diff --git a/2019/1xxx/CVE-2019-1551.json b/2019/1xxx/CVE-2019-1551.json index df2fe4d89e4..2e852d220cd 100644 --- a/2019/1xxx/CVE-2019-1551.json +++ b/2019/1xxx/CVE-2019-1551.json @@ -184,6 +184,11 @@ "refsource": "CONFIRM", "name": "https://www.tenable.com/security/tns-2021-10", "url": "https://www.tenable.com/security/tns-2021-10" + }, + { + "refsource": "MLIST", + "name": "[debian-lts-announce] 20220317 [SECURITY] [DLA 2952-1] openssl security update", + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html" } ] } diff --git a/2021/23xxx/CVE-2021-23556.json b/2021/23xxx/CVE-2021-23556.json index 45d20a45aaa..758d50bb74e 100644 --- a/2021/23xxx/CVE-2021-23556.json +++ b/2021/23xxx/CVE-2021-23556.json @@ -48,24 +48,29 @@ "references": { "reference_data": [ { - "refsource": "CONFIRM", - "url": "https://snyk.io/vuln/SNYK-PYTHON-GUAKE-2386334" + "refsource": "MISC", + "url": "https://github.com/Guake/guake/issues/1796", + "name": "https://github.com/Guake/guake/issues/1796" }, { - "refsource": "CONFIRM", - "url": "https://github.com/Guake/guake/issues/1796" + "refsource": "MISC", + "url": "https://snyk.io/vuln/SNYK-PYTHON-GUAKE-2386334", + "name": "https://snyk.io/vuln/SNYK-PYTHON-GUAKE-2386334" }, { - "refsource": "CONFIRM", - "url": "https://github.com/Guake/guake/pull/2017" + "refsource": "MISC", + "url": "https://github.com/Guake/guake/pull/2017", + "name": "https://github.com/Guake/guake/pull/2017" }, { - "refsource": "CONFIRM", - "url": "https://github.com/Guake/guake/pull/2017/commits/e3d671120bfe7ba28f50e256cc5e8a629781b888" + "refsource": "MISC", + "url": "https://github.com/Guake/guake/pull/2017/commits/e3d671120bfe7ba28f50e256cc5e8a629781b888", + "name": "https://github.com/Guake/guake/pull/2017/commits/e3d671120bfe7ba28f50e256cc5e8a629781b888" }, { - "refsource": "CONFIRM", - "url": "https://github.com/Guake/guake/releases" + "refsource": "MISC", + "url": "https://github.com/Guake/guake/releases", + "name": "https://github.com/Guake/guake/releases" } ] }, @@ -73,7 +78,7 @@ "description_data": [ { "lang": "eng", - "value": "The package guake before 3.8.5 are vulnerable to Exposed Dangerous Method or Function due to the exposure of execute_command and execute_command_by_uuid methods via the d-bus interface, which makes it possible for a malicious user to run an arbitrary command via the d-bus method.\r\n\r\n**Note:**\r\nExploitation requires the user to have installed another malicious program that will be able to send dbus signals or run terminal commands.\n" + "value": "The package guake before 3.8.5 are vulnerable to Exposed Dangerous Method or Function due to the exposure of execute_command and execute_command_by_uuid methods via the d-bus interface, which makes it possible for a malicious user to run an arbitrary command via the d-bus method. **Note:** Exploitation requires the user to have installed another malicious program that will be able to send dbus signals or run terminal commands." } ] }, diff --git a/2021/23xxx/CVE-2021-23632.json b/2021/23xxx/CVE-2021-23632.json index 91a71d5b7ac..2ac9bde62d0 100644 --- a/2021/23xxx/CVE-2021-23632.json +++ b/2021/23xxx/CVE-2021-23632.json @@ -48,8 +48,9 @@ "references": { "reference_data": [ { - "refsource": "CONFIRM", - "url": "https://snyk.io/vuln/SNYK-JS-GIT-1568518" + "refsource": "MISC", + "url": "https://snyk.io/vuln/SNYK-JS-GIT-1568518", + "name": "https://snyk.io/vuln/SNYK-JS-GIT-1568518" } ] }, @@ -57,7 +58,7 @@ "description_data": [ { "lang": "eng", - "value": "All versions of package git are vulnerable to Remote Code Execution (RCE) due to missing sanitization in the Git.git method, which allows execution of OS commands rather than just git commands.