Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 035dff3a0de5 · 2025-08-29T22:08:06.000Z
GHSA-876g-49r6-33qj GHSA-g5qg-72qw-gw5v GHSA-876g-49r6-33qj
diff --git a/advisories/github-reviewed/2025/08/GHSA-876g-49r6-33qj/GHSA-876g-49r6-33qj.json b/advisories/github-reviewed/2025/08/GHSA-876g-49r6-33qj/GHSA-876g-49r6-33qj.json
@@ -0,0 +1,85 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-876g-49r6-33qj",
+  "modified": "2025-08-29T22:07:28Z",
+  "published": "2025-08-29T21:32:02Z",
+  "aliases": [
+    "CVE-2025-43773"
+  ],
+  "summary": "Liferay Portal allows improper access through the expandoTableLocalService",
+  "details": "Liferay Portal  7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 has a security vulnerability that allowing for improper access through the expandoTableLocalService.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "com.liferay:com.liferay.portal.workflow.kaleo.runtime.impl"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.0.93"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43773"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/liferay/liferay-portal/commit/1cbc4b615c270ce986b7fa1835ed196a11ac3234"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/liferay/liferay-portal/commit/58849cc83348af289944c874301e16e039ae4270"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/liferay/liferay-portal/commit/8eacaaa1e3552648a3e4a0975731641087d186af"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/liferay/liferay-portal/commit/9f56b195aec5c1c904242206d61f3fe412701941"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/liferay/liferay-portal/commit/f33cda648a9082567d7de06c27ba9d3583ee8ff5"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/liferay/liferay-portal"
+    },
+    {
+      "type": "WEB",
+      "url": "https://liferay.atlassian.net/browse/LPE-18262"
+    },
+    {
+      "type": "WEB",
+      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43773"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-08-29T22:07:28Z",
+    "nvd_published_at": "2025-08-29T19:15:37Z"
+  }
+}
diff --git a/advisories/github-reviewed/2025/08/GHSA-g5qg-72qw-gw5v/GHSA-g5qg-72qw-gw5v.json b/advisories/github-reviewed/2025/08/GHSA-g5qg-72qw-gw5v/GHSA-g5qg-72qw-gw5v.json
@@ -0,0 +1,91 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g5qg-72qw-gw5v",
+  "modified": "2025-08-29T22:06:22Z",
+  "published": "2025-08-29T22:06:22Z",
+  "aliases": [
+    "CVE-2025-57752"
+  ],
+  "summary": "Next.js Affected by Cache Key Confusion for Image Optimization API Routes",
+  "details": "A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as `Cookie` or `Authorization`), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.\n\nAll users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.\n\nMore details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-57752)",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "next"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "14.2.31"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "next"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "15.0.0"
+            },
+            {
+              "fixed": "15.4.5"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 15.4.4"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vercel/next.js/pull/82114"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/vercel/next.js"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vercel.com/changelog/cve-2025-57752"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-524"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-08-29T22:06:22Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/unreviewed/2025/08/GHSA-876g-49r6-33qj/GHSA-876g-49r6-33qj.json b/advisories/unreviewed/2025/08/GHSA-876g-49r6-33qj/GHSA-876g-49r6-33qj.json
