Add support for 3-parameter GHSA references with optional repo, fix 21 modules with correct repo-specific URLs

Chocapikk · Chocapikk · commit 5bee4a1c8ed9 · 2025-11-20T01:07:50.000+01:00
diff --git a/docs/metasploit-framework.wiki/Module-Reference-Identifiers.md b/docs/metasploit-framework.wiki/Module-Reference-Identifiers.md
@@ -18,7 +18,7 @@ US-CERT-VU | kb.cert.org | ```['US-CERT-VU', '800113']```
 ZDI | zerodayinitiative.com | ```['ZDI', '10-123']```
 WPVDB | wpvulndb.com | ```['WPVDB', '7615']```
 PACKETSTORM | packetstormsecurity.com | ```['PACKETSTORM', '132721']```
-GHSA | github.com/advisories | ```['GHSA', 'xxxx-xxxx-xxxx']```
+GHSA | github.com/advisories or github.com/owner/repo/security/advisories | ```['GHSA', 'xxxx-xxxx-xxxx']``` or ```['GHSA', 'xxxx-xxxx-xxxx', 'owner/repo']```
 URL | anything | ```['URL', 'http://example.com/blog.php?id=123']```
 AKA (_deprecated_*) | anything | ~~`['AKA', 'shellshock']`~~
 
diff --git a/lib/msf/core/module/module_info.rb b/lib/msf/core/module/module_info.rb
@@ -64,11 +64,11 @@ def notes
   # Register options with a specific owning class.
   #
   def info_fixups
-    # Each reference should be an array consisting of two elements
+    # Each reference should be an array consisting of two or three elements
     refs = module_info['References']
     if(refs and not refs.empty?)
       refs.each_index do |i|
-        if !(refs[i].respond_to?('[]') and refs[i].length == 2)
+        if !(refs[i].respond_to?('[]') and (refs[i].length == 2 || refs[i].length == 3))
           refs[i] = nil
         end
       end
diff --git a/lib/msf/core/module/reference.rb b/lib/msf/core/module/reference.rb
@@ -77,11 +77,12 @@ def self.from_s(str)
   #
   # Initializes a site reference from an array.  ary[0] is the site and
   # ary[1] is the site context identifier, such as CVE.
+  # ary[2] is optional and can be used for additional context (e.g., repo for GHSA)
   #
   def self.from_a(ary)
     return nil if (ary.length < 2)
 
-    self.new(ary[0], ary[1])
+    self.new(ary[0], ary[1], ary[2])
   end
 
   #
@@ -90,9 +91,10 @@ def self.from_a(ary)
   # * tools/module_reference.rb
   # * https://docs.metasploit.com/docs/development/developing-modules/module-metadata/module-reference-identifiers.html
   #
-  def initialize(in_ctx_id = 'Unknown', in_ctx_val = '')
+  def initialize(in_ctx_id = 'Unknown', in_ctx_val = '', in_ctx_repo = nil)
     self.ctx_id  = in_ctx_id
     self.ctx_val = in_ctx_val
+    self.ctx_repo = in_ctx_repo
 
     if in_ctx_id == 'CVE'
       self.site = "https://nvd.nist.gov/vuln/detail/CVE-#{in_ctx_val}"
@@ -117,7 +119,12 @@ def initialize(in_ctx_id = 'Unknown', in_ctx_val = '')
     elsif in_ctx_id == 'GHSA'
       # Handle both formats: with or without GHSA- prefix
       ghsa_id = in_ctx_val.start_with?('GHSA-') ? in_ctx_val : "GHSA-#{in_ctx_val}"
-      self.site = "https://github.com/advisories/#{ghsa_id}"
+      # Use repo-specific URL if repo is provided, otherwise use global format
+      if in_ctx_repo && !in_ctx_repo.empty?
+        self.site = "https://github.com/#{in_ctx_repo}/security/advisories/#{ghsa_id}"
+      else
+        self.site = "https://github.com/advisories/#{ghsa_id}"
+      end
     elsif in_ctx_id == 'URL'
       self.site = in_ctx_val.to_s
     elsif in_ctx_id == 'LOGO'
@@ -169,9 +176,13 @@ def from_s(str)
   # The context value of the reference, such as MS02-039
   #
   attr_reader :ctx_val
+  #
+  # The context repository for GHSA references (optional)
+  #
+  attr_reader :ctx_repo
 
