GHSA-7Q3Q-5PX6-4C5P

Vulnerability from github – Published: 2026-03-11 00:37 – Updated: 2026-03-11 21:37
VLAI?
Summary
Quill vulnerable to SSRF via unvalidated URL from Apple notarization log retrieval
Details

Impact

Quill before version v0.7.1 contains a Server-Side Request Forgery (SSRF) vulnerability when attempting to fetch the Apple notarization submission logs. Exploitation requires the ability to modify API responses from Apple's notarization service, which is not possible under standard network conditions due to HTTPS with proper TLS certificate validation; however, environments with TLS-intercepting proxies (common in corporate networks), compromised certificate authorities, or other trust boundary violations are at risk.

When retrieving submission logs, Quill fetches a URL provided in the API response without validating that the scheme is https or that the host does not point to a local or multicast IP address. An attacker who can tamper with the response can supply an arbitrary URL, causing the Quill client to issue HTTP or HTTPS requests to attacker-controlled or internal network destinations. This could lead to exfiltration of sensitive data such as cloud provider credentials or internal service responses. Both the Quill CLI and library are affected when used to retrieve notarization submission logs.

Patches

Fixed in Quill version v0.7.1

Workarounds

None

Credit

Anchore would like to thank opera-aklajn (Opera) for reporting this vulnerability

Resources

Severity ?
5.3 (Medium)
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/anchore/quill"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-31959"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-11T00:37:44Z",
    "nvd_published_at": "2026-03-11T20:16:16Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nQuill before version `v0.7.1` contains a Server-Side Request Forgery (SSRF) vulnerability when attempting to fetch the Apple notarization submission logs. Exploitation requires the ability to modify API responses from Apple\u0027s notarization service, which is not possible under standard network conditions due to HTTPS with proper TLS certificate validation; however, environments with TLS-intercepting proxies (common in corporate networks), compromised certificate authorities, or other trust boundary violations are at risk.\n\nWhen retrieving submission logs, Quill fetches a URL provided in the API response without validating that the scheme is https or that the host does not point to a local or multicast IP address. An attacker who can tamper with the response can supply an arbitrary URL, causing the Quill client to issue HTTP or HTTPS requests to attacker-controlled or internal network destinations. This could lead to exfiltration of sensitive data such as cloud provider credentials or internal service responses. Both the Quill CLI and library are affected when used to retrieve notarization submission logs.\n\n\n### Patches\n\nFixed in Quill version `v0.7.1`\n\n\n### Workarounds\n\nNone\n\n### Credit\n\nAnchore would like to thank opera-aklajn (Opera) for reporting this vulnerability\n\n### Resources\n\n- [Apple Get Submission Log API Documentation](https://developer.apple.com/documentation/notaryapi/get-submission-log)",
  "id": "GHSA-7q3q-5px6-4c5p",
  "modified": "2026-03-11T21:37:49Z",
  "published": "2026-03-11T00:37:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/anchore/quill/security/advisories/GHSA-7q3q-5px6-4c5p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31959"
    },
    {
      "type": "WEB",
      "url": "https://github.com/anchore/quill/commit/e41d66a517c2dc20ad8e9fbccffbdc6ba5ef0020"
    },
    {
      "type": "WEB",
      "url": "https://developer.apple.com/documentation/notaryapi/get-submission-log"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/anchore/quill"
    },
    {
      "type": "WEB",
      "url": "https://github.com/anchore/quill/releases/tag/v0.7.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Quill vulnerable to SSRF via unvalidated URL from Apple notarization log retrieval"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.