Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit d34d3eb68380 · 2026-04-22T19:26:32.000Z
GHSA-j99g-7rqw-q9jg GHSA-pfcq-4gjr-6gjm
diff --git a/advisories/github-reviewed/2026/04/GHSA-j99g-7rqw-q9jg/GHSA-j99g-7rqw-q9jg.json b/advisories/github-reviewed/2026/04/GHSA-j99g-7rqw-q9jg/GHSA-j99g-7rqw-q9jg.json
@@ -0,0 +1,67 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-j99g-7rqw-q9jg",
+  "modified": "2026-04-22T19:23:55Z",
+  "published": "2026-04-22T19:23:55Z",
+  "aliases": [
+    "CVE-2026-34066"
+  ],
+  "summary": "nimiq-blockchain: Peer-triggerable panic during history sync",
+  "details": "### Impact\n`HistoryStore::put_historic_txns` uses an `assert!` to enforce invariants about `HistoricTransaction.block_number` (must be within the macro block being pushed and within the same epoch). During history sync, a peer can influence the `history: &[HistoricTransaction]` input passed into `Blockchain::push_history_sync`, and a malformed history list can violate these invariants and trigger a panic.\n\n`extend_history_sync` calls `this.history_store.add_to_history(..)` before comparing the computed history root against the macro block header (`block.history_root()`), so the panic can happen before later rejection checks run.\n\n### Patches\n[The patch for this vulnerability](https://github.com/nimiq/core-rs-albatross/commit/6f5511309c199d84b012fe6b9aba7e5582892c50) is included as part of [v1.3.0](https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0).\n\n### Workarounds\nNo known workarounds.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "nimiq-blockchain"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "0.2.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-j99g-7rqw-q9jg"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nimiq/core-rs-albatross/pull/3656"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nimiq/core-rs-albatross/commit/6f5511309c199d84b012fe6b9aba7e5582892c50"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/nimiq/core-rs-albatross"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20",
+      "CWE-617",
+      "CWE-754"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-22T19:23:55Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-pfcq-4gjr-6gjm/GHSA-pfcq-4gjr-6gjm.json b/advisories/github-reviewed/2026/04/GHSA-pfcq-4gjr-6gjm/GHSA-pfcq-4gjr-6gjm.json
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-pfcq-4gjr-6gjm",
+  "modified": "2026-04-22T19:24:53Z",
+  "published": "2026-04-22T19:24:53Z",
+  "aliases": [
+    "CVE-2026-40937"
+  ],
+  "summary": "RustFS: Missing admin authorization on notification target endpoints allows unauthenticated configuration of event webhooks",
+  "details": "# Missing Admin Auth on Notification Target Endpoints in RustFS\n\n\n### Finding Summary\n\nAll four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization.\n\nA non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion.\n\n### What Was Proven Live\n\n1. **Authorization bypass on all four endpoints** (03_readonly_user_bypass.py)\n   - PUT, GET list, GET arns, DELETE all return 200 for readonly-user\n   - Control routes (list-users, kms/status) correctly return 403\n   - Unauthenticated requests correctly rejected (403 Signature required)\n\n2. **SSRF via health probe** (04_ssrf_listener_landing.py)\n   - HEAD request from rustfs container to attacker-controlled listener\n   - No host validation: only scheme check (http/https)\n\n3. **Target hijacking and event exfiltration** (05_target_hijacking.py, 06_full_event_exfil.py)\n   - Readonly-user overwrites admin-configured target URL by name\n   - Subsequent S3 events delivered to attacker-controlled endpoint\n   - Captured event body includes object keys, bucket names, user identities, and request metadata\n\n4. **Audit evasion** (05_target_hijacking.py)\n   - Readonly-user can delete unbound targets\n   - Readonly-user can overwrite bound targets (silently redirecting events)\n\n### Escalation Vectors Tested But Not Viable\n\n1. **Self-referencing webhook to admin API** (13_self_referencing_test.py)\n   - Webhook sends unsigned POST with event JSON body\n   - Admin endpoints require SigV4 auth -- unsigned request rejected\n   - \"Confused deputy\" via self-referencing does NOT work\n\n2. **Protocol smuggling via non-HTTP targets**\n   - Only 2 target types implemented: webhook and MQTT (`event.rs:613` enforces this)\n   - No Redis, Kafka, AMQP, or other protocol targets exist\n   - CRLF injection in webhook config fields sanitized by reqwest\n   - MQTT uses rumqttc (pure Rust binary protocol client), no raw TCP injection\n\n3. **MQTT target for RCE**\n   - No unsafe code in MQTT handler\n   - rumqttc 0.29.0 has no known public CVEs\n   - No Command::new, template engines, or deserialization of broker responses\n\n4. **Unauth access**\n   - Endpoints correctly reject unauthenticated requests (403)\n   - Endpoints correctly reject invalid credentials (403)\n\n### Prior Art\n\nNo existing advisory covers notification target endpoints. 11 published GHSAs on rustfs/rustfs cover different handlers. Closest:\n- CVE-2026-22042 (ImportIam wrong action constant) -- same bug class, different file\n- CVE-2026-22043 (deny_only short-circuit) -- different bug class\n\n### Recommendation\n\nSubmit via GitHub PVR. The finding is well-supported with live PoC, code references, and clear root cause. The fix is straightforward (add `validate_admin_request` calls to event.rs handlers). Core submission should reference 2-3 focused PoC scripts (readonly bypass, target hijack, event exfil), not the full set of 13 exploratory scripts.\n\n\nKoda Reef\n\n### Patch\nThis issue has been patched in version https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "rustfs"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "0.0.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-pfcq-4gjr-6gjm"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/rustfs/rustfs"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-22T19:24:53Z",
+    "nvd_published_at": null
+  }
+}
