Publish GHSA-h5fq-653g-gxrm

advisory-database[bot] · advisory-database[bot] · commit e3d35f0d093c · 2026-05-05T17:22:59.000Z
diff --git a/advisories/github-reviewed/2026/05/GHSA-h5fq-653g-gxrm/GHSA-h5fq-653g-gxrm.json b/advisories/github-reviewed/2026/05/GHSA-h5fq-653g-gxrm/GHSA-h5fq-653g-gxrm.json
@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h5fq-653g-gxrm",
+  "modified": "2026-05-05T17:20:36Z",
+  "published": "2026-05-05T17:20:36Z",
+  "aliases": [],
+  "summary": "ots has a negative expire override that can bypass its secret retention policy",
+  "details": "## Summary\n\nThe `/api/create` endpoint accepted negative `expire` query values. For the memory storage backend, negative values were passed to secret creation as a negative duration and treated as no expiry, allowing callers to create secrets that persisted longer than intended.\n\n## Impact\n\nUnauthenticated users could bypass configured retention expectations for secrets they create by sending `POST /api/create?expire=-1`.\n\nThis does not allow reading or modifying secrets created by other users. Secrets remain one-time-read and, in the normal web flow, client-side encrypted.\n\n## Affected versions\n\nVersions up to and including v1.21.4 are affected.\n\n## Patched versions\n\nFixed in v1.21.5.\n\n## Workarounds\n\nDisable expiry overrides via `disableExpiryOverride: true` until upgrading.\n\n## Credit\n\nReported by Chai Cheng Xun via email.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/Luzifer/ots"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.21.5"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 1.21.4"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/Luzifer/ots/security/advisories/GHSA-h5fq-653g-gxrm"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Luzifer/ots/commit/3511bd18a2bec75bd9c6b4d513f2a90ccf4209b7"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Luzifer/ots"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Luzifer/ots/releases/tag/v1.21.5"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-05-05T17:20:36Z",
+    "nvd_published_at": null
+  }
+}
