GHSA-7WW3-XVF5-CXWM

Vulnerability from github – Published: 2026-05-05 22:20 – Updated: 2026-05-05 22:20
VLAI?
Summary
ciguard: Web UI is missing HTTP defence-in-depth headers
Details

Summary

ciguard's FastAPI Web UI (src/ciguard/web/app.py) does not set HTTP defence-in-depth headers. OWASP ZAP baseline scan flagged 11 alerts: missing Content-Security-Policy (Medium), X-Frame-Options (Medium), Sub-Resource-Integrity on /api/docs (Medium), COOP / COEP / CORP (Low), Permissions-Policy (Low), X-Content-Type-Options (Low).

Threat scenario

For local-only deployment (current intent): minimal — there's no untrusted browser context, no third-party hosting, no auth surface to protect.

For public hosting (PRD Slice 9 GitHub App or hosted dashboard, future): each missing header reduces a defence layer:

  • Missing CSP → injected XSS would have no second-line defence (first-line Jinja autoescape remains intact)
  • Missing X-Frame-Options → clickjacking against any UI button would be possible
  • Missing SRI on jsdelivr-hosted Swagger UI → if jsdelivr were compromised, attacker JS would run in the docs page context

Patch

  • New SecurityHeadersMiddleware at src/ciguard/web/security_headers.py injecting: X-Content-Type-Options nosniff, X-Frame-Options DENY, Referrer-Policy no-referrer, Permissions-Policy interest-cohort=(), Cross-Origin-Opener-Policy same-origin, Cross-Origin-Resource-Policy same-origin, plus per-path CSP with /api/docs + /api/redoc carve-out for cdn.jsdelivr.net (Swagger UI / ReDoc dependency).
  • COEP intentionally NOT set: would break Swagger UI's cross-origin assets, and ciguard makes no SharedArrayBuffer use that would benefit.
  • Registered via app.add_middleware(SecurityHeadersMiddleware).
  • 6 regression tests in tests/test_web.py::TestSecurityHeaders.

Discovery

Found by OWASP ZAP baseline scan during ciguard's first self-conducted pentest cycle, 2026-04-26.

CVSS Scoring

  • CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N — 4.3 (Medium per v3.1 thresholds)
  • CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N — first.org calc 4.3 (Low); GitHub's calc 2.1 (Low). All consistent at Low/borderline.

Verification

$ curl -sI http://127.0.0.1:8080/ | grep -E '^(X-Frame|X-Content|Referrer|Permissions|Cross-Origin|Content-Security):'
# Pre-fix: empty
# Post-fix: 7 headers present

Resources

Severity ?
4.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
2.1 (Low)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.8.1"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "ciguard"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.0"
            },
            {
              "fixed": "0.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-693"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T22:20:04Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "## Summary\n\nciguard\u0027s FastAPI Web UI (`src/ciguard/web/app.py`) does not set HTTP defence-in-depth headers. OWASP ZAP baseline scan flagged 11 alerts: missing Content-Security-Policy (Medium), X-Frame-Options (Medium), Sub-Resource-Integrity on `/api/docs` (Medium), COOP / COEP / CORP (Low), Permissions-Policy (Low), X-Content-Type-Options (Low).\n\n## Threat scenario\n\nFor local-only deployment (current intent): minimal \u2014 there\u0027s no untrusted browser context, no third-party hosting, no auth surface to protect.\n\nFor public hosting (PRD Slice 9 GitHub App or hosted dashboard, future): each missing header reduces a defence layer:\n\n- Missing CSP \u2192 injected XSS would have no second-line defence (first-line Jinja autoescape remains intact)\n- Missing X-Frame-Options \u2192 clickjacking against any UI button would be possible\n- Missing SRI on jsdelivr-hosted Swagger UI \u2192 if jsdelivr were compromised, attacker JS would run in the docs page context\n\n## Patch\n\n- New `SecurityHeadersMiddleware` at `src/ciguard/web/security_headers.py` injecting: X-Content-Type-Options nosniff, X-Frame-Options DENY, Referrer-Policy no-referrer, Permissions-Policy `interest-cohort=()`, Cross-Origin-Opener-Policy same-origin, Cross-Origin-Resource-Policy same-origin, plus per-path CSP with `/api/docs` + `/api/redoc` carve-out for cdn.jsdelivr.net (Swagger UI / ReDoc dependency).\n- COEP intentionally NOT set: would break Swagger UI\u0027s cross-origin assets, and ciguard makes no SharedArrayBuffer use that would benefit.\n- Registered via `app.add_middleware(SecurityHeadersMiddleware)`.\n- 6 regression tests in `tests/test_web.py::TestSecurityHeaders`.\n\n## Discovery\n\nFound by OWASP ZAP baseline scan during ciguard\u0027s first self-conducted pentest cycle, 2026-04-26.\n\n## CVSS Scoring\n\n- CVSS v3.1: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N` \u2014 4.3 (Medium per v3.1 thresholds)\n- CVSS v4.0: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N` \u2014 first.org calc 4.3 (Low); GitHub\u0027s calc 2.1 (Low). All consistent at Low/borderline.\n\n## Verification\n\n```\n$ curl -sI http://127.0.0.1:8080/ | grep -E \u0027^(X-Frame|X-Content|Referrer|Permissions|Cross-Origin|Content-Security):\u0027\n# Pre-fix: empty\n# Post-fix: 7 headers present\n```\n\n## Resources\n\n- Fix released in [v0.8.2](https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.2)\n- CI regression gate added in [v0.8.3](https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.3)",
  "id": "GHSA-7ww3-xvf5-cxwm",
  "modified": "2026-05-05T22:20:04Z",
  "published": "2026-05-05T22:20:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Jo-Jo98/ciguard/security/advisories/GHSA-7ww3-xvf5-cxwm"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Jo-Jo98/ciguard"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ciguard: Web UI is missing HTTP defence-in-depth headers"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.