{}

{}

{}

{"bugzilla": {"description": "pagure: Pagure: Information disclosure via unrestricted reStructuredText include directive", "id": "2443259", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443259"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was found in Pagure's rendering engine for reStructuredText (RST) files. An authenticated user can exploit an unrestricted `.. include::` directive within RST files to read arbitrary internal files from the server hosting Pagure. This information disclosure vulnerability allows unauthorized access to sensitive data on the server."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, restrict authenticated access to the Pagure instance to only trusted and authorized users. This operational control limits the attack surface by ensuring that only privileged individuals can interact with the vulnerable reStructuredText rendering engine. Implement strong authentication and authorization policies for Pagure users to minimize unauthorized access."}, "name": "CVE-2026-3312", "public_date": "2026-03-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-3312\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3312"], "statement": "This vulnerability in Pagure's reStructuredText (RST) rendering engine allows an authenticated user to read arbitrary internal files from the server. This is due to the `.. include::` directive in the docutils library not being restricted or jailed during the rendering process within Pagure. Exploitation requires an authenticated user to craft a malicious RST file.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "product": "pagure", "vendor": "pagure"}], "analysis": {"en": {"generated_at": "2026-03-17T14:20:29.037872+00:00", "value": {"mitigation_remediation": ["Check for and apply any available Pagure update or patch that restricts the \u2018.. include::\u2019 directive in RST files.", "If no patch is available, configure the RST rendering engine to disable or limit the include directive.", "Restrict editing rights to RST files to only users who require them and audit permissions regularly.", "Monitor Pagure logs for unexpected use of the \u2018.. include::\u2019 directive or attempts to read files."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Any Pagure installation that uses the default RST rendering engine without restrictions on the include directive is potentially affected. No specific version numbers are provided, so all instances that permit authenticated users to create or edit RST files could be vulnerable.", "description_and_impact": "The vulnerability is in Pagure\u2019s reStructuredText (RST) rendering engine. An authenticated user can use an unrestricted \u2018.. include::\u2019 directive to read any internal file on the server hosting Pagure, leading to disclosure of sensitive data. The weakness corresponds to a path traversal condition (CWE\u201122). This allows an attacker with edit rights to access files that should remain confidential, potentially exposing configuration, credentials, or other private information.", "risk_and_exploitability": "The CVSS score is 7.7, indicating high severity for confidentiality. Existence of an EPSS score is not reported and the vulnerability is not listed in the KEV catalog. Exploitation requires an authenticated attacker, typically someone with permission to add or modify RST content. The attack vector is therefore an authenticated internal user or a compromised account. Once exploited, the attacker can read arbitrary files, compromising confidentiality of the system."}}}}, "created": "2026-03-18T12:13:36.229020+00:00", "updated": "2026-03-20T14:31:49.166007+00:00", "vendors": ["pagure", "pagure$PRODUCT$pagure"]}