Auto-merge PR#5213

2025-08-04 08:44:25 +00:00 · 2022-04-19 15:45:19 -04:00 · 2022-04-19 15:45:19 -04:00 · 14aecf1ca5
commit 14aecf1ca5
parent a4fd08273d 0975586b2d
1 changed files with 77 additions and 7 deletions
--- a/2022/24xxx/CVE-2022-24825.json
+++ b/2022/24xxx/CVE-2022-24825.json
@ -1,18 +1,88 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
    "CVE_data_meta": {
+        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-24825",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "STATE": "PUBLIC",
+        "TITLE": "Smokescreen SSRF via deny list bypass"
    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "smokescreen",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_value": "< 0.0.3"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "stripe"
+                }
+            ]
+        }
+    },
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "Smokescreen is a simple HTTP proxy that fogs over naughty URLs. The primary use case for Smokescreen is to prevent server-side request forgery (SSRF) attacks in which external attackers leverage the behavior of applications to connect to or scan internal infrastructure. Smokescreen also offers an option to deny access to additional (e.g., external) URLs by way of a deny list. There was an issue in Smokescreen that made it possible to bypass the deny list feature by appending a dot to the end of user-supplied URLs, or by providing input in a different letter case. Recommended to upgrade Smokescreen to version 0.0.3 or later."
            }
        ]
+    },
+    "impact": {
+        "cvss": {
+            "attackComplexity": "LOW",
+            "attackVector": "NETWORK",
+            "availabilityImpact": "NONE",
+            "baseScore": 5.8,
+            "baseSeverity": "MEDIUM",
+            "confidentialityImpact": "LOW",
+            "integrityImpact": "NONE",
+            "privilegesRequired": "NONE",
+            "scope": "CHANGED",
+            "userInteraction": "NONE",
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
+            "version": "3.1"
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-918: Server-Side Request Forgery (SSRF)"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "name": "https://github.com/stripe/smokescreen/security/advisories/GHSA-gcj7-j438-hjj2",
+                "refsource": "CONFIRM",
+                "url": "https://github.com/stripe/smokescreen/security/advisories/GHSA-gcj7-j438-hjj2"
+            },
+            {
+                "name": "https://github.com/stripe/smokescreen",
+                "refsource": "MISC",
+                "url": "https://github.com/stripe/smokescreen"
+            }
+        ]
+    },
+    "source": {
+        "advisory": "GHSA-gcj7-j438-hjj2",
+        "discovery": "UNKNOWN"
    }
-}
+}