{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31959", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T15:40:10.481Z", "datePublished": "2026-03-11T19:30:46.584Z", "dateUpdated": "2026-03-12T19:58:59.998Z"}, "containers": {"cna": {"title": "SSRF in Quill via unvalidated URL from Apple notarization log retrieval", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/anchore/quill/security/advisories/GHSA-7q3q-5px6-4c5p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/anchore/quill/security/advisories/GHSA-7q3q-5px6-4c5p"}], "affected": [{"vendor": "anchore", "product": "quill", "versions": [{"version": "< 0.7.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T19:30:46.584Z"}, "descriptions": [{"lang": "en", "value": "Quill provides simple mac binary signing and notarization from any platform. Quill before version v0.7.1 contains a Server-Side Request Forgery (SSRF) vulnerability when attempting to fetch the Apple notarization submission logs. Exploitation requires the ability to modify API responses from Apple's notarization service, which is not possible under standard network conditions due to HTTPS with proper TLS certificate validation; however, environments with TLS-intercepting proxies (common in corporate networks), compromised certificate authorities, or other trust boundary violations are at risk. When retrieving submission logs, Quill fetches a URL provided in the API response without validating that the scheme is https or that the host does not point to a local or multicast IP address. An attacker who can tamper with the response can supply an arbitrary URL, causing the Quill client to issue HTTP or HTTPS requests to attacker-controlled or internal network destinations. This could lead to exfiltration of sensitive data such as cloud provider credentials or internal service responses. Both the Quill CLI and library are affected when used to retrieve notarization submission logs. This vulnerability is fixed in 0.7.1."}], "source": {"advisory": "GHSA-7q3q-5px6-4c5p", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T19:58:50.245423Z", "id": "CVE-2026-31959", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:58:59.998Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31959", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T19:58:50.245423Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:58:56.705Z"}}], "cna": {"title": "SSRF in Quill via unvalidated URL from Apple notarization log retrieval", "source": {"advisory": "GHSA-7q3q-5px6-4c5p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "anchore", "product": "quill", "versions": [{"status": "affected", "version": "< 0.7.1"}]}], "references": [{"url": "https://github.com/anchore/quill/security/advisories/GHSA-7q3q-5px6-4c5p", "name": "https://github.com/anchore/quill/security/advisories/GHSA-7q3q-5px6-4c5p", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Quill provides simple mac binary signing and notarization from any platform. Quill before version v0.7.1 contains a Server-Side Request Forgery (SSRF) vulnerability when attempting to fetch the Apple notarization submission logs. Exploitation requires the ability to modify API responses from Apple's notarization service, which is not possible under standard network conditions due to HTTPS with proper TLS certificate validation; however, environments with TLS-intercepting proxies (common in corporate networks), compromised certificate authorities, or other trust boundary violations are at risk. When retrieving submission logs, Quill fetches a URL provided in the API response without validating that the scheme is https or that the host does not point to a local or multicast IP address. An attacker who can tamper with the response can supply an arbitrary URL, causing the Quill client to issue HTTP or HTTPS requests to attacker-controlled or internal network destinations. This could lead to exfiltration of sensitive data such as cloud provider credentials or internal service responses. Both the Quill CLI and library are affected when used to retrieve notarization submission logs. This vulnerability is fixed in 0.7.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T19:30:46.584Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31959", "state": "PUBLISHED", "dateUpdated": "2026-03-12T19:58:59.998Z", "dateReserved": "2026-03-10T15:40:10.481Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T19:30:46.584Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:anchore:quill:*:*:*:*:*:*:*:*", "matchCriteriaId": "1436F241-3681-40EF-825B-6E7F91E2042B", "versionEndIncluding": "0.7.