@blamejs/exceptd-skills 0.13.96 → 0.13.98

package/data/framework-control-gaps.json

@@ -38,6 +38,8 @@
       "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2023-51449",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
       "CVE-2024-0132",
       "CVE-2024-11392",
       "CVE-2024-11393",
@@ -66,6 +68,7 @@
       "CVE-2025-54136",
       "CVE-2025-60455",
       "CVE-2025-64496",
+      "CVE-2025-64513",
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-22252",
@@ -76,6 +79,7 @@
       "CVE-2026-24214",
       "CVE-2026-24215",
       "CVE-2026-26015",
+      "CVE-2026-26190",
       "CVE-2026-30616",
       "CVE-2026-30617",
       "CVE-2026-30624",
@@ -1389,6 +1393,8 @@
       "CVE-2023-50224",
       "CVE-2023-51449",
       "CVE-2023-52163",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
       "CVE-2024-0769",
       "CVE-2024-11182",
       "CVE-2024-11392",
@@ -1551,6 +1557,7 @@
       "CVE-2025-64328",
       "CVE-2025-64446",
       "CVE-2025-64496",
+      "CVE-2025-64513",
       "CVE-2025-6543",
       "CVE-2025-6554",
       "CVE-2025-6558",
@@ -1606,6 +1613,7 @@
       "CVE-2026-25108",
       "CVE-2026-25592",
       "CVE-2026-26015",
+      "CVE-2026-26190",
       "CVE-2026-3055",
       "CVE-2026-30616",
       "CVE-2026-30617",
@@ -1818,6 +1826,8 @@
       "CVE-2023-44467",
       "CVE-2023-48022",
       "CVE-2023-51449",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
       "CVE-2024-0132",
       "CVE-2024-11392",
       "CVE-2024-11393",
@@ -1852,6 +1862,7 @@
       "CVE-2025-54136",
       "CVE-2025-60455",
       "CVE-2025-64496",
+      "CVE-2025-64513",
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-22252",
@@ -1863,6 +1874,7 @@
       "CVE-2026-24215",
       "CVE-2026-25592",
       "CVE-2026-26015",
+      "CVE-2026-26190",
       "CVE-2026-30616",
       "CVE-2026-30617",
       "CVE-2026-30624",
@@ -2445,6 +2457,8 @@
       "CVE-2023-50224",
       "CVE-2023-51449",
       "CVE-2023-52163",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
       "CVE-2024-0132",
       "CVE-2024-0769",
       "CVE-2024-11182",
@@ -2614,6 +2628,7 @@
       "CVE-2025-64328",
       "CVE-2025-64446",
       "CVE-2025-64496",
+      "CVE-2025-64513",
       "CVE-2025-6543",
       "CVE-2025-6554",
       "CVE-2025-6558",
@@ -2671,6 +2686,7 @@
       "CVE-2026-25108",
       "CVE-2026-25592",
       "CVE-2026-26015",
+      "CVE-2026-26190",
       "CVE-2026-3055",
       "CVE-2026-30616",
       "CVE-2026-30617",
@@ -3737,10 +3753,14 @@
       "CVE-2022-1471",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
       "CVE-2024-4889",
       "CVE-2024-6587",
+      "CVE-2025-64513",
       "CVE-2026-24206",
-      "CVE-2026-24207"
+      "CVE-2026-24207",
+      "CVE-2026-26190"
     ],
     "atlas_refs": [
       "AML.T0010",
@@ -4953,6 +4973,8 @@
       "CVE-2023-44467",
       "CVE-2023-48022",
       "CVE-2023-51449",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
       "CVE-2024-0132",
       "CVE-2024-11392",
       "CVE-2024-11393",
@@ -4983,6 +5005,7 @@
       "CVE-2025-54136",
       "CVE-2025-60455",
       "CVE-2025-64496",
+      "CVE-2025-64513",
       "CVE-2025-8747",
       "CVE-2026-0300",
       "CVE-2026-0766",
@@ -4996,6 +5019,7 @@
       "CVE-2026-24215",
       "CVE-2026-25592",
       "CVE-2026-26015",
+      "CVE-2026-26190",
       "CVE-2026-30616",
       "CVE-2026-30617",
       "CVE-2026-30624",
@@ -5582,6 +5606,8 @@
       "CVE-2023-44467",
       "CVE-2023-48022",
       "CVE-2023-51449",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
       "CVE-2024-0132",
       "CVE-2024-11392",
       "CVE-2024-11393",
@@ -5612,6 +5638,7 @@
       "CVE-2025-54136",
       "CVE-2025-60455",
       "CVE-2025-64496",
+      "CVE-2025-64513",
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-22252",
@@ -5623,6 +5650,7 @@
       "CVE-2026-24215",
       "CVE-2026-25592",
       "CVE-2026-26015",
+      "CVE-2026-26190",
       "CVE-2026-30616",
       "CVE-2026-30617",
       "CVE-2026-30624",
@@ -5908,12 +5936,16 @@
