admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-07-29 05:56:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

"-Synchronized-Data."

Browse Source
This commit is contained in:
CVE Team 2023-07-25 23:00:34 +00:00
parent 08b7f4567e
commit 08edc28ced
No known key found for this signature in database
GPG Key ID: E3252B3D49582C98
2 changed files with 136 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

115
2022/41xxx/CVE-2022-41906.json
View File

@ -1,93 +1,96 @@
{
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-41906",
"STATE": "PUBLIC",
"TITLE": "OpenSearch Notifications is vulnerable to Server-Side Request Forgery (SSRF) "
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "notifications",
"version": {
"version_data": [
{
"version_value": "< 2.2.1"
}
]
}
}
]
},
"vendor_name": "opensearch-project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"CVE_data_meta": {
"ID": "CVE-2022-41906",
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenSearch Notifications is a notifications plugin for OpenSearch that enables other plugins to send notifications via Email, Slack, Amazon Chime, Custom web-hook etc channels. A potential SSRF issue in OpenSearch Notifications Plugin 2.2.0 and below could allow an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Notification plugin's intended scope. OpenSearch 2.2.1+ contains the fix for this issue. There are currently no recommended workarounds."
"value": "OpenSearch Notifications is a notifications plugin for OpenSearch that enables other plugins to send notifications via Email, Slack, Amazon Chime, Custom web-hook etc channels. A potential SSRF issue in OpenSearch Notifications Plugin starting in 2.0.0 and prior to 2.2.1 could allow an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Notification plugin's intended scope. OpenSearch 2.2.1+ contains the fix for this issue. There are currently no recommended workarounds. \n"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918: Server-Side Request Forgery (SSRF)"
"value": "CWE-918: Server-Side Request Forgery (SSRF)",
"cweId": "CWE-918"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "opensearch-project",
"product": {
"product_data": [
{
"product_name": "notifications",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": ">= 2.0.0, < 2.2.1"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"name": "https://github.com/opensearch-project/notifications/security/advisories/GHSA-pfc4-3436-jgrw",
"refsource": "CONFIRM",
"url": "https://github.com/opensearch-project/notifications/security/advisories/GHSA-pfc4-3436-jgrw"
"url": "https://github.com/opensearch-project/notifications/security/advisories/GHSA-pfc4-3436-jgrw",
"refsource": "MISC",
"name": "https://github.com/opensearch-project/notifications/security/advisories/GHSA-pfc4-3436-jgrw"
},
{
"name": "https://github.com/opensearch-project/notifications/pull/496",
"url": "https://github.com/opensearch-project/notifications/pull/496",
"refsource": "MISC",
"url": "https://github.com/opensearch-project/notifications/pull/496"
"name": "https://github.com/opensearch-project/notifications/pull/496"
},
{
"name": "https://github.com/opensearch-project/notifications/pull/507",
"url": "https://github.com/opensearch-project/notifications/pull/507",
"refsource": "MISC",
"url": "https://github.com/opensearch-project/notifications/pull/507"
"name": "https://github.com/opensearch-project/notifications/pull/507"
}
]
},
"source": {
"advisory": "GHSA-pfc4-3436-jgrw",
"discovery": "UNKNOWN"
},
"impact": {
"cvss": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.0"
}
]
}
}

81
2023/38xxx/CVE-2023-38503.json
View File

@ -1,17 +1,90 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-38503",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.3.0 and prior to version 10.5.0, the permission filters (i.e. `user_created IS $CURRENT_USER`) are not properly checked when using GraphQL subscription resulting in unauthorized users getting event on their subscription which they should not be receiving according to the permissions. This can be any collection but out-of-the box the `directus_users` collection is configured with such a permissions filter allowing you to get updates for other users when changes happen. Version 10.5.0 contains a patch. As a workaround, disable GraphQL subscriptions."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"cweId": "CWE-200"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "directus",
"product": {
"product_data": [
{
"product_name": "directus",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": ">= 10.3.0, < 10.5.0"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/directus/directus/security/advisories/GHSA-gggm-66rh-pp98",
"refsource": "MISC",
"name": "https://github.com/directus/directus/security/advisories/GHSA-gggm-66rh-pp98"
},
{
"url": "https://github.com/directus/directus/pull/19155",
"refsource": "MISC",
"name": "https://github.com/directus/directus/pull/19155"
}
]
},
"source": {
"advisory": "GHSA-gggm-66rh-pp98",
"discovery": "UNKNOWN"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
]
}