\r\n\r\n Steps to Reproduce\r\n\r\n1. Create a file named exploit.js with the following content:\r\n\r\n js\r\n var Git = require(\"git\").Git;\r\n\r\n var repo = new Git(\"repo-test\");\r\n\r\n var user_input = \"version; date\";\r\n\r\n repo.git(user_input, function(err, result) {\r\n console.log(result);\r\n })\r\n \r\n2. In the same directory as exploit.js, run npm install git.\r\n3. Run exploit.js: node exploit.js.\r\n\r\nYou should see the outputs of both the git version and date command-lines. Note that the repo-test Git repository does not need to be present to make this PoC work.\n" + "value": "All versions of package git are vulnerable to Remote Code Execution (RCE) due to missing sanitization in the Git.git method, which allows execution of OS commands rather than just git commands. Steps to Reproduce 1. Create a file named exploit.js with the following content: js var Git = require(\"git\").Git; var repo = new Git(\"repo-test\"); var user_input = \"version; date\"; repo.git(user_input, function(err, result) { console.log(result); }) 2. In the same directory as exploit.js, run npm install git. 3. Run exploit.js: node exploit.js. You should see the outputs of both the git version and date command-lines. Note that the repo-test Git repository does not need to be present to make this PoC work." } ] }, diff --git a/2021/23xxx/CVE-2021-23771.json b/2021/23xxx/CVE-2021-23771.json index 31a35cee033..5f1c978ef01 100644 --- a/2021/23xxx/CVE-2021-23771.json +++ b/2021/23xxx/CVE-2021-23771.json @@ -66,12 +66,14 @@ "references": { "reference_data": [ { - "refsource": "CONFIRM", - "url": "https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946" + "refsource": "MISC", + "url": "https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946", + "name": "https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946" }, { - "refsource": "CONFIRM", - "url": "https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587" + "refsource": "MISC", + "url": "https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587", + "name": "https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587" } ] }, @@ -79,7 +81,7 @@ "description_data": [ { "lang": "eng", - "value": "This affects all versions of package notevil; all versions of package argencoders-notevil.\n It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype.\r\n\r\n**Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878).\r\n\r\n" + "value": "This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878)." } ] }, diff --git a/2021/44xxx/CVE-2021-44908.json b/2021/44xxx/CVE-2021-44908.json index 0e775f61864..d4e912e4785 100644 --- a/2021/44xxx/CVE-2021-44908.json +++ b/2021/44xxx/CVE-2021-44908.json @@ -1,17 +1,71 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2021-44908", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2021-44908", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SailsJS Sails.js <=1.4.0 is vulnerable to Prototype Pollution via controller/load-action-modules.js, function loadActionModules()." