Publish Advisories

GHSA-cf3q-vg8w-mw84
GHSA-xh69-987w-hrp8

Author: advisory-database[bot]

advisories/github-reviewed/2024/06/GHSA-cf3q-vg8w-mw84/GHSA-cf3q-vg8w-mw84.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-cf3q-vg8w-mw84",
-  "modified": "2024-07-03T19:58:16Z",
+  "modified": "2025-07-15T22:56:41Z",
   "published": "2024-06-24T12:30:38Z",
   "aliases": [
     "CVE-2024-29868"
   ],
   "summary": "Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation",
-  "details": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism.\nThis allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account.\nThis issue affects Apache StreamPipes: from 0.69.0 through 0.93.0.\n\nUsers are recommended to upgrade to version 0.95.0, which fixes the issue.\n\n",
+  "details": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism.\nThis allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account.\nThis issue affects Apache StreamPipes: from 0.69.0 through 0.93.0.\n\nUsers are recommended to upgrade to version 0.95.0, which fixes the issue.",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -55,6 +55,10 @@
     {
       "type": "WEB",
       "url": "https://lists.apache.org/thread/g7t7zctvq2fysrw1x17flnc12592nhx7"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2024/06/22/1"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2025/07/GHSA-xh69-987w-hrp8/GHSA-xh69-987w-hrp8.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xh69-987w-hrp8",
-  "modified": "2025-07-15T14:37:08Z",
+  "modified": "2025-07-15T22:56:19Z",
   "published": "2025-07-15T14:37:08Z",
   "aliases": [
     "CVE-2025-24294"
   ],
   "summary": "resolv vulnerable to DoS via insufficient DNS domain name length validation",
   "details": "A denial of service vulnerability has been discovered in the resolv gem bundled with Ruby.\n\n## Details\nThe vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet.\n\nAn attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting\nlength of the name.\n\nThis resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.\n\n## Affected Version\nThe vulnerability affects the resolv gem bundled with the following Ruby series:\n* Ruby 3.2 series: resolv version 0.2.2 and earlier\n* Ruby 3.3 series: resolv version 0.3.0\n* Ruby 3.4 series: resolv version 0.6.1 and earlier\n\n## Credits\nThanks to Manu for discovering this issue.\n\n## History\nOriginally published at 2025-07-08 07:00:00 (UTC)",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"
@@ -97,7 +101,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-1284"
+      "CWE-1284",
+      "CWE-400"
     ],
     "severity": "MODERATE",
     "github_reviewed": true,