diff --git a/2018/3xxx/CVE-2018-3817.json b/2018/3xxx/CVE-2018-3817.json
index 47bc026f33e..f799642d0cb 100644
--- a/2018/3xxx/CVE-2018-3817.json
+++ b/2018/3xxx/CVE-2018-3817.json
@@ -1,60 +1,60 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ASSIGNER": "bressers@elastic.co",
- "ID": "CVE-2018-3817",
- "STATE": "PUBLIC"
- },
- "affects": {
- "vendor": {
- "vendor_data": [
- {
- "vendor_name": "Elastic",
- "product": {
- "product_data": [
- {
- "product_name": "Logstash",
- "version": {
- "version_data": [
- {
- "version_value": "Before 6.1.2 or 5.6.6"
- }
- ]
- }
- }
- ]
- }
- }
- ]
- }
- },
- "problemtype": {
- "problemtype_data": [
- {
- "description": [
+ "CVE_data_meta" : {
+ "ASSIGNER" : "bressers@elastic.co",
+ "ID" : "CVE-2018-3817",
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
 {
- "lang": "eng",
- "value": "CWE-532: Information Exposure Through Log Files"
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "Logstash",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "Before 6.1.2 or 5.6.6"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "Elastic"
 }
- ]
- }
+ ]
+ }
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information."
+ }
 ]
- },
- "references": {
- "reference_data": [
- {
- "url": "https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763"
- }
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "CWE-532: Information Exposure Through Log Files"
+ }
+ ]
+ }
 ]
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "When logging warnings regarding deprecated settings, Logstash could inadvertently log sensitive information"
- }
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "url" : "https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763"
+ }
 ]
- }
+ }
 }
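Review bot: The `version_value` string `"Before 6.1.2 or 5.6.6"` on the new side is still a single free-text range, and it no longer reads the same as the rewritten description, which scopes the issue to "before 5.6.6 and 6.x before 6.1.2". A consumer that matches on `affects` rather than on the prose cannot tell from this string whether later 5.6.x releases are in scope. I would carry one `version_data` entry per release line, e.g. `{ "version_value" : "before 5.6.6" }` and `{ "version_value" : "6.x before 6.1.2" }`, and use `version_affected` if the consuming schema supports it. The same free-text pattern appears in the CVE-2018-3820 hunk (`"after 6.1.0 and before 6.1.3"`, which leaves it unclear whether 6.1.0 itself is affected) and the CVE-2018-3821 hunk.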
diff --git a/2018/3xxx/CVE-2018-3818.json b/2018/3xxx/CVE-2018-3818.json
index 3b1651cbdde..90cd544af02 100644
--- a/2018/3xxx/CVE-2018-3818.json
+++ b/2018/3xxx/CVE-2018-3818.json
@@ -1,60 +1,60 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ASSIGNER": "bressers@elastic.co",
- "ID": "CVE-2018-3818",
- "STATE": "PUBLIC"
- },
- "affects": {
- "vendor": {
- "vendor_data": [
- {
- "vendor_name": "Elastic",
- "product": {
- "product_data": [
- {
- "product_name": "Kibana",
- "version": {
- "version_data": [
- {
- "version_value": "5.1.1 to 6.1.2 and 5.6.6"
- }
- ]
- }
- }
- ]
- }
- }
- ]
- }
- },
- "problemtype": {
- "problemtype_data": [
- {
- "description": [
+ "CVE_data_meta" : {
+ "ASSIGNER" : "bressers@elastic.co",
+ "ID" : "CVE-2018-3818",
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
 {
- "lang": "eng",
- "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "Kibana",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "5.1.1 to 6.1.2 and 5.6.6"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "Elastic"
 }
- ]
- }
+ ]
+ }
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users."
+ }
 ]
- },
- "references": {
- "reference_data": [
- {
- "url": "https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763"
- }
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ }
+ ]
+ }
 ]
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users."
- }
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "url" : "https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763"
+ }
 ]
- }
+ }
 }
diff --git a/2018/3xxx/CVE-2018-3819.json b/2018/3xxx/CVE-2018-3819.json
index 4e805c3e9ab..2a96c346ee6 100644
--- a/2018/3xxx/CVE-2018-3819.json
+++ b/2018/3xxx/CVE-2018-3819.json
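Review bot: In the CVE-2018-3818.json hunk, the range `5.1.1 to 6.1.2 and 5.6.6` in both `version_value` and the description reads as including 6.1.2 and 5.6.6. The only reference is the "6.1.2 and 5.6.6 security update" announcement, which suggests those are the releases that carry the fix. If so, the record marks patched installs as affected and misleads anyone triaging from it. The bounds should be confirmed against the advisory and, if they are the fixed releases, stated as exclusive, e.g. `"version_value" : "5.1.1 and later, before 5.6.6 and 6.1.2"`, with the description updated to match.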
@@ -1,61 +1,60 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ASSIGNER": "bressers@elastic.co",
- "ID": "CVE-2018-3819",
- "STATE": "PUBLIC"
- },
- "affects": {
- "vendor": {
- "vendor_data": [
- {
- "vendor_name": "Elastic",
- "product": {
- "product_data": [
- {
- "product_name": "Kibana",
- "version": {
- "version_data": [
- {
- "version_value": "All versions before 6.1.3 and 5.6.7"
- }
- ]
- }
- }
- ]
- }
- }
- ]
- }
- },
- "problemtype": {
- "problemtype_data": [
- {
- "description": [
+ "CVE_data_meta" : {
+ "ASSIGNER" : "bressers@elastic.co",
+ "ID" : "CVE-2018-3819",
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
 {
- "lang": "eng",
- "value": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "Kibana",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "All versions before 6.1.3 and 5.6.7"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "Elastic"
 }
- ]
- }
+ ]
+ }
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website."
+ }
 ]
- },
- "references": {
- "reference_data": [
- {
- "url": "https://discuss.elastic.co/t/elastic-stack-6-1-3-and-5-6-7-security-update/117683"
- }
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
+ }
+ ]
+ }
 ]
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "The fix in Kibana for ESA-2017-23 was incomplete. 
With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website."
- }
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "url" : "https://discuss.elastic.co/t/elastic-stack-6-1-3-and-5-6-7-security-update/117683"
+ }
 ]
- }
+ }
 }
-
diff --git a/2018/3xxx/CVE-2018-3820.json b/2018/3xxx/CVE-2018-3820.json
index 6e5157414ac..b5008bab76e 100644
--- a/2018/3xxx/CVE-2018-3820.json
+++ b/2018/3xxx/CVE-2018-3820.json
@@ -1,60 +1,60 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ASSIGNER": "bressers@elastic.co",
- "ID": "CVE-2018-3820",
- "STATE": "PUBLIC"
- },
- "affects": {
- "vendor": {
- "vendor_data": [
- {
- "vendor_name": "Elastic",
- "product": {
- "product_data": [
- {
- "product_name": "Kibana",
- "version": {
- "version_data": [
- {
- "version_value": "after 6.1.0 and before 6.1.3"
- }
- ]
- }
- }
- ]
- }
- }
- ]
- }
- },
- "problemtype": {
- "problemtype_data": [
- {
- "description": [
+ "CVE_data_meta" : {
+ "ASSIGNER" : "bressers@elastic.co",
+ "ID" : "CVE-2018-3820",
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
 {
- "lang": "eng",
- "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "Kibana",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "after 6.1.0 and before 6.1.3"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "Elastic"
 }
- ]
- }
+ ]
+ }
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users."
+ }
 ]
- },
- "references": {
- "reference_data": [
- {
- "url": "https://discuss.elastic.co/t/elastic-stack-6-1-3-and-5-6-7-security-update/117683"
- }
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ }
+ ]
+ }
 ]
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users."
- }
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "url" : "https://discuss.elastic.co/t/elastic-stack-6-1-3-and-5-6-7-security-update/117683"
+ }
 ]
- }
+ }
 }
diff --git a/2018/3xxx/CVE-2018-3821.json b/2018/3xxx/CVE-2018-3821.json
index 96d616ef55a..ebb264c536d 100644
--- a/2018/3xxx/CVE-2018-3821.json
+++ b/2018/3xxx/CVE-2018-3821.json
@@ -1,60 +1,60 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ASSIGNER": "bressers@elastic.co",
- "ID": "CVE-2018-3821",
- "STATE": "PUBLIC"
- },
- "affects": {
- "vendor": {
- "vendor_data": [
- {
- "vendor_name": "Elastic",
- "product": {
- "product_data": [
- {
- "product_name": "Kibana",
- "version": {
- "version_data": [
- {
- "version_value": "after 5.1.1 and before 5.6.7 and 6.1.3"
- }
- ]
- }
- }
- ]
- }
- }
- ]
- }
- },
- "problemtype": {
- "problemtype_data": [
- {
- "description": [
+ "CVE_data_meta" : {
+ "ASSIGNER" : "bressers@elastic.co",
+ "ID" : "CVE-2018-3821",
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
 {
- "lang": "eng",
- "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "Kibana",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "after 5.1.1 and before 5.6.7 and 6.1.3"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "Elastic"
 }
- ]
- }
+ ]
+ }
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users."
+ }
 ]
- },
- "references": {
- "reference_data": [
- {
- "url": "https://discuss.elastic.co/t/elastic-stack-6-1-3-and-5-6-7-security-update/117683"
- }
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ }
+ ]
+ }
 ]
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users."
- }
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "url" : "https://discuss.elastic.co/t/elastic-stack-6-1-3-and-5-6-7-security-update/117683"
+ }
 ]
- }
+ }
 }
diff --git a/2018/3xxx/CVE-2018-3822.json b/2018/3xxx/CVE-2018-3822.json
index 455a0e63061..1e6ed89c763 100644
--- a/2018/3xxx/CVE-2018-3822.json
+++ b/2018/3xxx/CVE-2018-3822.json
@@ -1,60 +1,60 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "CVE_data_meta": {
- "ASSIGNER": "bressers@elastic.co",
- "ID": "CVE-2018-3822",
- "STATE": "PUBLIC"
- },
- "affects": {
- "vendor": {
- "vendor_data": [
- {
- "vendor_name": "Elastic",
- "product": {
- "product_data": [
- {
- "product_name": "X-Pack Security",
- "version": {
- "version_data": [
- {
- "version_value": "6.2.0, 6.2.1, and 6.2.2"
- }
- ]
- }
- }
- ]
- }
- }
- ]
- }
- },
- "problemtype": {
- "problemtype_data": [
- {
- "description": [
+ "CVE_data_meta" : {
+ "ASSIGNER" : "bressers@elastic.co",
+ "ID" : "CVE-2018-3822",
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
 {
- "lang": "eng",
- "value": "CWE-287: Improper Authentication"
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "X-Pack Security",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "6.2.0, 6.2.1, and 6.2.2"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "Elastic"
 }
- ]
- }
+ ]
+ }
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "X-Pack Security versions 6.2.0, 6.2.1, and 6.2.2 are vulnerable to a user impersonation attack via incorrect XML canonicalization and DOM traversal. An attacker might have been able to impersonate a legitimate user if the SAML Identity Provider allows for self registration with arbitrary identifiers and the attacker can register an account which an identifier that shares a suffix with a legitimate account. Both of those conditions must be true in order to exploit this flaw."
+ }
 ]
- },
- "references": {
- "reference_data": [
- {
- "url": "https://discuss.elastic.co/t/elastic-stack-6-2-3-security-update/124848"
- }
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "CWE-287: Improper Authentication"
+ }
+ ]
+ }
 ]
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "X-Pack Security versions 6.2.0, 6.2.1, and 6.2.2 are vulnerable to a user impersonation attack via incorrect XML canonicalization and DOM traversal. An attacker might have been able to impersonate a legitimate user if the SAML Identity Provider allows for self registration with arbitrary identifiers and the attacker can register an account which an identifier that shares a suffix with a legitimate account. Both of those conditions must be true in order to exploit this flaw."
- }
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "url" : "https://discuss.elastic.co/t/elastic-stack-6-2-3-security-update/124848"
+ }
 ]
- }
+ }
 }
diff --git a/2018/9xxx/CVE-2018-9152.json b/2018/9xxx/CVE-2018-9152.json
new file mode 100644
index 00000000000..612795227f8
--- /dev/null
+++ b/2018/9xxx/CVE-2018-9152.json
@@ -0,0 +1,18 @@
+{
+ "CVE_data_meta" : {
+ "ASSIGNER" : "cve@mitre.org",
+ "ID" : "CVE-2018-9152",
+ "STATE" : "RESERVED"
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
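Review bot: In the CVE-2018-3822.json hunk, the description on the new side still reads `register an account which an identifier`, which should be `register an account with an identifier`. That sentence states one of the two preconditions for the SAML impersonation, so the wording matters to anyone assessing whether their Identity Provider setup is exposed. The commit only reorders keys in this record, so the fix is a one-word change inside the `value` string.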