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/sailsJS%20PoC.zip", + "refsource": "MISC", + "name": "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/sailsJS%20PoC.zip" + }, + { + "url": "https://github.com/balderdashy/sails/blob/master/lib/app/private/controller/load-action-modules.js#L32", + "refsource": "MISC", + "name": "https://github.com/balderdashy/sails/blob/master/lib/app/private/controller/load-action-modules.js#L32" + }, + { + "refsource": "MISC", + "name": "https://github.com/balderdashy/sails/issues/7209", + "url": "https://github.com/balderdashy/sails/issues/7209" } ] } diff --git a/2021/45xxx/CVE-2021-45793.json b/2021/45xxx/CVE-2021-45793.json index e1ec9f53fe2..64eb3431d07 100644 --- a/2021/45xxx/CVE-2021-45793.json +++ b/2021/45xxx/CVE-2021-45793.json @@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2021-45793", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2021-45793", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Slims9 Bulian 9.4.2 is affected by SQL injection in lib/comment.inc.php. User data can be obtained." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/slims/slims9_bulian/issues/123", + "refsource": "MISC", + "name": "https://github.com/slims/slims9_bulian/issues/123" } ] } diff --git a/2021/45xxx/CVE-2021-45794.json b/2021/45xxx/CVE-2021-45794.json index 9988a6fe12c..8b6c1765967 100644 --- a/2021/45xxx/CVE-2021-45794.json +++ b/2021/45xxx/CVE-2021-45794.json @@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2021-45794", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2021-45794", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Slims9 Bulian 9.4.2 is affected by SQL injection in /admin/modules/system/backup.php. User data can be obtained." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/slims/slims9_bulian/issues/124", + "refsource": "MISC", + "name": "https://github.com/slims/slims9_bulian/issues/124" } ] } diff --git a/2022/0xxx/CVE-2022-0748.json b/2022/0xxx/CVE-2022-0748.json index ba62986c000..a0a7a762920 100644 --- a/2022/0xxx/CVE-2022-0748.json +++ b/2022/0xxx/CVE-2022-0748.json @@ -48,8 +48,9 @@ "references": { "reference_data": [ { - "refsource": "CONFIRM", - "url": "https://snyk.io/vuln/SNYK-JS-POSTLOADER-2403737" + "refsource": "MISC", + "url": "https://snyk.io/vuln/SNYK-JS-POSTLOADER-2403737", + "name": "https://snyk.io/vuln/SNYK-JS-POSTLOADER-2403737" } ] }, @@ -57,7 +58,7 @@ "description_data": [ { "lang": "eng", - "value": "The package post-loader from 0.0.0 are vulnerable to Arbitrary Code Execution which uses a markdown parser in an unsafe way so that any javascript code inside the markdown input files gets evaluated and executed.\r\n\r\n" + "value": "The package post-loader from 0.0.0 are vulnerable to Arbitrary Code Execution which uses a markdown parser in an unsafe way so that any javascript code inside the markdown input files gets evaluated and executed." } ] }, diff --git a/2022/0xxx/CVE-2022-0749.json b/2022/0xxx/CVE-2022-0749.json index 20dd2bb858f..5d8857efacc 100644 --- a/2022/0xxx/CVE-2022-0749.json +++ b/2022/0xxx/CVE-2022-0749.json @@ -48,16 +48,19 @@ "references": { "reference_data": [ { - "refsource": "CONFIRM", - "url": "https://snyk.io/vuln/SNYK-DOTNET-SINGOOCMSUTILITY-2312979" + "refsource": "MISC", + "url": "https://snyk.io/vuln/SNYK-DOTNET-SINGOOCMSUTILITY-2312979", + "name": "https://snyk.io/vuln/SNYK-DOTNET-SINGOOCMSUTILITY-2312979" }, { - "refsource": "CONFIRM", - "url": "https://github.com/SinGooCMS/SinGooCMSUtility/issues/1" + "refsource": "MISC", + "url": "https://github.com/SinGooCMS/SinGooCMSUtility/issues/1", + "name": "https://github.com/SinGooCMS/SinGooCMSUtility/issues/1" }, { - "refsource": "CONFIRM", - "url": "https://github.com/SinGooCMS/SinGooCMSUtility/blob/master/SinGooCMS.Utility/Net/SocketClient.cs" + "refsource": "MISC", + "url": "https://github.com/SinGooCMS/SinGooCMSUtility/blob/master/SinGooCMS.Utility/Net/SocketClient.cs", + "name": "https://github.com/SinGooCMS/SinGooCMSUtility/blob/master/SinGooCMS.Utility/Net/SocketClient.cs" } ] }, @@ -65,7 +68,7 @@ "description_data": [ { "lang": "eng", - "value": "This affects all versions of package SinGooCMS.Utility.