From 08f701f05276c3f2fd3c5b8d04315e69a2e7cf8b Mon Sep 17 00:00:00 2001 From: Al Snow <43523+jasnow@users.noreply.github.com> Date: Thu, 9 Jul 2026 10:04:59 -0400 Subject: [PATCH] One new avo advisory --- gems/avo/CVE-2026-53769.yml | 43 +++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 gems/avo/CVE-2026-53769.yml diff --git a/gems/avo/CVE-2026-53769.yml b/gems/avo/CVE-2026-53769.yml new file mode 100644 index 0000000000..08c637f6ce --- /dev/null +++ b/gems/avo/CVE-2026-53769.yml @@ -0,0 +1,43 @@ +--- +gem: avo +cve: 2026-53769 +ghsa: pqpw-cvm4-8mv9 +url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-53769 +title: Direct attachment upload endpoint lacks upload authorization + and bypasses field-level upload policy +date: 2026-06-02 +description: | + ## Summary + + Avo's direct attachment upload endpoint lacks server-side upload + authorization and bypasses the documented field-level upload policy + methods such as upload_{FIELD_ID}?. + + An authenticated Avo user who can reach the Avo attachment upload + endpoint can replace or add attachment content, including binary + content, filename, and content-type metadata, on a resolved record + even when both update? and upload_? policies deny the operation. + + This primarily affects multi-role Avo Pro/Advanced-style deployments + where non-administrator or restricted operator users can reach Avo + and per-record or per-field operations are expected to be enforced + by policies. +cvss_v3: 6.5 +unaffected_versions: + - "< 2.28.0" +patched_versions: + - "~> 3.32.0" + - ">= 4.0.0.beta.41" +related: + url: + - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-53769 + - https://rubygems.org/gems/avo/versions/4.0.0.beta.41 + - https://rubygems.org/gems/avo/versions/3.32.0 + - https://avohq.io/releases/3.32.0 + - https://github.com/avo-hq/avo/security/advisories/GHSA-pqpw-cvm4-8mv9 +notes: | + - CVE is reserved, but not published. + - date and cvss_v3 and patched_versions from GHSA URL. + - 4.0.0.beta.41 on 6/2/2026 ; 3.32.0 on 6/2/2026 + - Do not see 4.0.0.beta.41 inside GitHub. Nothing before 4.0.6. + - See 4.0.0.beta.41 on Rubygems URL.