       "CVE-2022-1471",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
       "CVE-2024-1709",
       "CVE-2024-4889",
       "CVE-2024-6587",
+      "CVE-2025-64513",
       "CVE-2026-20182",
       "CVE-2026-24206",
-      "CVE-2026-24207"
+      "CVE-2026-24207",
+      "CVE-2026-26190"
     ],
     "atlas_refs": [],
     "attack_refs": [

package/data/zeroday-lessons.json

@@ -4161,6 +4161,106 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2025-64513": {
+    "name": "Milvus Proxy Authentication Bypass via Forged Headers",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Milvus (CWE-287 forged-header auth bypass in the Proxy) lets an unauthenticated network attacker reach the vector database's operations and data, bypassing authentication.",
+      "privileges_required": "none (NVD/CNA AV:N / PR:N) - unauthenticated",
+      "complexity": "low (AC:L)",
+      "ai_factor": "The abused surface is the vector database - the RAG persistence layer that stores embeddings and the source documents (often PII) behind LLM applications. The lesson: vector databases are sensitive data stores, not caches; every API/management port (including metrics ports like 9091) must authenticate, default tokens must be replaced, and the DB must not be network-exposed. An auth bypass here exposes RAG data and enables retrieval poisoning."
+    },
+    "framework_coverage": {
+      "NIST-800-53-IA-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Authentication is not enforced on the vector database's API/management surface."
+      },
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the vector database (RAG persistence layer) as managed, auth-bypass-bearing software."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the vector database as a sensitive RAG data store whose API/management ports must authenticate."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Vector databases are deployed as convenience RAG infrastructure on trusted-network assumptions, often with default tokens and exposed management ports.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-101",
+        "name": "VECTOR-DB-AUTHENTICATION-ENFORCEMENT",
+        "description": "A vector database storing RAG embeddings and source data must enforce authentication on every API and management/metrics port (including ports like Milvus 9091), reject forged/missing auth, replace default tokens, and never be exposed to untrusted networks. Upgrade Milvus to a patched release (2.4.24 / 2.5.21 / 2.6.5). The distinguishing test: from an unauthenticated client, attempt forged-header access to the Proxy and direct access to the metrics/management port on a staging instance and confirm both are refused.",
+        "evidence": "https://github.com/milvus-io/milvus/security/advisories/GHSA-mhjq-8c7m-3f7p",
+        "gap_closes": [
+          "NIST-800-53-IA-2",
+          "NIST-800-53-SI-2",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-26190": {
+    "name": "Milvus Port 9091 Missing Authentication / Weak Default Token",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Milvus (CWE-306 missing authentication on port 9091 with weak default tokens) lets an unauthenticated network attacker reach the vector database's operations and data, bypassing authentication.",
+      "privileges_required": "none (NVD/CNA AV:N / PR:N) - unauthenticated",
+      "complexity": "low (AC:L)",
+      "ai_factor": "The abused surface is the vector database - the RAG persistence layer that stores embeddings and the source documents (often PII) behind LLM applications. The lesson: vector databases are sensitive data stores, not caches; every API/management port (including metrics ports like 9091) must authenticate, default tokens must be replaced, and the DB must not be network-exposed. An auth bypass here exposes RAG data and enables retrieval poisoning."
+    },
+    "framework_coverage": {
+      "NIST-800-53-IA-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Authentication is not enforced on the vector database's API/management surface."