\n The socket client in the package can pass in the payload via the user-controllable input after it has been established, because this socket client transmission does not have the appropriate restrictions or type bindings for the BinaryFormatter.\n" + "value": "This affects all versions of package SinGooCMS.Utility. The socket client in the package can pass in the payload via the user-controllable input after it has been established, because this socket client transmission does not have the appropriate restrictions or type bindings for the BinaryFormatter." } ] }, diff --git a/2022/0xxx/CVE-2022-0778.json b/2022/0xxx/CVE-2022-0778.json index b00594f4e29..1d4fb3b798e 100644 --- a/2022/0xxx/CVE-2022-0778.json +++ b/2022/0xxx/CVE-2022-0778.json @@ -97,6 +97,16 @@ "refsource": "DEBIAN", "name": "DSA-5103", "url": "https://www.debian.org/security/2022/dsa-5103" + }, + { + "refsource": "MLIST", + "name": "[debian-lts-announce] 20220317 [SECURITY] [DLA 2952-1] openssl security update", + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html" + }, + { + "refsource": "MLIST", + "name": "[debian-lts-announce] 20220317 [SECURITY] [DLA 2953-1] openssl1.0 security update", + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html" } ] } diff --git a/2022/1xxx/CVE-2022-1002.json b/2022/1xxx/CVE-2022-1002.json new file mode 100644 index 00000000000..52216687b1a --- /dev/null +++ b/2022/1xxx/CVE-2022-1002.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2022-1002", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2022/1xxx/CVE-2022-1003.json b/2022/1xxx/CVE-2022-1003.json new file mode 100644 index 00000000000..6e7c12adbad --- /dev/null +++ b/2022/1xxx/CVE-2022-1003.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2022-1003", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2022/21xxx/CVE-2022-21221.json b/2022/21xxx/CVE-2022-21221.json index a2fc81da617..a1a7b74dc81 100644 --- a/2022/21xxx/CVE-2022-21221.json +++ b/2022/21xxx/CVE-2022-21221.json @@ -48,24 +48,29 @@ "references": { "reference_data": [ { - "refsource": "CONFIRM", - "url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMVALYALAFASTHTTP-2407866" + "refsource": "MISC", + "url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMVALYALAFASTHTTP-2407866", + "name": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMVALYALAFASTHTTP-2407866" }, { - "refsource": "CONFIRM", - "url": "https://github.com/valyala/fasthttp/issues/1226" + "refsource": "MISC", + "url": "https://github.com/valyala/fasthttp/issues/1226", + "name": "https://github.com/valyala/fasthttp/issues/1226" }, { - "refsource": "CONFIRM", - "url": "https://github.com/valyala/fasthttp/commit/6b5bc7bb304975147b4af68df54ac214ed2554c1" + "refsource": "MISC", + "url": "https://github.com/valyala/fasthttp/commit/6b5bc7bb304975147b4af68df54ac214ed2554c1", + "name": "https://github.com/valyala/fasthttp/commit/6b5bc7bb304975147b4af68df54ac214ed2554c1" }, { - "refsource": "CONFIRM", - "url": "https://github.com/valyala/fasthttp/commit/15262ecf3c602364639d465daba1e7f3604d00e8" + "refsource": "MISC", + "url": "https://github.com/valyala/fasthttp/commit/15262ecf3c602364639d465daba1e7f3604d00e8", + "name": "https://github.com/valyala/fasthttp/commit/15262ecf3c602364639d465daba1e7f3604d00e8" }, { - "refsource": "CONFIRM", - "url": "https://github.com/valyala/fasthttp/releases/tag/v1.34.0" + "refsource": "MISC", + "url": "https://github.com/valyala/fasthttp/releases/tag/v1.34.0", + "name": "https://github.com/valyala/fasthttp/releases/tag/v1.34.0" } ] }, @@ -73,7 +78,7 @@ "description_data": [ { "lang": "eng", - "value": "The package github.com/valyala/fasthttp before 1.34.0 are vulnerable to Directory Traversal via the ServeFile function, due to improper sanitization. It is possible to be exploited by using a backslash %5c character in the path.\r\n\r\n**Note:** This security issue impacts Windows users only.\n" + "value": "The package github.com/valyala/fasthttp before 1.34.0 are vulnerable to Directory Traversal via the ServeFile function, due to improper sanitization. It is possible to be exploited by using a backslash %5c character in the path. **Note:** This security issue impacts Windows users only." } ] }, diff --git a/2022/25xxx/CVE-2022-25296.json b/2022/25xxx/CVE-2022-25296.json index a851ae988e1..7739c3dc8a5 100644 --- a/2022/25xxx/CVE-2022-25296.json +++ b/2022/25xxx/CVE-2022-25296.json @@ -48,8 +48,9 @@ "references": { "reference_data": [ { - "refsource": "CONFIRM", - "url": "https://snyk.io/vuln/SNYK-JS-BODYMEN-2342623" + "refsource": "MISC", + "url": "https://snyk.io/vuln/SNYK-JS-BODYMEN-2342623", + "name": "https://snyk.io/vuln/SNYK-JS-BODYMEN-2342623" } ] }, @@ -57,7 +58,7 @@ "description_data": [ { "lang": "eng", - "value": "The package bodymen from 0.0.0 are vulnerable to Prototype Pollution via the handler function which could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.\r\n\r\n**Note:** This vulnerability derives from an incomplete fix to [CVE-2019-10792](https://security.snyk.io/vuln/SNYK-JS-BODYMEN-548897)\r\n\r\n" + "value": "The package bodymen from 0.0.0 are vulnerable to Prototype Pollution via the handler function which could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. **Note:** This vulnerability derives from an incomplete fix to [CVE-2019-10792](https://security.snyk.io/vuln/SNYK-JS-BODYMEN-548897)" } ] }, diff --git a/2022/25xxx/CVE-2022-25352.json b/2022/25xxx/CVE-2022-25352.json index c6a55bd5255..0edfb109d01 100644 --- a/2022/25xxx/CVE-2022-25352.json +++ b/2022/25xxx/CVE-2022-25352.json @@ -48,16 +48,19 @@ "references": { "reference_data": [ { - "refsource": "CONFIRM", - "url": "https://snyk.io/vuln/SNYK-JS-LIBNESTED-2342117" + "refsource": "MISC", + "url": "https://snyk.io/vuln/SNYK-JS-LIBNESTED-2342117", + "name": "https://snyk.io/vuln/SNYK-JS-LIBNESTED-2342117" }, { - "refsource": "CONFIRM", - "url": "https://github.com/dominictarr/libnested/blob/master/index.js%23L22" + "refsource": "MISC", + "url": "https://github.com/dominictarr/libnested/blob/master/index.js%23L22", + "name": "https://github.com/dominictarr/libnested/blob/master/index.js%23L22" }, { - "refsource": "CONFIRM", - "url": "https://github.com/dominictarr/libnested/commit/c1129865d75fbe52b5a4f755ad3110ca5420f2e1" + "refsource": "MISC", + "url": "https://github.com/dominictarr/libnested/commit/c1129865d75fbe52b5a4f755ad3110ca5420f2e1", + "name": "https://github.com/dominictarr/libnested/commit/c1129865d75fbe52b5a4f755ad3110ca5420f2e1" } ] }, @@ -65,7 +68,7 @@ "description_data": [ { "lang": "eng", - "value": "The package libnested before 1.5.2 are vulnerable to Prototype Pollution via the set function in index.js.