 protected
 
-  attr_writer :site, :ctx_id, :ctx_val
+  attr_writer :site, :ctx_id, :ctx_val, :ctx_repo
 
 end
diff --git a/modules/auxiliary/admin/http/pihole_domains_api_exec.rb b/modules/auxiliary/admin/http/pihole_domains_api_exec.rb
@@ -26,7 +26,7 @@ def initialize(info = {})
           'SchneiderSec' # original PoC, discovery
         ],
         'References' => [
-          ['GHSA', '5cm9-6p3m-v259'],
+          ['GHSA', '5cm9-6p3m-v259', 'pi-hole/AdminLTE'],
           ['CVE', '2021-32706']
         ],
         'Targets' => [
diff --git a/modules/auxiliary/gather/minio_bootstrap_verify_info_disc.rb b/modules/auxiliary/gather/minio_bootstrap_verify_info_disc.rb
@@ -24,7 +24,7 @@ def initialize(info = {})
           'RicterZ' # original PoC, analysis
         ],
         'References' => [
-          [ 'GHSA', '6xvq-wj2x-3h3q' ],
+          ['GHSA', '6xvq-wj2x-3h3q', 'minio/minio'],
           [ 'CVE', '2023-28432']
         ],
         'Targets' => [
diff --git a/modules/auxiliary/gather/onedev_arbitrary_file_read.rb b/modules/auxiliary/gather/onedev_arbitrary_file_read.rb
@@ -27,7 +27,7 @@ def initialize(info = {})
         'License' => MSF_LICENSE,
         'References' => [
           ['CVE', '2024-45309'],
-          ['GHSA', '7wg5-6864-v489']
+          ['GHSA', '7wg5-6864-v489', 'theonedev/onedev']
         ],
         'DisclosureDate' => '2024-10-19',
         'Notes' => {
diff --git a/modules/auxiliary/scanner/http/icinga_static_library_file_directory_traversal.rb b/modules/auxiliary/scanner/http/icinga_static_library_file_directory_traversal.rb
@@ -38,7 +38,7 @@ def initialize(info = {})
         'References' => [
           ['EDB', '51329'],
           ['URL', 'https://www.sonarsource.com/blog/path-traversal-vulnerabilities-in-icinga-web/'],
-          ['GHSA', '5p3f-rh28-8frw'],
+          ['GHSA', '5p3f-rh28-8frw', 'Icinga/icingaweb2'],
           ['URL', 'https://github.com/Icinga/icingaweb2/commit/9931ed799650f5b8d5e1dc58ea3415a4cdc5773d'],
           ['CVE', '2022-24716'],
         ],
diff --git a/modules/auxiliary/scanner/misc/cups_browsed_info_disclosure.rb b/modules/auxiliary/scanner/misc/cups_browsed_info_disclosure.rb
@@ -21,7 +21,7 @@ def initialize
       'License' => MSF_LICENSE,
       'References' => [
         ['CVE', '2024-47176'],
-        ['GHSA', 'rj88-6mr5-rcw8'],
+        ['GHSA', 'rj88-6mr5-rcw8', 'OpenPrinting/cups-browsed'],
         ['URL', 'https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/' ],
       ],
       'DefaultOptions' => { 'RPORT' => 631 },
diff --git a/modules/exploits/linux/http/cacti_unauthenticated_cmd_injection.rb b/modules/exploits/linux/http/cacti_unauthenticated_cmd_injection.rb
@@ -52,7 +52,7 @@ def initialize(info = {})
         ],
         'References' => [
           ['CVE', '2022-46169'],
-          ['GHSA', '6p93-p743-35gf'], # disclosure and technical details
+          ['GHSA', '6p93-p743-35gf', 'Cacti/cacti'], # disclosure and technical details
           ['URL', 'https://github.com/vulhub/vulhub/tree/master/cacti/CVE-2022-46169'], # vulhub vulnerable docker image and PoC
           ['URL', 'https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution'] # analysis by Stefan Schiller
