diff --git a/2019/10xxx/CVE-2019-10086.json b/2019/10xxx/CVE-2019-10086.json index 73b8b864fd0..eba640c5add 100644 --- a/2019/10xxx/CVE-2019-10086.json +++ b/2019/10xxx/CVE-2019-10086.json @@ -268,6 +268,11 @@ "refsource": "MLIST", "name": "[nifi-issues] 20210827 [jira] [Created] (NIFI-9170) Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086", "url": "https://lists.apache.org/thread.html/rec74f3a94dd850259c730b4ba6f7b6211222b58900ec088754aa0534@%3Cissues.nifi.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[nifi-issues] 20210907 [GitHub] [nifi] MikeThomsen commented on pull request #5351: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086", + "url": "https://lists.apache.org/thread.html/r2d5f1d88c39bd615271abda63964a0bee9b2b57fef1f84cb4c43032e@%3Cissues.nifi.apache.org%3E" } ] }, diff --git a/2019/18xxx/CVE-2019-18351.json b/2019/18xxx/CVE-2019-18351.json index c6e810fd5d2..2ea9ba1afce 100644 --- a/2019/18xxx/CVE-2019-18351.json +++ b/2019/18xxx/CVE-2019-18351.json @@ -1,66 +1,17 @@ { - "CVE_data_meta": { - "ASSIGNER": "cve@mitre.org", - "ID": "CVE-2019-18351", - "STATE": "PUBLIC" - }, - "affects": { - "vendor": { - "vendor_data": [ - { - "product": { - "product_data": [ - { - "product_name": "n/a", - "version": { - "version_data": [ - { - "version_value": "n/a" - } - ] - } - } - ] - }, - "vendor_name": "n/a" - } - ] - } - }, - "data_format": "MITRE", "data_type": "CVE", + "data_format": "MITRE", "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2019-18351", + "ASSIGNER": "cve@mitre.org", + "STATE": "REJECT" + }, "description": { "description_data": [ { "lang": "eng", - "value": "An issue was discovered in channels/chan_sip.c in Sangoma Asterisk through 13.29.1, through 16.6.1, and through 17.0.0; and Certified Asterisk through 13.21-cert4. A SIP request can be sent to Asterisk that can change a SIP peer's IP address. A REGISTER does not need to occur, and calls can be hijacked as a result. The only thing that needs to be known is the peer's name; authentication details such as passwords do not need to be known. This vulnerability is only exploitable when the nat option is set to the default, or auto_force_rport." - } - ] - }, - "problemtype": { - "problemtype_data": [ - { - "description": [ - { - "lang": "eng", - "value": "n/a" - } - ] - } - ] - }, - "references": { - "reference_data": [ - { - "url": "https://www.asterisk.org/downloads/security-advisories", - "refsource": "MISC", - "name": "https://www.asterisk.org/downloads/security-advisories" - }, - { - "refsource": "MISC", - "name": "http://downloads.asterisk.org/pub/security/AST-2019-006.html", - "url": "http://downloads.asterisk.org/pub/security/AST-2019-006.html" + "value": "DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-18790. Reason: This candidate is a duplicate of CVE-2019-18790. Notes: All CVE users should reference CVE-2019-18790 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage." } ] } diff --git a/2019/18xxx/CVE-2019-18790.json b/2019/18xxx/CVE-2019-18790.json index fc330150747..bef41e4f86b 100644 --- a/2019/18xxx/CVE-2019-18790.json +++ b/2019/18xxx/CVE-2019-18790.json @@ -34,7 +34,7 @@ "description_data": [ { "lang": "eng", - "value": "An issue was discovered in channels/chan_sip.c in Sangoma Asterisk 13.x, 16.x, and 17.x, and Certified Asterisk 13.21, because of an incomplete fix for CVE-2019-18351. A SIP request can be sent to Asterisk that can change a SIP peer's IP address. A REGISTER does not need to occur, and calls can be hijacked as a result. The only thing that needs to be known is the peer's name; authentication details such as passwords do not need to be known. This vulnerability is only exploitable when the nat option is set to the default, or auto_force_rport." + "value": "An issue was discovered in channels/chan_sip.c in Sangoma Asterisk 13.x before 13.29.2, 16.x before 16.6.2, and 17.x before 17.0.1, and Certified Asterisk 13.21 before cert5. A SIP request can be sent to Asterisk that can change a SIP peer's IP address. A REGISTER does not need to occur, and calls can be hijacked as a result. The only thing that needs to be known is the peer's name; authentication details such as passwords do not need to be known. This vulnerability is only exploitable when the nat option is set to the default, or auto_force_rport." } ] }, diff --git a/2020/13xxx/CVE-2020-13529.json b/2020/13xxx/CVE-2020-13529.json index fa5c9bbc48d..70f721ddf8b 100644 --- a/2020/13xxx/CVE-2020-13529.json +++ b/2020/13xxx/CVE-2020-13529.json @@ -73,6 +73,11 @@ "refsource": "MLIST", "name": "[oss-security] 20210817 Re: Pop!_OS Membership to linux-distros list", "url": "http://www.openwall.com/lists/oss-security/2021/08/17/3" + }, + { + "refsource": "MLIST", + "name": "[oss-security] 20210907 Re: Pop!_OS Membership to linux-distros list", + "url": "http://www.openwall.com/lists/oss-security/2021/09/07/3" } ] }, diff --git a/2021/32xxx/CVE-2021-32782.json b/2021/32xxx/CVE-2021-32782.json index 127ec1691e9..a9c4a1f849a 100644 --- a/2021/32xxx/CVE-2021-32782.json +++ b/2021/32xxx/CVE-2021-32782.json @@ -41,7 +41,7 @@ "description_data": [ { "lang": "eng", - "value": "Nextcloud Circles is an open source social network built for the nextcloud ecosystem. In affected versions the Nextcloud Circles application is vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. Due the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Circles application is upgraded to 0.21.3, 0.20.10 or 0.19.14 to resolve this issue. As a workaround users may use a browser that has support for Content-Security-Policy. A notable exemption is Internet Explorer which does not support CSP properly.