<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-07-14T20:09:50.589718+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the most 10 recent sightings.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/3dcb8828-579d-44e1-96bf-cea259a8720d/export</id>
    <title>3dcb8828-579d-44e1-96bf-cea259a8720d</title>
    <updated>2026-07-14T20:09:50.603688+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "3dcb8828-579d-44e1-96bf-cea259a8720d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-8F6J-263M-G72X", "type": "seen", "source": "https://gist.github.com/alon710/0adc313573f186411d15e2bc7c96b8d7", "content": "# GHSA-8F6J-263M-G72X: GHSA-8F6J-263M-G72X: OCSP Revocation Checking Bypass in Apple App Store Server Python Library\n\n&amp;gt; **CVSS Score:** 6.9\n&amp;gt; **Published:** 2026-07-13\n&amp;gt; **Full Report:** https://cvereports.com/reports/GHSA-8F6J-263M-G72X\n\n## Summary\nA cryptographic validation flaw in the Apple App Store Server Python Library allows an attacker to bypass Online Certificate Status Protocol (OCSP) revocation checks. When online verification is enabled, the library fails to validate temporal constraints on OCSP response payloads. This flaw enables network-positioned adversaries to perform OCSP replay attacks, forcing the application to accept JSON Web Signatures (JWS) signed by revoked certificates.\n\n## TL;DR\nAn input verification flaw in apple-store-server-library (&amp;lt;=3.1.1) allows attackers to replay expired OCSP responses, validating revoked certificates and bypassing signature authentication boundaries.\n\n## Technical Details\n\n- **CWE ID**: CWE-295, CWE-299\n- **Attack Vector**: Network\n- **CVSS v4.0**: 6.9 (Medium)\n- **Exploit Status**: none (theoretical)\n- **Vulnerable Versions**: &amp;gt;= 0.2.0, &amp;lt;= 3.1.1\n- **Fixed Version**: 3.1.2\n\n## Affected Systems\n\n- Apple App Store Server Python Library (app-store-server-library) on Python/PyPI environments\n- **app-store-server-library**: &amp;gt;= 0.2.0, &amp;lt;= 3.1.1 (Fixed in: `3.1.2`)\n\n## Mitigation\n\n- Upgrade Python dependency `app-store-server-library` to at least 3.1.2\n- Review security configurations to ensure clock synchronization protocols like NTP are active on all servers running verification tasks\n- Establish strict egress filtering to limit external network interactions if signature checking occurs in isolated execution units\n\n**Remediation Steps:**\n1. Identify all deployment nodes and virtual environments using `app-store-server-library`\n2. Modify requirement configurations (`requirements.txt`, `pyproject.toml`, or `Pipfile`) to specify `&amp;gt;=3.1.2`\n3. Re-run pip-audit or equivalent Software Composition Analysis (SCA) to verify package dependencies are secure\n\n## References\n\n- [Apple App Store Server Library Python Repository](https://github.com/apple/app-store-server-library-python)\n- [Security Researcher 0xmrma Profile](https://github.com/0xmrma)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-8F6J-263M-G72X) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-14T00:41:43.631436Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/3dcb8828-579d-44e1-96bf-cea259a8720d/export"/>
    <published>2026-07-14T00:41:43.631436+00:00</published>
  </entry>
</feed>
