From 7c9e1f48dfe9ef67ff57cc5a372a22182f6032b7 Mon Sep 17 00:00:00 2001 From: Valentin Lobstein Date: Thu, 20 Nov 2025 00:16:03 +0100 Subject: [PATCH 01/15] Add GHSA reference type support for GitHub Security Advisories --- .../Module-Reference-Identifiers.md | 1 + lib/msf/core/module/reference.rb | 4 ++++ tools/dev/msftidy.rb | 7 +++++++ tools/modules/module_missing_reference.rb | 1 + tools/modules/module_reference.rb | 1 + 5 files changed, 14 insertions(+) diff --git a/docs/metasploit-framework.wiki/Module-Reference-Identifiers.md b/docs/metasploit-framework.wiki/Module-Reference-Identifiers.md index 238404a79a5bc..e89e85121db9b 100644 --- a/docs/metasploit-framework.wiki/Module-Reference-Identifiers.md +++ b/docs/metasploit-framework.wiki/Module-Reference-Identifiers.md @@ -18,6 +18,7 @@ US-CERT-VU | kb.cert.org | ```['US-CERT-VU', '800113']``` ZDI | zerodayinitiative.com | ```['ZDI', '10-123']``` WPVDB | wpvulndb.com | ```['WPVDB', '7615']``` PACKETSTORM | packetstormsecurity.com | ```['PACKETSTORM', '132721']``` +GHSA | github.com/advisories | ```['GHSA', 'xxxx-xxxx-xxxx']``` URL | anything | ```['URL', 'http://example.com/blog.php?id=123']``` AKA (_deprecated_*) | anything | ~~`['AKA', 'shellshock']`~~ diff --git a/lib/msf/core/module/reference.rb b/lib/msf/core/module/reference.rb index ff894bc95d29e..a3029dbb1f430 100644 --- a/lib/msf/core/module/reference.rb +++ b/lib/msf/core/module/reference.rb @@ -114,6 +114,10 @@ def initialize(in_ctx_id = 'Unknown', in_ctx_val = '') self.site = "https://wpscan.com/vulnerability/#{in_ctx_val}" elsif in_ctx_id == 'PACKETSTORM' self.site = "https://packetstormsecurity.com/files/#{in_ctx_val}" + elsif in_ctx_id == 'GHSA' + # Handle both formats: with or without GHSA- prefix + ghsa_id = in_ctx_val.start_with?('GHSA-') ? in_ctx_val : "GHSA-#{in_ctx_val}" + self.site = "https://github.com/advisories/#{ghsa_id}" elsif in_ctx_id == 'URL' self.site = in_ctx_val.to_s elsif in_ctx_id == 'LOGO' 
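Review bot: In the new `GHSA` branch of `initialize` in lib/msf/core/module/reference.rb, `in_ctx_val.start_with?('GHSA-')` is case-sensitive, while the msftidy check added in this same patch accepts the prefix case-insensitively (`/i`). A value such as `ghsa-xxxx-xxxx-xxxx` would pass the lint and still be rendered as `https://github.com/advisories/GHSA-ghsa-…`. The call also raises `NoMethodError` when the value is not a String, which the neighbouring branches avoid by interpolating or calling `.to_s`. Normalising once, e.g. `ghsa_id = "GHSA-#{in_ctx_val.to_s.sub(/\AGHSA-/i, '')}"`, keeps the generated link in step with what the lint allows. The body of `initialize` starts and ends outside this hunk.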
diff --git a/tools/dev/msftidy.rb b/tools/dev/msftidy.rb
index fca228e8c8421..d58cc3d8f3b61 100755
--- a/tools/dev/msftidy.rb
+++ b/tools/dev/msftidy.rb
@@ -270,6 +270,11 @@ def check_ref_identifiers
 warn("Invalid WPVDB reference") if value !~ /^\d+$/ and value !~ /^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}?$/
 when 'PACKETSTORM'
 warn("Invalid PACKETSTORM reference") if value !~ /^\d+$/
+ when 'GHSA'
+ # Allow both formats: with or without GHSA- prefix
+ # Format: GHSA-xxxx-xxxx-xxxx or xxxx-xxxx-xxxx (where xxxx is 4 alphanumeric chars)
+ ghsa_pattern = /^(?:GHSA-)?[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}$/i
+ warn("Invalid GHSA reference") if value !~ ghsa_pattern
 when 'URL'
 if value =~ /^https?:\/\/cvedetails\.com\/cve/
 warn("Please use 'CVE' for '#{value}'")
@@ -289,6 +294,8 @@ def check_ref_identifiers
 warn("Please use 'WPVDB' for '#{value}'")
 elsif value =~ /^https?:\/\/(?:[^\.]+\.)?packetstormsecurity\.(?:com|net|org)\//
 warn("Please use 'PACKETSTORM' for '#{value}'")
+ elsif value =~ /^https?:\/\/github\.com\/(?:advisories|[\w\-]+\/[\w\-]+\/security\/advisories)\/GHSA-/
+ warn("Please use 'GHSA' for '#{value}'")
 end
 when 'AKA'
 warn("Please include AKA values in the 'notes' section, rather than in 'references'.")
diff --git a/tools/modules/module_missing_reference.rb b/tools/modules/module_missing_reference.rb
index 5e03e03a01056..41befa0dd8c2c 100644
--- a/tools/modules/module_missing_reference.rb
+++ b/tools/modules/module_missing_reference.rb
@@ -24,6 +24,7 @@ def types
 'ZDI',
 'WPVDB',
 'PACKETSTORM',
+ 'GHSA',
 'URL'
 ]
 end
diff --git a/tools/modules/module_reference.rb b/tools/modules/module_reference.rb
index 5f4a39d73f330..f4068e017ed8b 100755
--- a/tools/modules/module_reference.rb
+++ b/tools/modules/module_reference.rb
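Review bot: `ghsa_pattern` in the new `when 'GHSA'` branch of tools/dev/msftidy.rb is anchored with `^` and `$`, which in Ruby match at line boundaries, so a value containing a newline passes as long as one of its lines looks like an advisory id. `\A` and `\z` anchor the whole string: `ghsa_pattern = /\A(?:GHSA-)?[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}\z/i`. The neighbouring checks in `check_ref_identifiers` use the same `^…$` style, so this follows the file's habit, but the value is interpolated into a URL by reference.rb and is worth validating strictly. The method starts and ends outside the hunk.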
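Review bot: The repository part of the new GitHub URL check in the `when 'URL'` chain, `[\w\-]+\/[\w\-]+`, does not allow a dot, so an advisory link under a repository such as `eclipse/jetty.project` (one of the URLs converted by hand in patch 02 of this series) is not flagged with "Please use 'GHSA'". GitHub repository names may contain `.`, so the character class should include it, e.g. `[\w.\-]+\/[\w.\-]+`. The `elsif` chain this line joins starts above the hunk.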
@@ -34,6 +34,7 @@ def types
 'ZDI' => 'http://www.zerodayinitiative.com/advisories/ZDI-#{in_ctx_val}',
 'WPVDB' => 'https://wpscan.com/vulnerability/#{in_ctx_val}',
 'PACKETSTORM' => 'https://packetstormsecurity.com/files/#{in_ctx_val}',
+ 'GHSA' => 'https://github.com/advisories/#{in_ctx_val}',
 'URL' => '#{in_ctx_val}'
 }
 end
From 753468a13a60a60b11900d4dfa7f33b09f51a0c3 Mon Sep 17 00:00:00 2001
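Review bot: The `GHSA` template added to `types` in tools/modules/module_reference.rb is `https://github.com/advisories/#{in_ctx_val}` with no `GHSA-` prefix. lib/msf/core/module/reference.rb in this same patch prepends `GHSA-` when the value lacks it, and the modules converted in the next patch store the short form (`['GHSA', '5cm9-6p3m-v259']`). If the template is expanded with the raw reference value, as the `ZDI-#{in_ctx_val}` entry above it suggests, the tool would build `https://github.com/advisories/5cm9-6p3m-v259`, which is not the advisory's address. `'GHSA' => 'https://github.com/advisories/GHSA-#{in_ctx_val}',` matches the short form; values that already carry the prefix would need stripping where the template is applied, which is outside this hunk.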
From: Valentin Lobstein Date: Thu, 20 Nov 2025 00:42:58 +0100 Subject: [PATCH 02/15] Add GHSA reference support and convert 49 hardcoded GHSA URLs to structured format --- modules/auxiliary/admin/http/pihole_domains_api_exec.rb | 2 +- modules/auxiliary/gather/jetty_web_inf_disclosure.rb | 4 ++-- modules/auxiliary/gather/listmonk_env_disclosure.rb | 2 +- .../auxiliary/gather/minio_bootstrap_verify_info_disc.rb | 2 +- .../gather/mongodb_ops_manager_diagnostic_archive_info.rb | 2 +- modules/auxiliary/gather/onedev_arbitrary_file_read.rb | 2 +- .../gather/rancher_authenticated_api_cred_exposure.rb | 2 +- .../auxiliary/scanner/http/grafana_plugin_traversal.rb | 2 +- .../icinga_static_library_file_directory_traversal.rb | 2 +- .../scanner/misc/cups_browsed_info_disclosure.rb | 2 +- modules/exploits/linux/http/bentoml_rce_cve_2025_27520.rb | 2 +- .../http/bentoml_runner_server_rce_cve_2025_32375.rb | 2 +- .../linux/http/cacti_unauthenticated_cmd_injection.rb | 2 +- .../linux/http/craftcms_unauth_rce_cve_2023_41892.rb | 2 +- .../http/librenms_authenticated_rce_cve_2024_51092.rb | 2 +- .../linux/http/lucee_admin_imgprocess_file_write.rb | 2 +- modules/exploits/linux/http/opentsdb_key_cmd_injection.rb | 2 +- .../linux/http/pandora_itsm_auth_rce_cve_2025_4653.rb | 2 +- .../exploits/linux/http/pyload_js2py_cve_2024_39205.rb | 2 +- .../http/raspberrymatic_unauth_rce_cve_2024_24578.rb | 2 +- modules/exploits/linux/http/roxy_wi_exec.rb | 2 +- .../exploits/linux/http/sourcegraph_gitserver_sshcmd.rb | 2 +- modules/exploits/linux/http/traccar_rce_upload.rb | 4 ++-- .../exploits/linux/http/wazuh_auth_rce_cve_2025_24016.rb | 2 +- modules/exploits/linux/local/ndsudo_cve_2024_32019.rb | 2 +- .../exploits/linux/local/pihole_remove_commands_lpe.rb | 2 +- modules/exploits/linux/local/runc_cwd_priv_esc.rb | 2 +- .../linux/misc/asterisk_ami_originate_auth_rce.rb | 2 +- modules/exploits/multi/http/cacti_package_import_rce.rb | 2 +- modules/exploits/multi/http/cacti_pollers_sqli_rce.rb | 4 
++-- .../multi/http/geoserver_unauth_rce_cve_2024_36401.rb | 2 +- modules/exploits/multi/http/mybb_rce_cve_2022_24734.rb | 2 +- .../multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb | 2 +- .../exploits/multi/http/subrion_cms_file_upload_rce.rb | 2 +- modules/exploits/multi/http/torchserver_cve_2023_43654.rb | 4 ++-- .../multi/http/xwiki_unauth_rce_cve_2025_24893.rb | 2 +- .../exploits/multi/misc/cups_ipp_remote_code_execution.rb | 8 ++++---- .../exploits/multi/misc/vscode_ipynb_remote_dev_exec.rb | 2 +- modules/exploits/unix/http/raspap_rce.rb | 2 +- modules/exploits/unix/webapp/nextcloud_workflows_rce.rb | 2 +- modules/exploits/unix/webapp/zoneminder_snapshots.rb | 2 +- modules/post/linux/gather/rancher_audit_log_leak.rb | 2 +- 42 files changed, 49 insertions(+), 49 deletions(-) diff --git a/modules/auxiliary/admin/http/pihole_domains_api_exec.rb b/modules/auxiliary/admin/http/pihole_domains_api_exec.rb index ba310788685e4..ce2f2c103f003 100644 --- a/modules/auxiliary/admin/http/pihole_domains_api_exec.rb +++ b/modules/auxiliary/admin/http/pihole_domains_api_exec.rb @@ -26,7 +26,7 @@ def initialize(info = {}) 'SchneiderSec' # original PoC, discovery ], 'References' => [ - ['URL', 'https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-5cm9-6p3m-v259'], + ['GHSA', '5cm9-6p3m-v259'], ['CVE', '2021-32706'] ], 'Targets' => [ diff --git a/modules/auxiliary/gather/jetty_web_inf_disclosure.rb b/modules/auxiliary/gather/jetty_web_inf_disclosure.rb index 41e1a5c1d2645..36ee20fc42bb5 100644 --- a/modules/auxiliary/gather/jetty_web_inf_disclosure.rb +++ b/modules/auxiliary/gather/jetty_web_inf_disclosure.rb 
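Review bot: The reference removed in pihole_domains_api_exec.rb pointed at a repository-scoped advisory (`github.com/pi-hole/AdminLTE/security/advisories/GHSA-5cm9-6p3m-v259`), while `['GHSA', '5cm9-6p3m-v259']` is rendered by reference.rb from patch 01 as `https://github.com/advisories/GHSA-…`, the global advisory database. A repository advisory is not necessarily published under the same id in the global database, so the new link may not resolve, and the module no longer records which repository is affected. The same applies to the other repository-scoped URLs converted in this patch (for example the `eclipse/jetty.project`, `h00die-gr3y/h00die-gr3y` and `google/security-research` advisories). Each converted id is worth checking against the global database, or the repository slug could be kept alongside the id.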
@@ -31,8 +31,8 @@ def initialize(info = {}) [ 'EDB', '50438' ], [ 'EDB', '50478' ], [ 'URL', 'https://github.com/ColdFusionX/CVE-2021-34429' ], - [ 'URL', 'https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm' ], # CVE-2021-34429 - [ 'URL', 'https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5' ], # CVE-2021-28164 + [ 'GHSA', 'vjv5-gp2w-65vm' ], # CVE-2021-34429 + [ 'GHSA', 'v7ff-8wcx-gmc5' ], # CVE-2021-28164 [ 'CVE', '2021-34429' ], [ 'CVE', '2021-28164' ] ], diff --git a/modules/auxiliary/gather/listmonk_env_disclosure.rb b/modules/auxiliary/gather/listmonk_env_disclosure.rb index 12042c5ad73a6..c51e8338d6507 100644 --- a/modules/auxiliary/gather/listmonk_env_disclosure.rb +++ b/modules/auxiliary/gather/listmonk_env_disclosure.rb @@ -21,7 +21,7 @@ def initialize(info = {}) 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2025-49136'], - ['URL', 'https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h'] + ['GHSA', 'jc7g-x28f-3v3h'] ], 'DisclosureDate' => '2025-06-08', 'Notes' => { diff --git a/modules/auxiliary/gather/minio_bootstrap_verify_info_disc.rb b/modules/auxiliary/gather/minio_bootstrap_verify_info_disc.rb index b091612efbfd7..fb837aab54c8d 100644 --- a/modules/auxiliary/gather/minio_bootstrap_verify_info_disc.rb +++ b/modules/auxiliary/gather/minio_bootstrap_verify_info_disc.rb @@ -24,7 +24,7 @@ def initialize(info = {}) 'RicterZ' # original PoC, analysis ], 'References' => [ - [ 'URL', 'https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q'], + [ 'GHSA', '6xvq-wj2x-3h3q' ], [ 'CVE', '2023-28432'] ], 'Targets' => [ diff --git a/modules/auxiliary/gather/mongodb_ops_manager_diagnostic_archive_info.rb b/modules/auxiliary/gather/mongodb_ops_manager_diagnostic_archive_info.rb index a3ec7a5a339bf..3121488f3d8d9 100644 --- a/modules/auxiliary/gather/mongodb_ops_manager_diagnostic_archive_info.rb 
+++ b/modules/auxiliary/gather/mongodb_ops_manager_diagnostic_archive_info.rb @@ -33,7 +33,7 @@ def initialize(info = {}) 'h00die', # msf module ], 'References' => [ - [ 'URL', 'https://github.com/advisories/GHSA-xqvf-v5jg-pxc2'], + [ 'GHSA', 'xqvf-v5jg-pxc2' ], [ 'URL', 'https://www.mongodb.com/docs/ops-manager/current/reference/configuration/#mongodb-setting-mms.https.PEMKeyFilePassword'], [ 'CVE', '2023-0342'] ], diff --git a/modules/auxiliary/gather/onedev_arbitrary_file_read.rb b/modules/auxiliary/gather/onedev_arbitrary_file_read.rb index 221efe4f7d3a6..eefe22cf42489 100644 --- a/modules/auxiliary/gather/onedev_arbitrary_file_read.rb +++ b/modules/auxiliary/gather/onedev_arbitrary_file_read.rb @@ -27,7 +27,7 @@ def initialize(info = {}) 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2024-45309'], - ['URL', 'https://github.com/theonedev/onedev/security/advisories/GHSA-7wg5-6864-v489'] + ['GHSA', '7wg5-6864-v489'] ], 'DisclosureDate' => '2024-10-19', 'Notes' => { diff --git a/modules/auxiliary/gather/rancher_authenticated_api_cred_exposure.rb b/modules/auxiliary/gather/rancher_authenticated_api_cred_exposure.rb index 79f11dfb4e799..e8585223c02e1 100644 --- a/modules/auxiliary/gather/rancher_authenticated_api_cred_exposure.rb +++ b/modules/auxiliary/gather/rancher_authenticated_api_cred_exposure.rb @@ -27,7 +27,7 @@ def initialize(info = {}) 'Marco Stuurman' # discovery ], 'References' => [ - [ 'URL', 'https://github.com/advisories/GHSA-g7j7-h4q8-8w2f'], + [ 'GHSA', 'g7j7-h4q8-8w2f' ], [ 'URL', 'https://github.com/fe-ax/tf-cve-2021-36782'], [ 'URL', 'https://fe.ax/cve-2021-36782/'], [ 'CVE', '2021-36782'] diff --git a/modules/auxiliary/scanner/http/grafana_plugin_traversal.rb b/modules/auxiliary/scanner/http/grafana_plugin_traversal.rb index b3a444fd9d9aa..2be44f9cf873c 100644 --- a/modules/auxiliary/scanner/http/grafana_plugin_traversal.rb +++ b/modules/auxiliary/scanner/http/grafana_plugin_traversal.rb 
@@ -29,7 +29,7 @@ def initialize(info = {}) 'DisclosureDate' => '2021-12-02', 'References' => [ ['CVE', '2021-43798'], - ['URL', 'https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p'], + ['GHSA', '8pjx-jj86-j47p'], ['URL', 'https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/'], ['EDB', '50581'], ['URL', 'https://github.com/jas502n/Grafana-CVE-2021-43798'], diff --git a/modules/auxiliary/scanner/http/icinga_static_library_file_directory_traversal.rb b/modules/auxiliary/scanner/http/icinga_static_library_file_directory_traversal.rb index ae5e0a32b5405..ae2bac0cd38fc 100644 --- a/modules/auxiliary/scanner/http/icinga_static_library_file_directory_traversal.rb +++ b/modules/auxiliary/scanner/http/icinga_static_library_file_directory_traversal.rb @@ -38,7 +38,7 @@ def initialize(info = {}) 'References' => [ ['EDB', '51329'], ['URL', 'https://www.sonarsource.com/blog/path-traversal-vulnerabilities-in-icinga-web/'], - ['URL', 'https://github.com/Icinga/icingaweb2/security/advisories/GHSA-5p3f-rh28-8frw'], + ['GHSA', '5p3f-rh28-8frw'], ['URL', 'https://github.com/Icinga/icingaweb2/commit/9931ed799650f5b8d5e1dc58ea3415a4cdc5773d'], ['CVE', '2022-24716'], ], diff --git a/modules/auxiliary/scanner/misc/cups_browsed_info_disclosure.rb b/modules/auxiliary/scanner/misc/cups_browsed_info_disclosure.rb index f3c65c1643701..61db41bdcdc33 100644 --- a/modules/auxiliary/scanner/misc/cups_browsed_info_disclosure.rb +++ b/modules/auxiliary/scanner/misc/cups_browsed_info_disclosure.rb @@ -21,7 +21,7 @@ def initialize 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2024-47176'], - ['URL', 'https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8' ], + ['GHSA', 'rj88-6mr5-rcw8'], ['URL', 'https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/' ], ], 'DefaultOptions' => { 'RPORT' => 631 }, 
diff --git a/modules/exploits/linux/http/bentoml_rce_cve_2025_27520.rb b/modules/exploits/linux/http/bentoml_rce_cve_2025_27520.rb index ff6d518b7189c..71e5d2ccf17f6 100644 --- a/modules/exploits/linux/http/bentoml_rce_cve_2025_27520.rb +++ b/modules/exploits/linux/http/bentoml_rce_cve_2025_27520.rb @@ -25,7 +25,7 @@ def initialize(info = {}) 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2025-27520'], - ['URL', 'https://github.com/advisories/GHSA-33xw-247w-6hmc'], + ['GHSA', '33xw-247w-6hmc'] ], 'Targets' => [ [ diff --git a/modules/exploits/linux/http/bentoml_runner_server_rce_cve_2025_32375.rb b/modules/exploits/linux/http/bentoml_runner_server_rce_cve_2025_32375.rb index da5604e4577a1..c83c87d998dfc 100644 --- a/modules/exploits/linux/http/bentoml_runner_server_rce_cve_2025_32375.rb +++ b/modules/exploits/linux/http/bentoml_runner_server_rce_cve_2025_32375.rb @@ -26,7 +26,7 @@ def initialize(info = {}) 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2025-32375'], - ['URL', 'https://github.com/advisories/GHSA-7v4r-c989-xh26'], + ['GHSA', '7v4r-c989-xh26'] ], 'Targets' => [ [ diff --git a/modules/exploits/linux/http/cacti_unauthenticated_cmd_injection.rb b/modules/exploits/linux/http/cacti_unauthenticated_cmd_injection.rb index e64388e199d22..b740b2c105def 100644 --- a/modules/exploits/linux/http/cacti_unauthenticated_cmd_injection.rb +++ b/modules/exploits/linux/http/cacti_unauthenticated_cmd_injection.rb @@ -52,7 +52,7 @@ def initialize(info = {}) ], 'References' => [ ['CVE', '2022-46169'], - ['URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf'], # disclosure and technical details + ['GHSA', '6p93-p743-35gf'], # disclosure and technical details ['URL', 'https://github.com/vulhub/vulhub/tree/master/cacti/CVE-2022-46169'], # vulhub vulnerable docker image and PoC ['URL', 'https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution'] # analysis by Stefan Schiller ], 
diff --git a/modules/exploits/linux/http/craftcms_unauth_rce_cve_2023_41892.rb b/modules/exploits/linux/http/craftcms_unauth_rce_cve_2023_41892.rb index f2e47c6d15ef2..b47081c82f396 100644 --- a/modules/exploits/linux/http/craftcms_unauth_rce_cve_2023_41892.rb +++ b/modules/exploits/linux/http/craftcms_unauth_rce_cve_2023_41892.rb @@ -43,7 +43,7 @@ def initialize(info = {}) [ 'CVE', '2023-41892' ], [ 'URL', 'https://blog.calif.io/p/craftcms-rce' ], [ 'URL', 'https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/' ], - [ 'URL', 'https://github.com/advisories/GHSA-4w8r-3xrw-v25g' ], + [ 'GHSA', '4w8r-3xrw-v25g' ], [ 'URL', 'https://attackerkb.com/topics/2u7OaYlv1M/cve-2023-41892' ], ], 'License' => MSF_LICENSE, diff --git a/modules/exploits/linux/http/librenms_authenticated_rce_cve_2024_51092.rb b/modules/exploits/linux/http/librenms_authenticated_rce_cve_2024_51092.rb index 76e8288a5e287..92d28cd265499 100644 --- a/modules/exploits/linux/http/librenms_authenticated_rce_cve_2024_51092.rb +++ b/modules/exploits/linux/http/librenms_authenticated_rce_cve_2024_51092.rb @@ -28,7 +28,7 @@ def initialize(info = {}) 'Takahiro Yokoyama' # Metasploit module ], 'References' => [ - [ 'URL', 'https://github.com/advisories/GHSA-x645-6pf9-xwxw'], + [ 'GHSA', 'x645-6pf9-xwxw' ], [ 'CVE', '2024-51092'] ], 'Platform' => %w[linux], diff --git a/modules/exploits/linux/http/lucee_admin_imgprocess_file_write.rb b/modules/exploits/linux/http/lucee_admin_imgprocess_file_write.rb index 7e395fb48730f..2c8d7a6b95138 100644 --- a/modules/exploits/linux/http/lucee_admin_imgprocess_file_write.rb +++ b/modules/exploits/linux/http/lucee_admin_imgprocess_file_write.rb 
@@ -29,7 +29,7 @@ def initialize(info = {}) 'References' => [ ['CVE', '2021-21307'], ['URL', 'https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020-cve-2021-21307/7643'], - ['URL', 'https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r'], + ['GHSA', '2xvv-723c-8p7r'], ['URL', 'https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md'] ], 'DisclosureDate' => '2021-01-15', # rootxharsh and iamnoooob's writeup diff --git a/modules/exploits/linux/http/opentsdb_key_cmd_injection.rb b/modules/exploits/linux/http/opentsdb_key_cmd_injection.rb index 58b82fa884d05..efbd94092f15e 100644 --- a/modules/exploits/linux/http/opentsdb_key_cmd_injection.rb +++ b/modules/exploits/linux/http/opentsdb_key_cmd_injection.rb @@ -40,7 +40,7 @@ def initialize(info = {}) 'Erik Wynter' # @wyntererik - Metasploit ], 'References' => [ - ['URL', 'https://github.com/OpenTSDB/opentsdb/security/advisories/GHSA-76f7-9v52-v2fw'], # security advisory + ['GHSA', '76f7-9v52-v2fw'], # security advisory ['CVE', '2023-36812'], # CVE linked in the official security advisory ['CVE', '2023-25826'] # CVE that seems to be a dupe of CVE-2023-36812 since it describes the same issue and references the PR that introduces the commits that are referenced in CVE-2023-36812 ], diff --git a/modules/exploits/linux/http/pandora_itsm_auth_rce_cve_2025_4653.rb b/modules/exploits/linux/http/pandora_itsm_auth_rce_cve_2025_4653.rb index 68506d482e091..7810f4af69d83 100644 --- a/modules/exploits/linux/http/pandora_itsm_auth_rce_cve_2025_4653.rb +++ b/modules/exploits/linux/http/pandora_itsm_auth_rce_cve_2025_4653.rb 
@@ -42,7 +42,7 @@ def initialize(info = {}) 'References' => [ ['CVE', '2025-4653'], ['URL', 'https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/'], - ['URL', 'https://github.com/h00die-gr3y/h00die-gr3y/security/advisories/GHSA-m4f8-9c8x-8f3f'], + ['GHSA', 'm4f8-9c8x-8f3f'], ['URL', 'https://attackerkb.com/topics/wgCb1QQm1t/cve-2025-4653'] ], 'License' => MSF_LICENSE, diff --git a/modules/exploits/linux/http/pyload_js2py_cve_2024_39205.rb b/modules/exploits/linux/http/pyload_js2py_cve_2024_39205.rb index fbc26239bb5e7..4f26ab7c12c07 100644 --- a/modules/exploits/linux/http/pyload_js2py_cve_2024_39205.rb +++ b/modules/exploits/linux/http/pyload_js2py_cve_2024_39205.rb @@ -40,7 +40,7 @@ def initialize(info = {}) [ 'CVE', '2024-39205' ], [ 'CVE', '2024-28397' ], [ 'URL', 'https://github.com/Marven11/CVE-2024-39205-Pyload-RCE' ], - [ 'URL', 'https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g' ], + [ 'GHSA', 'w7hq-f2pj-c53g' ], [ 'URL', 'https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape' ], ], 'DisclosureDate' => '2024-10-28', diff --git a/modules/exploits/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.rb b/modules/exploits/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.rb index 7c97ea98db4f0..913a2d8239551 100644 --- a/modules/exploits/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.rb +++ b/modules/exploits/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.rb @@ -37,7 +37,7 @@ def initialize(info = {}) 'References' => [ ['CVE', '2024-24578'], ['URL', 'https://attackerkb.com/topics/ywHhBnSObR/cve-2024-24578'], - ['URL', 'https://github.com/jens-maus/RaspberryMatic/security/advisories/GHSA-q967-q4j8-637h'] + ['GHSA', 'q967-q4j8-637h'] ], 'DisclosureDate' => '2024-03-16', 'Platform' => ['unix', 'linux'], diff --git a/modules/exploits/linux/http/roxy_wi_exec.rb b/modules/exploits/linux/http/roxy_wi_exec.rb index 481d639cac4ec..43bb2fa474ebb 100644 --- a/modules/exploits/linux/http/roxy_wi_exec.rb 
+++ b/modules/exploits/linux/http/roxy_wi_exec.rb @@ -28,7 +28,7 @@ def initialize(info = {}) ], 'References' => [ ['URL', 'https://pentest.blog/advisory-roxywi-unauthenticated-remote-code-execution-cve-2022-3113/'], # Advisory - ['URL', 'https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-53r2-mq99-f532'], # Additional Information + ['GHSA', '53r2-mq99-f532'], # Additional Information ['URL', 'https://github.com/hap-wi/roxy-wi/commit/82666df1e60c45dd6aa533b01a392f015d32f755'], # Patch ['CVE', '2022-31137'] ], diff --git a/modules/exploits/linux/http/sourcegraph_gitserver_sshcmd.rb b/modules/exploits/linux/http/sourcegraph_gitserver_sshcmd.rb index 94fa00a1cb48b..0410a4661c52e 100644 --- a/modules/exploits/linux/http/sourcegraph_gitserver_sshcmd.rb +++ b/modules/exploits/linux/http/sourcegraph_gitserver_sshcmd.rb @@ -29,7 +29,7 @@ def initialize(info = {}) ], 'References' => [ ['CVE', '2022-23642'], - ['URL', 'http://web.archive.org/web/20230705082819/https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-qcmp-fx72-q8q9'], + ['GHSA', 'qcmp-fx72-q8q9'], ['URL', 'https://github.com/Altelus1/CVE-2022-23642'], ], 'DisclosureDate' => '2022-02-18', # Public disclosure diff --git a/modules/exploits/linux/http/traccar_rce_upload.rb b/modules/exploits/linux/http/traccar_rce_upload.rb index d4c4da4e6d4fe..04eeecf3e6fa9 100644 --- a/modules/exploits/linux/http/traccar_rce_upload.rb +++ b/modules/exploits/linux/http/traccar_rce_upload.rb @@ -22,8 +22,8 @@ def initialize(info = {}) 'Naveen Sunkavally' # Discovery CVE-2024-31214 and PoC ], 'References' => [ - [ 'URL', 'https://github.com/traccar/traccar/security/advisories/GHSA-vhrw-72f6-gwp5'], - [ 'URL', 'https://github.com/traccar/traccar/security/advisories/GHSA-3gxq-f2qj-c8v9'], + [ 'GHSA', 'vhrw-72f6-gwp5' ], + [ 'GHSA', '3gxq-f2qj-c8v9' ], [ 'URL', 'https://www.horizon3.ai/attack-research/disclosures/traccar-5-remote-code-execution-vulnerabilities/'], [ 'CVE', '2024-31214'], [ 'CVE', '2024-24809'] 
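Review bot: In sourcegraph_gitserver_sshcmd.rb the removed reference was a web.archive.org snapshot of the advisory rather than the live GitHub page, which suggests the original page was not reachable when the module was last edited. `['GHSA', 'qcmp-fx72-q8q9']` now resolves to `github.com/advisories/GHSA-qcmp-fx72-q8q9`; if that page does not exist, the module loses its only working advisory link. Keeping the archived entry next to the new one, `['URL', 'http://web.archive.org/web/20230705082819/https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-qcmp-fx72-q8q9'],`, preserves it.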
diff --git a/modules/exploits/linux/http/wazuh_auth_rce_cve_2025_24016.rb b/modules/exploits/linux/http/wazuh_auth_rce_cve_2025_24016.rb index 61854e380a030..443635646ea5a 100644 --- a/modules/exploits/linux/http/wazuh_auth_rce_cve_2025_24016.rb +++ b/modules/exploits/linux/http/wazuh_auth_rce_cve_2025_24016.rb @@ -30,7 +30,7 @@ def initialize(info = {}) ], 'References' => [ ['CVE', '2025-24016'], - ['URL', 'https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh'], + ['GHSA', 'hcrc-79hj-m3qh', 'wazuh/wazuh'], ['URL', 'https://attackerkb.com/topics/piW0q4r5Uy/cve-2025-24016'], ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES] ], diff --git a/modules/exploits/linux/local/ndsudo_cve_2024_32019.rb b/modules/exploits/linux/local/ndsudo_cve_2024_32019.rb index e84c3847e2fb7..2d84f63de90ae 100644 --- a/modules/exploits/linux/local/ndsudo_cve_2024_32019.rb +++ b/modules/exploits/linux/local/ndsudo_cve_2024_32019.rb @@ -32,7 +32,7 @@ def initialize(info = {}) 'Targets' => [[ 'Auto', {} ]], 'Privileged' => true, 'References' => [ - [ 'URL', 'https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93'], + [ 'GHSA', 'pmhq-4cxq-wj93' ], [ 'CVE', '2024-32019'] ], 'DisclosureDate' => '2024-04-12', diff --git a/modules/exploits/linux/local/pihole_remove_commands_lpe.rb b/modules/exploits/linux/local/pihole_remove_commands_lpe.rb index 5b7713227371f..a178795e47a7a 100644 --- a/modules/exploits/linux/local/pihole_remove_commands_lpe.rb +++ b/modules/exploits/linux/local/pihole_remove_commands_lpe.rb @@ -42,7 +42,7 @@ def initialize(info = {}) }, 'Privileged' => true, 'References' => [ - [ 'URL', 'https://github.com/pi-hole/pi-hole/security/advisories/GHSA-3597-244c-wrpj' ], + [ 'GHSA', '3597-244c-wrpj' ], [ 'URL', 'https://www.compass-security.com/fileadmin/Research/Advisories/2021-02_CSNC-2021-008_Pi-hole_Privilege_Escalation.txt' ], [ 'CVE', '2021-29449' ] ], 
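Review bot: `['GHSA', 'hcrc-79hj-m3qh', 'wazuh/wazuh']` in wazuh_auth_rce_cve_2025_24016.rb is the only reference in this patch with a third element, and the `initialize(in_ctx_id = 'Unknown', in_ctx_val = '')` shown in the reference.rb hunk of patch 01 takes only an id and a value. Unless the array-to-reference conversion, which is not visible here, passes the extra element on, the repository slug is presumably dropped or rejected. Either use the two-element form like the other converted modules, `['GHSA', 'hcrc-79hj-m3qh'],`, or add the repository parameter to reference.rb and msftidy earlier in the series, before a module relies on it.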
diff --git a/modules/exploits/linux/local/runc_cwd_priv_esc.rb b/modules/exploits/linux/local/runc_cwd_priv_esc.rb index 2077fc7c2bd40..30e163e83903b 100644 --- a/modules/exploits/linux/local/runc_cwd_priv_esc.rb +++ b/modules/exploits/linux/local/runc_cwd_priv_esc.rb @@ -42,7 +42,7 @@ def initialize(info = {}) 'Privileged' => true, 'References' => [ [ 'URL', 'https://snyk.io/blog/cve-2024-21626-runc-process-cwd-container-breakout/'], - [ 'URL', 'https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv'], + [ 'GHSA', 'xr7r-f8xq-vfvv' ], [ 'URL', 'https://security-tracker.debian.org/tracker/CVE-2024-21626'], [ 'URL', 'http://web.archive.org/web/20241006225740/https://ubuntu.com/security/CVE-2024-21626'], [ 'CVE', '2024-21626'] diff --git a/modules/exploits/linux/misc/asterisk_ami_originate_auth_rce.rb b/modules/exploits/linux/misc/asterisk_ami_originate_auth_rce.rb index 29f4a13ef37c5..8aecbe0907e59 100644 --- a/modules/exploits/linux/misc/asterisk_ami_originate_auth_rce.rb +++ b/modules/exploits/linux/misc/asterisk_ami_originate_auth_rce.rb @@ -29,7 +29,7 @@ def initialize(info = {}) 'NielsGaljaard' # discovery ], 'References' => [ - ['URL', 'https://github.com/asterisk/asterisk/security/advisories/GHSA-c4cg-9275-6w44'], + ['GHSA', 'c4cg-9275-6w44'], ['CVE', '2024-42365'] ], 'Platform' => 'unix', diff --git a/modules/exploits/multi/http/cacti_package_import_rce.rb b/modules/exploits/multi/http/cacti_package_import_rce.rb index 7cd025b7c885e..0475d7d597ff8 100644 --- a/modules/exploits/multi/http/cacti_package_import_rce.rb +++ b/modules/exploits/multi/http/cacti_package_import_rce.rb @@ -36,7 +36,7 @@ def initialize(info = {}) ], 'References' => [ [ 'URL', 'https://karmainsecurity.com/KIS-2024-04'], - [ 'URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88'], + [ 'GHSA', '7cmj-g5qc-pj88' ], [ 'CVE', '2024-25641'] ], 'Platform' => ['unix linux win'], 
diff --git a/modules/exploits/multi/http/cacti_pollers_sqli_rce.rb b/modules/exploits/multi/http/cacti_pollers_sqli_rce.rb index fae3c0001558e..1a8069c229c69 100644 --- a/modules/exploits/multi/http/cacti_pollers_sqli_rce.rb +++ b/modules/exploits/multi/http/cacti_pollers_sqli_rce.rb @@ -38,8 +38,8 @@ def initialize(info = {}) 'Christophe De La Fuente' # Metasploit module ], 'References' => [ - [ 'URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855'], # SQLi - [ 'URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp'], # LFI (RCE) + [ 'GHSA', 'vr3c-38wh-g855' ], # SQLi + [ 'GHSA', 'pfh9-gwm6-86vp' ], # LFI (RCE) [ 'CVE', '2023-49085'], # SQLi [ 'CVE', '2023-49084'] # LFI (RCE) ], diff --git a/modules/exploits/multi/http/geoserver_unauth_rce_cve_2024_36401.rb b/modules/exploits/multi/http/geoserver_unauth_rce_cve_2024_36401.rb index dfc2f0561e2b8..4c508240baec2 100644 --- a/modules/exploits/multi/http/geoserver_unauth_rce_cve_2024_36401.rb +++ b/modules/exploits/multi/http/geoserver_unauth_rce_cve_2024_36401.rb @@ -35,7 +35,7 @@ def initialize(info = {}) ], 'References' => [ ['CVE', '2024-36401'], - ['URL', 'https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv'], + ['GHSA', '6jj6-gm7p-fcvv'], ['URL', 'https://github.com/vulhub/vulhub/tree/master/geoserver/CVE-2024-36401'], ['URL', 'https://attackerkb.com/topics/W6IDY2mmp9/cve-2024-36401'], ['URL', 'https://github.com/Chocapikk/CVE-2024-36401'] diff --git a/modules/exploits/multi/http/mybb_rce_cve_2022_24734.rb b/modules/exploits/multi/http/mybb_rce_cve_2022_24734.rb index a5b721c3c34b4..ed8d3f246845e 100644 --- a/modules/exploits/multi/http/mybb_rce_cve_2022_24734.rb +++ b/modules/exploits/multi/http/mybb_rce_cve_2022_24734.rb 
@@ -38,7 +38,7 @@ def initialize(info = {}) 'Christophe De La Fuente' # MSF module ], 'References' => [ - [ 'URL', 'https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f'], + [ 'GHSA', '876v-gwgh-w57f' ], [ 'URL', 'https://www.zerodayinitiative.com/advisories/ZDI-22-503/'], [ 'URL', 'https://github.com/Altelus1/CVE-2022-24734'], [ 'CVE', '2022-24734'] diff --git a/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb b/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb index 131d479c8477f..7f60882f4a249 100644 --- a/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb +++ b/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb @@ -35,7 +35,7 @@ def initialize(info = {}) ['CVE', '2023-32315'], ['URL', 'https://attackerkb.com/topics/7Tf5YGY3oT/cve-2023-32315'], ['URL', 'https://github.com/miko550/CVE-2023-32315'], - ['URL', 'https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm'] + ['GHSA', 'gw42-f939-fhvm'] ], 'License' => MSF_LICENSE, 'Platform' => [ 'java' ], diff --git a/modules/exploits/multi/http/subrion_cms_file_upload_rce.rb b/modules/exploits/multi/http/subrion_cms_file_upload_rce.rb index d8468427fd750..19a4df4f43bc4 100644 --- a/modules/exploits/multi/http/subrion_cms_file_upload_rce.rb +++ b/modules/exploits/multi/http/subrion_cms_file_upload_rce.rb @@ -37,7 +37,7 @@ def initialize(info = {}) [ 'CVE', '2018-19422' ], [ 'URL', 'https://github.com/intelliants/subrion/issues/801' ], [ 'URL', 'https://github.com/intelliants/subrion/issues/840' ], - [ 'URL', 'https://github.com/advisories/GHSA-73xj-v6gc-g5p5' ] + [ 'GHSA', '73xj-v6gc-g5p5' ] ], 'Platform' => 'php', 'Arch' => ARCH_PHP, diff --git a/modules/exploits/multi/http/torchserver_cve_2023_43654.rb b/modules/exploits/multi/http/torchserver_cve_2023_43654.rb index 1024ae5d64f44..9be3b197e92b4 100644 --- a/modules/exploits/multi/http/torchserver_cve_2023_43654.rb 
+++ b/modules/exploits/multi/http/torchserver_cve_2023_43654.rb @@ -34,9 +34,9 @@ def initialize(_info = {}) 'References' => [ [ 'URL', 'https://www.oligo.security/blog/shelltorch-torchserve-ssrf-vulnerability-cve-2023-43654' ], [ 'CVE', '2023-43654' ], # model registration SSRF - [ 'URL', 'https://github.com/pytorch/serve/security/advisories/GHSA-8fxr-qfr9-p34w' ], + [ 'GHSA', '8fxr-qfr9-p34w' ], [ 'CVE', '2022-1471' ], # snakeyaml deserialization RCE - [ 'URL', 'https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2' ], + [ 'GHSA', 'mjmj-j48q-9wg2' ], [ 'URL', 'https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in' ], [ 'URL', 'https://swapneildash.medium.com/snakeyaml-deserilization-exploited-b4a2c5ac0858' ] ], diff --git a/modules/exploits/multi/http/xwiki_unauth_rce_cve_2025_24893.rb b/modules/exploits/multi/http/xwiki_unauth_rce_cve_2025_24893.rb index a38cf14201860..568b0727e81f1 100644 --- a/modules/exploits/multi/http/xwiki_unauth_rce_cve_2025_24893.rb +++ b/modules/exploits/multi/http/xwiki_unauth_rce_cve_2025_24893.rb @@ -32,7 +32,7 @@ def initialize(info = {}) ], 'References' => [ ['CVE', '2025-24893'], - ['URL', 'https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j'] + ['GHSA', 'rr6p-3pfg-562j'] ], 'Platform' => ['unix', 'linux', 'win'], 'Arch' => [ARCH_CMD], diff --git a/modules/exploits/multi/misc/cups_ipp_remote_code_execution.rb b/modules/exploits/multi/misc/cups_ipp_remote_code_execution.rb index 90013c72fa9bf..9b3880f566b84 100644 --- a/modules/exploits/multi/misc/cups_ipp_remote_code_execution.rb +++ b/modules/exploits/multi/misc/cups_ipp_remote_code_execution.rb 
@@ -134,13 +134,13 @@ def initialize(info = {}) # The public exploit this module was inspired by ['URL', 'https://github.com/RickdeJager/cupshax'], # The cups-browsed GitHub security advisory - ['URL', 'https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8'], + ['GHSA', 'rj88-6mr5-rcw8'], # The libcupsfilters GitHub security advisory - ['URL', 'https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5'], + ['GHSA', 'w63j-6g73-wmg5'], # The libppd GitHub security advisory - ['URL', 'https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6'], + ['GHSA', '7xfx-47qg-grp6'], # The cups-filters GitHub security advisory - ['URL', 'https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47'], + ['GHSA', 'p9rh-jxmq-gq47'], # The IPP server implementation this module is based on ['URL', 'https://github.com/h2g2bob/ipp-server/'] ], diff --git a/modules/exploits/multi/misc/vscode_ipynb_remote_dev_exec.rb b/modules/exploits/multi/misc/vscode_ipynb_remote_dev_exec.rb index 1430e31373210..cd8075c7b4133 100644 --- a/modules/exploits/multi/misc/vscode_ipynb_remote_dev_exec.rb +++ b/modules/exploits/multi/misc/vscode_ipynb_remote_dev_exec.rb @@ -31,7 +31,7 @@ def initialize(info = {}) 'Zemnmez' ], 'References' => [ - ['URL', 'https://github.com/google/security-research/security/advisories/GHSA-pw56-c55x-cm9m'], + ['GHSA', 'pw56-c55x-cm9m'], ['CVE', '2022-41034'], ['URL', 'https://github.com/andyhsu024/CVE-2022-41034'] ], diff --git a/modules/exploits/unix/http/raspap_rce.rb b/modules/exploits/unix/http/raspap_rce.rb index b7154f9cce3c4..f316d949484c0 100644 --- a/modules/exploits/unix/http/raspap_rce.rb +++ b/modules/exploits/unix/http/raspap_rce.rb 
@@ -32,7 +32,7 @@ def initialize(info = {}) 'References' => [ ['CVE', '2022-39986'], ['URL', 'https://medium.com/@ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2'], - ['URL', 'https://github.com/advisories/GHSA-7c28-wg7r-pg6f'] + ['GHSA', '7c28-wg7r-pg6f'] ], 'Platform' => ['unix', 'linux'], 'Privileged' => false, diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb index ac96580ed0aa1..0caa74ce8a751 100644 --- a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb +++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb @@ -30,7 +30,7 @@ def initialize(info = {}) 'whotwagner' # Metasploit Module ], 'References' => [ - ['URL', 'https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h3c9-cmh8-7qpj'], + ['GHSA', 'h3c9-cmh8-7qpj'], ['CVE', '2023-26482'] ], 'Platform' => %w[linux unix], diff --git a/modules/exploits/unix/webapp/zoneminder_snapshots.rb b/modules/exploits/unix/webapp/zoneminder_snapshots.rb index e88250e695fab..11c223f286b30 100644 --- a/modules/exploits/unix/webapp/zoneminder_snapshots.rb +++ b/modules/exploits/unix/webapp/zoneminder_snapshots.rb @@ -29,7 +29,7 @@ def initialize(info = {}) ], 'References' => [ [ 'CVE', '2023-26035' ], - [ 'URL', 'https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-72rg-h4vf-29gr'] + [ 'GHSA', '72rg-h4vf-29gr' ] ], 'Privileged' => false, 'Platform' => ['linux', 'unix'], diff --git a/modules/post/linux/gather/rancher_audit_log_leak.rb b/modules/post/linux/gather/rancher_audit_log_leak.rb index 98151b5c99afb..06b9972f24f62 100644 --- a/modules/post/linux/gather/rancher_audit_log_leak.rb +++ b/modules/post/linux/gather/rancher_audit_log_leak.rb 
@@ -27,7 +27,7 @@ def initialize(info = {}) 'Platform' => ['linux', 'unix'], 'SessionTypes' => ['shell', 'meterpreter'], 'References' => [ - [ 'URL', 'https://github.com/rancher/rancher/security/advisories/GHSA-xfj7-qf8w-2gcr'], + [ 'GHSA', 'xfj7-qf8w-2gcr' ], [ 'URL', 'https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log#api-audit-log-options'], [ 'CVE', '2023-22649'] ], From 31c4301886b39ed8c0e652ffd826435ad6443e0d Mon Sep 17 00:00:00 2001 From: Valentin Lobstein Date: Thu, 20 Nov 2025 01:07:38 +0100 Subject: [PATCH 03/15] Add support for 3-parameter GHSA references with optional repo, fix 21 modules with correct repo-specific URLs --- .../Module-Reference-Identifiers.md | 2 +- lib/msf/core/module/module_info.rb | 4 ++-- lib/msf/core/module/reference.rb | 19 +++++++++++++++---- .../admin/http/pihole_domains_api_exec.rb | 2 +- .../minio_bootstrap_verify_info_disc.rb | 2 +- .../gather/onedev_arbitrary_file_read.rb | 2 +- ...static_library_file_directory_traversal.rb | 2 +- .../misc/cups_browsed_info_disclosure.rb | 2 +- .../cacti_unauthenticated_cmd_injection.rb | 2 +- .../http/lucee_admin_imgprocess_file_write.rb | 2 +- .../pandora_itsm_auth_rce_cve_2025_4653.rb | 2 +- ...aspberrymatic_unauth_rce_cve_2024_24578.rb | 2 +- modules/exploits/linux/http/roxy_wi_exec.rb | 2 +- .../exploits/linux/http/traccar_rce_upload.rb | 4 ++-- .../linux/local/ndsudo_cve_2024_32019.rb | 2 +- .../linux/local/pihole_remove_commands_lpe.rb | 2 +- .../misc/asterisk_ami_originate_auth_rce.rb | 2 +- .../multi/http/cacti_package_import_rce.rb | 2 +- .../multi/http/cacti_pollers_sqli_rce.rb | 4 ++-- .../multi/http/mybb_rce_cve_2022_24734.rb | 2 +- .../misc/cups_ipp_remote_code_execution.rb | 8 ++++---- .../misc/vscode_ipynb_remote_dev_exec.rb | 2 +- .../unix/webapp/nextcloud_workflows_rce.rb | 2 +- .../unix/webapp/zoneminder_snapshots.rb | 2 +- tools/dev/msftidy.rb | 4 +++- 25 files changed, 47 insertions(+), 34 deletions(-) 
diff --git a/docs/metasploit-framework.wiki/Module-Reference-Identifiers.md b/docs/metasploit-framework.wiki/Module-Reference-Identifiers.md index e89e85121db9b..1d00c73e95b54 100644 --- a/docs/metasploit-framework.wiki/Module-Reference-Identifiers.md +++ b/docs/metasploit-framework.wiki/Module-Reference-Identifiers.md @@ -18,7 +18,7 @@ US-CERT-VU | kb.cert.org | ```['US-CERT-VU', '800113']``` ZDI | zerodayinitiative.com | ```['ZDI', '10-123']``` WPVDB | wpvulndb.com | ```['WPVDB', '7615']``` PACKETSTORM | packetstormsecurity.com | ```['PACKETSTORM', '132721']``` -GHSA | github.com/advisories | ```['GHSA', 'xxxx-xxxx-xxxx']``` +GHSA | github.com/advisories or github.com/owner/repo/security/advisories | ```['GHSA', 'xxxx-xxxx-xxxx']``` or ```['GHSA', 'xxxx-xxxx-xxxx', 'owner/repo']``` URL | anything | ```['URL', 'http://example.com/blog.php?id=123']``` AKA (_deprecated_*) | anything | ~~`['AKA', 'shellshock']`~~ diff --git a/lib/msf/core/module/module_info.rb b/lib/msf/core/module/module_info.rb index 5000dfa39e397..109a72c11f696 100644 --- a/lib/msf/core/module/module_info.rb +++ b/lib/msf/core/module/module_info.rb @@ -64,11 +64,11 @@ def notes # Register options with a specific owning class. # def info_fixups - # Each reference should be an array consisting of two elements + # Each reference should be an array consisting of two or three elements refs = module_info['References'] if(refs and not refs.empty?) refs.each_index do |i| - if !(refs[i].respond_to?('[]') and refs[i].length == 2) + if !(refs[i].respond_to?('[]') and (refs[i].length == 2 || refs[i].length == 3)) refs[i] = nil end end diff --git a/lib/msf/core/module/reference.rb b/lib/msf/core/module/reference.rb index a3029dbb1f430..f9115c4e085cd 100644 --- a/lib/msf/core/module/reference.rb +++ b/lib/msf/core/module/reference.rb 
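Review bot: The relaxed shape check in `info_fixups` (module_info.rb hunk) accepts a three-element array for every reference type, not only `GHSA`, so a `CVE` or `URL` entry with a stray third element now passes and the extra value is silently carried along. Restricting the longer form to the type that uses it keeps malformed metadata visible, for example `(refs[i].length == 2 || (refs[i].length == 3 && refs[i][0] == 'GHSA'))`. The body of `info_fixups` continues outside the hunk, so how a `nil` entry is handled afterwards is not visible here.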
@@ -77,11 +77,12 @@ def self.from_s(str) # # Initializes a site reference from an array. ary[0] is the site and # ary[1] is the site context identifier, such as CVE. + # ary[2] is optional and can be used for additional context (e.g., repo for GHSA) # def self.from_a(ary) return nil if (ary.length < 2) - self.new(ary[0], ary[1]) + self.new(ary[0], ary[1], ary[2]) end # @@ -90,9 +91,10 @@ def self.from_a(ary) # * tools/module_reference.rb # * https://docs.metasploit.com/docs/development/developing-modules/module-metadata/module-reference-identifiers.html # - def initialize(in_ctx_id = 'Unknown', in_ctx_val = '') + def initialize(in_ctx_id = 'Unknown', in_ctx_val = '', in_ctx_repo = nil) self.ctx_id = in_ctx_id self.ctx_val = in_ctx_val + self.ctx_repo = in_ctx_repo if in_ctx_id == 'CVE' self.site = "https://nvd.nist.gov/vuln/detail/CVE-#{in_ctx_val}" @@ -117,7 +119,12 @@ def initialize(in_ctx_id = 'Unknown', in_ctx_val = '') elsif in_ctx_id == 'GHSA' # Handle both formats: with or without GHSA- prefix ghsa_id = in_ctx_val.start_with?('GHSA-') ? in_ctx_val : "GHSA-#{in_ctx_val}" - self.site = "https://github.com/advisories/#{ghsa_id}" + # Use repo-specific URL if repo is provided, otherwise use global format + if in_ctx_repo && !in_ctx_repo.empty? + self.site = "https://github.com/#{in_ctx_repo}/security/advisories/#{ghsa_id}" + else + self.site = "https://github.com/advisories/#{ghsa_id}" + end elsif in_ctx_id == 'URL' self.site = in_ctx_val.to_s elsif in_ctx_id == 'LOGO' @@ -169,9 +176,13 @@ def from_s(str) # The context value of the reference, such as MS02-039 # attr_reader :ctx_val + # + # The context repository for GHSA references (optional) + # + attr_reader :ctx_repo protected - attr_writer :site, :ctx_id, :ctx_val + attr_writer :site, :ctx_id, :ctx_val, :ctx_repo end diff --git a/modules/auxiliary/admin/http/pihole_domains_api_exec.rb b/modules/auxiliary/admin/http/pihole_domains_api_exec.rb index ce2f2c103f003..7bcdbd10c4913 100644 
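Review bot: The prefix test `in_ctx_val.start_with?('GHSA-')` in the GHSA branch of `initialize` is case-sensitive, while the msftidy pattern shown elsewhere on this page is case-insensitive, so a value written as `ghsa-xxxx-xxxx-xxxx` passes the lint and is then turned into `GHSA-ghsa-xxxx-xxxx-xxxx`. Normalising once avoids that: `ghsa_id = "GHSA-#{in_ctx_val.to_s.sub(/\AGHSA-/i, '')}"`. In the same branch `in_ctx_repo` is interpolated into the URL path without any shape check, so a value containing extra slashes, `..`, `?` or `#` changes where the generated link points; a guard such as `in_ctx_repo.to_s.match?(%r{\A[\w.-]+/[\w.-]+\z})` before choosing the repository form would keep the link on the intended advisory page. The body of `initialize` starts and ends outside these hunks.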
--- a/modules/auxiliary/admin/http/pihole_domains_api_exec.rb +++ b/modules/auxiliary/admin/http/pihole_domains_api_exec.rb @@ -26,7 +26,7 @@ def initialize(info = {}) 'SchneiderSec' # original PoC, discovery ], 'References' => [ - ['GHSA', '5cm9-6p3m-v259'], + ['GHSA', '5cm9-6p3m-v259', 'pi-hole/AdminLTE'], ['CVE', '2021-32706'] ], 'Targets' => [ diff --git a/modules/auxiliary/gather/minio_bootstrap_verify_info_disc.rb b/modules/auxiliary/gather/minio_bootstrap_verify_info_disc.rb index fb837aab54c8d..baddb2a36e3d6 100644 --- a/modules/auxiliary/gather/minio_bootstrap_verify_info_disc.rb +++ b/modules/auxiliary/gather/minio_bootstrap_verify_info_disc.rb @@ -24,7 +24,7 @@ def initialize(info = {}) 'RicterZ' # original PoC, analysis ], 'References' => [ - [ 'GHSA', '6xvq-wj2x-3h3q' ], + ['GHSA', '6xvq-wj2x-3h3q', 'minio/minio'], [ 'CVE', '2023-28432'] ], 'Targets' => [ diff --git a/modules/auxiliary/gather/onedev_arbitrary_file_read.rb b/modules/auxiliary/gather/onedev_arbitrary_file_read.rb index eefe22cf42489..dfb632fd94111 100644 --- a/modules/auxiliary/gather/onedev_arbitrary_file_read.rb +++ b/modules/auxiliary/gather/onedev_arbitrary_file_read.rb @@ -27,7 +27,7 @@ def initialize(info = {}) 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2024-45309'], - ['GHSA', '7wg5-6864-v489'] + ['GHSA', '7wg5-6864-v489', 'theonedev/onedev'] ], 'DisclosureDate' => '2024-10-19', 'Notes' => { diff --git a/modules/auxiliary/scanner/http/icinga_static_library_file_directory_traversal.rb b/modules/auxiliary/scanner/http/icinga_static_library_file_directory_traversal.rb index ae2bac0cd38fc..f84161ac6bff1 100644 --- a/modules/auxiliary/scanner/http/icinga_static_library_file_directory_traversal.rb +++ b/modules/auxiliary/scanner/http/icinga_static_library_file_directory_traversal.rb 
@@ -38,7 +38,7 @@ def initialize(info = {}) 'References' => [ ['EDB', '51329'], ['URL', 'https://www.sonarsource.com/blog/path-traversal-vulnerabilities-in-icinga-web/'], - ['GHSA', '5p3f-rh28-8frw'], + ['GHSA', '5p3f-rh28-8frw', 'Icinga/icingaweb2'], ['URL', 'https://github.com/Icinga/icingaweb2/commit/9931ed799650f5b8d5e1dc58ea3415a4cdc5773d'], ['CVE', '2022-24716'], ], diff --git a/modules/auxiliary/scanner/misc/cups_browsed_info_disclosure.rb b/modules/auxiliary/scanner/misc/cups_browsed_info_disclosure.rb index 61db41bdcdc33..7c7272ee1e32c 100644 --- a/modules/auxiliary/scanner/misc/cups_browsed_info_disclosure.rb +++ b/modules/auxiliary/scanner/misc/cups_browsed_info_disclosure.rb @@ -21,7 +21,7 @@ def initialize 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2024-47176'], - ['GHSA', 'rj88-6mr5-rcw8'], + ['GHSA', 'rj88-6mr5-rcw8', 'OpenPrinting/cups-browsed'], ['URL', 'https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/' ], ], 'DefaultOptions' => { 'RPORT' => 631 }, diff --git a/modules/exploits/linux/http/cacti_unauthenticated_cmd_injection.rb b/modules/exploits/linux/http/cacti_unauthenticated_cmd_injection.rb index b740b2c105def..5d8f2b31527da 100644 --- a/modules/exploits/linux/http/cacti_unauthenticated_cmd_injection.rb +++ b/modules/exploits/linux/http/cacti_unauthenticated_cmd_injection.rb @@ -52,7 +52,7 @@ def initialize(info = {}) ], 'References' => [ ['CVE', '2022-46169'], - ['GHSA', '6p93-p743-35gf'], # disclosure and technical details + ['GHSA', '6p93-p743-35gf', 'Cacti/cacti'], # disclosure and technical details ['URL', 'https://github.com/vulhub/vulhub/tree/master/cacti/CVE-2022-46169'], # vulhub vulnerable docker image and PoC ['URL', 'https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution'] # analysis by Stefan Schiller ], 
diff --git a/modules/exploits/linux/http/lucee_admin_imgprocess_file_write.rb b/modules/exploits/linux/http/lucee_admin_imgprocess_file_write.rb index 2c8d7a6b95138..79eb3be3834b2 100644 --- a/modules/exploits/linux/http/lucee_admin_imgprocess_file_write.rb +++ b/modules/exploits/linux/http/lucee_admin_imgprocess_file_write.rb @@ -29,7 +29,7 @@ def initialize(info = {}) 'References' => [ ['CVE', '2021-21307'], ['URL', 'https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020-cve-2021-21307/7643'], - ['GHSA', '2xvv-723c-8p7r'], + ['GHSA', '2xvv-723c-8p7r', 'lucee/lucee'], ['URL', 'https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md'] ], 'DisclosureDate' => '2021-01-15', # rootxharsh and iamnoooob's writeup diff --git a/modules/exploits/linux/http/pandora_itsm_auth_rce_cve_2025_4653.rb b/modules/exploits/linux/http/pandora_itsm_auth_rce_cve_2025_4653.rb index 7810f4af69d83..ef8a7751931b5 100644 --- a/modules/exploits/linux/http/pandora_itsm_auth_rce_cve_2025_4653.rb +++ b/modules/exploits/linux/http/pandora_itsm_auth_rce_cve_2025_4653.rb @@ -42,7 +42,7 @@ def initialize(info = {}) 'References' => [ ['CVE', '2025-4653'], ['URL', 'https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/'], - ['GHSA', 'm4f8-9c8x-8f3f'], + ['GHSA', 'm4f8-9c8x-8f3f', 'h00die-gr3y/h00die-gr3y'], ['URL', 'https://attackerkb.com/topics/wgCb1QQm1t/cve-2025-4653'] ], 'License' => MSF_LICENSE, diff --git a/modules/exploits/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.rb b/modules/exploits/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.rb index 913a2d8239551..797f1a440a727 100644 --- a/modules/exploits/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.rb +++ b/modules/exploits/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.rb 
@@ -37,7 +37,7 @@ def initialize(info = {}) 'References' => [ ['CVE', '2024-24578'], ['URL', 'https://attackerkb.com/topics/ywHhBnSObR/cve-2024-24578'], - ['GHSA', 'q967-q4j8-637h'] + ['GHSA', 'q967-q4j8-637h', 'jens-maus/RaspberryMatic'] ], 'DisclosureDate' => '2024-03-16', 'Platform' => ['unix', 'linux'], diff --git a/modules/exploits/linux/http/roxy_wi_exec.rb b/modules/exploits/linux/http/roxy_wi_exec.rb index 43bb2fa474ebb..020471edfaa45 100644 --- a/modules/exploits/linux/http/roxy_wi_exec.rb +++ b/modules/exploits/linux/http/roxy_wi_exec.rb @@ -28,7 +28,7 @@ def initialize(info = {}) ], 'References' => [ ['URL', 'https://pentest.blog/advisory-roxywi-unauthenticated-remote-code-execution-cve-2022-3113/'], # Advisory - ['GHSA', '53r2-mq99-f532'], # Additional Information + ['GHSA', '53r2-mq99-f532', 'roxy-wi/roxy-wi'], # Additional Information ['URL', 'https://github.com/hap-wi/roxy-wi/commit/82666df1e60c45dd6aa533b01a392f015d32f755'], # Patch ['CVE', '2022-31137'] ], diff --git a/modules/exploits/linux/http/traccar_rce_upload.rb b/modules/exploits/linux/http/traccar_rce_upload.rb index 04eeecf3e6fa9..3ecdb76f14724 100644 --- a/modules/exploits/linux/http/traccar_rce_upload.rb +++ b/modules/exploits/linux/http/traccar_rce_upload.rb @@ -22,8 +22,8 @@ def initialize(info = {}) 'Naveen Sunkavally' # Discovery CVE-2024-31214 and PoC ], 'References' => [ - [ 'GHSA', 'vhrw-72f6-gwp5' ], - [ 'GHSA', '3gxq-f2qj-c8v9' ], + ['GHSA', 'vhrw-72f6-gwp5', 'traccar/traccar'], + ['GHSA', '3gxq-f2qj-c8v9', 'traccar/traccar'], [ 'URL', 'https://www.horizon3.ai/attack-research/disclosures/traccar-5-remote-code-execution-vulnerabilities/'], [ 'CVE', '2024-31214'], [ 'CVE', '2024-24809'] diff --git a/modules/exploits/linux/local/ndsudo_cve_2024_32019.rb b/modules/exploits/linux/local/ndsudo_cve_2024_32019.rb index 2d84f63de90ae..4df035547ab3b 100644 --- a/modules/exploits/linux/local/ndsudo_cve_2024_32019.rb +++ b/modules/exploits/linux/local/ndsudo_cve_2024_32019.rb 
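Review bot: In the roxy_wi_exec.rb hunk the new entry names `roxy-wi/roxy-wi` as the repository, while the patch URL on the next line of the same list uses the owner `hap-wi/roxy-wi`. The two may be the same project under a renamed owner, but the hunk does not show that, and the generated advisory link depends on the owner being the one that hosts the advisory. It is worth confirming that the `roxy-wi/roxy-wi` advisory address for `GHSA-53r2-mq99-f532` resolves, and adding a short trailing comment if the owners differ on purpose.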
@@ -32,7 +32,7 @@ def initialize(info = {}) 'Targets' => [[ 'Auto', {} ]], 'Privileged' => true, 'References' => [ - [ 'GHSA', 'pmhq-4cxq-wj93' ], + [ 'GHSA', 'pmhq-4cxq-wj93', 'netdata/netdata' ], [ 'CVE', '2024-32019'] ], 'DisclosureDate' => '2024-04-12', diff --git a/modules/exploits/linux/local/pihole_remove_commands_lpe.rb b/modules/exploits/linux/local/pihole_remove_commands_lpe.rb index a178795e47a7a..d64f3b1676f9a 100644 --- a/modules/exploits/linux/local/pihole_remove_commands_lpe.rb +++ b/modules/exploits/linux/local/pihole_remove_commands_lpe.rb @@ -42,7 +42,7 @@ def initialize(info = {}) }, 'Privileged' => true, 'References' => [ - [ 'GHSA', '3597-244c-wrpj' ], + ['GHSA', '3597-244c-wrpj', 'pi-hole/pi-hole'], [ 'URL', 'https://www.compass-security.com/fileadmin/Research/Advisories/2021-02_CSNC-2021-008_Pi-hole_Privilege_Escalation.txt' ], [ 'CVE', '2021-29449' ] ], diff --git a/modules/exploits/linux/misc/asterisk_ami_originate_auth_rce.rb b/modules/exploits/linux/misc/asterisk_ami_originate_auth_rce.rb index 8aecbe0907e59..9c94cf269ab10 100644 --- a/modules/exploits/linux/misc/asterisk_ami_originate_auth_rce.rb +++ b/modules/exploits/linux/misc/asterisk_ami_originate_auth_rce.rb @@ -29,7 +29,7 @@ def initialize(info = {}) 'NielsGaljaard' # discovery ], 'References' => [ - ['GHSA', 'c4cg-9275-6w44'], + ['GHSA', 'c4cg-9275-6w44', 'asterisk/asterisk'], ['CVE', '2024-42365'] ], 'Platform' => 'unix', diff --git a/modules/exploits/multi/http/cacti_package_import_rce.rb b/modules/exploits/multi/http/cacti_package_import_rce.rb index 0475d7d597ff8..7d4525a3e3a17 100644 --- a/modules/exploits/multi/http/cacti_package_import_rce.rb +++ b/modules/exploits/multi/http/cacti_package_import_rce.rb @@ -36,7 +36,7 @@ def initialize(info = {}) ], 'References' => [ [ 'URL', 'https://karmainsecurity.com/KIS-2024-04'], - [ 'GHSA', '7cmj-g5qc-pj88' ], + ['GHSA', '7cmj-g5qc-pj88', 'Cacti/cacti'], [ 'CVE', '2024-25641'] ], 'Platform' => ['unix linux win'], 
diff --git a/modules/exploits/multi/http/cacti_pollers_sqli_rce.rb b/modules/exploits/multi/http/cacti_pollers_sqli_rce.rb index 1a8069c229c69..2ccdedd13f1e0 100644 --- a/modules/exploits/multi/http/cacti_pollers_sqli_rce.rb +++ b/modules/exploits/multi/http/cacti_pollers_sqli_rce.rb @@ -38,8 +38,8 @@ def initialize(info = {}) 'Christophe De La Fuente' # Metasploit module ], 'References' => [ - [ 'GHSA', 'vr3c-38wh-g855' ], # SQLi - [ 'GHSA', 'pfh9-gwm6-86vp' ], # LFI (RCE) + ['GHSA', 'vr3c-38wh-g855', 'Cacti/cacti'], # SQLi + ['GHSA', 'pfh9-gwm6-86vp', 'Cacti/cacti'], # LFI (RCE) [ 'CVE', '2023-49085'], # SQLi [ 'CVE', '2023-49084'] # LFI (RCE) ], diff --git a/modules/exploits/multi/http/mybb_rce_cve_2022_24734.rb b/modules/exploits/multi/http/mybb_rce_cve_2022_24734.rb index ed8d3f246845e..5bdc6c505f29b 100644 --- a/modules/exploits/multi/http/mybb_rce_cve_2022_24734.rb +++ b/modules/exploits/multi/http/mybb_rce_cve_2022_24734.rb @@ -38,7 +38,7 @@ def initialize(info = {}) 'Christophe De La Fuente' # MSF module ], 'References' => [ - [ 'GHSA', '876v-gwgh-w57f' ], + ['GHSA', '876v-gwgh-w57f', 'mybb/mybb'], [ 'URL', 'https://www.zerodayinitiative.com/advisories/ZDI-22-503/'], [ 'URL', 'https://github.com/Altelus1/CVE-2022-24734'], [ 'CVE', '2022-24734'] diff --git a/modules/exploits/multi/misc/cups_ipp_remote_code_execution.rb b/modules/exploits/multi/misc/cups_ipp_remote_code_execution.rb index 9b3880f566b84..16fdd91f2be40 100644 --- a/modules/exploits/multi/misc/cups_ipp_remote_code_execution.rb +++ b/modules/exploits/multi/misc/cups_ipp_remote_code_execution.rb 
@@ -134,13 +134,13 @@ def initialize(info = {}) # The public exploit this module was inspired by ['URL', 'https://github.com/RickdeJager/cupshax'], # The cups-browsed GitHub security advisory - ['GHSA', 'rj88-6mr5-rcw8'], + ['GHSA', 'rj88-6mr5-rcw8', 'OpenPrinting/cups-browsed'], # The libcupsfilters GitHub security advisory - ['GHSA', 'w63j-6g73-wmg5'], + ['GHSA', 'w63j-6g73-wmg5', 'OpenPrinting/libcupsfilters'], # The libppd GitHub security advisory - ['GHSA', '7xfx-47qg-grp6'], + ['GHSA', '7xfx-47qg-grp6', 'OpenPrinting/libppd'], # The cups-filters GitHub security advisory - ['GHSA', 'p9rh-jxmq-gq47'], + ['GHSA', 'p9rh-jxmq-gq47', 'OpenPrinting/cups-filters'], # The IPP server implementation this module is based on ['URL', 'https://github.com/h2g2bob/ipp-server/'] ], diff --git a/modules/exploits/multi/misc/vscode_ipynb_remote_dev_exec.rb b/modules/exploits/multi/misc/vscode_ipynb_remote_dev_exec.rb index cd8075c7b4133..096129393932f 100644 --- a/modules/exploits/multi/misc/vscode_ipynb_remote_dev_exec.rb +++ b/modules/exploits/multi/misc/vscode_ipynb_remote_dev_exec.rb @@ -31,7 +31,7 @@ def initialize(info = {}) 'Zemnmez' ], 'References' => [ - ['GHSA', 'pw56-c55x-cm9m'], + ['GHSA', 'pw56-c55x-cm9m', 'google/security-research'], ['CVE', '2022-41034'], ['URL', 'https://github.com/andyhsu024/CVE-2022-41034'] ], diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb index 0caa74ce8a751..eedf461449925 100644 --- a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb +++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb @@ -30,7 +30,7 @@ def initialize(info = {}) 'whotwagner' # Metasploit Module ], 'References' => [ - ['GHSA', 'h3c9-cmh8-7qpj'], + ['GHSA', 'h3c9-cmh8-7qpj', 'nextcloud/security-advisories'], ['CVE', '2023-26482'] ], 'Platform' => %w[linux unix], 
diff --git a/modules/exploits/unix/webapp/zoneminder_snapshots.rb b/modules/exploits/unix/webapp/zoneminder_snapshots.rb index 11c223f286b30..e1c0b3b859023 100644 --- a/modules/exploits/unix/webapp/zoneminder_snapshots.rb +++ b/modules/exploits/unix/webapp/zoneminder_snapshots.rb @@ -29,7 +29,7 @@ def initialize(info = {}) ], 'References' => [ [ 'CVE', '2023-26035' ], - [ 'GHSA', '72rg-h4vf-29gr' ] + ['GHSA', '72rg-h4vf-29gr', 'ZoneMinder/zoneminder'] ], 'Privileged' => false, 'Platform' => ['linux', 'unix'], diff --git a/tools/dev/msftidy.rb b/tools/dev/msftidy.rb index d58cc3d8f3b61..50c31643b0c4a 100755 --- a/tools/dev/msftidy.rb +++ b/tools/dev/msftidy.rb @@ -246,9 +246,10 @@ def check_ref_identifiers in_refs = false elsif in_super and line =~ /["']Notes["'][[:space:]]*=>/ in_notes = true - elsif in_super and in_refs and line =~ /[^#]+\[[[:space:]]*['"](.+)['"][[:space:]]*,[[:space:]]*['"](.+)['"][[:space:]]*\]/ + elsif in_super and in_refs and line =~ /[^#]+\[[[:space:]]*['"](.+)['"][[:space:]]*,[[:space:]]*['"](.+)['"][[:space:]]*(?:,[[:space:]]*['"](.+)['"])?[[:space:]]*\]/ identifier = $1.strip.upcase value = $2.strip + repo = $3.strip if $3 case identifier when 'CVE' @@ -275,6 +276,7 @@ def check_ref_identifiers # Format: GHSA-xxxx-xxxx-xxxx or xxxx-xxxx-xxxx (where xxxx is 4 alphanumeric chars) ghsa_pattern = /^(?:GHSA-)?[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}$/i warn("Invalid GHSA reference") if value !~ ghsa_pattern + # No specific validation for repo format yet, as it's an optional string when 'URL' if value =~ /^https?:\/\/cvedetails\.com\/cve/ warn("Please use 'CVE' for '#{value}'") From fef8148067b35874b6cf2837687497e479a7b07a Mon Sep 17 00:00:00 2001 From: Valentin Lobstein Date: Thu, 20 Nov 2025 01:14:49 +0100 Subject: [PATCH 04/15] Add GHSA to valid reference types in module validator --- spec/module_validation_spec.rb | 6 +++--- spec/support/lib/module_validation.rb | 3 ++- 2 files changed, 5 insertions(+), 4 deletions(-) 
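Review bot: The extended pattern in `check_ref_identifiers` keeps the greedy `(.+)` captures, and with a three-element entry the first group appears to swallow the first two elements: for `['GHSA', '5cm9-6p3m-v259', 'pi-hole/AdminLTE']` the longest match leaves `identifier` as `GHSA', '5CM9-6P3M-V259` and `value` as the repository, so the `when 'GHSA'` branch is never reached and the ID is not validated. Replacing each `(.+)` with `([^'"]+)` keeps every capture inside its own quotes. The new `repo` local is assigned but never checked, although reference.rb interpolates it into a URL; a line such as `warn("Invalid GHSA repository") if repo && repo !~ %r{\A[\w.-]+/[\w.-]+\z}` in the GHSA branch would close that gap. `check_ref_identifiers` starts and ends outside these hunks.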
diff --git a/spec/module_validation_spec.rb b/spec/module_validation_spec.rb index 75d350d704a54..885e1a520ad42 100644 --- a/spec/module_validation_spec.rb +++ b/spec/module_validation_spec.rb @@ -125,11 +125,11 @@ it 'has errors' do expect(subject.errors.full_messages).to eq [ - "References url is not valid, must be in [\"ATT&CK\", \"CVE\", \"CWE\", \"BID\", \"MSB\", \"EDB\", \"US-CERT-VU\", \"ZDI\", \"URL\", \"WPVDB\", \"PACKETSTORM\", \"LOGO\", \"SOUNDTRACK\", \"OSVDB\", \"VTS\", \"OVE\"]", - "References FOO is not valid, must be in [\"ATT&CK\", \"CVE\", \"CWE\", \"BID\", \"MSB\", \"EDB\", \"US-CERT-VU\", \"ZDI\", \"URL\", \"WPVDB\", \"PACKETSTORM\", \"LOGO\", \"SOUNDTRACK\", \"OSVDB\", \"VTS\", \"OVE\"]", + "References url is not valid, must be in [\"ATT&CK\", \"CVE\", \"CWE\", \"BID\", \"MSB\", \"EDB\", \"GHSA\", \"US-CERT-VU\", \"ZDI\", \"URL\", \"WPVDB\", \"PACKETSTORM\", \"LOGO\", \"SOUNDTRACK\", \"OSVDB\", \"VTS\", \"OVE\"]", + "References FOO is not valid, must be in [\"ATT&CK\", \"CVE\", \"CWE\", \"BID\", \"MSB\", \"EDB\", \"GHSA\", \"US-CERT-VU\", \"ZDI\", \"URL\", \"WPVDB\", \"PACKETSTORM\", \"LOGO\", \"SOUNDTRACK\", \"OSVDB\", \"VTS\", \"OVE\"]", "References NOCVE please include NOCVE values in the 'notes' section, rather than in 'references'", "References AKA please include AKA values in the 'notes' section, rather than in 'references'", - "References ATTACK is not valid, must be in [\"ATT&CK\", \"CVE\", \"CWE\", \"BID\", \"MSB\", \"EDB\", \"US-CERT-VU\", \"ZDI\", \"URL\", \"WPVDB\", \"PACKETSTORM\", \"LOGO\", \"SOUNDTRACK\", \"OSVDB\", \"VTS\", \"OVE\"]" + "References ATTACK is not valid, must be in [\"ATT&CK\", \"CVE\", \"CWE\", \"BID\", \"MSB\", \"EDB\", \"GHSA\", \"US-CERT-VU\", \"ZDI\", \"URL\", \"WPVDB\", \"PACKETSTORM\", \"LOGO\", \"SOUNDTRACK\", \"OSVDB\", \"VTS\", \"OVE\"]" ] end end diff --git a/spec/support/lib/module_validation.rb b/spec/support/lib/module_validation.rb index 0e39ee4800867..be092c7b51835 100644 
--- a/spec/support/lib/module_validation.rb +++ b/spec/support/lib/module_validation.rb @@ -91,6 +91,7 @@ def initialize(mod) BID MSB EDB + GHSA US-CERT-VU ZDI URL @@ -126,7 +127,7 @@ def validate_filename_is_snake_case end def validate_reference_ctx_id - references_ctx_id_list = references.map(&:ctx_id) + references_ctx_id_list = references.select { |ref| ref.respond_to?(:ctx_id) }.map(&:ctx_id) invalid_references = references_ctx_id_list - VALID_REFERENCE_CTX_ID_VALUES invalid_references.each do |ref| From 8d811b71ad5bcef527573a900b2371238ae652f5 Mon Sep 17 00:00:00 2001 From: Valentin Lobstein Date: Thu, 20 Nov 2025 01:23:41 +0100 Subject: [PATCH 05/15] Fix reference handling for nested arrays and add string conversion safety --- lib/msf/core/module/reference.rb | 6 ++++++ modules/exploits/multi/persistence/periodic_script.rb | 8 +++----- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/lib/msf/core/module/reference.rb b/lib/msf/core/module/reference.rb index f9115c4e085cd..77bc311db60eb 100644 --- a/lib/msf/core/module/reference.rb +++ b/lib/msf/core/module/reference.rb @@ -81,6 +81,8 @@ def self.from_s(str) # def self.from_a(ary) return nil if (ary.length < 2) + # Reject if first element is an array (nested array structure) + return nil if ary[0].kind_of?(Array) self.new(ary[0], ary[1], ary[2]) end @@ -92,6 +94,10 @@ def self.from_a(ary) # * https://docs.metasploit.com/docs/development/developing-modules/module-metadata/module-reference-identifiers.html # def initialize(in_ctx_id = 'Unknown', in_ctx_val = '', in_ctx_repo = nil) + # Ensure ctx_id and ctx_val are strings, not arrays + in_ctx_id = in_ctx_id.to_s if in_ctx_id.respond_to?(:to_s) + in_ctx_val = in_ctx_val.to_s if in_ctx_val.respond_to?(:to_s) + self.ctx_id = in_ctx_id self.ctx_val = in_ctx_val self.ctx_repo = in_ctx_repo diff --git a/modules/exploits/multi/persistence/periodic_script.rb b/modules/exploits/multi/persistence/periodic_script.rb index 176806d987157..d370a9c2b0469 100644 
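Review bot: The filter `references.select { |ref| ref.respond_to?(:ctx_id) }` in `validate_reference_ctx_id` makes the validator skip malformed reference entries instead of reporting them, so a mistake like the nested array corrected in periodic_script.rb on this page would pass validation silently. A validator is the place to surface that; the rejected entries could be reported with the same error call the method already uses for invalid identifiers, along the lines of `references.reject { |ref| ref.respond_to?(:ctx_id) }.each { |ref| errors.add :references, "#{ref.inspect} is not a valid reference" }` (the exact error API is inferred from the spec messages and should be confirmed). The method body continues outside the hunk.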
--- a/modules/exploits/multi/persistence/periodic_script.rb +++ b/modules/exploits/multi/persistence/periodic_script.rb @@ -29,11 +29,9 @@ def initialize(info = {}) 'msutovsky-r7' ], 'References' => [ - [ - ['URL', 'https://taomm.org/vol1/pdfs/CH%202%20Persistence.pdf'], - ['URL', 'https://superuser.com/questions/391204/what-is-the-difference-between-periodic-and-cron-on-os-x/'], - ['ATT&CK', Mitre::Attack::Technique::T1053_SCHEDULED_TASK_JOB] - ] + ['URL', 'https://taomm.org/vol1/pdfs/CH%202%20Persistence.pdf'], + ['URL', 'https://superuser.com/questions/391204/what-is-the-difference-between-periodic-and-cron-on-os-x/'], + ['ATT&CK', Mitre::Attack::Technique::T1053_SCHEDULED_TASK_JOB] ], 'DisclosureDate' => '2012-04-01', 'Privileged' => true, From 962aa69b3d062798164838bc0da31e37058992e8 Mon Sep 17 00:00:00 2001 From: Valentin Lobstein Date: Thu, 20 Nov 2025 01:25:31 +0100 Subject: [PATCH 06/15] Improve string conversion safety in reference initialization --- lib/msf/core/module/reference.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/msf/core/module/reference.rb b/lib/msf/core/module/reference.rb index 77bc311db60eb..f8cc9bc2d68b6 100644 --- a/lib/msf/core/module/reference.rb +++ b/lib/msf/core/module/reference.rb @@ -94,9 +94,9 @@ def self.from_a(ary) # * https://docs.metasploit.com/docs/development/developing-modules/module-metadata/module-reference-identifiers.html # def initialize(in_ctx_id = 'Unknown', in_ctx_val = '', in_ctx_repo = nil) - # Ensure ctx_id and ctx_val are strings, not arrays - in_ctx_id = in_ctx_id.to_s if in_ctx_id.respond_to?(:to_s) - in_ctx_val = in_ctx_val.to_s if in_ctx_val.respond_to?(:to_s) + # Ensure ctx_id and ctx_val are strings (handle constants like ATT&CK techniques) + in_ctx_id = in_ctx_id.to_s if in_ctx_id.respond_to?(:to_s) && !in_ctx_id.is_a?(String) + in_ctx_val = in_ctx_val.to_s if in_ctx_val.respond_to?(:to_s) && !in_ctx_val.is_a?(String) self.ctx_id = in_ctx_id self.ctx_val = in_ctx_val 
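Review bot: The guard `in_ctx_id.respond_to?(:to_s) && !in_ctx_id.is_a?(String)` in `initialize` adds nothing over a plain conversion, because every ordinary Ruby object responds to `to_s` and `String#to_s` returns the receiver; `in_ctx_id = in_ctx_id.to_s` and `in_ctx_val = in_ctx_val.to_s` behave the same and read more clearly. `in_ctx_repo` gets no such normalisation even though the GHSA branch calls `empty?` on it and interpolates it into the URL, so a non-string third element would raise or produce an odd link; `in_ctx_repo = in_ctx_repo.to_s unless in_ctx_repo.nil?` would treat it consistently. The body of `initialize` continues outside the hunk.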
From 57f8f6a13ecfd97b6fbb0c91c483f45168aaa166 Mon Sep 17 00:00:00 2001 From: Valentin Lobstein Date: Thu, 20 Nov 2025 01:30:09 +0100 Subject: [PATCH 07/15] Update GHSA references to use repository-specific format --- modules/auxiliary/gather/jetty_web_inf_disclosure.rb | 4 ++-- modules/auxiliary/gather/listmonk_env_disclosure.rb | 2 +- modules/auxiliary/scanner/http/grafana_plugin_traversal.rb | 2 +- modules/exploits/linux/http/bentoml_rce_cve_2025_27520.rb | 2 +- .../linux/http/bentoml_runner_server_rce_cve_2025_32375.rb | 2 +- modules/exploits/linux/http/opentsdb_key_cmd_injection.rb | 2 +- modules/exploits/linux/http/sourcegraph_gitserver_sshcmd.rb | 2 +- .../multi/http/geoserver_unauth_rce_cve_2024_36401.rb | 2 +- .../multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb | 2 +- .../exploits/multi/http/xwiki_unauth_rce_cve_2025_24893.rb | 2 +- modules/exploits/unix/http/raspap_rce.rb | 2 +- 11 files changed, 12 insertions(+), 12 deletions(-) diff --git a/modules/auxiliary/gather/jetty_web_inf_disclosure.rb b/modules/auxiliary/gather/jetty_web_inf_disclosure.rb index 36ee20fc42bb5..61636cc37a54a 100644 --- a/modules/auxiliary/gather/jetty_web_inf_disclosure.rb +++ b/modules/auxiliary/gather/jetty_web_inf_disclosure.rb @@ -31,8 +31,8 @@ def initialize(info = {}) [ 'EDB', '50438' ], [ 'EDB', '50478' ], [ 'URL', 'https://github.com/ColdFusionX/CVE-2021-34429' ], - [ 'GHSA', 'vjv5-gp2w-65vm' ], # CVE-2021-34429 - [ 'GHSA', 'v7ff-8wcx-gmc5' ], # CVE-2021-28164 + [ 'GHSA', 'vjv5-gp2w-65vm', 'jetty/jetty.project' ], # CVE-2021-34429 + [ 'GHSA', 'v7ff-8wcx-gmc5', 'jetty/jetty.project' ], # CVE-2021-28164 [ 'CVE', '2021-34429' ], [ 'CVE', '2021-28164' ] ], diff --git a/modules/auxiliary/gather/listmonk_env_disclosure.rb b/modules/auxiliary/gather/listmonk_env_disclosure.rb index c51e8338d6507..379999aa0a582 100644 --- a/modules/auxiliary/gather/listmonk_env_disclosure.rb +++ b/modules/auxiliary/gather/listmonk_env_disclosure.rb 
@@ -21,7 +21,7 @@ def initialize(info = {}) 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2025-49136'], - ['GHSA', 'jc7g-x28f-3v3h'] + ['GHSA', 'jc7g-x28f-3v3h', 'knadh/listmonk'] ], 'DisclosureDate' => '2025-06-08', 'Notes' => { diff --git a/modules/auxiliary/scanner/http/grafana_plugin_traversal.rb b/modules/auxiliary/scanner/http/grafana_plugin_traversal.rb index 2be44f9cf873c..fc08d6ab937d2 100644 --- a/modules/auxiliary/scanner/http/grafana_plugin_traversal.rb +++ b/modules/auxiliary/scanner/http/grafana_plugin_traversal.rb @@ -29,7 +29,7 @@ def initialize(info = {}) 'DisclosureDate' => '2021-12-02', 'References' => [ ['CVE', '2021-43798'], - ['GHSA', '8pjx-jj86-j47p'], + ['GHSA', '8pjx-jj86-j47p', 'grafana/grafana'], ['URL', 'https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/'], ['EDB', '50581'], ['URL', 'https://github.com/jas502n/Grafana-CVE-2021-43798'], diff --git a/modules/exploits/linux/http/bentoml_rce_cve_2025_27520.rb b/modules/exploits/linux/http/bentoml_rce_cve_2025_27520.rb index 71e5d2ccf17f6..76d648a093ced 100644 --- a/modules/exploits/linux/http/bentoml_rce_cve_2025_27520.rb +++ b/modules/exploits/linux/http/bentoml_rce_cve_2025_27520.rb @@ -25,7 +25,7 @@ def initialize(info = {}) 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2025-27520'], - ['GHSA', '33xw-247w-6hmc'] + ['GHSA', '33xw-247w-6hmc', 'bentoml/BentoML'] ], 'Targets' => [ [ diff --git a/modules/exploits/linux/http/bentoml_runner_server_rce_cve_2025_32375.rb b/modules/exploits/linux/http/bentoml_runner_server_rce_cve_2025_32375.rb index c83c87d998dfc..d04a9b68373d2 100644 --- a/modules/exploits/linux/http/bentoml_runner_server_rce_cve_2025_32375.rb +++ b/modules/exploits/linux/http/bentoml_runner_server_rce_cve_2025_32375.rb 
@@ -26,7 +26,7 @@ def initialize(info = {}) 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2025-32375'], - ['GHSA', '7v4r-c989-xh26'] + ['GHSA', '7v4r-c989-xh26', 'bentoml/BentoML'] ], 'Targets' => [ [ diff --git a/modules/exploits/linux/http/opentsdb_key_cmd_injection.rb b/modules/exploits/linux/http/opentsdb_key_cmd_injection.rb index efbd94092f15e..648535fff30d4 100644 --- a/modules/exploits/linux/http/opentsdb_key_cmd_injection.rb +++ b/modules/exploits/linux/http/opentsdb_key_cmd_injection.rb @@ -40,7 +40,7 @@ def initialize(info = {}) 'Erik Wynter' # @wyntererik - Metasploit ], 'References' => [ - ['GHSA', '76f7-9v52-v2fw'], # security advisory + ['GHSA', '76f7-9v52-v2fw', 'OpenTSDB/opentsdb'], # security advisory ['CVE', '2023-36812'], # CVE linked in the official security advisory ['CVE', '2023-25826'] # CVE that seems to be a dupe of CVE-2023-36812 since it describes the same issue and references the PR that introduces the commits that are referenced in CVE-2023-36812 ], diff --git a/modules/exploits/linux/http/sourcegraph_gitserver_sshcmd.rb b/modules/exploits/linux/http/sourcegraph_gitserver_sshcmd.rb index 0410a4661c52e..f2cb9dd532fb6 100644 --- a/modules/exploits/linux/http/sourcegraph_gitserver_sshcmd.rb +++ b/modules/exploits/linux/http/sourcegraph_gitserver_sshcmd.rb @@ -29,7 +29,7 @@ def initialize(info = {}) ], 'References' => [ ['CVE', '2022-23642'], - ['GHSA', 'qcmp-fx72-q8q9'], + ['GHSA', 'qcmp-fx72-q8q9', 'sourcegraph/sourcegraph'], ['URL', 'https://github.com/Altelus1/CVE-2022-23642'], ], 'DisclosureDate' => '2022-02-18', # Public disclosure diff --git a/modules/exploits/multi/http/geoserver_unauth_rce_cve_2024_36401.rb b/modules/exploits/multi/http/geoserver_unauth_rce_cve_2024_36401.rb index 4c508240baec2..7478977e6c0cb 100644 --- a/modules/exploits/multi/http/geoserver_unauth_rce_cve_2024_36401.rb +++ b/modules/exploits/multi/http/geoserver_unauth_rce_cve_2024_36401.rb 
@@ -35,7 +35,7 @@ def initialize(info = {}) ], 'References' => [ ['CVE', '2024-36401'], - ['GHSA', '6jj6-gm7p-fcvv'], + ['GHSA', '6jj6-gm7p-fcvv', 'geotools/geotools'], ['URL', 'https://github.com/vulhub/vulhub/tree/master/geoserver/CVE-2024-36401'], ['URL', 'https://attackerkb.com/topics/W6IDY2mmp9/cve-2024-36401'], ['URL', 'https://github.com/Chocapikk/CVE-2024-36401'] diff --git a/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb b/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb index 7f60882f4a249..ff4436f58a825 100644 --- a/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb +++ b/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb @@ -35,7 +35,7 @@ def initialize(info = {}) ['CVE', '2023-32315'], ['URL', 'https://attackerkb.com/topics/7Tf5YGY3oT/cve-2023-32315'], ['URL', 'https://github.com/miko550/CVE-2023-32315'], - ['GHSA', 'gw42-f939-fhvm'] + ['GHSA', 'gw42-f939-fhvm', 'igniterealtime/Openfire'] ], 'License' => MSF_LICENSE, 'Platform' => [ 'java' ], diff --git a/modules/exploits/multi/http/xwiki_unauth_rce_cve_2025_24893.rb b/modules/exploits/multi/http/xwiki_unauth_rce_cve_2025_24893.rb index 568b0727e81f1..a1cd9f939ebbd 100644 --- a/modules/exploits/multi/http/xwiki_unauth_rce_cve_2025_24893.rb +++ b/modules/exploits/multi/http/xwiki_unauth_rce_cve_2025_24893.rb @@ -32,7 +32,7 @@ def initialize(info = {}) ], 'References' => [ ['CVE', '2025-24893'], - ['GHSA', 'rr6p-3pfg-562j'] + ['GHSA', 'rr6p-3pfg-562j', 'xwiki/xwiki-platform'] ], 'Platform' => ['unix', 'linux', 'win'], 'Arch' => [ARCH_CMD], diff --git a/modules/exploits/unix/http/raspap_rce.rb b/modules/exploits/unix/http/raspap_rce.rb index f316d949484c0..4e7f9f28b6c98 100644 --- a/modules/exploits/unix/http/raspap_rce.rb +++ b/modules/exploits/unix/http/raspap_rce.rb 
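Review bot: The repository added to the GHSA reference in geoserver_unauth_rce_cve_2024_36401.rb is `geotools/geotools`, while the module and its other references concern GeoServer, so the repository-specific advisory link built from this entry may not resolve. If the advisory was published under the GeoServer project, the entry should read `['GHSA', '6jj6-gm7p-fcvv', 'geoserver/geoserver'],`. None of the repository strings added in this commit are checked by the tooling shown in this series, so each generated link is worth opening once before merge.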
@@ -32,7 +32,7 @@ def initialize(info = {}) 'References' => [ ['CVE', '2022-39986'], ['URL', 'https://medium.com/@ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2'], - ['GHSA', '7c28-wg7r-pg6f'] + ['GHSA', '7c28-wg7r-pg6f', 'raspap/raspap'] ], 'Platform' => ['unix', 'linux'], 'Privileged' => false, From c04faa78334b6604865330977256e287f44807dc Mon Sep 17 00:00:00 2001 From: Valentin Lobstein Date: Thu, 20 Nov 2025 01:31:49 +0100 Subject: [PATCH 08/15] Update pyload GHSA to repository format and keep web archive URL for sourcegraph --- modules/exploits/linux/http/pyload_js2py_cve_2024_39205.rb | 2 +- modules/exploits/linux/http/sourcegraph_gitserver_sshcmd.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/linux/http/pyload_js2py_cve_2024_39205.rb b/modules/exploits/linux/http/pyload_js2py_cve_2024_39205.rb index 4f26ab7c12c07..f009f36410114 100644 --- a/modules/exploits/linux/http/pyload_js2py_cve_2024_39205.rb +++ b/modules/exploits/linux/http/pyload_js2py_cve_2024_39205.rb @@ -40,7 +40,7 @@ def initialize(info = {}) [ 'CVE', '2024-39205' ], [ 'CVE', '2024-28397' ], [ 'URL', 'https://github.com/Marven11/CVE-2024-39205-Pyload-RCE' ], - [ 'GHSA', 'w7hq-f2pj-c53g' ], + [ 'GHSA', 'w7hq-f2pj-c53g', 'pyload/pyload' ], [ 'URL', 'https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape' ], ], 'DisclosureDate' => '2024-10-28', diff --git a/modules/exploits/linux/http/sourcegraph_gitserver_sshcmd.rb b/modules/exploits/linux/http/sourcegraph_gitserver_sshcmd.rb index f2cb9dd532fb6..94fa00a1cb48b 100644 --- a/modules/exploits/linux/http/sourcegraph_gitserver_sshcmd.rb +++ b/modules/exploits/linux/http/sourcegraph_gitserver_sshcmd.rb 
@@ -29,7 +29,7 @@ def initialize(info = {}) ], 'References' => [ ['CVE', '2022-23642'], - ['GHSA', 'qcmp-fx72-q8q9', 'sourcegraph/sourcegraph'], + ['URL', 'http://web.archive.org/web/20230705082819/https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-qcmp-fx72-q8q9'], ['URL', 'https://github.com/Altelus1/CVE-2022-23642'], ], 'DisclosureDate' => '2022-02-18', # Public disclosure From 2200d6b520e3106887abd2821da5fee5f895b152 Mon Sep 17 00:00:00 2001 From: Valentin Lobstein Date: Thu, 20 Nov 2025 01:32:40 +0100 Subject: [PATCH 09/15] Update runc GHSA to repository-specific format --- modules/exploits/linux/local/runc_cwd_priv_esc.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/local/runc_cwd_priv_esc.rb b/modules/exploits/linux/local/runc_cwd_priv_esc.rb index 30e163e83903b..06e39ce940762 100644 --- a/modules/exploits/linux/local/runc_cwd_priv_esc.rb +++ b/modules/exploits/linux/local/runc_cwd_priv_esc.rb @@ -42,7 +42,7 @@ def initialize(info = {}) 'Privileged' => true, 'References' => [ [ 'URL', 'https://snyk.io/blog/cve-2024-21626-runc-process-cwd-container-breakout/'], - [ 'GHSA', 'xr7r-f8xq-vfvv' ], + [ 'GHSA', 'xr7r-f8xq-vfvv', 'opencontainers/runc' ], [ 'URL', 'https://security-tracker.debian.org/tracker/CVE-2024-21626'], [ 'URL', 'http://web.archive.org/web/20241006225740/https://ubuntu.com/security/CVE-2024-21626'], [ 'CVE', '2024-21626'] From a10cffd99acabe33d6cb02f0534ed4a2cfd20f20 Mon Sep 17 00:00:00 2001 From: Valentin Lobstein Date: Thu, 20 Nov 2025 03:34:25 +0100 Subject: [PATCH 10/15] Add OSV (Open Source Vulnerabilities) reference type support --- lib/msf/core/module/reference.rb | 2 ++ spec/module_validation_spec.rb | 6 +++--- spec/support/lib/module_validation.rb | 1 + tools/dev/msftidy.rb | 6 ++++++ tools/modules/module_missing_reference.rb | 1 + tools/modules/module_reference.rb | 1 + 6 files changed, 14 insertions(+), 3 deletions(-) 
diff --git a/lib/msf/core/module/reference.rb b/lib/msf/core/module/reference.rb index f8cc9bc2d68b6..bc914b98a4617 100644 --- a/lib/msf/core/module/reference.rb +++ b/lib/msf/core/module/reference.rb @@ -131,6 +131,8 @@ def initialize(in_ctx_id = 'Unknown', in_ctx_val = '', in_ctx_repo = nil) else self.site = "https://github.com/advisories/#{ghsa_id}" end + elsif in_ctx_id == 'OSV' + self.site = "https://osv.dev/vulnerability/#{in_ctx_val}" elsif in_ctx_id == 'URL' self.site = in_ctx_val.to_s elsif in_ctx_id == 'LOGO' diff --git a/spec/module_validation_spec.rb b/spec/module_validation_spec.rb index 885e1a520ad42..04f505615f48f 100644 --- a/spec/module_validation_spec.rb +++ b/spec/module_validation_spec.rb 
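Review bot: The new `OSV` branch in `initialize` has no comment and, going by this commit's diffstat, no entry in Module-Reference-Identifiers.md, whereas GHSA was documented when it was introduced. Unlike the GHSA branch above it, the value is used verbatim with no prefix handling, which deserves a line such as `# OSV ids are used as-is, including the ecosystem prefix (e.g. GO-2021-0113)`. A table row for OSV next to the GHSA one would keep the documented identifier list in step with the validator. `initialize` starts and ends outside the hunk.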
@@ -125,11 +125,11 @@ it 'has errors' do expect(subject.errors.full_messages).to eq [ - "References url is not valid, must be in [\"ATT&CK\", \"CVE\", \"CWE\", \"BID\", \"MSB\", \"EDB\", \"GHSA\", \"US-CERT-VU\", \"ZDI\", \"URL\", \"WPVDB\", \"PACKETSTORM\", \"LOGO\", \"SOUNDTRACK\", \"OSVDB\", \"VTS\", \"OVE\"]", - "References FOO is not valid, must be in [\"ATT&CK\", \"CVE\", \"CWE\", \"BID\", \"MSB\", \"EDB\", \"GHSA\", \"US-CERT-VU\", \"ZDI\", \"URL\", \"WPVDB\", \"PACKETSTORM\", \"LOGO\", \"SOUNDTRACK\", \"OSVDB\", \"VTS\", \"OVE\"]", + "References url is not valid, must be in [\"ATT&CK\", \"CVE\", \"CWE\", \"BID\", \"MSB\", \"EDB\", \"GHSA\", \"OSV\", \"US-CERT-VU\", \"ZDI\", \"URL\", \"WPVDB\", \"PACKETSTORM\", \"LOGO\", \"SOUNDTRACK\", \"OSVDB\", \"VTS\", \"OVE\"]", + "References FOO is not valid, must be in [\"ATT&CK\", \"CVE\", \"CWE\", \"BID\", \"MSB\", \"EDB\", \"GHSA\", \"OSV\", \"US-CERT-VU\", \"ZDI\", \"URL\", \"WPVDB\", \"PACKETSTORM\", \"LOGO\", \"SOUNDTRACK\", \"OSVDB\", \"VTS\", \"OVE\"]", "References NOCVE please include NOCVE values in the 'notes' section, rather than in 'references'", "References AKA please include AKA values in the 'notes' section, rather than in 'references'", - "References ATTACK is not valid, must be in [\"ATT&CK\", \"CVE\", \"CWE\", \"BID\", \"MSB\", \"EDB\", \"GHSA\", \"US-CERT-VU\", \"ZDI\", \"URL\", \"WPVDB\", \"PACKETSTORM\", \"LOGO\", \"SOUNDTRACK\", \"OSVDB\", \"VTS\", \"OVE\"]" + "References ATTACK is not valid, must be in [\"ATT&CK\", \"CVE\", \"CWE\", \"BID\", \"MSB\", \"EDB\", \"GHSA\", \"OSV\", \"US-CERT-VU\", \"ZDI\", \"URL\", \"WPVDB\", \"PACKETSTORM\", \"LOGO\", \"SOUNDTRACK\", \"OSVDB\", \"VTS\", \"OVE\"]" ] end end diff --git a/spec/support/lib/module_validation.rb b/spec/support/lib/module_validation.rb index be092c7b51835..353e76e2680c8 100644 --- a/spec/support/lib/module_validation.rb +++ b/spec/support/lib/module_validation.rb @@ -92,6 +92,7 @@ def initialize(mod) MSB EDB GHSA + OSV US-CERT-VU ZDI URL 
diff --git a/tools/dev/msftidy.rb b/tools/dev/msftidy.rb index 50c31643b0c4a..60be7e5b453ff 100755 --- a/tools/dev/msftidy.rb +++ b/tools/dev/msftidy.rb @@ -277,6 +277,10 @@ def check_ref_identifiers ghsa_pattern = /^(?:GHSA-)?[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}$/i warn("Invalid GHSA reference") if value !~ ghsa_pattern # No specific validation for repo format yet, as it's an optional string + when 'OSV' + # OSV format: ECOSYSTEM-YEAR-ID (e.g., GO-2021-0113, PYSEC-2024-123) + osv_pattern = /^[A-Z]+-\d{4}-[A-Z0-9-]+$/i + warn("Invalid OSV reference") if value !~ osv_pattern when 'URL' if value =~ /^https?:\/\/cvedetails\.com\/cve/ warn("Please use 'CVE' for '#{value}'") @@ -298,6 +302,8 @@ def check_ref_identifiers warn("Please use 'PACKETSTORM' for '#{value}'") elsif value =~ /^https?:\/\/github\.com\/(?:advisories|[\w\-]+\/[\w\-]+\/security\/advisories)\/GHSA-/ warn("Please use 'GHSA' for '#{value}'") + elsif value =~ /^https?:\/\/osv\.dev\/vulnerability\// + warn("Please use 'OSV' for '#{value}'") end when 'AKA' warn("Please include AKA values in the 'notes' section, rather than in 'references'.") diff --git a/tools/modules/module_missing_reference.rb b/tools/modules/module_missing_reference.rb index 41befa0dd8c2c..22cdc6a16ad44 100644 --- a/tools/modules/module_missing_reference.rb +++ b/tools/modules/module_missing_reference.rb @@ -25,6 +25,7 @@ def types 'WPVDB', 'PACKETSTORM', 'GHSA', + 'OSV', 'URL' ] end diff --git a/tools/modules/module_reference.rb b/tools/modules/module_reference.rb index f4068e017ed8b..61ace7518c285 100755 --- a/tools/modules/module_reference.rb +++ b/tools/modules/module_reference.rb @@ -35,6 +35,7 @@ def types 'WPVDB' => 'https://wpscan.com/vulnerability/#{in_ctx_val}', 'PACKETSTORM' => 'https://packetstormsecurity.com/files/#{in_ctx_val}', 'GHSA' => 'https://github.com/advisories/#{in_ctx_val}', + 'OSV' => 'https://osv.dev/vulnerability/#{in_ctx_val}', 'URL' => '#{in_ctx_val}' } end 
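Review bot: `osv_pattern` in `check_ref_identifiers` is anchored with `^` and `$`, which in Ruby match at line boundaries, so a value containing a newline passes as long as one of its lines looks like an identifier. For a whole-string check use `\A` and `\z`: `osv_pattern = /\A[A-Z]+-\d{4}-[A-Z0-9-]+\z/i`. The same applies to `ghsa_pattern` in the context line above, to the `value =~ /^https?:\/\/osv\.dev\/vulnerability\//` test in the second msftidy hunk, and to the relaxed pattern in PATCH 11/15. `check_ref_identifiers` extends beyond these hunks.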
From 7373d874b5c0de7e2bf355bc59958798ce678010 Mon Sep 17 00:00:00 2001 From: Valentin Lobstein Date: Thu, 20 Nov 2025 03:35:58 +0100 Subject: [PATCH 11/15] Make OSV validation pattern more flexible to accept all OSV formats --- tools/dev/msftidy.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tools/dev/msftidy.rb b/tools/dev/msftidy.rb index 60be7e5b453ff..0f4694e75e5d2 100755 --- a/tools/dev/msftidy.rb +++ b/tools/dev/msftidy.rb @@ -278,8 +278,9 @@ def check_ref_identifiers warn("Invalid GHSA reference") if value !~ ghsa_pattern # No specific validation for repo format yet, as it's an optional string when 'OSV' - # OSV format: ECOSYSTEM-YEAR-ID (e.g., GO-2021-0113, PYSEC-2024-123) - osv_pattern = /^[A-Z]+-\d{4}-[A-Z0-9-]+$/i + # OSV format: ECOSYSTEM-YEAR-ID or ECOSYSTEM-xxxx-xxxx-xxxx (e.g., GO-2021-0113, GHSA-8c52-x9w7-vc95, MINI-xwm2-xhhw-2w6h) + # OSV accepts various formats depending on the ecosystem + osv_pattern = /^[A-Z]+-[A-Z0-9-]+$/i warn("Invalid OSV reference") if value !~ osv_pattern when 'URL' if value =~ /^https?:\/\/cvedetails\.com\/cve/ From f67769612a12d2dd246b3938a8b9a13fc4466b71 Mon Sep 17 00:00:00 2001 From: Valentin Lobstein Date: Thu, 27 Nov 2025 21:03:03 +0100 Subject: [PATCH 12/15] Fix reference validation: allow optional third element for specific reference types (e.g., GHSA) --- lib/msf/core/module/module_info.rb | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/lib/msf/core/module/module_info.rb b/lib/msf/core/module/module_info.rb index 109a72c11f696..9c5e88f66b9be 100644 --- a/lib/msf/core/module/module_info.rb +++ b/lib/msf/core/module/module_info.rb 
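Review bot: The relaxed `osv_pattern` now accepts strings that are not identifiers at all, such as a prefix followed only by hyphens (`A--`) or an id with a trailing hyphen, because the hyphen sits inside the repeated character class. Requiring hyphen-separated non-empty segments keeps the flexibility without that: `osv_pattern = /\A[A-Z][A-Z0-9]*(?:-[A-Z0-9]+)+\z/i`. Some OSV data sources appear to use ids containing a colon (vendor-advisory style, e.g. the constructed sample `XXSA-2024:0001`), which neither form accepts. The comment's claim of covering the various formats should therefore be checked against the ecosystems the project wants to support.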
@@ -6,6 +6,9 @@ module Msf::Module::ModuleInfo # The list of options that don't support merging in an information hash. UpdateableOptions = [ "Name", "Description", "Alias", "PayloadCompat" , "Stance"] + # Reference types that can have 2 or 3 elements (e.g., GHSA with optional repo) + ReferencesWithOptionalThirdElement = ['GHSA'].freeze + # # Instance Methods # @@ -68,7 +71,18 @@ def info_fixups refs = module_info['References'] if(refs and not refs.empty?) refs.each_index do |i| - if !(refs[i].respond_to?('[]') and (refs[i].length == 2 || refs[i].length == 3)) + if !refs[i].respond_to?('[]') || refs[i].length < 1 + refs[i] = nil + next + end + + # Some reference types can have 2 or 3 elements (e.g., GHSA with optional repo) + # Other references should have 2 elements + ref_type = refs[i][0] + can_have_third_element = ReferencesWithOptionalThirdElement.include?(ref_type) + valid_length = can_have_third_element ? (refs[i].length == 2 || refs[i].length == 3) : (refs[i].length == 2) + + if !valid_length refs[i] = nil end end From 0ee61641f1715b73f007308c4207dcf25b637de9 Mon Sep 17 00:00:00 2001 From: Valentin Lobstein Date: Thu, 27 Nov 2025 21:11:12 +0100 Subject: [PATCH 13/15] Add freeze to UpdateableOptions constant for consistency and safety --- lib/msf/core/module/module_info.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/module/module_info.rb b/lib/msf/core/module/module_info.rb index 9c5e88f66b9be..9205819c1dae8 100644 --- a/lib/msf/core/module/module_info.rb +++ b/lib/msf/core/module/module_info.rb @@ -4,7 +4,7 @@ module Msf::Module::ModuleInfo # # The list of options that don't support merging in an information hash. - UpdateableOptions = [ "Name", "Description", "Alias", "PayloadCompat" , "Stance"] + UpdateableOptions = ['Name', 'Description', 'Alias', 'PayloadCompat', 'Stance'].freeze # Reference types that can have 2 or 3 elements (e.g., GHSA with optional repo) ReferencesWithOptionalThirdElement = ['GHSA'].freeze 
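Review bot: The new check in `info_fixups` accepts a third element for GHSA references by length alone, so any object in that position survives the fixup; the msftidy comment in this series says the repo format is not validated there either. Since that element is presumably used to build the repository-specific advisory link, it is worth constraining it here to an `owner/repo` string, for example by adding `&& (refs[i][2].nil? || refs[i][2].to_s.match?(%r{\A[\w.-]+/[\w.-]+\z}))` to the GHSA case of `valid_length`. The `include?(ref_type)` lookup is also case- and type-sensitive, so a `:GHSA` or `'ghsa'` entry carrying a repo is discarded silently. `info_fixups` continues past the end of the hunk.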
From f9019a764c89a232d1eba2db06dfbda398abfe49 Mon Sep 17 00:00:00 2001 From: Valentin Lobstein Date: Thu, 27 Nov 2025 21:13:42 +0100 Subject: [PATCH 14/15] Refactor info_fixups to use more idiomatic Ruby (reject! instead of each_index + delete) --- lib/msf/core/module/module_info.rb | 30 +++++++++++------------------- 1 file changed, 11 insertions(+), 19 deletions(-) diff --git a/lib/msf/core/module/module_info.rb b/lib/msf/core/module/module_info.rb index 9205819c1dae8..9944ec202baac 100644 --- a/lib/msf/core/module/module_info.rb +++ b/lib/msf/core/module/module_info.rb @@ -69,26 +69,18 @@ def notes def info_fixups # Each reference should be an array consisting of two or three elements refs = module_info['References'] - if(refs and not refs.empty?) - refs.each_index do |i| - if !refs[i].respond_to?('[]') || refs[i].length < 1 - refs[i] = nil - next - end - - # Some reference types can have 2 or 3 elements (e.g., GHSA with optional repo) - # Other references should have 2 elements - ref_type = refs[i][0] - can_have_third_element = ReferencesWithOptionalThirdElement.include?(ref_type) - valid_length = can_have_third_element ? (refs[i].length == 2 || refs[i].length == 3) : (refs[i].length == 2) - - if !valid_length - refs[i] = nil - end - end + return unless refs&.any? + + refs.reject! do |ref| + next true unless ref.respond_to?('[]') && !ref.empty? + + # Some reference types can have 2 or 3 elements (e.g., GHSA with optional repo) + # Other references should have 2 elements + ref_type = ref[0] + can_have_third_element = ReferencesWithOptionalThirdElement.include?(ref_type) + valid_length = can_have_third_element ? (ref.length == 2 || ref.length == 3) : (ref.length == 2) - # Purge invalid references - refs.delete(nil) + !valid_length end end From 652dbe0a5fd74a9c33cbe3bd7907abb2fe1f8d92 Mon Sep 17 00:00:00 2001 
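Review bot: The guard `return unless refs&.any?` in `info_fixups` is not equivalent to the `refs and not refs.empty?` it replaces: `any?` is false for a non-empty list whose elements are all nil or false, so a value like `[nil]` now returns early and is never purged. Use `return if refs.nil? || refs.empty?` to keep the old behaviour while still flattening the nesting. `ref[0]` is also read before anything confirms `ref` is an Array, so a String or Hash entry reaches the length test with an unexpected `ref_type`. `next true unless ref.is_a?(Array) && !ref.empty?` would state the intent of the comment above directly.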
From: Valentin Lobstein
Date: Thu, 27 Nov 2025 21:25:49 +0100
Subject: [PATCH 15/15] Refactor merge_check_key to use more idiomatic Ruby (is_a? instead of kind_of?, early returns, Array() helper)
---
lib/msf/core/module/module_info.rb | 50 ++++++++++--------------------
1 file changed, 16 insertions(+), 34 deletions(-)
diff --git a/lib/msf/core/module/module_info.rb b/lib/msf/core/module/module_info.rb
index 9944ec202baac..5f5be17dd75e0 100644
--- a/lib/msf/core/module/module_info.rb
+++ b/lib/msf/core/module/module_info.rb
@@ -88,42 +88,24 @@ def info_fixups # Checks and merges the supplied key/value pair in the supplied hash. # def merge_check_key(info, name, val) - if (self.respond_to?("merge_info_#{name.downcase}", true)) - self.send("merge_info_#{name.downcase}", info, val) - else - # If the info hash already has an entry for this name - if (info[name]) - # If it's not an array, convert it to an array and merge the - # two - if (info[name].kind_of?(Hash)) - raise TypeError, 'can only merge a hash into a hash' unless val.kind_of?(Hash) - val.each_pair do |val_key, val_val| - merge_check_key(info[name], val_key, val_val) - end - - return - elsif (info[name].kind_of?(Array) == false) - curr = info[name] - info[name] = [ curr ] - end + merge_method = "merge_info_#{name.downcase}" + return __send__(merge_method, info, val) if respond_to?(merge_method, true) - # If the value being merged is an array, add each one - if (val.kind_of?(Array) == true) - val.each { |v| - if (info[name].include?(v) == false) - info[name] << v - end - } - # Otherwise just add the value - elsif (info[name].include?(val) == false) - info[name] << val - end - # Otherwise, just set the value equal if no current value - # exists - else - info[name] = val - end + return info[name] = val unless info[name] + + # Handle hash merging recursively + if info[name].is_a?(Hash) + raise TypeError, 'can only merge a hash into a hash' unless val.is_a?(Hash) + val.each_pair { |val_key, val_val| merge_check_key(info[name], val_key, val_val) } + return end + + # Convert to array if needed + info[name] = Array(info[name]) unless info[name].is_a?(Array) + + # Merge values, avoiding duplicates + values_to_add = val.is_a?(Array) ? val : [val] + values_to_add.each { |v| info[name] << v unless info[name].include?(v) } end #
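Review bot: `info[name] = Array(info[name]) unless info[name].is_a?(Array)` in `merge_check_key` does not always do what the removed `info[name] = [ curr ]` did: `Array()` calls `to_ary`/`to_a`, so an existing value that responds to either (a Range, a Struct, a Set) is expanded into its members instead of being wrapped as one element. `info[name] = [info[name]] unless info[name].is_a?(Array)` preserves the original semantics. Separately, the method name passed to `__send__` is still derived from the hash key, including keys of nested hashes on the recursive path, and `respond_to?(merge_method, true)` admits private methods. A short comment stating that keys are expected to come only from module metadata would document that assumption.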