+      },
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the vector database (RAG persistence layer) as managed, auth-bypass-bearing software."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the vector database as a sensitive RAG data store whose API/management ports must authenticate."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Vector databases are deployed as convenience RAG infrastructure on trusted-network assumptions, often with default tokens and exposed management ports.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-101",
+        "name": "VECTOR-DB-AUTHENTICATION-ENFORCEMENT",
+        "description": "A vector database storing RAG embeddings and source data must enforce authentication on every API and management/metrics port (including ports like Milvus 9091), reject forged/missing auth, replace default tokens, and never be exposed to untrusted networks. Upgrade Milvus to a patched release (2.5.27 / 2.6.10). The distinguishing test: from an unauthenticated client, attempt forged-header access to the Proxy and direct access to the metrics/management port on a staging instance and confirm both are refused.",
+        "evidence": "https://github.com/milvus-io/milvus/security/advisories/GHSA-7ppg-37fh-vcr6",
+        "gap_closes": [
+          "NIST-800-53-IA-2",
+          "NIST-800-53-SI-2",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2024-4889": {
     "name": "BerriAI LiteLLM Config Code Injection via UI_LOGO_PATH / KMS",
     "lesson_date": "2026-05-25",
@@ -7533,6 +7633,106 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2023-6019": {
+    "name": "Anyscale Ray Dashboard cpu_profile Command Injection RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Anyscale Ray's dashboard (CWE-78 command injection via the dashboard cpu_profile parameter) lets an unauthenticated attacker execute OS commands on the dashboard host. The dashboard has no authentication by default.",
+      "privileges_required": "none (NVD AV:N / PR:N) - unauthenticated against a reachable dashboard",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the dashboard of Ray, a widely used distributed AI/ML compute framework. The lesson reinforces the ShadowRay one: the AI compute control plane (dashboard, job API) must authenticate every caller and never be network-exposed - a single dashboard endpoint flaw is unauthenticated RCE or arbitrary file read on the cluster. These were patched in Ray 2.8.1 (unlike the disputed Job-API ShadowRay issue)."
+    },
+    "framework_coverage": {
+      "NIST-800-53-IA-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Authentication is not enforced on the Ray dashboard; unauthenticated callers reach command/file endpoints."
+      },
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the AI compute framework's dashboard as managed, network-exposed software."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the AI compute dashboard as an unauthenticated control plane requiring auth, input neutralization, and path containment."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 72,
+      "basis": "AI compute clusters expose dashboards on trusted-network assumptions; the dashboard's endpoints are not audited for injection / path traversal.",
+      "theater_pattern": "controlled_network_assumption"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-088",
+        "name": "AI-COMPUTE-CONTROL-PLANE-AUTHENTICATION",
+        "description": "An AI compute framework's control plane (Ray dashboard, job API, log/profile endpoints) must authenticate every caller and never be exposed to untrusted networks; 'deploy only on a trusted network' is an assumption, not a control. Upgrade Anyscale Ray to 2.8.1 or later (fixes the dashboard cpu_profile command injection and log-API LFI), bind the dashboard to loopback or front it with an authenticating proxy, and run least-privilege. The distinguishing test: from the network, hit the dashboard cpu_profile and log API unauthenticated on a staging cluster and confirm both are refused.",
+        "evidence": "https://github.com/advisories/GHSA-h3xg-wv58-5p43",
+        "gap_closes": [
+          "NIST-800-53-IA-2",
+          "NIST-800-53-SI-2",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2023-6021": {
+    "name": "Anyscale Ray Dashboard Log API Local File Inclusion",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Anyscale Ray's dashboard (CWE-22 path traversal / LFI in the dashboard log API) lets an unauthenticated attacker read arbitrary host files. The dashboard has no authentication by default.",
+      "privileges_required": "none (NVD AV:N / PR:N) - unauthenticated against a reachable dashboard",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the dashboard of Ray, a widely used distributed AI/ML compute framework. The lesson reinforces the ShadowRay one: the AI compute control plane (dashboard, job API) must authenticate every caller and never be network-exposed - a single dashboard endpoint flaw is unauthenticated RCE or arbitrary file read on the cluster. These were patched in Ray 2.8.1 (unlike the disputed Job-API ShadowRay issue)."
+    },
+    "framework_coverage": {
+      "NIST-800-53-IA-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Authentication is not enforced on the Ray dashboard; unauthenticated callers reach command/file endpoints."
+      },
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the AI compute framework's dashboard as managed, network-exposed software."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the AI compute dashboard as an unauthenticated control plane requiring auth, input neutralization, and path containment."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 72,
+      "basis": "AI compute clusters expose dashboards on trusted-network assumptions; the dashboard's endpoints are not audited for injection / path traversal.",
+      "theater_pattern": "controlled_network_assumption"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-088",
+        "name": "AI-COMPUTE-CONTROL-PLANE-AUTHENTICATION",
+        "description": "An AI compute framework's control plane (Ray dashboard, job API, log/profile endpoints) must authenticate every caller and never be exposed to untrusted networks; 'deploy only on a trusted network' is an assumption, not a control. Upgrade Anyscale Ray to 2.8.1 or later (fixes the dashboard cpu_profile command injection and log-API LFI), bind the dashboard to loopback or front it with an authenticating proxy, and run least-privilege. The distinguishing test: from the network, hit the dashboard cpu_profile and log API unauthenticated on a staging cluster and confirm both are refused.",
+        "evidence": "https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023",
+        "gap_closes": [
+          "NIST-800-53-IA-2",
+          "NIST-800-53-SI-2",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2026-0766": {
     "name": "Open WebUI Tool Module Code Injection RCE",
     "lesson_date": "2026-05-25",