55 changes: 55 additions & 0 deletions data/appsmith/BIT-appsmith-2026-49979.json
@@ -0,0 +1,55 @@
{
"schema_version": "1.6.2",
"id": "BIT-appsmith-2026-49979",
"summary": "Appsmith: SSRF via `POST /api/v1/admin/send-test-email` — JavaMail Bypasses WebClient IP Filter",
"details": "Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.99, the POST /api/v1/admin/send-test-email endpoint accepts attacker-controlled smtpHost and smtpPort values and establishes a raw JavaMail TCP connection without any IP validation. This completely bypasses WebClientUtils.IP_CHECK_FILTER, which only applies to Spring WebClient HTTP requests. Additionally, the raw MailException.getMessage() is returned verbatim in the API error response, enabling error-based internal port scanning and service banner enumeration. This vulnerability is fixed in 1.99.",
"aliases": [
"CVE-2026-49979"
],
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "appsmith",
"purl": "pkg:bitnami/appsmith"
},
"severity": [
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.99.0"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/appsmithorg/appsmith/security/advisories/GHSA-vvxf-f8q9-86gh"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49979"
}
],
"published": "2026-06-30T17:38:35.185Z",
"modified": "2026-06-30T18:03:49.219Z"
}
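Review bot: the CVSS_V4 `score` string in this record carries every optional metric group explicitly set to X (`E:X/CR:X/IR:X/AR:X/MAV:X/.../U:X`), whereas the other records in this batch store only the base metrics of their vector. X means "not defined", which is equivalent to omitting the metric, so trimming the vector to `CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N` would keep the same meaning and match the style of the neighbouring files. The range (`introduced` "0", `fixed` "1.99.0") is consistent with the "Prior to 1.99 ... fixed in 1.99" wording in `details`.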
67 changes: 67 additions & 0 deletions data/envoy/BIT-envoy-2026-47205.json
@@ -0,0 +1,67 @@
{
"schema_version": "1.6.2",
"id": "BIT-envoy-2026-47205",
"summary": "Envoy: ext_authz Use-After-Free during Stream Teardown with Per-Route Overrides",
"details": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.36.0 until 1.36.9, 1.37.5, and 1.38.3, a Use-After-Free (UAF) vulnerability leading to a sudden segmentation fault exists in Envoy's ext_authz HTTP filter when processing per-route authorization overrides concurrently with rapid downstream client disconnects. During standard request lifecycles, Envoy instantiates the ext_authz filter with a foundational authorization client object (client_). If a matched route dictates a dynamic per-route HTTP or gRPC authorization service override, the filter generates a localized client. In the vulnerable implementation, this transient client aggressively overwrote the default client_ unique pointer by executing client_ = std::move(per_route_client). When a client rapidly establishes and subsequently tears down a stream (such as rapidly refreshing a protected WebSocket endpoint), the downstream triggers the ConnectionManagerImpl::doDeferredStreamDestroy() -> ActiveStream::onResetStream() lifecycle. Envoy immediately sequences Filter::onDestroy() in an attempt to securely abort dispatched asynchronous authorization check transactions via client_->cancel(). By destructing the default client abruptly during initiateCall, a memory lifecycle misalignment occurs within the async client manager. The stream teardown fails to reliably track and cancel the dynamically bound asynchronous authorization tasks, orchestrating a sequence where a late asynchronous callback from the network evaluates against a heavily destroyed ActiveStream validation span, generating a UAF process crash. This vulnerability is fixed in 1.36.9, 1.37.5, and 1.38.3.",
"aliases": [
"CVE-2026-47205"
],
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "envoy",
"purl": "pkg:bitnami/envoy"
},
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "1.36.0"
},
{
"fixed": "1.36.9"
},
{
"introduced": "1.37.0"
},
{
"fixed": "1.37.5"
},
{
"introduced": "1.38.0"
},
{
"fixed": "1.38.3"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-mvh9-767w-x47j"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47205"
}
],
"published": "2026-06-30T17:41:19.987Z",
"modified": "2026-06-30T18:03:49.219Z"
}
61 changes: 61 additions & 0 deletions data/envoy/BIT-envoy-2026-47220.json
@@ -0,0 +1,61 @@
{
"schema_version": "1.6.2",
"id": "BIT-envoy-2026-47220",
"summary": "Envoy: Segmentation fault when using %REQUESTED_SERVER_NAME% in log format",
"details": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, when the %REQUESTED_SERVER_NAME(X:Y)% is used in log format and host related options is specified, like HOST_FIRST, SNI_FIRST, it's possible to crash Envoy when the specified host header is missing in the request headers. This vulnerability is fixed in 1.37.5 and 1.38.3.",
"aliases": [
"CVE-2026-47220"
],
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "envoy",
"purl": "pkg:bitnami/envoy"
},
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "1.37.0"
},
{
"fixed": "1.37.5"
},
{
"introduced": "1.38.0"
},
{
"fixed": "1.38.3"
}
]
}
]
}
],
"database_specific": {
"severity": "High",
"cpes": [
"cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-j9wh-4qfm-wf2v"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47220"
}
],
"published": "2026-06-30T17:41:22.374Z",
"modified": "2026-06-30T18:03:49.219Z"
}
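Review bot: the `details` text has a grammar slip ("when the %REQUESTED_SERVER_NAME(X:Y)% is used in log format and host related options is specified") that should read "host-related options are specified"; since this string is shown verbatim to consumers of the feed, consider correcting it. The SEMVER ranges (1.37.0 to 1.37.5, 1.38.0 to 1.38.3) agree with the "From 1.37.0 until 1.37.5 and 1.38.3" wording, and the "High" severity is consistent with the `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` vector.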
73 changes: 73 additions & 0 deletions data/envoy/BIT-envoy-2026-47775.json
@@ -0,0 +1,73 @@
{
"schema_version": "1.6.2",
"id": "BIT-envoy-2026-47775",
"summary": "Envoy OAuth2 Filter: Padding Oracle via AES-256-CBC Cookie Decryption",
"details": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, the OAuth2 HTTP filter's encrypt()/decrypt() functions use AES-256-CBC without an authentication tag (no HMAC, no AEAD). The /callback endpoint returns HTTP 302 on successful decryption and HTTP 401 on padding failure, creating a padding oracle. An attacker who obtains the encrypted CodeVerifier cookie can recover the plaintext PKCE code_verifier in ~6,200 requests (~100 seconds), then exchange it with a stolen authorization code to obtain the victim's access token. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.",
"aliases": [
"CVE-2026-47775"
],
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "envoy",
"purl": "pkg:bitnami/envoy"
},
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "1.35.0"
},
{
"fixed": "1.35.11"
},
{
"introduced": "1.36.0"
},
{
"fixed": "1.36.7"
},
{
"introduced": "1.37.0"
},
{
"fixed": "1.37.3"
},
{
"introduced": "1.38.0"
},
{
"fixed": "1.38.1"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-396h-jpq4-vc7p"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47775"
}
],
"published": "2026-06-30T17:41:26.992Z",
"modified": "2026-06-30T18:03:49.219Z"
}
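Review bot: the first range starts at `"introduced": "1.35.0"`, while `details` says "Prior to 1.35.11, ..." and the other "Prior to" record in this batch (BIT-envoy-2026-47778) starts its first range at `"introduced": "0"`. If the OAuth2 filter's cookie encryption exists in releases before 1.35.0, those releases are affected too and the first event should be `"introduced": "0"`; if it was introduced in 1.35.0, the `details` wording could say so to avoid the apparent inconsistency. Please confirm against the linked GHSA before merging.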
73 changes: 73 additions & 0 deletions data/envoy/BIT-envoy-2026-47778.json
@@ -0,0 +1,73 @@
{
"schema_version": "1.6.2",
"id": "BIT-envoy-2026-47778",
"summary": "Envoy: Embedded NUL in TLS DNS SAN Truncation in the Default TLS Certificate Validator. (Auth Bypass)",
"details": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySubjectAltName where the extracted DNS SAN string is cast to a C-style string using .c_str() before being passed to the Utility::dnsNameMatch() algorithm. If the attacker serves a certificate with a dNSName SAN containing an embedded NUL byte, the helper Utility::generalNameAsString captures the complete string including the NUL. However, when .c_str() evaluates it, implicit conversion to absl::string_view inside dnsNameMatch relies on strlen(), prematurely truncating the evaluation context. Envoy evaluates trucated string against the exact required config_san match and returns true, thereby successfully validating the string with the Nul byte for an upstream routing. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.",
"aliases": [
"CVE-2026-47778"
],
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "envoy",
"purl": "pkg:bitnami/envoy"
},
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.35.13"
},
{
"introduced": "1.36.0"
},
{
"fixed": "1.36.9"
},
{
"introduced": "1.37.0"
},
{
"fixed": "1.37.5"
},
{
"introduced": "1.38.0"
},
{
"fixed": "1.38.3"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-f8x4-rw5x-f3r7"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47778"
}
],
"published": "2026-06-30T17:41:28.121Z",
"modified": "2026-06-30T18:03:49.219Z"
}
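Review bot: the fixed versions in `ranges` do not match the ones stated in `details`. The text says "This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1", but the events record `"fixed": "1.35.13"`, `"fixed": "1.36.9"`, `"fixed": "1.37.5"` and `"fixed": "1.38.3"`. Consumers that act on the machine-readable ranges would treat 1.35.11 and 1.35.12 (and the corresponding 1.36/1.37/1.38 patch releases) as still vulnerable, while the prose says they are fixed; one of the two must be corrected to match the GHSA referenced in the record. Minor: `details` contains the typo "trucated" (truncated).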