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Quill provides simple mac binary signing and notarization from any platform. Quill before version v0.7.1 contains a Server-Side Request Forgery (SSRF) vulnerability when attempting to fetch the Apple notarization submission logs. Exploitation requires the ability to modify API responses from Apple's notarization service, which is not possible under standard network conditions due to HTTPS with proper TLS certificate validation; however, environments with TLS-intercepting proxies (common in corporate networks), compromised certificate authorities, or other trust boundary violations are at risk. When retrieving submission logs, Quill fetches a URL provided in the API response without validating that the scheme is https or that the host does not point to a local or multicast IP address. An attacker who can tamper with the response can supply an arbitrary URL, causing the Quill client to issue HTTP or HTTPS requests to attacker-controlled or internal network destinations. This could lead to exfiltration of sensitive data such as cloud provider credentials or internal service responses. Both the Quill CLI and library are affected when used to retrieve notarization submission logs. This vulnerability is fixed in 0.7.1."}, {"lang": "es", "value": "Quill proporciona firma binaria de mac y notarizaci\u00f3n simple desde cualquier plataforma. Quill antes de la versi\u00f3n v0.7.1 contiene una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) al intentar obtener los registros de env\u00edo de notarizaci\u00f3n de Apple. La explotaci\u00f3n requiere la capacidad de modificar respuestas de la API del servicio de notarizaci\u00f3n de Apple, lo cual no es posible bajo condiciones de red est\u00e1ndar debido a HTTPS con validaci\u00f3n adecuada de certificados TLS; sin embargo, entornos con proxies de intercepci\u00f3n TLS (comunes en redes corporativas), autoridades de certificaci\u00f3n comprometidas, u otras violaciones de l\u00edmites de confianza est\u00e1n en riesgo. Al recuperar los registros de env\u00edo, Quill obtiene una URL proporcionada en la respuesta de la API sin validar que el esquema sea https o que el host no apunte a una direcci\u00f3n IP local o de multidifusi\u00f3n. Un atacante que puede manipular la respuesta puede proporcionar una URL arbitraria, haciendo que el cliente de Quill emita peticiones HTTP o HTTPS a destinos de red controlados por el atacante o internos. Esto podr\u00eda llevar a la exfiltraci\u00f3n de datos sensibles como credenciales de proveedores de la nube o respuestas de servicios internos. Tanto la CLI de Quill como la biblioteca se ven afectadas cuando se usan para recuperar los registros de env\u00edo de notarizaci\u00f3n. Esta vulnerabilidad est\u00e1 corregida en 0.7.1."}], "id": "CVE-2026-31959", "lastModified": "2026-03-16T19:24:00.673", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T20:16:16.777", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/anchore/quill/security/advisories/GHSA-7q3q-5px6-4c5p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.7.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "quill", "source": "cna", "vendor": "anchore"}, "product": "quill", "vendor": "anchore"}], "analysis": {"en": {"generated_at": "2026-03-17T15:47:12.098660+00:00", "value": {"mitigation_remediation": ["Apply Quill update to version 0.7.1 or later (official CNA solution).", "If immediate update is not possible, restrict outbound network access for Quill by implementing firewall or proxy rules that block arbitrary URL fetching. "], "summary": {"action": "Immediate Patch", "impact": "Server-Side Request Forgery leading to potential exfiltration of internal data"}, "threat_synthesis": {"affected_systems": "The affected product is Quill from anchore. All releases before version 0.7.1 (including v0.6 and earlier) are vulnerable. Both the Quill CLI and its library API can be used to trigger the flaw.", "description_and_impact": "Quill, a tool for signing and notarizing macOS binaries, contains an SSRF vulnerability in versions prior to v0.7.1. When retrieving Apple notarization submission logs, Quill downloads a URL supplied in Apple's API response without validating that it uses https or that the host is a public domain. Exploitation requires an attacker to modify that API response, which is infeasible under normal HTTPS conditions but possible when TLS\u2011intercepting proxies, compromised certificate authorities, or other trust violations exist. An attacker who succeeds can cause Quill to issue requests to internal or attacker\u2011controlled servers, potentially exfiltrating sensitive data such as cloud credentials or internal service responses.", "risk_and_exploitability": "The CVSS score is 5.3, indicating moderate severity. The EPSS score is less than 1%, suggesting a low probability of widespread exploitation, and the flaw is not listed in CISA\u2019s KEV catalog. Exploitation requires the attacker to tamper with the Apple notarization service response, a capability that typically demands a compromised CA, TLS\u2011intercepting proxy, or similar network trust violation. Thus the attack vector is limited, but environments with such network controls remain at risk."}}}}, "created": "2026-03-12T09:56:42.092034+00:00", "updated": "2026-03-20T15:29:16.625182+00:00", "vendors": ["anchore", "anchore$PRODUCT$quill"]}