@blamejs/exceptd-skills 0.13.85 → 0.13.86

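--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.13.86 — 2026-05-25
+
+CVE catalog — Ollama API path traversal. Adds the two path-traversal flaws in Ollama, the most widely used local LLM runtime. **CVE-2024-37032** (Wiz "Probllama", CWE-22, NIST CVSS 8.8) — Ollama does not validate that a model-blob digest is a 64-character hex SHA256, so a manifest from a rogue registry embeds traversal sequences that make a model pull write attacker content to an arbitrary path, achieving remote code execution; fixed in 0.1.34. **CVE-2024-39722** (Oligo "More Models, More ProbLLMs", CWE-22, NIST CVSS 7.5) — the api/push route discloses host file existence via path traversal to an unauthenticated caller; fixed in 0.1.46. Both map ATLAS AML.T0049 (+ AML.T0010 for the rogue-registry RCE) and ATT&CK T1190 (+ T1059 / T1083); their shared zero-day lesson (NEW-CTRL-094) requires the runtime API to validate digests and path parameters before filesystem access, stay off untrusted networks, and pull only from trusted registries. CVE count 351 → 353.
+
 ## 0.13.85 — 2026-05-25
 
 CVE catalog — ShellTorch (PyTorch TorchServe model-server takeover). Adds the Oligo-disclosed chain that took over thousands of exposed TorchServe instances, including at major organizations. **CVE-2023-43654** (CWE-918, NIST CVSS 9.8) — the TorchServe management API registers a model from any remote URL (SSRF), and because the management console binds to all interfaces by default with no authentication, this is unauthenticated remote code execution; fixed in 0.8.2. **CVE-2022-1471** (CWE-502/20, NIST CVSS 9.8, CNA 8.3) — the deserialization leg: SnakeYAML's default `Constructor` instantiates arbitrary types from untrusted YAML, so the model config TorchServe parses becomes code execution; fixed in SnakeYAML 2.0 (SafeConstructor default). Both map MITRE ATLAS (AML.T0049 / AML.T0010 / AML.T0011.000) and ATT&CK T1190 / T1059, and their shared zero-day lesson (NEW-CTRL-093) requires the model-server management API to authenticate, bind to loopback, allow-list model sources, and parse config with safe deserializers. CVE count 349 → 351.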
@@ -1,21 +1,21 @@
1
1
  {
2
2
  "schema_version": "1.1.0",
3
- "generated_at": "2026-05-25T19:31:45.168Z",
3
+ "generated_at": "2026-05-25T20:03:36.367Z",
4
4
  "generator": "scripts/build-indexes.js",
5
5
  "source_count": 54,
6
6
  "source_hashes": {
7
- "manifest.json": "a749a97b394837ad068e664902920acade30392977ae06dec3d523d3b7f69f54",
8
- "data/atlas-ttps.json": "095a2d70b41e0010d3997fc9f6f36c22fa0b508e6c398a247979bd855007e27b",
9
- "data/attack-techniques.json": "5afbe16ba1126d5a9af6873b018446108e466828a64dc5e4f3c0234eb5da9184",
10
- "data/cve-catalog.json": "5471860d403e0a96cae1022ba8aa1515932f20364efede9231ccbf6990a29783",
11
- "data/cwe-catalog.json": "320acd6f332964646aa053742156942315f2167751c1c714afa452d5195ecc54",
7
+ "manifest.json": "7c9fdfd1cffc4498b847f777943ec4aa07d98aa8f5aadf77f60c83d93fccc3f2",
8
+ "data/atlas-ttps.json": "af3a2274f30e450efb1db2e00f1f328dd512a4d5b4c2ea4a58074621719e800f",
9
+ "data/attack-techniques.json": "927e61dab97fc54f798e33dd47649133e3e97c61e1f07661fc6d380e8034532b",
10
+ "data/cve-catalog.json": "27489dcdeba658f3c6142f8df1c5eb739f9b4e096ca713321d3ad667a0792db3",
11
+ "data/cwe-catalog.json": "af3be094b3273dd7214a792fe4606d74026b42e9e5abf63227b4a57d270dcdf0",
12
12
  "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
13
13
  "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
14
14
  "data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
15
- "data/framework-control-gaps.json": "f26a4b6dd58ee7e4f6040c1c8b24435a6d23ea031157dfa6df1611459cb76eb1",
15
+ "data/framework-control-gaps.json": "b4155147d2a79b8acb7373445716327163c0714aabaf83229d07f724f6f280ca",
16
16
  "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
17
17
  "data/rfc-references.json": "66ef2e1f444a2cf0c2700a754f0a66030bb8a91d9e68394b9537ea1fe8b904fe",
18
- "data/zeroday-lessons.json": "f84e5e332ebcdef7afb6fe3ebd9c665aaa21b84ddcdc67bbb2e909cdfd36227f",
18
+ "data/zeroday-lessons.json": "0f8da4cff30862c76ac0e105ee1e10273fa0e43fffdec4303916b97bb36941d7",
19
19
  "skills/kernel-lpe-triage/skill.md": "08b3e9815ba481c57c80f5fc0ccbf5bb7cbb41f570c235ba6ff9596b8c07354d",
20
20
  "skills/ai-attack-surface/skill.md": "c4c1eb22a38ca7a959b5725222bab8fbd4f4044a548a93f3e288e6f698334b72",
21
21
  "skills/mcp-agent-trust/skill.md": "89ac89084391d2341b6513fefb1be2d36b93de1c130f057696219c1c59440f13",
@@ -72,7 +72,7 @@
72
72
  "dlp_refs": 0
73
73
  },
74
74
  "trigger_table_entries": 538,
75
- "chains_cve_entries": 340,
75
+ "chains_cve_entries": 342,
76
76
  "chains_cwe_entries": 171,
77
77
  "jurisdictions_indexed": 29,
78
78
  "handoff_dag_nodes": 42,
@@ -149,7 +149,7 @@
149
149
  "artifact": "data/cve-catalog.json",
150
150
  "path": "data/cve-catalog.json",
151
151
  "schema_version": "1.0.0",
152
- "entry_count": 351
152
+ "entry_count": 353
153
153
  },
154
154
  {
155
155
  "date": "2026-05-18",
@@ -165,7 +165,7 @@
165
165
  "artifact": "data/zeroday-lessons.json",
166
166
  "path": "data/zeroday-lessons.json",
167
167
  "schema_version": "1.1.0",
168
- "entry_count": 346
168
+ "entry_count": 348
169
169
  },
170
170
  {
171
171
  "date": "2026-05-17",
@@ -62,7 +62,7 @@
62
62
  "rebuild_after_days": 365,
63
63
  "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
64
64
  },
65
- "entry_count": 351,
65
+ "entry_count": 353,
66
66
  "sample_keys": [
67
67
  "CVE-2025-53773",
68
68
  "CVE-2026-30615",
@@ -238,7 +238,7 @@
238
238
  "rebuild_after_days": 365,
239
239
  "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
240
240
  },
241
- "entry_count": 346,
241
+ "entry_count": 348,
242
242
  "sample_keys": [
243
243
  "CVE-2026-31431",
244
244
  "CVE-2025-53773",