From 17cfea04ec020da0ff509e1ee2157b52c27dddf3 Mon Sep 17 00:00:00 2001
From: CVE Team
Date: Tue, 19 Nov 2024 16:00:31 +0000
Subject: [PATCH] "-Synchronized-Data."
---
 2020/11xxx/CVE-2020-11001.json | 131 ++++++++++++++++---------
 2020/11xxx/CVE-2020-11037.json | 138 ++++++++++++++++++++-------
 2024/11xxx/CVE-2024-11422.json | 18 +++++
 2024/11xxx/CVE-2024-11423.json | 18 +++++
 2024/11xxx/CVE-2024-11424.json | 18 +++++
 2024/11xxx/CVE-2024-11425.json | 18 +++++
 2024/11xxx/CVE-2024-11426.json | 18 +++++
 2024/11xxx/CVE-2024-11427.json | 18 +++++
 2024/11xxx/CVE-2024-11428.json | 18 +++++
 2024/11xxx/CVE-2024-11429.json | 18 +++++
 2024/11xxx/CVE-2024-11430.json | 18 +++++
 2024/11xxx/CVE-2024-11431.json | 18 +++++
 2024/11xxx/CVE-2024-11432.json | 18 +++++
 2024/11xxx/CVE-2024-11433.json | 18 +++++
 2024/11xxx/CVE-2024-11434.json | 18 +++++
 2024/52xxx/CVE-2024-52582.json | 86 +++++++++++++++++++-
 16 files changed, 466 insertions(+), 123 deletions(-)
 create mode 100644 2024/11xxx/CVE-2024-11422.json
 create mode 100644 2024/11xxx/CVE-2024-11423.json
 create mode 100644 2024/11xxx/CVE-2024-11424.json
 create mode 100644 2024/11xxx/CVE-2024-11425.json
 create mode 100644 2024/11xxx/CVE-2024-11426.json
 create mode 100644 2024/11xxx/CVE-2024-11427.json
 create mode 100644 2024/11xxx/CVE-2024-11428.json
 create mode 100644 2024/11xxx/CVE-2024-11429.json
 create mode 100644 2024/11xxx/CVE-2024-11430.json
 create mode 100644 2024/11xxx/CVE-2024-11431.json
 create mode 100644 2024/11xxx/CVE-2024-11432.json
 create mode 100644 2024/11xxx/CVE-2024-11433.json
 create mode 100644 2024/11xxx/CVE-2024-11434.json
diff --git a/2020/11xxx/CVE-2020-11001.json b/2020/11xxx/CVE-2020-11001.json
index 41b78f3404e..ddbed52081c 100644
--- a/2020/11xxx/CVE-2020-11001.json
+++ b/2020/11xxx/CVE-2020-11001.json
@@ -1,96 +1,99 @@
 {
- "CVE_data_meta": {
- "ASSIGNER": "security-advisories@github.com",
- "ID": "CVE-2020-11001",
- "STATE": "PUBLIC",
- "TITLE": "Possible XSS attack in Wagtail"
- },
- "affects": {
- "vendor": {
- "vendor_data": [
- {
- "product": {
- "product_data": [
- {
- "product_name": "wagtail",
- "version": {
- "version_data": [
- {
- "version_value": ">=1.9.0, < 2.7.2"
- },
- {
- "version_value": ">= 2.8.0, < 2.8.1"
- }
- ]
- }
- }
- ]
- },
- "vendor_name": "wagtail"
- }
- ]
- }
- },
- "data_format": "MITRE",
- "data_type": "CVE",
 "data_version": "4.0",
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "CVE_data_meta": {
+ "ID": "CVE-2020-11001",
+ "ASSIGNER": "security-advisories@github.com",
+ "STATE": "PUBLIC"
+ },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 2.7.2 (for the LTS 2.7 branch) and Wagtail 2.8.1 (for the current 2.8 branch)."
+ "value": "In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision\ncomparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail\nadmin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform\nactions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to\nthe Wagtail admin.\n\nPatched versions have been released as Wagtail 2.7.2 (for the LTS 2.7 branch) and Wagtail 2.8.1 (for the current 2.8 branch)."
 }
 ]
 },
- "impact": {
- "cvss": {
- "attackComplexity": "HIGH",
- "attackVector": "NETWORK",
- "availabilityImpact": "NONE",
- "baseScore": 5.8,
- "baseSeverity": "MEDIUM",
- "confidentialityImpact": "HIGH",
- "integrityImpact": "NONE",
- "privilegesRequired": "LOW",
- "scope": "CHANGED",
- "userInteraction": "REQUIRED",
- "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
- "version": "3.1"
- }
- },
 "problemtype": {
 "problemtype_data": [
 {
 "description": [
 {
 "lang": "eng",
- "value": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
+ "value": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
+ "cweId": "CWE-80"
+ }
+ ]
+ },
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
+ "cweId": "CWE-79"
 }
 ]
 }
 ]
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "wagtail",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "wagtail",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "< 2.7.2"
+ },
+ {
+ "version_affected": "=",
+ "version_value": ">= 2.8.0, < 2.8.1"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
 "references": {
 "reference_data": [
 {
- "name": "https://github.com/wagtail/wagtail/security/advisories/GHSA-v2wc-pfq2-5cm6",
- "refsource": "CONFIRM",
- "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-v2wc-pfq2-5cm6"
- },
- {
- "name": "https://github.com/wagtail/wagtail/releases/tag/v2.8.1",
+ "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-v2wc-pfq2-5cm6",
 "refsource": "MISC",
- "url": "https://github.com/wagtail/wagtail/releases/tag/v2.8.1"
- },
- {
"name": "https://github.com/wagtail/wagtail/commit/61045ceefea114c40ac4b680af58990dbe732389",
- "refsource": "MISC",
- "url": "https://github.com/wagtail/wagtail/commit/61045ceefea114c40ac4b680af58990dbe732389"
+ "name": "https://github.com/wagtail/wagtail/security/advisories/GHSA-v2wc-pfq2-5cm6"
 }
 ]
 },
 "source": {
 "advisory": "GHSA-v2wc-pfq2-5cm6",
 "discovery": "UNKNOWN"
+ },
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "HIGH",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 5.8,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "LOW",
+ "scope": "CHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
+ "version": "3.1"
+ }
+ ]
 }
 }
\ No newline at end of file
diff --git a/2020/11xxx/CVE-2020-11037.json b/2020/11xxx/CVE-2020-11037.json
index b9cca722462..d6fdc409ff5 100644
--- a/2020/11xxx/CVE-2020-11037.json
+++ b/2020/11xxx/CVE-2020-11037.json
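Review bot: The new description value embeds hard line wraps as single `\n` mid-sentence (`revision\ncomparison`, `Wagtail\nadmin`, `perform\nactions`, `to\nthe Wagtail admin`), which look like a copy artifact from a wrapped advisory rather than intended breaks, and consumers rendering the field as plain text will break lines there. Only the `\n\n` before "Patched versions" reads as deliberate; the single `\n`s should be spaces, e.g. `"... exists on the page revision comparison view within the Wagtail admin interface. A user with ..."`. Separately, the rewritten reference_data drops the fix-commit reference (`.../commit/61045ceefea114c40ac4b680af58990dbe732389`) and the v2.8.1 release tag that the old record carried, leaving the GHSA advisory as the only pointer; if the sync format allows it, keeping the commit entry preserves a direct link to the patch. The affected range also changed from `>=1.9.0, < 2.7.2` to `< 2.7.2`, which matches the description's wording but widens the range to every pre-2.7.2 release without saying so.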
@@ -1,86 +1,114 @@
 {
- "CVE_data_meta": {
- "ASSIGNER": "security-advisories@github.com",
- "ID": "CVE-2020-11037",
- "STATE": "PUBLIC",
- "TITLE": "Potential Observable Timing Discrepancy in Wagtail"
- },
- "affects": {
- "vendor": {
- "vendor_data": [
- {
- "product": {
- "product_data": [
- {
- "product_name": "Wagtail",
- "version": {
- "version_data": [
- {
- "version_value": "< 2.7.2"
- },
- {
- "version_value": ">= 2.8, < 2.8.2"
- }
- ]
- }
- }
- ]
- },
- "vendor_name": "wagtail"
- }
- ]
- }
- },
- "data_format": "MITRE",
- "data_type": "CVE",
 "data_version": "4.0",
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "CVE_data_meta": {
+ "ID": "CVE-2020-11037",
+ "ASSIGNER": "security-advisories@github.com",
+ "STATE": "PUBLIC"
+ },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "In Wagtail before versions 2.7.2 and 2.8.2, a potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's \"Privacy\" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. This is understood to be feasible on a local network, but not on the public internet. Privacy settings that restrict access to pages/documents on a per-user or per-group basis (as opposed to a shared password) are unaffected by this vulnerability. This has been patched in 2.7.3, 2.8.2, 2.9."
+ "value": "In Wagtail before versions 2.7.3 and 2.8.2, a potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's \"Privacy\" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. This is [understood to be feasible on a local network, but not on the public internet](https://groups.google.com/d/msg/django-developers/iAaq0pvHXuA/fpUuwjK3i2wJ).\n\nPrivacy settings that restrict access to pages/documents on a per-user or per-group basis (as opposed to a shared password) are unaffected by this vulnerability.\n\nThis has been patched in 2.7.3, 2.8.2, 2.9."
 }
 ]
 },
- "impact": {
- "cvss": {
- "attackComplexity": "HIGH",
- "attackVector": "LOCAL",
- "availabilityImpact": "NONE",
- "baseScore": 6.1,
- "baseSeverity": "MEDIUM",
- "confidentialityImpact": "HIGH",
- "integrityImpact": "LOW",
- "privilegesRequired": "HIGH",
- "scope": "CHANGED",
- "userInteraction": "NONE",
- "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N",
- "version": "3.1"
- }
- },
 "problemtype": {
 "problemtype_data": [
 {
 "description": [
 {
 "lang": "eng",
- "value": "CWE-208: Observable Timing Discrepancy"
+ "value": "CWE-208: Observable Timing Discrepancy",
+ "cweId": "CWE-208"
 }
 ]
 }
 ]
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "wagtail",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Wagtail",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "< 2.7.3"
+ },
+ {
+ "version_affected": "=",
+ "version_value": ">= 2.8rc1, < 2.8.2"
+ },
+ {
+ "version_affected": "=",
+ "version_value": "= 2.9rc1"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
 "references": {
 "reference_data": [
 {
- "name": "https://github.com/wagtail/wagtail/security/advisories/GHSA-jjjr-3jcw-f8v6",
- "refsource": "CONFIRM",
- "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-jjjr-3jcw-f8v6"
+ "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-jjjr-3jcw-f8v6",
+ "refsource": "MISC",
+ "name": "https://github.com/wagtail/wagtail/security/advisories/GHSA-jjjr-3jcw-f8v6"
+ },
+ {
+ "url": "https://github.com/wagtail/wagtail/commit/3c030490ed575bb9cd01dfb3a890477dcaeb2edf",
+ "refsource": "MISC",
+ "name": "https://github.com/wagtail/wagtail/commit/3c030490ed575bb9cd01dfb3a890477dcaeb2edf"
+ },
+ {
+ "url": "https://github.com/wagtail/wagtail/commit/b76ab57ee859732b9cf9287d380493ab24061090",
+ "refsource": "MISC",
+ "name": "https://github.com/wagtail/wagtail/commit/b76ab57ee859732b9cf9287d380493ab24061090"
+ },
+ {
+ "url": "https://github.com/wagtail/wagtail/commit/ba9d424bd1ca5ce1910d3de74f5cc07214fbfb11",
+ "refsource": "MISC",
+ "name": "https://github.com/wagtail/wagtail/commit/ba9d424bd1ca5ce1910d3de74f5cc07214fbfb11"
+ },
+ {
+ "url": "https://github.com/wagtail/wagtail/commit/bac3cd0a26b023e595cf2959aae7da15bb5e4340",
+ "refsource": "MISC",
+ "name": "https://github.com/wagtail/wagtail/commit/bac3cd0a26b023e595cf2959aae7da15bb5e4340"
 }
 ]
 },
 "source": {
 "advisory": "GHSA-jjjr-3jcw-f8v6",
 "discovery": "UNKNOWN"
+ },
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "HIGH",
+ "attackVector": "LOCAL",
+ "availabilityImpact": "NONE",
+ "baseScore": 6.1,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "HIGH",
+ "scope": "CHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N",
+ "version": "3.1"
+ }
+ ]
 }
 }
\ No newline at end of file
diff --git a/2024/11xxx/CVE-2024-11422.json b/2024/11xxx/CVE-2024-11422.json
new file mode 100644
index 00000000000..471b1f554ac
--- /dev/null
+++ b/2024/11xxx/CVE-2024-11422.json
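Review bot: The new description value carries markdown link syntax, `This is [understood to be feasible on a local network, but not on the public internet](https://groups.google.com/d/msg/django-developers/iAaq0pvHXuA/fpUuwjK3i2wJ).`; the description field in this 4.0 record format is plain text, so downstream feeds will show the square brackets and the URL inline. Flatten it to `This is understood to be feasible on a local network, but not on the public internet.` and, if the pointer is worth keeping, add the groups.google.com URL as its own reference_data entry with `"refsource": "MISC"` next to the advisory and commit links. The rewritten version_data also names `>= 2.8rc1, < 2.8.2` and `= 2.9rc1` as affected while the description only says "patched in 2.7.3, 2.8.2, 2.9"; that is not contradictory, but the 2.9rc1 entry is the sole place the 2.9 pre-release is listed, so it is worth confirming against the advisory.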
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-11422",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2024/11xxx/CVE-2024-11423.json b/2024/11xxx/CVE-2024-11423.json
new file mode 100644
index 00000000000..7b084554541
--- /dev/null
+++ b/2024/11xxx/CVE-2024-11423.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-11423",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2024/11xxx/CVE-2024-11424.json b/2024/11xxx/CVE-2024-11424.json
new file mode 100644
index 00000000000..35970d14dbc
--- /dev/null
+++ b/2024/11xxx/CVE-2024-11424.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-11424",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2024/11xxx/CVE-2024-11425.json b/2024/11xxx/CVE-2024-11425.json
new file mode 100644
index 00000000000..1b79b5cca4d
--- /dev/null
+++ b/2024/11xxx/CVE-2024-11425.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-11425",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2024/11xxx/CVE-2024-11426.json b/2024/11xxx/CVE-2024-11426.json
new file mode 100644
index 00000000000..ecaa011e086
--- /dev/null
+++ b/2024/11xxx/CVE-2024-11426.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-11426",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2024/11xxx/CVE-2024-11427.json b/2024/11xxx/CVE-2024-11427.json
new file mode 100644
index 00000000000..05b93fd5e4f
--- /dev/null
+++ b/2024/11xxx/CVE-2024-11427.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-11427",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2024/11xxx/CVE-2024-11428.json b/2024/11xxx/CVE-2024-11428.json
new file mode 100644
index 00000000000..1c3353ba6a6
--- /dev/null
+++ b/2024/11xxx/CVE-2024-11428.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-11428",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2024/11xxx/CVE-2024-11429.json b/2024/11xxx/CVE-2024-11429.json
new file mode 100644
index 00000000000..c5a243f8995
--- /dev/null
+++ b/2024/11xxx/CVE-2024-11429.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-11429",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2024/11xxx/CVE-2024-11430.json b/2024/11xxx/CVE-2024-11430.json
new file mode 100644
index 00000000000..da086b27dbf
--- /dev/null
+++ b/2024/11xxx/CVE-2024-11430.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-11430",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2024/11xxx/CVE-2024-11431.json b/2024/11xxx/CVE-2024-11431.json
new file mode 100644
index 00000000000..816fbb354ae
--- /dev/null
+++ b/2024/11xxx/CVE-2024-11431.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-11431",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2024/11xxx/CVE-2024-11432.json b/2024/11xxx/CVE-2024-11432.json
new file mode 100644
index 00000000000..5e6af51475d
--- /dev/null
+++ b/2024/11xxx/CVE-2024-11432.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-11432",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2024/11xxx/CVE-2024-11433.json b/2024/11xxx/CVE-2024-11433.json
new file mode 100644
index 00000000000..03d9c170f5e
--- /dev/null
+++ b/2024/11xxx/CVE-2024-11433.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-11433",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2024/11xxx/CVE-2024-11434.json b/2024/11xxx/CVE-2024-11434.json
new file mode 100644
index 00000000000..b7ff5aeb288
--- /dev/null
+++ b/2024/11xxx/CVE-2024-11434.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-11434",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2024/52xxx/CVE-2024-52582.json b/2024/52xxx/CVE-2024-52582.json
index 872763516a1..6bf091bc7bc 100644
--- a/2024/52xxx/CVE-2024-52582.json
+++ b/2024/52xxx/CVE-2024-52582.json
@@ -1,17 +1,95 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2024-52582",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security-advisories@github.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Cachi2 is a command-line interface tool that pre-fetches a project's dependencies to aid in making the project's build process network-isolated. Prior to version 0.14.0, secrets may be shown in logs when an unhandled exception is triggered because the tool is logging locals of each function. This may uncover secrets if tool used in CI/build pipelines as it's the main use case. Version 0.14.0 contains a patch for the issue. No known workarounds are available."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere",
+ "cweId": "CWE-497"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "containerbuildsystem",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "cachi2",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "< 0.14.0"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://github.com/containerbuildsystem/cachi2/security/advisories/GHSA-w9qc-9m5h-qqmh",
+ "refsource": "MISC",
+ "name": "https://github.com/containerbuildsystem/cachi2/security/advisories/GHSA-w9qc-9m5h-qqmh"
+ },
+ {
+ "url": "https://github.com/containerbuildsystem/cachi2/commit/d6638e5e14474061a1ab1ba5d0ee72f58b9a11a9",
+ "refsource": "MISC",
+ "name": "https://github.com/containerbuildsystem/cachi2/commit/d6638e5e14474061a1ab1ba5d0ee72f58b9a11a9"
+ },
+ {
+ "url": "https://typer.tiangolo.com/tutorial/exceptions/?h=#disable-local-variables-for-security",
+ "refsource": "MISC",
+ "name": "https://typer.tiangolo.com/tutorial/exceptions/?h=#disable-local-variables-for-security"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-w9qc-9m5h-qqmh",
+ "discovery": "UNKNOWN"
+ },
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "HIGH",
+ "attackVector": "LOCAL",
+ "availabilityImpact": "NONE",
+ "baseScore": 4.7,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
+ "version": "3.1"
 }
 ]
 }
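Review bot: The problemtype maps this record only to CWE-497, while the behaviour the description gives — every frame's locals, secrets included, written to the log on an unhandled exception — is the pattern CWE-532 (Insertion of Sensitive Information into Log File) names; if the CNA export permits a second problemtype entry, adding one with `"cweId": "CWE-532"` next to CWE-497 makes the record findable by consumers filtering on log-exposure weaknesses. The new cvss entry scores the issue `AV:L`/`PR:N`/`UI:R`, yet the same description frames CI/build pipelines, whose logs are usually collected by a shared service, as the main exposure; the vector is the CNA's call, but it is worth a check that `attackVector` and `privilegesRequired` reflect how pipeline logs are actually reachable. The typer documentation reference is presumably the upstream note for the mitigation the fix commit applies (disabling local-variable dumps in pretty exceptions); a short `name` saying so would help readers who cannot follow links. The root object's closing brace lies outside the hunk.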