\r\n\r\n\r\n**Note:** This vulnerability derives from an incomplete fix for [CVE-2020-28283](https://security.snyk.io/vuln/SNYK-JS-LIBNESTED-1054930)\r\n\r\n" + "value": "The package libnested before 1.5.2 are vulnerable to Prototype Pollution via the set function in index.js. **Note:** This vulnerability derives from an incomplete fix for [CVE-2020-28283](https://security.snyk.io/vuln/SNYK-JS-LIBNESTED-1054930)" } ] }, diff --git a/2022/25xxx/CVE-2022-25354.json b/2022/25xxx/CVE-2022-25354.json index 6a009fe3367..ea7b89cd1a9 100644 --- a/2022/25xxx/CVE-2022-25354.json +++ b/2022/25xxx/CVE-2022-25354.json @@ -48,16 +48,19 @@ "references": { "reference_data": [ { - "refsource": "CONFIRM", - "url": "https://snyk.io/vuln/SNYK-JS-SETIN-2388571" + "refsource": "MISC", + "url": "https://snyk.io/vuln/SNYK-JS-SETIN-2388571", + "name": "https://snyk.io/vuln/SNYK-JS-SETIN-2388571" }, { - "refsource": "CONFIRM", - "url": "https://github.com/ahdinosaur/set-in/blob/dfc226d95cce8129de6708661e06e0c2c06f3490/index.js%23L5" + "refsource": "MISC", + "url": "https://github.com/ahdinosaur/set-in/blob/dfc226d95cce8129de6708661e06e0c2c06f3490/index.js%23L5", + "name": "https://github.com/ahdinosaur/set-in/blob/dfc226d95cce8129de6708661e06e0c2c06f3490/index.js%23L5" }, { - "refsource": "CONFIRM", - "url": "https://github.com/ahdinosaur/set-in/commit/6bad255961d379e4b1f5fbc52ef9dc8420816f24" + "refsource": "MISC", + "url": "https://github.com/ahdinosaur/set-in/commit/6bad255961d379e4b1f5fbc52ef9dc8420816f24", + "name": "https://github.com/ahdinosaur/set-in/commit/6bad255961d379e4b1f5fbc52ef9dc8420816f24" } ] }, @@ -65,7 +68,7 @@ "description_data": [ { "lang": "eng", - "value": "The package set-in before 2.0.3 are vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it.\r\n\r\n**Note:** \r\nThis vulnerability derives from an incomplete fix of [CVE-2020-28273](https://security.snyk.io/vuln/SNYK-JS-SETIN-1048049)\r\n\r\n" + "value": "The package set-in before 2.0.3 are vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-28273](https://security.snyk.io/vuln/SNYK-JS-SETIN-1048049)" } ] }, diff --git a/2022/25xxx/CVE-2022-25760.json b/2022/25xxx/CVE-2022-25760.json index 025896ff24a..19a995ee515 100644 --- a/2022/25xxx/CVE-2022-25760.json +++ b/2022/25xxx/CVE-2022-25760.json @@ -48,12 +48,14 @@ "references": { "reference_data": [ { - "refsource": "CONFIRM", - "url": "https://snyk.io/vuln/SNYK-JS-ACCESSLOG-2312099" + "refsource": "MISC", + "url": "https://snyk.io/vuln/SNYK-JS-ACCESSLOG-2312099", + "name": "https://snyk.io/vuln/SNYK-JS-ACCESSLOG-2312099" }, { - "refsource": "CONFIRM", - "url": "https://github.com/carlos8f/node-accesslog/blob/master/lib/compile.js%23L6" + "refsource": "MISC", + "url": "https://github.com/carlos8f/node-accesslog/blob/master/lib/compile.js%23L6", + "name": "https://github.com/carlos8f/node-accesslog/blob/master/lib/compile.js%23L6" } ] }, @@ -61,7 +63,7 @@ "description_data": [ { "lang": "eng", - "value": "All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization.\r\nIf (attacker-controlled) user input is given to the format option of the package's exported constructor function, it is possible for an attacker to execute arbitrary JavaScript code on the host that this package is being run on.\r\n\r\n" + "value": "All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If (attacker-controlled) user input is given to the format option of the package's exported constructor function, it is possible for an attacker to execute arbitrary JavaScript code on the host that this package is being run on." } ] },