         ],
diff --git a/modules/exploits/linux/http/lucee_admin_imgprocess_file_write.rb b/modules/exploits/linux/http/lucee_admin_imgprocess_file_write.rb
@@ -29,7 +29,7 @@ def initialize(info = {})
         'References' => [
           ['CVE', '2021-21307'],
           ['URL', 'https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020-cve-2021-21307/7643'],
-          ['GHSA', '2xvv-723c-8p7r'],
+          ['GHSA', '2xvv-723c-8p7r', 'lucee/lucee'],
           ['URL', 'https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md']
         ],
         'DisclosureDate' => '2021-01-15', # rootxharsh and iamnoooob's writeup
diff --git a/modules/exploits/linux/http/pandora_itsm_auth_rce_cve_2025_4653.rb b/modules/exploits/linux/http/pandora_itsm_auth_rce_cve_2025_4653.rb
@@ -42,7 +42,7 @@ def initialize(info = {})
         'References' => [
           ['CVE', '2025-4653'],
           ['URL', 'https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/'],
-          ['GHSA', 'm4f8-9c8x-8f3f'],
+          ['GHSA', 'm4f8-9c8x-8f3f', 'h00die-gr3y/h00die-gr3y'],
           ['URL', 'https://attackerkb.com/topics/wgCb1QQm1t/cve-2025-4653']
         ],
         'License' => MSF_LICENSE,
diff --git a/modules/exploits/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.rb b/modules/exploits/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.rb
@@ -37,7 +37,7 @@ def initialize(info = {})
         'References' => [
           ['CVE', '2024-24578'],
           ['URL', 'https://attackerkb.com/topics/ywHhBnSObR/cve-2024-24578'],
-          ['GHSA', 'q967-q4j8-637h']
+          ['GHSA', 'q967-q4j8-637h', 'jens-maus/RaspberryMatic']
         ],
         'DisclosureDate' => '2024-03-16',
         'Platform' => ['unix', 'linux'],
diff --git a/modules/exploits/linux/http/roxy_wi_exec.rb b/modules/exploits/linux/http/roxy_wi_exec.rb
@@ -28,7 +28,7 @@ def initialize(info = {})
         ],
         'References' => [
           ['URL', 'https://pentest.blog/advisory-roxywi-unauthenticated-remote-code-execution-cve-2022-3113/'], # Advisory
-          ['GHSA', '53r2-mq99-f532'], # Additional Information
+          ['GHSA', '53r2-mq99-f532', 'roxy-wi/roxy-wi'], # Additional Information
           ['URL', 'https://github.com/hap-wi/roxy-wi/commit/82666df1e60c45dd6aa533b01a392f015d32f755'], # Patch
           ['CVE', '2022-31137']
         ],
diff --git a/modules/exploits/linux/http/traccar_rce_upload.rb b/modules/exploits/linux/http/traccar_rce_upload.rb
@@ -22,8 +22,8 @@ def initialize(info = {})
           'Naveen Sunkavally' # Discovery CVE-2024-31214 and PoC
         ],
         'References' => [
-          [ 'GHSA', 'vhrw-72f6-gwp5' ],
-          [ 'GHSA', '3gxq-f2qj-c8v9' ],
+          ['GHSA', 'vhrw-72f6-gwp5', 'traccar/traccar'],
+          ['GHSA', '3gxq-f2qj-c8v9', 'traccar/traccar'],
           [ 'URL', 'https://www.horizon3.ai/attack-research/disclosures/traccar-5-remote-code-execution-vulnerabilities/'],
           [ 'CVE', '2024-31214'],
           [ 'CVE', '2024-24809']
diff --git a/modules/exploits/linux/local/ndsudo_cve_2024_32019.rb b/modules/exploits/linux/local/ndsudo_cve_2024_32019.rb
@@ -32,7 +32,7 @@ def initialize(info = {})
