From 0cfc489b5de3b1fa1e23efc882381f07685112d8 Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Wed, 21 Jan 2026 09:42:25 -0500
Subject: [PATCH] 2 brand new advisories
---
 gems/alchemy_cms/CVE-2026-23885.yml | 45 +++++++++++++++++++++++++++++
 rubies/mruby/CVE-2021-46020.yml | 34 ++++++++++++++++++++++
 2 files changed, 79 insertions(+)
 create mode 100644 gems/alchemy_cms/CVE-2026-23885.yml
 create mode 100644 rubies/mruby/CVE-2021-46020.yml
diff --git a/gems/alchemy_cms/CVE-2026-23885.yml b/gems/alchemy_cms/CVE-2026-23885.yml
new file mode 100644
index 0000000000..086b606c8b
--- /dev/null
+++ b/gems/alchemy_cms/CVE-2026-23885.yml
@@ -0,0 +1,45 @@
+---
+gem: alchemy_cms
+cve: 2026-23885
+ghsa: 2762-657x-v979
+url: https://github.com/AlchemyCMS/alchemy_cms/security/advisories/GHSA-2762-657x-v979
+title: AlchemyCMS - Authenticated Remote Code Execution (RCE) via
+ eval injection in ResourcesHelper
+date: 2026-01-21
+description: |
+ ### Summary
+
+ A vulnerability was discovered during a manual security audit
+ of the AlchemyCMS source code. The application uses the Ruby
+ `eval()` function to dynamically execute a string provided by the
+ `resource_handler.engine_name` attribute in
+ `Alchemy::ResourcesHelper#resource_url_proxy`.
+
+ ### Details
+
+ The vulnerability exists in `app/helpers/alchemy/resources_helper.rb`
+ at line 28. The code explicitly bypasses security linting with
+ `# rubocop:disable Security/Eval`, indicating that the use of a
+ dangerous function was known but not properly mitigated.
+
+ Since `engine_name` is sourced from module definitions that can be
+ influenced by administrative configurations, it allows an authenticated
+ attacker to escape the Ruby sandbox and execute arbitrary system
+ commands on the host OS.
+
+ But, for this attack to be possible local file access to the alchemy
+ project or the source on a remote server is necessary in order to
+ manipulate the module config file, though.
+cvss_v3: 6.6
+patched_versions:
+ - "~> 7.4.12"
+ - ">= 8.0.3"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2026-23885
+ - https://github.com/AlchemyCMS/alchemy_cms/security/advisories/GHSA-2762-657x-v979
+ - https://github.com/AlchemyCMS/alchemy_cms/commit/55d03ec600fd9e07faae1138b923790028917d26
+ - https://github.com/AlchemyCMS/alchemy_cms/commit/563c4ce45bf5813b7823bf3403ca1fc32cb769e7
+ - https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v7.4.12
+ - https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v8.0.3
+ - https://github.com/advisories/GHSA-2762-657x-v979
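Review bot: The closing paragraph of `description` states the actual precondition — the attacker must be able to manipulate the module config file — as an afterthought ("But, … though.") two sentences after the text has already framed the issue as reachable by any authenticated user, so a reader skimming the advisory comes away with the wrong severity picture. Folding the two statements into one, e.g. `Exploitation requires an authenticated user who can also manipulate the module config file (local file access to the Alchemy project, or to the source on a remote server).`, keeps every stated fact and drops the redundant "But"/"though" pair. The two-line plain scalar under `title:` is valid YAML (it folds to a single line with one space), but a quoted string or a `>-` block makes that folding explicit for the next editor.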
diff --git a/rubies/mruby/CVE-2021-46020.yml b/rubies/mruby/CVE-2021-46020.yml
new file mode 100644
index 0000000000..80520c992d
--- /dev/null
+++ b/rubies/mruby/CVE-2021-46020.yml
@@ -0,0 +1,34 @@
+---
+engine: mruby
+cve: 2021-46020
+ghsa: f639-3h6h-vr46
+url: https://github.com/advisories/GHSA-f639-3h6h-vr46
+title: An untrusted pointer dereference in mrb_vm_exec() of mruby 3.0.0
+date: 2022-01-14
+description: |
+ An untrusted pointer dereference in mrb_vm_exec() of mruby v3.0.0
+ can lead to a segmentation fault or application crash.
+
+ ## PATCH INFO
+
+ - Mruby #5613 described the issue and Matz cited #5619 and #5620
+ as "been addressed" on 2/16/2022.
+ - Found the #5619 commit on 12/31/2021 in 3.1.0-rc release.
+ - Found the #5620 commit on 1/02/2022 in 3.1.0-rc release.
+ - 3.1.0-rc was released on 1/17/2022.
+cvss_v2: 5.0
+cvss_v3: 7.3
+patched_versions:
+ - ">= 3.1.0-rc"
+related:
+ url:
+ - https://github.com/advisories/GHSA-f639-3h6h-vr46
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-46020
+ - https://mruby.org/releases/2022/03/12/mruby-3.1.0-released.html
+ - https://github.com/mruby/mruby/blob/master/doc/mruby3.1.md
+ - https://github.com/mruby/mruby/issues/5613
+ - https://github.com/mruby/mruby/pull/5619
+ - https://github.com/mruby/mruby/pull/5619/commits/a137ef12f981b517f1e6b64e39edc7ac15d7e1eb
+ - https://github.com/mruby/mruby/pull/5620
+ - https://github.com/mruby/mruby/pull/5620/commits/d3b7601af96c9e0eeba4c89359289661c755a74a
+ - https://github.com/mruby/mruby/commit/7f40b645d2773c8f50c48ae4adf90488e164da55
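Review bot: The `## PATCH INFO` notes inside `description` give dates in month/day form (`2/16/2022`, `12/31/2021`, `1/02/2022`, `1/17/2022`) while the `date:` field in the same file is ISO 8601, which is both inconsistent and ambiguous for non-US readers; writing them as `2022-02-16`, `2021-12-31`, `2022-01-02` and `2022-01-17` resolves both. The `patched_versions` entry `">= 3.1.0-rc"` presumably depends on the version comparison treating the hyphenated `3.1.0-rc` as a pre-release of 3.1.0 — worth confirming against the repository's version-matching tests, since the linked release page is for the final 3.1.0 rather than the rc. The clause `Matz cited #5619 and #5620 as "been addressed"` would read more cleanly as `Matz cited #5619 and #5620 as having addressed it`.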