Publish Advisories

GHSA-8g8j-r87h-p36x
GHSA-xjhr-fm27-4hmx

Author: advisory-database[bot]

advisories/github-reviewed/2026/02/GHSA-8g8j-r87h-p36x/GHSA-8g8j-r87h-p36x.json

@@ -0,0 +1,73 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8g8j-r87h-p36x",
+  "modified": "2026-02-26T22:50:37Z",
+  "published": "2026-02-26T22:50:37Z",
+  "aliases": [
+    "CVE-2026-27965"
+  ],
+  "summary": "Vitess users with backup storage access can gain unauthorized access to production deployment environments",
+  "details": "### Impact\n\nAny user with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that arbitrary code is later executed when that backup is restored. This can be used to provide that attacker with unintended/unauthorized access to the production deployment environment — allowing them to access information available in that environment as well as run any additional arbitrary commands there.\n\n### Patches\nFixes are expected to be released with versions v23.0.3 and v22.0.4\nSee fix commit at https://github.com/vitessio/vitess/commit/4c0173293907af9cb942a6683c465c3f1e9fdb5c\n\n### Workarounds\n\nIf maintainers *intended* to use an external decompressor then they can always specify that decompressor command in the `--external-decompressor` flag value for `vttablet` and `vtbackup`. That then overrides any value specified in the manifest file.\n\nIf maintainers did *not intend* to use an external decompressor, nor an internal one, then they can specify a value such as `cat` or `tee` in the `--external-decompressor` flag value for `vttablet` and `vtbackup` to ensure that a harmless command is always used. \n\n### References\n\nUsers can read more about the issue here: https://github.com/vitessio/vitess/issues/19459",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "vitess.io/vitess"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "0.23.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/vitessio/vitess/security/advisories/GHSA-8g8j-r87h-p36x"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27965"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vitessio/vitess/issues/19459"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vitessio/vitess/pull/19460"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vitessio/vitess/commit/4c0173293907af9cb942a6683c465c3f1e9fdb5c"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/vitessio/vitess"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-26T22:50:37Z",
+    "nvd_published_at": "2026-02-26T02:16:23Z"
+  }
+}

…-xjhr-fm27-4hmx/GHSA-xjhr-fm27-4hmx.json …-xjhr-fm27-4hmx/GHSA-xjhr-fm27-4hmx.jsonadvisories/unreviewed/2026/02/GHSA-xjhr-fm27-4hmx/GHSA-xjhr-fm27-4hmx.json renamed to advisories/github-reviewed/2026/02/GHSA-xjhr-fm27-4hmx/GHSA-xjhr-fm27-4hmx.json advisories/unreviewed/2026/02/GHSA-xjhr-fm27-4hmx/GHSA-xjhr-fm27-4hmx.json renamed to advisories/github-reviewed/2026/02/GHSA-xjhr-fm27-4hmx/GHSA-xjhr-fm27-4hmx.json

@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xjhr-fm27-4hmx",
-  "modified": "2026-02-26T21:31:30Z",
+  "modified": "2026-02-26T22:50:20Z",
   "published": "2026-02-25T18:31:38Z",
   "aliases": [
     "CVE-2026-26717"
   ],
-  "details": "An issue in OpenFUN Richie (LMS) in src/richie/apps/courses/api.py. The application used the non-constant time == operator for HMAC signature verification in the sync_course_run_from_request function. This allows remote attackers to forge valid signatures and bypass authentication by measuring response time discrepancies",
+  "summary": "OpenFUN Richie Observable Timing Discrepancy in its sync_course_run_from_request function",
+  "details": "An issue in OpenFUN Richie (LMS) in src/richie/apps/courses/api.py. The application used the non-constant time == operator for HMAC signature verification in the sync_course_run_from_request function. This allows remote attackers to forge valid signatures and bypass authentication by measuring response time discrepancies.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "richie"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.3.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -27,6 +48,10 @@
       "type": "WEB",
       "url": "https://github.com/Rickidevs/CVE-2026-26717"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openfun/richie"
+    },
     {
       "type": "WEB",
       "url": "https://medium.com/@ordogh/cve-2026-26717-hmac-timing-attack-in-openfun-richie-lms-f04377efe83d?postPublishedType=repub"
@@ -37,8 +62,8 @@
       "CWE-208"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-26T22:50:20Z",
     "nvd_published_at": "2026-02-25T17:25:39Z"
   }
 }