         'Targets' => [[ 'Auto', {} ]],
         'Privileged' => true,
         'References' => [
-          [ 'GHSA', 'pmhq-4cxq-wj93' ],
+          [ 'GHSA', 'pmhq-4cxq-wj93', 'netdata/netdata' ],
           [ 'CVE', '2024-32019']
         ],
         'DisclosureDate' => '2024-04-12',
diff --git a/modules/exploits/linux/local/pihole_remove_commands_lpe.rb b/modules/exploits/linux/local/pihole_remove_commands_lpe.rb
@@ -42,7 +42,7 @@ def initialize(info = {})
         },
         'Privileged' => true,
         'References' => [
-          [ 'GHSA', '3597-244c-wrpj' ],
+          ['GHSA', '3597-244c-wrpj', 'pi-hole/pi-hole'],
           [ 'URL', 'https://www.compass-security.com/fileadmin/Research/Advisories/2021-02_CSNC-2021-008_Pi-hole_Privilege_Escalation.txt' ],
           [ 'CVE', '2021-29449' ]
         ],
diff --git a/modules/exploits/linux/misc/asterisk_ami_originate_auth_rce.rb b/modules/exploits/linux/misc/asterisk_ami_originate_auth_rce.rb
@@ -29,7 +29,7 @@ def initialize(info = {})
           'NielsGaljaard' # discovery
         ],
         'References' => [
-          ['GHSA', 'c4cg-9275-6w44'],
+          ['GHSA', 'c4cg-9275-6w44', 'asterisk/asterisk'],
           ['CVE', '2024-42365']
         ],
         'Platform' => 'unix',
diff --git a/modules/exploits/multi/http/cacti_package_import_rce.rb b/modules/exploits/multi/http/cacti_package_import_rce.rb
@@ -36,7 +36,7 @@ def initialize(info = {})
         ],
         'References' => [
           [ 'URL', 'https://karmainsecurity.com/KIS-2024-04'],
-          [ 'GHSA', '7cmj-g5qc-pj88' ],
+          ['GHSA', '7cmj-g5qc-pj88', 'Cacti/cacti'],
           [ 'CVE', '2024-25641']
         ],
         'Platform' => ['unix linux win'],
diff --git a/modules/exploits/multi/http/cacti_pollers_sqli_rce.rb b/modules/exploits/multi/http/cacti_pollers_sqli_rce.rb
@@ -38,8 +38,8 @@ def initialize(info = {})
           'Christophe De La Fuente' # Metasploit module
         ],
         'References' => [
-          [ 'GHSA', 'vr3c-38wh-g855' ], # SQLi
-          [ 'GHSA', 'pfh9-gwm6-86vp' ], # LFI (RCE)
+          ['GHSA', 'vr3c-38wh-g855', 'Cacti/cacti'], # SQLi
+          ['GHSA', 'pfh9-gwm6-86vp', 'Cacti/cacti'], # LFI (RCE)
           [ 'CVE', '2023-49085'], # SQLi
           [ 'CVE', '2023-49084'] # LFI (RCE)
         ],
diff --git a/modules/exploits/multi/http/mybb_rce_cve_2022_24734.rb b/modules/exploits/multi/http/mybb_rce_cve_2022_24734.rb
@@ -38,7 +38,7 @@ def initialize(info = {})
           'Christophe De La Fuente' # MSF module
         ],
         'References' => [
-          [ 'GHSA', '876v-gwgh-w57f' ],
+          ['GHSA', '876v-gwgh-w57f', 'mybb/mybb'],
           [ 'URL', 'https://www.zerodayinitiative.com/advisories/ZDI-22-503/'],
           [ 'URL', 'https://github.com/Altelus1/CVE-2022-24734'],
           [ 'CVE', '2022-24734']
diff --git a/modules/exploits/multi/misc/cups_ipp_remote_code_execution.rb b/modules/exploits/multi/misc/cups_ipp_remote_code_execution.rb
@@ -134,13 +134,13 @@ def initialize(info = {})
           # The public exploit this module was inspired by
           ['URL', 'https://github.com/RickdeJager/cupshax'],
           # The cups-browsed GitHub security advisory
