From 0d9831b73454ad2879259462350056db524a29a9 Mon Sep 17 00:00:00 2001
From: CVE Team
Date: Mon, 21 Nov 2022 19:00:35 +0000
Subject: [PATCH] "-Synchronized-Data."
---
 2019/20xxx/CVE-2019-20417.json | 2 +-
 2022/2xxx/CVE-2022-2154.json | 6 +-
 2022/3xxx/CVE-2022-3388.json | 127 +++++++++++++++++++++++++++++++--
 2022/40xxx/CVE-2022-40157.json | 60 ++--------------
 2022/40xxx/CVE-2022-40158.json | 60 ++--------------
 2022/40xxx/CVE-2022-40161.json | 60 ++--------------
 2022/41xxx/CVE-2022-41852.json | 60 ++--------------
 2022/4xxx/CVE-2022-4104.json | 18 +++++
 8 files changed, 161 insertions(+), 232 deletions(-)
 create mode 100644 2022/4xxx/CVE-2022-4104.json
diff --git a/2019/20xxx/CVE-2019-20417.json b/2019/20xxx/CVE-2019-20417.json
index eb27a6a0f67..87e5fa8c596 100644
--- a/2019/20xxx/CVE-2019-20417.json
+++ b/2019/20xxx/CVE-2019-20417.json
@@ -11,7 +11,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "NOTE: This candidate is a duplicate of CVE-2019-15011. All CVE users should reference CVE-2019-15011 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage."
+ "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-15011. Reason: This candidate is a reservation duplicate of CVE-2019-15011. Notes: All CVE users should reference CVE-2019-15011 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage."
 }
 ]
 }
diff --git a/2022/2xxx/CVE-2022-2154.json b/2022/2xxx/CVE-2022-2154.json
index df69da36b18..ed0aa48764e 100644
--- a/2022/2xxx/CVE-2022-2154.json
+++ b/2022/2xxx/CVE-2022-2154.json
@@ -1,17 +1,17 @@
 {
- "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
+ "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2022-2154",
- "ASSIGNER": "cert@cert.org",
+ "ASSIGNER": "cve@mitre.org",
 "STATE": "REJECT"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "Duplicate to Intel's CVE-2022-34345. It is also identified by Intel as INTEL-SA-00712, Binarly as BRLY-2022-015."
+ "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2022-34345. Reason: This candidate is a reservation duplicate of CVE-2022-34345. Notes: All CVE users should reference CVE-2022-34345 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage."
 }
 ]
 }
diff --git a/2022/3xxx/CVE-2022-3388.json b/2022/3xxx/CVE-2022-3388.json
index 912d3f8b212..adae693cbd5 100644
--- a/2022/3xxx/CVE-2022-3388.json
+++ b/2022/3xxx/CVE-2022-3388.json
@@ -1,17 +1,136 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-3388", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cybersecurity@hitachienergy.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Improper Input Validation vulnerability in Hitachi Energy MicroSCADA Pro SYS600 (Monitor Pro modules), Hitachi Energy MicroSCADA X SYS600 (Monitor Pro modules) allows File Content Injection." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-20 Improper Input Validation", + "cweId": "CWE-20" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Hitachi Energy", + "product": { + "product_data": [ + { + "product_name": "MicroSCADA Pro SYS600", + "version": { + "version_data": [ + { + "version_value": "9.0", + "version_affected": "=" + } + ] + } + }, + { + "product_name": "MicroSCADA X SYS600", + "version": { + "version_data": [ + { + "version_value": "10.0", + "version_affected": "=" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000123&LanguageCode=en&DocumentPartId=&Action=Launch&elqaid=4293&elqat=1", + "refsource": "MISC", + "name": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000123&LanguageCode=en&DocumentPartId=&Action=Launch&elqaid=4293&elqat=1" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.1.0-dev" + }, + "source": { + "advisory": "8DBD000123", + "discovery": "INTERNAL" + }, + "work_around": [ + { + "lang": "en", + "supportingMedia": [ + { + 
"base64": false, + "type": "text/html", + "value": "\n\nRecommended security practices and firewall configurations can help protect a process control network from\nattacks that originate from outside the network. Such practices include that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and\nare separated from other networks by means of a firewall system that has a minimal number of ports exposed,\nand others that have to be evaluated case by case. Process control systems should not be used for Internet\nsurfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system. Proper password policies and processes should be followed.\nWe recommend following the cybersecurity deployment guideline as follows: 1MRK511518 MicroSCADA X\nCyber Security Deployment Guideline.\n\n
" + } + ], + "value": "\nRecommended security practices and firewall configurations can help protect a process control network from\nattacks that originate from outside the network. Such practices include that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and\nare separated from other networks by means of a firewall system that has a minimal number of ports exposed,\nand others that have to be evaluated case by case. Process control systems should not be used for Internet\nsurfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be\u00a0carefully scanned for viruses before they are connected to a control system. Proper password policies and processes should be followed.\nWe recommend following the cybersecurity deployment guideline as follows: 1MRK511518 MicroSCADA X\nCyber Security Deployment Guideline.\n\n\n" + } + ], + "solution": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "For SYS600 9.x: update to at SYS600 version SYS600 9.4 FP2 Hotfix 5 when it is released or upgrade to at least SYS600 version 10.4.1.
\n\nA requirement to install SYS600 9.4 FP2 Hotfix 5 is to have at least\nthe SYS600 9.4 FP2 Hotfix 4 installed.

\n\nCPE: 
cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.0:*:*:*:*:*:*:*
\n\ncpe:2.3:a:hitachienergy:microscada_pro_sys600:9.1:*:*:*:*:*:*:*\n\n
\n\ncpe:2.3:a:hitachienergy:microscada_pro_sys600:9.2:*:*:*:*:*:*:*\n\n
\n\ncpe:2.3:a:hitachienergy:microscada_pro_sys600:9.3:*:*:*:*:*:*:*\n\n
\n\ncpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:*:*:*:*:*:*:*\n\n

" + } + ], + "value": "For SYS600 9.x: update to at SYS600 version SYS600 9.4 FP2\u00a0Hotfix 5 when it is released or upgrade to at least SYS600 version 10.4.1.\n\n\nA requirement to install SYS600 9.4 FP2 Hotfix 5 is to have at least\nthe SYS600 9.4 FP2 Hotfix 4 installed.\n\n \n\nCPE:\u00a0\ncpe:2.3:a:hitachienergy:microscada_pro_sys600:9.0:*:*:*:*:*:*:*\n\n\ncpe:2.3:a:hitachienergy:microscada_pro_sys600:9.1:*:*:*:*:*:*:*\n\n\n\n\ncpe:2.3:a:hitachienergy:microscada_pro_sys600:9.2:*:*:*:*:*:*:*\n\n\n\n\ncpe:2.3:a:hitachienergy:microscada_pro_sys600:9.3:*:*:*:*:*:*:*\n\n\n\n\ncpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:*:*:*:*:*:*:*\n\n\n\n" + }, + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "\n\nFor SYS600 10.x update to at least SYS600 version 10.4.1\nOr apply general mitigation factors.

\n\n\nCPE: 
cpe:2.3:a:hitachienergy:microscada_x_sys600:10:*:*:*:*:*:*:*
cpe:2.3:a:hitachienergy:microscada_x_sys600:10.1:*:*:*:*:*:*:*
cpe:2.3:a:hitachienergy:microscada_x_sys600:10.1.1:*:*:*:*:*:*:*
cpe:2.3:a:hitachienergy:microscada_x_sys600:10.2:*:*:*:*:*:*:*
cpe:2.3:a:hitachienergy:microscada_x_sys600:10.2.1:*:*:*:*:*:*:*
cpe:2.3:a:hitachienergy:microscada_x_sys600:10.3:*:*:*:*:*:*:*
cpe:2.3:a:hitachienergy:microscada_x_sys600:10.3.1:*:*:*:*:*:*:*
cpe:2.3:a:hitachienergy:microscada_x_sys600:10.4:*:*:*:*:*:*:*

" + } + ], + "value": "\nFor SYS600 10.x update to at least SYS600 version 10.4.1\nOr apply general mitigation factors.\n\n\n\n\nCPE:\u00a0\ncpe:2.3:a:hitachienergy:microscada_x_sys600:10:*:*:*:*:*:*:*\ncpe:2.3:a:hitachienergy:microscada_x_sys600:10.1:*:*:*:*:*:*:*\ncpe:2.3:a:hitachienergy:microscada_x_sys600:10.1.1:*:*:*:*:*:*:*\ncpe:2.3:a:hitachienergy:microscada_x_sys600:10.2:*:*:*:*:*:*:*\ncpe:2.3:a:hitachienergy:microscada_x_sys600:10.2.1:*:*:*:*:*:*:*\ncpe:2.3:a:hitachienergy:microscada_x_sys600:10.3:*:*:*:*:*:*:*\ncpe:2.3:a:hitachienergy:microscada_x_sys600:10.3.1:*:*:*:*:*:*:*\ncpe:2.3:a:hitachienergy:microscada_x_sys600:10.4:*:*:*:*:*:*:*\n\n" + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", + "version": "3.1" } ] } diff --git a/2022/40xxx/CVE-2022-40157.json b/2022/40xxx/CVE-2022-40157.json index bd3f53b5e6f..a88860e0668 100644 --- a/2022/40xxx/CVE-2022-40157.json +++ b/2022/40xxx/CVE-2022-40157.json 
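Review bot: In the CVE-2022-3388 record the structured `affects` data understates the affected range: `version_data` holds only `"version_value": "9.0"` and `"version_value": "10.0"`, each with `"version_affected": "="`, while the `solution` text in the same hunk lists CPEs for 9.0 through 9.4 and 10 through 10.4 and names 10.4.1 as the fixed release. Tooling that matches on `version_data` rather than the free text would report 9.1–9.4 and 10.1–10.4 installations as unaffected; a range entry such as `"version_value": "10.4.1", "version_affected": "<"` for MicroSCADA X (and the equivalent bound for the 9.x line) would close that gap, assuming it agrees with the vendor advisory. The 9.x remediation is worded as `update to at SYS600 version SYS600 9.4 FP2 Hotfix 5 when it is released`, so until that hotfix ships the `work_around` entry is the only mitigation the record offers for 9.x, which is worth stating explicitly. Separately, `work_around` and `solution` use `"lang": "en"` where `description_data` uses `"lang": "eng"`.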
@@ -1,70 +1,18 @@
 {
- "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
+ "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2022-40157",
- "ASSIGNER": "security@apache.org",
- "STATE": "PUBLIC"
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "REJECT"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** DISPUTED ** This record was originally reported by the oss-fuzz project who failed to consider the security context in which JXPath is intended to be used and failed to contact the JXPath maintainers prior to requesting the CVE allocation. The CVE was then allocated by Google in breach of the CNA rules. After review by the JXPath maintainers, the original report was found to be invalid."
+ "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none."
 }
 ]
- },
- "problemtype": {
- "problemtype_data": [
- {
- "description": [
- {
- "lang": "eng",
- "value": "CWE-121 Stack-based Buffer Overflow",
- "cweId": "CWE-121"
- }
- ]
- }
- ]
- },
- "affects": {
- "vendor": {
- "vendor_data": [
- {
- "vendor_name": "jxpath",
- "product": {
- "product_data": [
- {
- "product_name": "jxpath",
- "version": {
- "version_data": [
- {
- "version_value": "unspecified",
- "version_affected": "="
- }
- ]
- }
- }
- ]
- }
- }
- ]
- }
- },
- "references": {
- "reference_data": [
- {
- "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47061",
- "refsource": "MISC",
- "name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47061"
- }
- ]
- },
- "generator": {
- "engine": "Vulnogram 0.0.9"
- },
- "source": {
- "discovery": "INTERNAL"
 }
 }
\ No newline at end of file
diff --git a/2022/40xxx/CVE-2022-40158.json b/2022/40xxx/CVE-2022-40158.json
index 08f7f1f7203..a14796d1f91 100644
--- a/2022/40xxx/CVE-2022-40158.json
+++ b/2022/40xxx/CVE-2022-40158.json
@@ -1,70 +1,18 @@
 {
- "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
+ "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2022-40158",
- "ASSIGNER": "security@apache.org",
- "STATE": "PUBLIC"
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "REJECT"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** DISPUTED ** This record was originally reported by the oss-fuzz project who failed to consider the security context in which JXPath is intended to be used and failed to contact the JXPath maintainers prior to requesting the CVE allocation. The CVE was then allocated by Google in breach of the CNA rules. After review by the JXPath maintainers, the original report was found to be invalid."
+ "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none."
 }
 ]
- },
- "problemtype": {
- "problemtype_data": [
- {
- "description": [
- {
- "lang": "eng",
- "value": "CWE-121 Stack-based Buffer Overflow",
- "cweId": "CWE-121"
- }
- ]
- }
- ]
- },
- "affects": {
- "vendor": {
- "vendor_data": [
- {
- "vendor_name": "jxpath",
- "product": {
- "product_data": [
- {
- "product_name": "jxpath",
- "version": {
- "version_data": [
- {
- "version_value": "unspecified",
- "version_affected": "="
- }
- ]
- }
- }
- ]
- }
- }
- ]
- }
- },
- "references": {
- "reference_data": [
- {
- "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47058",
- "refsource": "MISC",
- "name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47058"
- }
- ]
- },
- "generator": {
- "engine": "Vulnogram 0.0.9"
- },
- "source": {
- "discovery": "INTERNAL"
 }
 }
\ No newline at end of file
diff --git a/2022/40xxx/CVE-2022-40161.json b/2022/40xxx/CVE-2022-40161.json
index d3f063a23ba..e43353c844d 100644
--- a/2022/40xxx/CVE-2022-40161.json
+++ b/2022/40xxx/CVE-2022-40161.json
@@ -1,70 +1,18 @@
 {
- "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
+ "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2022-40161",
- "ASSIGNER": "security@apache.org",
- "STATE": "PUBLIC"
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "REJECT"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** DISPUTED ** This record was originally reported by the oss-fuzz project who failed to consider the security context in which JXPath is intended to be used and failed to contact the JXPath maintainers prior to requesting the CVE allocation. The CVE was then allocated by Google in breach of the CNA rules. After review by the JXPath maintainers, the original report was found to be invalid."
+ "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none."
 }
 ]
- },
- "problemtype": {
- "problemtype_data": [
- {
- "description": [
- {
- "lang": "eng",
- "value": "CWE-121 Stack-based Buffer Overflow",
- "cweId": "CWE-121"
- }
- ]
- }
- ]
- },
- "affects": {
- "vendor": {
- "vendor_data": [
- {
- "vendor_name": "jxpath",
- "product": {
- "product_data": [
- {
- "product_name": "jxpath",
- "version": {
- "version_data": [
- {
- "version_value": "unspecified",
- "version_affected": "="
- }
- ]
- }
- }
- ]
- }
- }
- ]
- }
- },
- "references": {
- "reference_data": [
- {
- "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47097",
- "refsource": "MISC",
- "name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47097"
- }
- ]
- },
- "generator": {
- "engine": "Vulnogram 0.0.9"
- },
- "source": {
- "discovery": "INTERNAL"
 }
 }
\ No newline at end of file
diff --git a/2022/41xxx/CVE-2022-41852.json b/2022/41xxx/CVE-2022-41852.json
index c07e6a96dd5..0ede2b3623c 100644
--- a/2022/41xxx/CVE-2022-41852.json
+++ b/2022/41xxx/CVE-2022-41852.json
@@ -1,70 +1,18 @@
 {
- "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
+ "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2022-41852",
- "ASSIGNER": "security@apache.org",
- "STATE": "PUBLIC"
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "REJECT"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** DISPUTED ** This record was originally reported by the oss-fuzz project who failed to consider the security context in which JXPath is intended to be used and failed to contact the JXPath maintainers prior to requesting the CVE allocation. The CVE was then allocated by Google in breach of the CNA rules. After review by the JXPath maintainers, the original report was found to be invalid."
+ "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none."
 }
 ]
- },
- "problemtype": {
- "problemtype_data": [
- {
- "description": [
- {
- "lang": "eng",
- "value": "CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')",
- "cweId": "CWE-470"
- }
- ]
- }
- ]
- },
- "affects": {
- "vendor": {
- "vendor_data": [
- {
- "vendor_name": "jxpath",
- "product": {
- "product_data": [
- {
- "product_name": "jxpath",
- "version": {
- "version_data": [
- {
- "version_value": "unspecified",
- "version_affected": "="
- }
- ]
- }
- }
- ]
- }
- }
- ]
- }
- },
- "references": {
- "reference_data": [
- {
- "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47133",
- "refsource": "MISC",
- "name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47133"
- }
- ]
- },
- "generator": {
- "engine": "Vulnogram 0.0.9"
- },
- "source": {
- "discovery": "INTERNAL"
 }
 }
\ No newline at end of file
diff --git a/2022/4xxx/CVE-2022-4104.json b/2022/4xxx/CVE-2022-4104.json
new file mode 100644
index 00000000000..c0bf0c34d11
--- /dev/null
+++ b/2022/4xxx/CVE-2022-4104.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2022-4104",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file