router clears the connection deadline and delegates to TLS handling; an attacker can keep the TLS handshake stalled beyond the configured read timeout.\n\n### Severity\n\nHIGH\nCWE: CWE-400 (Uncontrolled Resource Consumption)\n\n### Affected Code\n\n- pkg/server/router/tcp/router.go: (*Router).ServeTCP clears the deadline before TLS forwarding\n- conn.SetDeadline(time.Time{}) removes the entrypoint-level deadline that previously bounded reads\n\n### Root Cause\n\nIn (*Router).ServeTCP, after sniffing a TLS client hello, the router removes the connection read deadline:\n\n // Remove read/write deadline and delegate this to underlying TCP server\n // (for now only handled by HTTP Server)\n if err := conn.SetDeadline(time.Time{}); err != nil {\n ...\n }\n\nTLS handshake reads that happen after this point are not guaranteed to have any deadline, so a client that stops sending bytes can keep the connection open indefinitely.\n\n### Attacker Control\n\nAttacker-controlled input is the raw TCP byte stream on an entrypoint that routes to a TLS forwarder. The attacker controls:\n\n1. Sending a partial TLS record header (enough to trigger the TLS sniffing path)\n2. Stopping further sends so the subsequent handshake read blocks\n\n### Impact\n\nEach stalled connection occupies file descriptors and goroutines (and may consume additional memory depending on buffering). 
By opening many such connections in parallel, an attacker can cause resource exhaustion and degrade availability.\n\n### Reproduction\n\nAttachments include poc.zip with a self-contained integration harness. It pins the repository commit, applies fix.patch as the control variant, and runs a regression-style test that demonstrates the stall in canonical mode and the timeout in control mode.\n\nRun canonical (vulnerable):\n\n unzip poc.zip -d poc\n cd poc\n make test\n\nCanonical output excerpt: PROOF_MARKER\n\nRun control (deadline preserved / no stall):\n\n unzip poc.zip -d poc\n cd poc\n make control\n\nControl output excerpt: NC_MARKER\n\n### Recommended Fix\n\nDo not clear the entrypoint-level deadline prior to completing TLS handshake, or enforce a dedicated handshake timeout for the TLS forwarder path.\n\nFix accepted when: an incomplete TLS record cannot stall past the configured entrypoint-level read deadline (or an explicit handshake timeout), and a regression test covers the canonical/control behavior.\n\n</details>",
|
||||
"published_at": "2026-03-04T18:29:09Z",
|
||||
"updated_at": "2026-03-05T22:46:34.795238Z",
|
||||
"severity": "low",
|
||||
"cvss_score": 3.1,
|
||||
"title": "Traefik: tcp router clears read deadlines before tls forwarding, enabling stalled handshakes (Slowloris DOS) in github.com/traefik/traefik",
|
||||
"summary": "Traefik: tcp router clears read deadlines before tls forwarding, enabling stalled handshakes (Slowloris DOS) in github.com/traefik/traefik",
|
||||
"published_at": "2026-03-10T18:28:10Z",
|
||||
"updated_at": "2026-03-23T04:53:12.548643Z",
|
||||
"severity": "unknown",
|
||||
"cvss_score": null,
|
||||
"exploit_status": "unknown",
|
||||
"source_confidence": "official",
|
||||
"official_source_url": "https://github.com/traefik/traefik/security/advisories/GHSA-xw98-5q62-jx94",
|
||||
"secondary_source_urls": [
|
||||
"https://nvd.nist.gov/vuln/detail/CVE-2026-26999",
|
||||
"https://github.com/traefik/traefik",
|
||||
"https://github.com/traefik/traefik/releases/tag/v2.11.38",
|
||||
"https://github.com/traefik/traefik/releases/tag/v3.6.9"
|
||||
],
|
||||
"aliases": [
|
||||
"CVE-2026-26999",
|
||||
"GHSA-xw98-5q62-jx94"
|
||||
"GHSA-xw98-5q62-jx94",
|
||||
"GO-2026-4594"
|
||||
],
|
||||
"cve_ids": [
|
||||
"CVE-2026-26999"
|
||||
@@ -30,9 +30,10 @@
|
||||
"GHSA-xw98-5q62-jx94"
|
||||
],
|
||||
"osv_ids": [
|
||||
"GHSA-xw98-5q62-jx94"
|
||||
"GO-2026-4594"
|
||||
],
|
||||
"affected_versions": [
|
||||
"introduced=0",
|
||||
"introduced=0, fixed<2.11.38",
|
||||
"introduced=0, fixed<3.6.9"
|
||||
],
|
||||
@@ -45,8 +46,7 @@
|
||||
"case_path": null,
|
||||
"secure_code_topics": [
|
||||
"proxy-trust-boundary",
|
||||
"request-smuggling-boundary",
|
||||
"dependency-upgrade-policy"
|
||||
"request-smuggling-boundary"
|
||||
],
|
||||
"status": "generated",
|
||||
"triage_reasons": [],
|
||||
@@ -76,6 +76,7 @@
|
||||
}
|
||||
],
|
||||
"affected_version_ranges": [
|
||||
"introduced=0",
|
||||
"introduced=0, fixed<2.11.38",
|
||||
"introduced=0, fixed<3.6.9"
|
||||
],
|
||||
@@ -88,11 +89,11 @@
|
||||
"version_evidence_sources": [
|
||||
"https://github.com/traefik/traefik/security/advisories/GHSA-xw98-5q62-jx94",
|
||||
"https://nvd.nist.gov/vuln/detail/CVE-2026-26999",
|
||||
"https://github.com/traefik/traefik",
|
||||
"https://github.com/traefik/traefik/releases/tag/v2.11.38",
|
||||
"https://github.com/traefik/traefik/releases/tag/v3.6.9"
|
||||
],
|
||||
"affected_version_refs": [
|
||||
"traefik--repo--github-com-traefik-traefik-v3--introduced-0",
|
||||
"traefik--repo--github-com-traefik-traefik-v3--introduced-0-fixed-2-11-38",
|
||||
"traefik--repo--github-com-traefik-traefik-v3--introduced-0-fixed-3-6-9"
|
||||
],
|
||||
@@ -110,26 +111,25 @@
|
||||
"version_resolution_needed": false,
|
||||
"workflow": {
|
||||
"workflow_id": "traefik--CVE-2026-26999--workflow",
|
||||
"vuln_family": "file-upload",
|
||||
"entry_surface": "upload-or-import-surface",
|
||||
"vuln_family": "unknown",
|
||||
"entry_surface": "repo-surface",
|
||||
"preconditions": [
|
||||
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
|
||||
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: introduced=0, fixed<2.11.38, introduced=0, fixed<3.6.9",
|
||||
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: introduced=0, introduced=0, fixed<2.11.38, introduced=0, fixed<3.6.9",
|
||||
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `repo`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
|
||||
],
|
||||
"required_role": "authenticated-uploader",
|
||||
"required_role": "unknown",
|
||||
"affected_version_assertion": [
|
||||
"introduced=0",
|
||||
"introduced=0, fixed<2.11.38",
|
||||
"introduced=0, fixed<3.6.9"
|
||||
],
|
||||
"trigger_vector": "\u5bf9 `file-upload` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
|
||||
"trigger_vector": "\u5bf9 `unknown` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
|
||||
"request_or_ui_path": [
|
||||
"/upload",
|
||||
"/import",
|
||||
"/plugin/install"
|
||||
"/repo"
|
||||
],
|
||||
"input_shape": "\u63d0\u4ea4\u53d7\u63a7\u975e\u6267\u884c\u6837\u672c\uff0c\u9a8c\u8bc1\u6269\u5c55\u540d\u3001MIME\u3001\u843d\u76d8\u4e0e\u6267\u884c\u6743\u9650\u3002",
|
||||
"expected_unsafe_behavior": "\u4e0a\u4f20\u6837\u672c\u88ab\u9519\u8bef\u63a5\u53d7\u3001\u53ef\u8bbf\u95ee\u6216\u4f4d\u4e8e\u53ef\u6267\u884c\u8def\u5f84\u3002",
|
||||
"input_shape": "\u63d0\u4ea4\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\u3002",
|
||||
"expected_unsafe_behavior": "\u76ee\u6807\u8868\u73b0\u51fa\u8d85\u51fa\u8bbe\u8ba1\u8fb9\u754c\u7684\u884c\u4e3a\u3002",
|
||||
"server_evidence_points": [
|
||||
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
|
||||
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
|
||||
@@ -148,10 +148,10 @@
|
||||
],
|
||||
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
|
||||
"patch_validation_steps": [
|
||||
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `introduced=0, fixed<2.11.38, introduced=0, fixed<3.6.9` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `2.11.38`\u3002",
|
||||
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `introduced=0, introduced=0, fixed<2.11.38, introduced=0, fixed<3.6.9` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `2.11.38`\u3002",
|
||||
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
|
||||
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
|
||||
"\u8865\u5145 `file-upload` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
|
||||
"\u8865\u5145 `unknown` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
|
||||
],
|
||||
"lab_safety_notes": [
|
||||
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
|
||||
@@ -172,7 +172,7 @@
|
||||
"present": false,
|
||||
"refs": []
|
||||
},
|
||||
"repro_profile_id": "file-upload-generic",
|
||||
"repro_profile_id": "proxy-boundary-generic",
|
||||
"artifact_mode": "synthetic",
|
||||
"blocked_reason": null,
|
||||
"metadata": {
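Review bot: The new `affected_versions` / `affected_version_ranges` / `affected_version_assertion` arrays keep a bare `"introduced=0"` entry next to `"introduced=0, fixed<2.11.38"` and `"introduced=0, fixed<3.6.9"`; an unbounded range asserts that every version, including the fixed ones, is affected, contradicts `fixed_versions`, and leaks into the precondition string as `introduced=0, introduced=0, fixed<2.11.38, …`. Presumably this is a stray event from the OSV range conversion — the two `fixed<` ranges already cover both branches — so the bare entry and its `…--introduced-0` ref in `affected_version_refs` should be dropped. The `patch_validation_steps` line tells every deployment to move to `2.11.38`, which would be a downgrade for a 3.x deployment; it should name the branch-appropriate target, `2.11.38` for 2.x and `3.6.9` for 3.x. The rewrite also sets `vuln_family` and `required_role` to `unknown` although the title states a Slowloris DoS from stalled TLS handshakes — a remote, unauthenticated resource-exhaustion issue on the TCP entrypoint — so the browser and DB/filesystem evidence points do not apply, and the evidence that matters is open-connection, file-descriptor and goroutine counts on the entrypoint during the test (the dropped advisory text names those resources). Replacing the full advisory text with the one-line title and turning `"severity": "low"` / `"cvss_score": 3.1` into `unknown` / `null` loses data the previous record had; if the OSV batch carries no score, keep the earlier values rather than overwriting them.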
|
||||
|
||||
@@ -4,24 +4,24 @@
|
||||
"display_name": "Traefik",
|
||||
"category": "servers",
|
||||
"advisory_mode": "server",
|
||||
"title": "traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)",
|
||||
"summary": "## Impact\n\nThere is a potential vulnerability in Traefik managing the `Connection` header with `X-Forwarded` headers.\n\nWhen Traefik processes HTTP/1.1 requests, the protection put in place to prevent the removal of Traefik-managed `X-Forwarded` headers (such as `X-Real-Ip`, `X-Forwarded-Host`, `X-Forwarded-Port`, etc.) via the `Connection` header does not handle case sensitivity correctly. The `Connection` tokens are compared case-sensitively against the protected header names, but the actual header deletion operates case-insensitively. As a result, a remote unauthenticated client can use lowercase `Connection` tokens (e.g. `Connection: x-real-ip`) to bypass the protection and trigger the removal of Traefik-managed forwarded identity headers.\n\nThis is a bypass of the fix for [CVE-2024-45410](https://github.com/traefik/traefik/security/advisories/GHSA-62c8-mh53-4cqv).\n\nDepending on the deployment, the impact may be higher if downstream services rely on these headers (such as `X-Real-Ip` or `X-Forwarded-*`) for authentication, authorization, routing, or scheme decisions.\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.38\n- https://github.com/traefik/traefik/releases/tag/v3.6.9\n\n## Workarounds\n\nNo workaround available.\n\n## For more information\n\nIf there are any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n---\n\n<details>\n<summary>Original Description</summary>\n\nTraefik's XForwarded middleware (removeConnectionHeaders) tries to prevent clients from using the Connection header to strip trusted X-Forwarded-* headers, but the protection compares the Connection tokens case-sensitively while the deletion is case-insensitive.\n\nAs a result, a remote unauthenticated client can send a lowercase token like Connection: x-real-ip and still trigger deletion of traefik-managed X-Real-Ip (and similarly named headers in the managed list).\n\nThis can cause 
downstream routing, scheme, and header-based authn/authz decisions to be evaluated with missing trusted forwarding identity headers.\n\n### Severity\n\nCRITICAL\n\nRationale: the PoC demonstrates an end-to-end access control bypass pattern when a downstream service uses proxy-provided identity headers (for example, X-Real-Ip) for IP allowlists or trust decisions. A remote unauthenticated client can strip the traefik-managed identity header via a lowercase Connection token, causing the downstream service to evaluate the request without the expected header signal.\n\n### Relevant Links\n\n- Repository: https://github.com/traefik/traefik\n- Pinned commit: a4a91344edcdd6276c1b766ca19ee3f0e346480f\n- Callsite (pinned): https://github.com/traefik/traefik/blob/a4a91344edcdd6276c1b766ca19ee3f0e346480f/pkg/middlewares/forwardedheaders/forwarded_header.go#L225\n\n### Vulnerability Details\n\n#### Root Cause\n\nremoveConnectionHeaders uses a case-sensitive membership check for protected header names when inspecting Connection tokens, but it deletes headers via net/http which treats header names case-insensitively. 
A lowercase token bypasses the protection check and still triggers deletion.\n\n#### Attacker Control / Attack Path\n\nRemote unauthenticated HTTP client (untrusted IP) sends Connection: x-real-ip, and Traefik deletes the generated X-Real-Ip header.\n\n### Proof of Concept\n\nThe attached poc.zip contains a deterministic, make-based integration PoC with a canonical run and a negative control.\n\nCanonical (vulnerable):\n\n unzip poc.zip -d poc\n cd poc\n make test\n\nOutput contains:\n\n [CALLSITE_HIT]: pkg/middlewares/forwardedheaders/forwarded_header.go:225\n [PROOF_MARKER]: downstream_admin_bypass=1 x_real_ip_present=0\n\nControl (same env, no lowercase token):\n\n unzip poc.zip -d poc\n cd poc\n make test\n\nOutput contains:\n\n [CALLSITE_HIT]: pkg/middlewares/forwardedheaders/forwarded_header.go:225\n [NC_MARKER]: downstream_admin_bypass=0 x_real_ip_present=1\n\nExpected: Connection tokens are handled case-insensitively and protected identity headers (for example, X-Real-Ip and X-Forwarded-*) are not deleted due to client-supplied Connection options (regardless of token casing).\n\nActual: Lowercase Connection tokens bypass the protection check and still trigger deletion of traefik-managed identity headers (for example, X-Real-Ip).\n\n### Recommended Fix\n\n- Case-fold (or otherwise canonicalize) Connection header tokens before comparing them against protected header names.\n- Add a regression test covering lowercase tokens (for example, Connection: x-real-ip).\n\nFix accepted when: a request with Connection: x-real-ip does not cause deletion of traefik-managed X-Real-Ip, and a regression test covers this behavior.\n\n</details>",
|
||||
"published_at": "2026-03-04T21:19:08Z",
|
||||
"updated_at": "2026-03-05T22:46:31.066201Z",
|
||||
"severity": "low",
|
||||
"cvss_score": 3.1,
|
||||
"title": "traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`) in github.com/traefik/traefik",
|
||||
"summary": "traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`) in github.com/traefik/traefik",
|
||||
"published_at": "2026-03-10T18:28:10Z",
|
||||
"updated_at": "2026-03-23T04:53:13.381024Z",
|
||||
"severity": "unknown",
|
||||
"cvss_score": null,
|
||||
"exploit_status": "unknown",
|
||||
"source_confidence": "official",
|
||||
"official_source_url": "https://github.com/traefik/traefik/security/advisories/GHSA-92mv-8f8w-wq52",
|
||||
"secondary_source_urls": [
|
||||
"https://nvd.nist.gov/vuln/detail/CVE-2026-29054",
|
||||
"https://github.com/traefik/traefik",
|
||||
"https://github.com/traefik/traefik/releases/tag/v2.11.38",
|
||||
"https://github.com/traefik/traefik/releases/tag/v3.6.9"
|
||||
],
|
||||
"aliases": [
|
||||
"CVE-2026-29054",
|
||||
"GHSA-92mv-8f8w-wq52"
|
||||
"GHSA-92mv-8f8w-wq52",
|
||||
"GO-2026-4597"
|
||||
],
|
||||
"cve_ids": [
|
||||
"CVE-2026-29054"
|
||||
@@ -30,9 +30,10 @@
|
||||
"GHSA-92mv-8f8w-wq52"
|
||||
],
|
||||
"osv_ids": [
|
||||
"GHSA-92mv-8f8w-wq52"
|
||||
"GO-2026-4597"
|
||||
],
|
||||
"affected_versions": [
|
||||
"introduced=0",
|
||||
"introduced=2.11.9, fixed<2.11.38",
|
||||
"introduced=3.1.3, fixed<3.6.9"
|
||||
],
|
||||
@@ -46,9 +47,7 @@
|
||||
"secure_code_topics": [
|
||||
"proxy-trust-boundary",
|
||||
"request-smuggling-boundary",
|
||||
"token-cookie-storage",
|
||||
"authz-server-side-recheck",
|
||||
"dependency-upgrade-policy"
|
||||
"token-cookie-storage"
|
||||
],
|
||||
"status": "generated",
|
||||
"triage_reasons": [],
|
||||
@@ -78,6 +77,7 @@
|
||||
}
|
||||
],
|
||||
"affected_version_ranges": [
|
||||
"introduced=0",
|
||||
"introduced=2.11.9, fixed<2.11.38",
|
||||
"introduced=3.1.3, fixed<3.6.9"
|
||||
],
|
||||
@@ -90,11 +90,11 @@
|
||||
"version_evidence_sources": [
|
||||
"https://github.com/traefik/traefik/security/advisories/GHSA-92mv-8f8w-wq52",
|
||||
"https://nvd.nist.gov/vuln/detail/CVE-2026-29054",
|
||||
"https://github.com/traefik/traefik",
|
||||
"https://github.com/traefik/traefik/releases/tag/v2.11.38",
|
||||
"https://github.com/traefik/traefik/releases/tag/v3.6.9"
|
||||
],
|
||||
"affected_version_refs": [
|
||||
"traefik--repo--github-com-traefik-traefik-v3--introduced-0",
|
||||
"traefik--repo--github-com-traefik-traefik-v3--introduced-2-11-9-fixed-2-11-38",
|
||||
"traefik--repo--github-com-traefik-traefik-v3--introduced-3-1-3-fixed-3-6-9"
|
||||
],
|
||||
@@ -112,26 +112,27 @@
|
||||
"version_resolution_needed": false,
|
||||
"workflow": {
|
||||
"workflow_id": "traefik--CVE-2026-29054--workflow",
|
||||
"vuln_family": "authz-bypass",
|
||||
"entry_surface": "privileged-route-or-object-reference",
|
||||
"vuln_family": "session-token",
|
||||
"entry_surface": "session-or-token-processing",
|
||||
"preconditions": [
|
||||
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
|
||||
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: introduced=2.11.9, fixed<2.11.38, introduced=3.1.3, fixed<3.6.9",
|
||||
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: introduced=0, introduced=2.11.9, fixed<2.11.38, introduced=3.1.3, fixed<3.6.9",
|
||||
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `repo`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
|
||||
],
|
||||
"required_role": "cross-tenant-or-low-privileged-user",
|
||||
"required_role": "authenticated-user",
|
||||
"affected_version_assertion": [
|
||||
"introduced=0",
|
||||
"introduced=2.11.9, fixed<2.11.38",
|
||||
"introduced=3.1.3, fixed<3.6.9"
|
||||
],
|
||||
"trigger_vector": "\u5bf9 `authz-bypass` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
|
||||
"trigger_vector": "\u5bf9 `session-token` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
|
||||
"request_or_ui_path": [
|
||||
"/admin/*",
|
||||
"/api/private/*",
|
||||
"/tenant/*"
|
||||
"/login",
|
||||
"/callback",
|
||||
"/session"
|
||||
],
|
||||
"input_shape": "\u4f7f\u7528\u4f4e\u6743\u9650\u8eab\u4efd\u8bbf\u95ee\u9ad8\u6743\u9650\u5bf9\u8c61\u6216\u8de8\u79df\u6237\u8d44\u6e90\u3002",
|
||||
"expected_unsafe_behavior": "\u4f4e\u6743\u9650\u8eab\u4efd\u53ef\u8bbf\u95ee\u672c\u4e0d\u5e94\u53ef\u89c1\u7684\u6570\u636e\u6216\u64cd\u4f5c\u3002",
|
||||
"input_shape": "\u4f7f\u7528\u77ed\u671f\u6d4b\u8bd5\u4ee4\u724c\u6216\u4f1a\u8bdd\uff0c\u9a8c\u8bc1\u751f\u547d\u5468\u671f\u3001\u7ed1\u5b9a\u4e0e\u5931\u6548\u903b\u8f91\u3002",
|
||||
"expected_unsafe_behavior": "\u4ee4\u724c\u6216\u4f1a\u8bdd\u53ef\u88ab\u91cd\u653e\u3001\u56fa\u5b9a\u6216\u8d8a\u6743\u4f7f\u7528\u3002",
|
||||
"server_evidence_points": [
|
||||
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
|
||||
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
|
||||
@@ -150,10 +151,10 @@
|
||||
],
|
||||
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
|
||||
"patch_validation_steps": [
|
||||
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `introduced=2.11.9, fixed<2.11.38, introduced=3.1.3, fixed<3.6.9` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `2.11.38`\u3002",
|
||||
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `introduced=0, introduced=2.11.9, fixed<2.11.38, introduced=3.1.3, fixed<3.6.9` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `2.11.38`\u3002",
|
||||
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
|
||||
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
|
||||
"\u8865\u5145 `authz-bypass` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
|
||||
"\u8865\u5145 `session-token` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
|
||||
],
|
||||
"lab_safety_notes": [
|
||||
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
|
||||
@@ -174,7 +175,7 @@
|
||||
"present": false,
|
||||
"refs": []
|
||||
},
|
||||
"repro_profile_id": "authz-bypass-generic",
|
||||
"repro_profile_id": "proxy-boundary-generic",
|
||||
"artifact_mode": "synthetic",
|
||||
"blocked_reason": null,
|
||||
"metadata": {
|
||||
|
||||
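Review bot: The regenerated workflow for this record reclassifies the advisory as `"vuln_family": "session-token"` with `"entry_surface": "session-or-token-processing"`, `"required_role": "authenticated-user"` and the paths `/login`, `/callback`, `/session`, yet the advisory text in the same section describes a remote unauthenticated client stripping Traefik-managed `X-Real-Ip` / `X-Forwarded-*` headers through a case-folding gap in `Connection` token handling — a proxy trust-boundary problem with no session or token involved — and `repro_profile_id` is still `proxy-boundary-generic`, so the record now contradicts itself. The replaced values (`authz-bypass`, `privileged-route-or-object-reference`, `cross-tenant-or-low-privileged-user`) were closer; `proxy-boundary` with `proxy-header-or-trust-boundary` and an unauthenticated edge-client role would match the advisory, and `secure_code_topics` should keep `proxy-trust-boundary` (which it does) rather than add `token-cookie-storage`. Separately, `affected_versions` now lists a bare `introduced=0` next to `introduced=2.11.9, fixed<2.11.38` and `introduced=3.1.3, fixed<3.6.9`, which marks every version vulnerable and yields the garbled precondition `introduced=0, introduced=2.11.9, fixed<2.11.38, ...`; the unbounded range should be dropped or given a `fixed` bound. The `patch_validation_steps` entry also points 3.x deployments at `2.11.38`, whereas the target should be the fixed version of the deployed major (`3.6.9` for 3.x). The regeneration further replaces `"severity": "low"` / `"cvss_score": 3.1` with `unknown` / `null` and collapses `summary` to the title, losing information the previous record carried.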
@@ -4,31 +4,32 @@
|
||||
"display_name": "Traefik",
|
||||
"category": "servers",
|
||||
"advisory_mode": "server",
|
||||
"title": "Traefik: HTTP/2 frames can cause a running server to panic",
|
||||
"summary": "## Summary\n\nMore Details:\n- https://nvd.nist.gov/vuln/detail/CVE-2026-27141\n- https://pkg.go.dev/golang.org/x/net/http2?tab=versions\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v3.6.10\n- https://github.com/traefik/traefik/releases/tag/v2.11.40\n\n## For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).",
|
||||
"published_at": "2026-03-12T14:48:02Z",
|
||||
"updated_at": "2026-03-14T03:09:48.127568Z",
|
||||
"severity": "medium",
|
||||
"cvss_score": 4.0,
|
||||
"title": "Traefik: HTTP/2 frames can cause a running server to panic in github.com/traefik/traefik",
|
||||
"summary": "Traefik: HTTP/2 frames can cause a running server to panic in github.com/traefik/traefik",
|
||||
"published_at": "2026-03-12T20:57:37Z",
|
||||
"updated_at": "2026-03-23T04:52:55.119301Z",
|
||||
"severity": "unknown",
|
||||
"cvss_score": null,
|
||||
"exploit_status": "unknown",
|
||||
"source_confidence": "official",
|
||||
"official_source_url": "https://github.com/traefik/traefik/security/advisories/GHSA-4hjq-9h5c-252j",
|
||||
"secondary_source_urls": [
|
||||
"https://github.com/traefik/traefik",
|
||||
"https://github.com/traefik/traefik/releases/tag/v2.11.40",
|
||||
"https://github.com/traefik/traefik/releases/tag/v3.6.10"
|
||||
],
|
||||
"aliases": [
|
||||
"GHSA-4hjq-9h5c-252j"
|
||||
"GHSA-4hjq-9h5c-252j",
|
||||
"GO-2026-4684"
|
||||
],
|
||||
"cve_ids": [],
|
||||
"ghsa_ids": [
|
||||
"GHSA-4hjq-9h5c-252j"
|
||||
],
|
||||
"osv_ids": [
|
||||
"GHSA-4hjq-9h5c-252j"
|
||||
"GO-2026-4684"
|
||||
],
|
||||
"affected_versions": [
|
||||
"introduced=0",
|
||||
"introduced=0, fixed<2.11.40",
|
||||
"introduced=0, fixed<3.6.10"
|
||||
],
|
||||
@@ -41,8 +42,7 @@
|
||||
"case_path": null,
|
||||
"secure_code_topics": [
|
||||
"proxy-trust-boundary",
|
||||
"request-smuggling-boundary",
|
||||
"dependency-upgrade-policy"
|
||||
"request-smuggling-boundary"
|
||||
],
|
||||
"status": "generated",
|
||||
"triage_reasons": [],
|
||||
@@ -72,6 +72,7 @@
|
||||
}
|
||||
],
|
||||
"affected_version_ranges": [
|
||||
"introduced=0",
|
||||
"introduced=0, fixed<2.11.40",
|
||||
"introduced=0, fixed<3.6.10"
|
||||
],
|
||||
@@ -83,11 +84,11 @@
|
||||
"patched_version": "2.11.40",
|
||||
"version_evidence_sources": [
|
||||
"https://github.com/traefik/traefik/security/advisories/GHSA-4hjq-9h5c-252j",
|
||||
"https://github.com/traefik/traefik",
|
||||
"https://github.com/traefik/traefik/releases/tag/v2.11.40",
|
||||
"https://github.com/traefik/traefik/releases/tag/v3.6.10"
|
||||
],
|
||||
"affected_version_refs": [
|
||||
"traefik--repo--github-com-traefik-traefik-v3--introduced-0",
|
||||
"traefik--repo--github-com-traefik-traefik-v3--introduced-0-fixed-2-11-40",
|
||||
"traefik--repo--github-com-traefik-traefik-v3--introduced-0-fixed-3-6-10"
|
||||
],
|
||||
@@ -105,25 +106,25 @@
|
||||
"version_resolution_needed": false,
|
||||
"workflow": {
|
||||
"workflow_id": "traefik--GHSA-4hjq-9h5c-252j--workflow",
|
||||
"vuln_family": "proxy-boundary",
|
||||
"entry_surface": "proxy-header-or-trust-boundary",
|
||||
"vuln_family": "unknown",
|
||||
"entry_surface": "repo-surface",
|
||||
"preconditions": [
|
||||
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
|
||||
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: introduced=0, fixed<2.11.40, introduced=0, fixed<3.6.10",
|
||||
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: introduced=0, introduced=0, fixed<2.11.40, introduced=0, fixed<3.6.10",
|
||||
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `repo`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
|
||||
],
|
||||
"required_role": "reverse-proxy-or-edge-client",
|
||||
"required_role": "unknown",
|
||||
"affected_version_assertion": [
|
||||
"introduced=0",
|
||||
"introduced=0, fixed<2.11.40",
|
||||
"introduced=0, fixed<3.6.10"
|
||||
],
|
||||
"trigger_vector": "\u5bf9 `proxy-boundary` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
|
||||
"trigger_vector": "\u5bf9 `unknown` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
|
||||
"request_or_ui_path": [
|
||||
"/middleware",
|
||||
"/x-forwarded-* trust path"
|
||||
"/repo"
|
||||
],
|
||||
"input_shape": "\u63d0\u4ea4\u53d7\u63a7\u4ee3\u7406\u5934\u6216\u6765\u6e90\u5934\uff0c\u9a8c\u8bc1\u4fe1\u4efb\u8fb9\u754c\u548c\u56de\u6e90\u9274\u6743\u3002",
|
||||
"expected_unsafe_behavior": "\u4ec5\u51ed\u4ee3\u7406\u5934\u5373\u53ef\u8d8a\u8fc7\u9274\u6743\u6216\u6765\u6e90\u63a7\u5236\u3002",
|
||||
"input_shape": "\u63d0\u4ea4\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\u3002",
|
||||
"expected_unsafe_behavior": "\u76ee\u6807\u8868\u73b0\u51fa\u8d85\u51fa\u8bbe\u8ba1\u8fb9\u754c\u7684\u884c\u4e3a\u3002",
|
||||
"server_evidence_points": [
|
||||
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
|
||||
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
|
||||
@@ -138,15 +139,14 @@
|
||||
],
|
||||
"detection_signals": [
|
||||
"WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
|
||||
"\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6",
|
||||
"\u4e0a\u6e38\u4ee3\u7406\u4e0e\u5e94\u7528\u5c42\u5bf9 Content-Length / Transfer-Encoding / forwarded headers \u7684\u89e3\u91ca\u5dee\u5f02"
|
||||
"\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6"
|
||||
],
|
||||
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
|
||||
"patch_validation_steps": [
|
||||
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `introduced=0, fixed<2.11.40, introduced=0, fixed<3.6.10` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `2.11.40`\u3002",
|
||||
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `introduced=0, introduced=0, fixed<2.11.40, introduced=0, fixed<3.6.10` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `2.11.40`\u3002",
|
||||
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
|
||||
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
|
||||
"\u8865\u5145 `proxy-boundary` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
|
||||
"\u8865\u5145 `unknown` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
|
||||
],
|
||||
"lab_safety_notes": [
|
||||
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
|
||||
|
||||
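Review bot: The new workflow classifies an HTTP/2 frame panic (the summary links CVE-2026-27141 in `golang.org/x/net/http2`) as `"vuln_family": "unknown"`, `"entry_surface": "repo-surface"`, `"required_role": "unknown"` and the placeholder path `/repo`, while the replaced values were `proxy-boundary` / `proxy-header-or-trust-boundary` / `reverse-proxy-or-edge-client`; a running server panicking on crafted HTTP/2 frames is an availability issue in a vendored dependency, presumably reachable by any HTTP/2 client, so the family should express denial-of-service and the entry surface the HTTP/2 listener, not a repository surface. Dropping `dependency-upgrade-policy` from `secure_code_topics` removes the one topic that actually applies, since the fix is the dependency bump shipped in Traefik v2.11.40 / v3.6.10. `detection_signals` now keeps only the permission-error/redirect/template/upload line and drops the reverse-proxy log signal; for this bug the useful signals are process crash/restart events and Go panic stack traces in the Traefik logs, which the record should list instead. `cve_ids` is `[]` although the summary cites `https://nvd.nist.gov/vuln/detail/CVE-2026-27141`; if the catalog convention is to record only the advisory's own CVE, the upstream CVE still belongs in `secondary_source_urls` or `aliases`. As in the other Traefik record in this commit, `affected_versions` gains a bare `introduced=0` that overlaps `introduced=0, fixed<2.11.40` and `introduced=0, fixed<3.6.10`, and the precondition string becomes `introduced=0, introduced=0, fixed<2.11.40, introduced=0, fixed<3.6.10`.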
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "source-gap",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "source-gap",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -23,7 +23,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 18,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"npm latest",
|
||||
"https://github.com/angular/angular/security/advisories/GHSA-prjf-86w9-mfqv",
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 18,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -22,7 +22,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 1,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"Apache HTTPD Security"
|
||||
],
|
||||
|
||||
@@ -23,7 +23,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 2,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"Apache Tomcat Security"
|
||||
],
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "source-gap",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -23,7 +23,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 4,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"npm latest",
|
||||
"https://github.com/withastro/astro/security/advisories/GHSA-wrwg-2hg8-v723",
|
||||
|
||||
@@ -31,7 +31,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 26,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"npm latest",
|
||||
"https://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw",
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 30,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -22,7 +22,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 2,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"GitHub Releases API",
|
||||
"https://github.com/caddyserver/caddy/security/advisories/GHSA-5r3v-vc8m-m96g"
|
||||
|
||||
@@ -18,14 +18,18 @@
|
||||
"latest_release_url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.2",
|
||||
"version_source_refs": [
|
||||
"https://github.com/caddyserver/caddy/releases/tag/v2.11.2",
|
||||
"https://github.com/caddyserver/caddy/security/advisories/GHSA-4xrr-hq4w-6vf4"
|
||||
"https://github.com/caddyserver/caddy/security/advisories/GHSA-4xrr-hq4w-6vf4",
|
||||
"https://github.com/caddyserver/caddy/security/advisories/GHSA-m2w3-8f23-hxxf",
|
||||
"https://github.com/caddyserver/caddy/security/advisories/GHSA-7r4p-vjf4-gxv4"
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 2,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"security_version_count": 5,
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"GitHub Releases API",
|
||||
"https://github.com/caddyserver/caddy/security/advisories/GHSA-4xrr-hq4w-6vf4"
|
||||
"https://github.com/caddyserver/caddy/security/advisories/GHSA-4xrr-hq4w-6vf4",
|
||||
"https://github.com/caddyserver/caddy/security/advisories/GHSA-m2w3-8f23-hxxf",
|
||||
"https://github.com/caddyserver/caddy/security/advisories/GHSA-7r4p-vjf4-gxv4"
|
||||
],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
@@ -35,17 +39,19 @@
|
||||
"history_backfill_status": "complete",
|
||||
"latest_sync_status": "green",
|
||||
"official_source_covered": true,
|
||||
"advisory_count": 5,
|
||||
"workflow_complete_advisory_count": 5,
|
||||
"version_mapped_advisory_count": 5,
|
||||
"advisory_count": 7,
|
||||
"workflow_complete_advisory_count": 7,
|
||||
"version_mapped_advisory_count": 7,
|
||||
"first_advisory_at": "2026-02-24T20:16:55+00:00",
|
||||
"latest_advisory_at": "2026-02-27T19:54:36+00:00",
|
||||
"latest_advisory_at": "2026-03-23T04:52:47+00:00",
|
||||
"advisory_ids": [
|
||||
"caddy--CVE-2026-27585",
|
||||
"caddy--CVE-2026-27586",
|
||||
"caddy--CVE-2026-27587",
|
||||
"caddy--CVE-2026-27588",
|
||||
"caddy--CVE-2026-27589"
|
||||
"caddy--CVE-2026-27589",
|
||||
"caddy--CVE-2026-30851",
|
||||
"caddy--CVE-2026-30852"
|
||||
],
|
||||
"source_refs": []
|
||||
}
|
||||
|
||||
@@ -18,8 +18,8 @@
|
||||
"latest_release_url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.2",
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 4,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"security_version_count": 7,
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
@@ -29,11 +29,11 @@
|
||||
"history_backfill_status": "seeded",
|
||||
"latest_sync_status": "green",
|
||||
"official_source_covered": true,
|
||||
"advisory_count": 27,
|
||||
"workflow_complete_advisory_count": 27,
|
||||
"version_mapped_advisory_count": 6,
|
||||
"advisory_count": 29,
|
||||
"workflow_complete_advisory_count": 29,
|
||||
"version_mapped_advisory_count": 8,
|
||||
"first_advisory_at": "2026-02-24T20:16:55+00:00",
|
||||
"latest_advisory_at": "2026-02-27T19:55:10+00:00",
|
||||
"latest_advisory_at": "2026-03-23T04:52:47+00:00",
|
||||
"advisory_ids": [
|
||||
"caddy--0158a8ddd8",
|
||||
"caddy--0921003cc6",
|
||||
@@ -54,6 +54,8 @@
|
||||
"caddy--CVE-2026-27588",
|
||||
"caddy--CVE-2026-27589",
|
||||
"caddy--CVE-2026-27590",
|
||||
"caddy--CVE-2026-30851",
|
||||
"caddy--CVE-2026-30852",
|
||||
"caddy--ade36bbb20",
|
||||
"caddy--c52981f5e2",
|
||||
"caddy--cf9582f72a",
|
||||
|
||||
@@ -22,7 +22,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 1,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"GitHub Releases API",
|
||||
"Directus GitHub Advisories"
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 1,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"Directus GitHub Advisories"
|
||||
],
|
||||
|
||||
@@ -31,7 +31,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 78,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"Discourse Release Notes RSS",
|
||||
"Discourse Security RSS"
|
||||
|
||||
@@ -22,7 +22,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 160,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"npm latest",
|
||||
"https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
|
||||
|
||||
@@ -38,7 +38,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 160,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"Django Security Weblog",
|
||||
"Django Security Releases Archive"
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 74,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"Drupal Security Advisories RSS"
|
||||
],
|
||||
|
||||
@@ -23,7 +23,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 4,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"GitHub Releases API",
|
||||
"https://github.com/labstack/echo/pull/1718",
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 4,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -22,7 +22,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 2,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"npm latest",
|
||||
"https://github.com/evanw/esbuild/security/advisories/GHSA-67mh-4wv8-2f99"
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 2,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "source-gap",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -22,7 +22,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 2,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"npm latest",
|
||||
"https://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9"
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 2,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -22,7 +22,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 22,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"npm latest",
|
||||
"https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726"
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 22,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"GitHub Releases API"
|
||||
],
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"Ghost GitHub Advisories"
|
||||
],
|
||||
|
||||
@@ -22,7 +22,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 2,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"GitHub Releases API",
|
||||
"https://nvd.nist.gov/vuln/detail/CVE-2020-28483"
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 2,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "source-gap",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 614,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"GitLab Security Releases Atom"
|
||||
],
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "source-gap",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -22,7 +22,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 4,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"npm latest",
|
||||
"https://www.npmjs.com/advisories/1482"
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 4,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 1,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"HAProxy Blog Feed"
|
||||
],
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "source-gap",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -25,7 +25,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 5,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"Joomla Security Centre"
|
||||
],
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "source-gap",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -22,7 +22,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 4,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"npm latest",
|
||||
"https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm"
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 4,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -22,7 +22,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 103,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"Packagist p2",
|
||||
"https://github.com/laravel/framework/security/advisories/GHSA-66hf-2p6w-jqfw"
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 103,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -24,7 +24,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 3,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"GitHub Releases API",
|
||||
"Sansec Research"
|
||||
|
||||
@@ -24,7 +24,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 3,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"Sansec Research"
|
||||
],
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 759,
|
||||
"last_version_synced_at": "2026-03-22T09:18:38+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:56+00:00",
|
||||
"latest_version_evidence": [
|
||||
"Mattermost Security Updates JSON",
|
||||
"https://securityupdates.mattermost.com/security_updates.json"
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 756,
|
||||
"last_version_synced_at": "2026-03-22T09:18:40+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:58+00:00",
|
||||
"latest_version_evidence": [
|
||||
"Mattermost Security Updates JSON",
|
||||
"https://securityupdates.mattermost.com/security_updates.json"
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 765,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [
|
||||
"Mattermost Security Updates JSON"
|
||||
],
|
||||
|
||||
@@ -23,7 +23,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 761,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [
|
||||
"GitHub Releases API",
|
||||
"https://nvd.nist.gov/vuln/detail/CVE-2026-22545",
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 3041,
|
||||
"last_version_synced_at": "2026-03-22T09:18:37+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:55+00:00",
|
||||
"latest_version_evidence": [
|
||||
"Mattermost Security Updates JSON"
|
||||
],
|
||||
|
||||
@@ -28,7 +28,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 254,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [
|
||||
"MediaWiki Announce RSS"
|
||||
],
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "source-gap",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "source-gap",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "source-gap",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 168,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [
|
||||
"npm latest",
|
||||
"https://github.com/vercel/next.js",
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 168,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "source-gap",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "source-gap",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -26,7 +26,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 11,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [
|
||||
"npm latest",
|
||||
"https://github.com/nuxt/nuxt/security/advisories/GHSA-vf6r-87q4-2vjf",
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 11,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -23,7 +23,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 2,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [
|
||||
"GitHub Releases API",
|
||||
"OpenCart Releases"
|
||||
|
||||
@@ -22,7 +22,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 2,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [
|
||||
"OpenCart Releases"
|
||||
],
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [
|
||||
"GitHub Releases API"
|
||||
],
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [
|
||||
"phpMyAdmin Security Page"
|
||||
],
|
||||
|
||||
@@ -26,7 +26,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 9,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [
|
||||
"GitHub Releases API",
|
||||
"Friends Of Presta Security",
|
||||
|
||||
@@ -25,7 +25,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 9,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [
|
||||
"GitHub PrestaShop Advisories",
|
||||
"Friends Of Presta Security",
|
||||
|
||||
@@ -26,7 +26,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 102,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [
|
||||
"npm latest",
|
||||
"https://nvd.nist.gov/vuln/detail/CVE-2007-5379",
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 102,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -22,7 +22,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 12,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [
|
||||
"npm latest",
|
||||
"https://nvd.nist.gov/vuln/detail/CVE-2018-6341"
|
||||
|
||||
@@ -23,7 +23,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 6,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [
|
||||
"npm latest",
|
||||
"https://github.com/facebook/react",
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 18,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [
|
||||
"Redmine Security Advisories"
|
||||
],
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [
|
||||
"GitHub Releases API"
|
||||
],
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [
|
||||
"GitHub Saleor Advisories"
|
||||
],
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [
|
||||
"GitHub Releases API"
|
||||
],
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [
|
||||
"Shopware Security Advisories"
|
||||
],
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 22,
|
||||
"last_version_synced_at": "2026-03-22T09:18:42+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:54:01+00:00",
|
||||
"latest_version_evidence": [
|
||||
"advisory-fixed-version",
|
||||
"https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-cm59-pr5q-cw85"
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 22,
|
||||
"last_version_synced_at": "2026-03-22T09:18:41+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:53:59+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "source-gap",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:42+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:54:01+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 92,
|
||||
"last_version_synced_at": "2026-03-22T09:18:44+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:54:02+00:00",
|
||||
"latest_version_evidence": [
|
||||
"advisory-fixed-version",
|
||||
"https://nvd.nist.gov/vuln/detail/CVE-2026-22732"
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 92,
|
||||
"last_version_synced_at": "2026-03-22T09:18:42+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:54:01+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:44+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:54:02+00:00",
|
||||
"latest_version_evidence": [
|
||||
"GitHub Releases API"
|
||||
],
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 0,
|
||||
"last_version_synced_at": "2026-03-22T09:18:44+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:54:02+00:00",
|
||||
"latest_version_evidence": [
|
||||
"Strapi GitHub Advisories"
|
||||
],
|
||||
|
||||
@@ -23,7 +23,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 4,
|
||||
"last_version_synced_at": "2026-03-22T09:18:44+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:54:02+00:00",
|
||||
"latest_version_evidence": [
|
||||
"npm latest",
|
||||
"https://github.com/sveltejs/kit/security/advisories/GHSA-88qp-p4qg-rqm6",
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 4,
|
||||
"last_version_synced_at": "2026-03-22T09:18:44+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:54:02+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -22,7 +22,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 220,
|
||||
"last_version_synced_at": "2026-03-22T09:18:44+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:54:02+00:00",
|
||||
"latest_version_evidence": [
|
||||
"Packagist p2",
|
||||
"https://github.com/symfony/symfony/security/advisories/GHSA-5pv8-ppvj-4h68"
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 220,
|
||||
"last_version_synced_at": "2026-03-22T09:18:44+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:54:02+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
|
||||
@@ -22,7 +22,7 @@
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 7,
|
||||
"last_version_synced_at": "2026-03-22T09:18:44+00:00",
|
||||
"last_version_synced_at": "2026-03-23T09:54:03+00:00",
|
||||
"latest_version_evidence": [
|
||||
"GitHub Releases API",
|
||||
"https://github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48"
|
||||
|
||||
@@ -30,11 +30,12 @@
|
||||
"https://github.com/traefik/traefik/security/advisories/GHSA-gv8r-9rw9-9697",
|
||||
"https://github.com/traefik/traefik/security/advisories/GHSA-fw45-f5q2-2p4x",
|
||||
"https://github.com/traefik/traefik/security/advisories/GHSA-4hjq-9h5c-252j",
|
||||
"https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr"
|
||||
"https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr",
|
||||
"https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w"
|
||||
],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 56,
|
||||
"last_version_synced_at": "2026-03-22T09:18:44+00:00",
|
||||
"security_version_count": 55,
|
||||
"last_version_synced_at": "2026-03-23T09:54:03+00:00",
|
||||
"latest_version_evidence": [
|
||||
"GitHub Releases API",
|
||||
"https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9",
|
||||
@@ -49,7 +50,8 @@
|
||||
"https://github.com/traefik/traefik/security/advisories/GHSA-gv8r-9rw9-9697",
|
||||
"https://github.com/traefik/traefik/security/advisories/GHSA-fw45-f5q2-2p4x",
|
||||
"https://github.com/traefik/traefik/security/advisories/GHSA-4hjq-9h5c-252j",
|
||||
"https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr"
|
||||
"https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr",
|
||||
"https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w"
|
||||
],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
@@ -63,7 +65,7 @@
|
||||
"workflow_complete_advisory_count": 17,
|
||||
"version_mapped_advisory_count": 17,
|
||||
"first_advisory_at": "2024-07-09T19:34:07+00:00",
|
||||
"latest_advisory_at": "2026-03-20T15:46:26+00:00",
|
||||
"latest_advisory_at": "2026-03-23T04:53:13+00:00",
|
||||
"advisory_ids": [
|
||||
"traefik--CVE-2024-39321",
|
||||
"traefik--CVE-2024-45410",
|
||||
|
||||
@@ -18,8 +18,8 @@
|
||||
"latest_release_url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2",
|
||||
"version_source_refs": [],
|
||||
"version_sync_status": "green",
|
||||
"security_version_count": 63,
|
||||
"last_version_synced_at": "2026-03-22T09:18:44+00:00",
|
||||
"security_version_count": 62,
|
||||
"last_version_synced_at": "2026-03-23T09:54:02+00:00",
|
||||
"latest_version_evidence": [],
|
||||
"catalog_source": "",
|
||||
"catalog_reason": "",
|
||||
@@ -33,7 +33,7 @@
|
||||
"workflow_complete_advisory_count": 45,
|
||||
"version_mapped_advisory_count": 18,
|
||||
"first_advisory_at": "2024-07-09T19:34:07+00:00",
|
||||
"latest_advisory_at": "2026-03-20T15:46:41+00:00",
|
||||
"latest_advisory_at": "2026-03-23T04:53:13+00:00",
|
||||
"advisory_ids": [
|
||||
"traefik--05879db0a0",
|
||||
"traefik--073109115e",
|
||||
|
||||