From 99c93f20ceb1520843ec8481dda807ed1cbb4cc1 Mon Sep 17 00:00:00 2001
From: Freya Gustavsson
Date: Wed, 8 Apr 2026 15:58:22 +0200
Subject: [PATCH 1/2] Improve GHSA-rq49-h582-83m7

---
 .../GHSA-rq49-h582-83m7.json | 29 +++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/advisories/unreviewed/2026/04/GHSA-rq49-h582-83m7/GHSA-rq49-h582-83m7.json b/advisories/unreviewed/2026/04/GHSA-rq49-h582-83m7/GHSA-rq49-h582-83m7.json
index e49926b785077..c0925a592758e 100644
--- a/advisories/unreviewed/2026/04/GHSA-rq49-h582-83m7/GHSA-rq49-h582-83m7.json
+++ b/advisories/unreviewed/2026/04/GHSA-rq49-h582-83m7/GHSA-rq49-h582-83m7.json
@@ -1,11 +1,12 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-rq49-h582-83m7",
- "modified": "2026-04-07T18:31:38Z",
+ "modified": "2026-04-07T18:31:45Z",
 "published": "2026-04-07T18:31:38Z",
 "aliases": [
 "CVE-2026-4631"
 ],
+ "summary": "Unauthenticated remote code execution due to SSH command-line argument injection ",
 "details": "Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.",
 "severity": [
 {
@@ -13,7 +14,27 @@
 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
 }
 ],
- "affected": [],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "GitHub Actions",
+ "name": "cockpit"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "< 359"
+ }
+ }
+ ],
 "references": [
 {
 "type": "ADVISORY",
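Review bot: The `affected` entry added in the `@@ -13,7 +14,27 @@` hunk records `"ecosystem": "GitHub Actions"` with `"name": "cockpit"`, which does not look like a resolvable package identifier for that ecosystem — GitHub Actions names take the `owner/repo` form, and the PACKAGE reference added in the `@@ -26,6 +47,10 @@` hunk points at `https://github.com/cockpit-project/cockpit`, which would suggest `cockpit-project/cockpit` if this ecosystem is really intended. Given that the `details` text describes a web console running on a host and the versions are plain integers like `359`, it seems more likely that Cockpit is not distributed as a GitHub Action at all, so the ecosystem choice should be confirmed against how the database wants software outside a package registry recorded. A mismatched ecosystem/name pair means tooling that matches advisories against dependency manifests will silently never match this advisory, so it is worth settling before the record leaves `unreviewed`.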
@@ -26,6 +47,10 @@
 {
 "type": "WEB",
 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450246"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/cockpit-project/cockpit"
 }
 ],
 "database_specific": {

From 1e3f7ef9e3adacc6e3c0e6608ee17e4f442a891c Mon Sep 17 00:00:00 2001
From: Freya Gustavsson
Date: Wed, 8 Apr 2026 16:18:36 +0200
Subject: [PATCH 2/2] Improve GHSA-rq49-h582-83m7

---
 .../2026/04/GHSA-rq49-h582-83m7/GHSA-rq49-h582-83m7.json | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/advisories/unreviewed/2026/04/GHSA-rq49-h582-83m7/GHSA-rq49-h582-83m7.json b/advisories/unreviewed/2026/04/GHSA-rq49-h582-83m7/GHSA-rq49-h582-83m7.json
index c0925a592758e..cc7682cc7e9c1 100644
--- a/advisories/unreviewed/2026/04/GHSA-rq49-h582-83m7/GHSA-rq49-h582-83m7.json
+++ b/advisories/unreviewed/2026/04/GHSA-rq49-h582-83m7/GHSA-rq49-h582-83m7.json
@@ -6,7 +6,7 @@
 "aliases": [
 "CVE-2026-4631"
 ],
- "summary": "Unauthenticated remote code execution due to SSH command-line argument injection ",
+ "summary": "Unauthenticated remote code execution due to SSH command-line argument injection",
 "details": "Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.",
 "severity": [
 {
@@ -25,13 +25,16 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "0"
+ "introduced": "326"
+ },
+ {
+ "fixed": "360"
 }
 ]
 }
 ],
 "database_specific": {
- "last_known_affected_version_range": "< 359"
+ "last_known_affected_version_range": "<= 359"
 }
 }
 ],
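Review bot: In the `@@ -25,13 +25,16 @@` hunk the range now carries both a `"fixed": "360"` event and `"last_known_affected_version_range": "<= 359"`, which are two statements of the same boundary that can drift apart on a later edit. As far as I understand the convention, `last_known_affected_version_range` is meant for the case where no fixed version is known; once a `fixed` event exists, consumers derive the affected set from the events, so consider dropping the `database_specific` field unless the database's validation requires it. The new `"introduced": "326"` is not backed by anything in the commit message or the visible references, so a pointer to where 326 comes from (the upstream fix or release notes) would let a reviewer validate the range rather than take it on trust.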