-          ['GHSA', 'rj88-6mr5-rcw8'],
+          ['GHSA', 'rj88-6mr5-rcw8', 'OpenPrinting/cups-browsed'],
           # The libcupsfilters GitHub security advisory
-          ['GHSA', 'w63j-6g73-wmg5'],
+          ['GHSA', 'w63j-6g73-wmg5', 'OpenPrinting/libcupsfilters'],
           # The libppd GitHub security advisory
-          ['GHSA', '7xfx-47qg-grp6'],
+          ['GHSA', '7xfx-47qg-grp6', 'OpenPrinting/libppd'],
           # The cups-filters GitHub security advisory
-          ['GHSA', 'p9rh-jxmq-gq47'],
+          ['GHSA', 'p9rh-jxmq-gq47', 'OpenPrinting/cups-filters'],
           # The IPP server implementation this module is based on
           ['URL', 'https://github.com/h2g2bob/ipp-server/']
         ],
diff --git a/modules/exploits/multi/misc/vscode_ipynb_remote_dev_exec.rb b/modules/exploits/multi/misc/vscode_ipynb_remote_dev_exec.rb
@@ -31,7 +31,7 @@ def initialize(info = {})
           'Zemnmez'
         ],
         'References' => [
-          ['GHSA', 'pw56-c55x-cm9m'],
+          ['GHSA', 'pw56-c55x-cm9m', 'google/security-research'],
           ['CVE', '2022-41034'],
           ['URL', 'https://github.com/andyhsu024/CVE-2022-41034']
         ],
diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
@@ -30,7 +30,7 @@ def initialize(info = {})
           'whotwagner'    # Metasploit Module
         ],
         'References' => [
-          ['GHSA', 'h3c9-cmh8-7qpj'],
+          ['GHSA', 'h3c9-cmh8-7qpj', 'nextcloud/security-advisories'],
           ['CVE', '2023-26482']
         ],
         'Platform' => %w[linux unix],
diff --git a/modules/exploits/unix/webapp/zoneminder_snapshots.rb b/modules/exploits/unix/webapp/zoneminder_snapshots.rb
@@ -29,7 +29,7 @@ def initialize(info = {})
         ],
         'References' => [
           [ 'CVE', '2023-26035' ],
-          [ 'GHSA', '72rg-h4vf-29gr' ]
+          ['GHSA', '72rg-h4vf-29gr', 'ZoneMinder/zoneminder']
         ],
         'Privileged' => false,
         'Platform' => ['linux', 'unix'],
diff --git a/tools/dev/msftidy.rb b/tools/dev/msftidy.rb
@@ -246,9 +246,10 @@ def check_ref_identifiers
         in_refs = false
       elsif in_super and line =~ /["']Notes["'][[:space:]]*=>/
         in_notes = true
-      elsif in_super and in_refs and line =~ /[^#]+\[[[:space:]]*['"](.+)['"][[:space:]]*,[[:space:]]*['"](.+)['"][[:space:]]*\]/
+      elsif in_super and in_refs and line =~ /[^#]+\[[[:space:]]*['"](.+)['"][[:space:]]*,[[:space:]]*['"](.+)['"][[:space:]]*(?:,[[:space:]]*['"](.+)['"])?[[:space:]]*\]/
         identifier = $1.strip.upcase
         value      = $2.strip
+        repo       = $3.strip if $3
 
         case identifier
         when 'CVE'
@@ -275,6 +276,7 @@ def check_ref_identifiers
           # Format: GHSA-xxxx-xxxx-xxxx or xxxx-xxxx-xxxx (where xxxx is 4 alphanumeric chars)
           ghsa_pattern = /^(?:GHSA-)?[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}$/i
           warn("Invalid GHSA reference") if value !~ ghsa_pattern
+          # No specific validation for repo format yet, as it's an optional string
         when 'URL'
           if value =~ /^https?:\/\/cvedetails\.com\/cve/
             warn("Please use 'CVE' for '#{value}'")