\n" + "value": "Nextcloud Circles is an open source social network built for the nextcloud ecosystem. In affected versions the Nextcloud Circles application is vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. Due the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Circles application is upgraded to 0.21.3, 0.20.10 or 0.19.14 to resolve this issue. As a workaround users may use a browser that has support for Content-Security-Policy. A notable exemption is Internet Explorer which does not support CSP properly." } ] }, diff --git a/2021/33xxx/CVE-2021-33910.json b/2021/33xxx/CVE-2021-33910.json index ea68dc34282..fdc8902575f 100644 --- a/2021/33xxx/CVE-2021-33910.json +++ b/2021/33xxx/CVE-2021-33910.json @@ -121,6 +121,11 @@ "refsource": "MLIST", "name": "[oss-security] 20210817 Re: Pop!_OS Membership to linux-distros list", "url": "http://www.openwall.com/lists/oss-security/2021/08/17/3" + }, + { + "refsource": "MLIST", + "name": "[oss-security] 20210907 Re: Pop!_OS Membership to linux-distros list", + "url": "http://www.openwall.com/lists/oss-security/2021/09/07/3" } ] } diff --git a/2021/37xxx/CVE-2021-37628.json b/2021/37xxx/CVE-2021-37628.json index 99896a1492a..2326f25ae3e 100644 --- a/2021/37xxx/CVE-2021-37628.json +++ b/2021/37xxx/CVE-2021-37628.json @@ -38,7 +38,7 @@ "description_data": [ { "lang": "eng", - "value": " Nextcloud Richdocuments is an open source collaborative office suite. In affected versions the File Drop features (\"Upload Only\" public link shares in Nextcloud) can be bypassed using the Nextcloud Richdocuments app. An attacker was able to read arbitrary files in such a share. It is recommended that the Nextcloud Richdocuments is upgraded to 3.8.4 or 4.2.1. If upgrading is not possible then it is recommended to disable the Richdocuments application.\n" + "value": "Nextcloud Richdocuments is an open source collaborative office suite. In affected versions the File Drop features (\"Upload Only\" public link shares in Nextcloud) can be bypassed using the Nextcloud Richdocuments app. An attacker was able to read arbitrary files in such a share. It is recommended that the Nextcloud Richdocuments is upgraded to 3.8.4 or 4.2.1. If upgrading is not possible then it is recommended to disable the Richdocuments application." } ] }, diff --git a/2021/37xxx/CVE-2021-37629.json b/2021/37xxx/CVE-2021-37629.json index 23ca032a50e..c2ea43005de 100644 --- a/2021/37xxx/CVE-2021-37629.json +++ b/2021/37xxx/CVE-2021-37629.json @@ -38,7 +38,7 @@ "description_data": [ { "lang": "eng", - "value": " Nextcloud Richdocuments is an open source collaborative office suite. In affected versions there is a lack of rate limiting on the Richdocuments OCS endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. It is recommended that the Nextcloud Richdocuments app is upgraded to either 3.8.4 or 4.2.1 to resolve. For users unable to upgrade it is recommended that the Richdocuments application be disabled.\n" + "value": "Nextcloud Richdocuments is an open source collaborative office suite. In affected versions there is a lack of rate limiting on the Richdocuments OCS endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. It is recommended that the Nextcloud Richdocuments app is upgraded to either 3.8.4 or 4.2.1 to resolve. For users unable to upgrade it is recommended that the Richdocuments application be disabled." } ] }, diff --git a/2021/39xxx/CVE-2021-39500.json b/2021/39xxx/CVE-2021-39500.json index af1282d8915..ff2bcb3323b 100644 --- a/2021/39xxx/CVE-2021-39500.json +++ b/2021/39xxx/CVE-2021-39500.json @@ -1,17 +1,66 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2021-39500", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2021-39500", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Eyoucms 1.5.4 is vulnerable to Directory Traversal. Due to a lack of input data sanitizaton in param tpldir, filename, type, nid an attacker can inject \"../\" to escape and write file to writeable directories." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/eyoucms/eyoucms/releases/tag/v1.5.4", + "refsource": "MISC", + "name": "https://github.com/eyoucms/eyoucms/releases/tag/v1.5.4" + }, + { + "refsource": "MISC", + "name": "https://github.com/KietNA-HPT/CVE", + "url": "https://github.com/KietNA-HPT/CVE" } ] } diff --git a/2021/39xxx/CVE-2021-39501.json b/2021/39xxx/CVE-2021-39501.json index 99313fb93bd..dfde1fd2c31 100644 --- a/2021/39xxx/CVE-2021-39501.json +++ b/2021/39xxx/CVE-2021-39501.json @@ -1,17 +1,66 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2021-39501", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2021-39501", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "EyouCMS 1.5.4 is vulnerable to Open Redirect. An attacker can redirect a user to a malicious url via the Logout function." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/eyoucms/eyoucms/issues/17", + "refsource": "MISC", + "name": "https://github.com/eyoucms/eyoucms/issues/17" + }, + { + "refsource": "MISC", + "name": "https://github.com/KietNA-HPT/CVE", + "url": "https://github.com/KietNA-HPT/CVE" } ] }