
Commit b99cc48

1 parent 7854673 commit b99cc48

1 file changed

Lines changed: 116 additions & 0 deletions


Lines changed: 116 additions & 0 deletions
@@ -0,0 +1,116 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-x6p3-76f2-xxvh",
4+
"modified": "2026-05-28T20:02:14Z",
5+
"published": "2026-05-28T20:02:14Z",
6+
"aliases": [
7+
"CVE-2026-47144"
8+
],
9+
"summary": "Shamefile has an arbitrary file read via shamefile.yaml in shame next",
10+
"details": "### Impact\n\nA path traversal vulnerability in `shame next` allows an attacker-controlled `shamefile.yaml` to disclose contents of files outside the repository, one line at a time, to the terminal of a user who runs the command. See patch commit for technical details.\n\n### Patches\n\nFixed in 0.1.7. Upgrade to either 0.1.7 or later versions to incorporate the patch.\n\n### Workarounds\n\nDo not run `shame next` against untrusted `shamefile.yaml`. Use `shame me --dry-run` for CI validation.\n\n### Resources\n\n- Patch commit: https://github.com/BKDDFS/shamefile/commit/77b0aeea318503582818c708518c601fedc43557\n- Pull request: https://github.com/BKDDFS/shamefile/pull/80\n- Release: https://github.com/BKDDFS/shamefile/releases/tag/v0.1.7\n- [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](https://cwe.mitre.org/data/definitions/22.html)",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "shamefile"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "0.1.7"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 0.1.6"
38+
}
39+
},
40+
{
41+
"package": {
42+
"ecosystem": "npm",
43+
"name": "shamefile"
44+
},
45+
"ranges": [
46+
{
47+
"type": "ECOSYSTEM",
48+
"events": [
49+
{
50+
"introduced": "0"
51+
},
52+
{
53+
"fixed": "0.1.7"
54+
}
55+
]
56+
}
57+
],
58+
"database_specific": {
59+
"last_known_affected_version_range": "<= 0.1.6"
60+
}
61+
},
62+
{
63+
"package": {
64+
"ecosystem": "crates.io",
65+
"name": "shamefile"
66+
},
67+
"ranges": [
68+
{
69+
"type": "ECOSYSTEM",
70+
"events": [
71+
{
72+
"introduced": "0"
73+
},
74+
{
75+
"fixed": "0.1.7"
76+
}
77+
]
78+
}
79+
],
80+
"database_specific": {
81+
"last_known_affected_version_range": "<= 0.1.6"
82+
}
83+
}
84+
],
85+
"references": [
86+
{
87+
"type": "WEB",
88+
"url": "https://github.com/BKDDFS/shamefile/security/advisories/GHSA-x6p3-76f2-xxvh"
89+
},
90+
{
91+
"type": "WEB",
92+
"url": "https://github.com/BKDDFS/shamefile/pull/80"
93+
},
94+
{
95+
"type": "WEB",
96+
"url": "https://github.com/BKDDFS/shamefile/commit/77b0aeea318503582818c708518c601fedc43557"
97+
},
98+
{
99+
"type": "PACKAGE",
100+
"url": "https://github.com/BKDDFS/shamefile"
101+
},
102+
{
103+
"type": "WEB",
104+
"url": "https://github.com/BKDDFS/shamefile/releases/tag/v0.1.7"
105+
}
106+
],
107+
"database_specific": {
108+
"cwe_ids": [
109+
"CWE-22"
110+
],
111+
"severity": "MODERATE",
112+
"github_reviewed": true,
113+
"github_reviewed_at": "2026-05-28T20:02:14Z",
114+
"nvd_published_at": null
115+
}
116+
}
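Review bot: The `details` string (file line 10) states the impact but defers the mechanism to the patch commit ("See patch commit for technical details"), so a reader of the advisory alone cannot tell which `shamefile.yaml` key supplies the traversing path, nor whether the suggested workaround `shame me --dry-run` avoids that code path or merely suppresses output. Consider adding one sentence naming the key and the check that was missing, and stating explicitly that `shame me --dry-run` does not resolve that path, so the workaround is verifiable without reading the diff. The disclosure is described as going "to the terminal of a user who runs the command", which matters most where that output is captured — CI logs for pull requests from forks, for example — and a sentence such as `Output captured in CI logs or shared sessions may expose the disclosed lines to third parties` would make that exposure path explicit and consistent with the CI-oriented workaround. The CVSS 3.1 vector `AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N` (5.5) and `"severity": "MODERATE"` agree, so no change is needed there.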
