diff --git a/2024/11xxx/CVE-2024-11034.json b/2024/11xxx/CVE-2024-11034.json new file mode 100644 index 00000000000..3da17839d12 --- /dev/null +++ b/2024/11xxx/CVE-2024-11034.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2024-11034", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2024/11xxx/CVE-2024-11035.json b/2024/11xxx/CVE-2024-11035.json new file mode 100644 index 00000000000..b3ffaaa5de1 --- /dev/null +++ b/2024/11xxx/CVE-2024-11035.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2024-11035", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2024/11xxx/CVE-2024-11036.json b/2024/11xxx/CVE-2024-11036.json new file mode 100644 index 00000000000..8d97644cae8 --- /dev/null +++ b/2024/11xxx/CVE-2024-11036.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2024-11036", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2024/11xxx/CVE-2024-11037.json b/2024/11xxx/CVE-2024-11037.json new file mode 100644 index 00000000000..3c20bb6c560 --- /dev/null +++ b/2024/11xxx/CVE-2024-11037.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2024-11037", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2024/11xxx/CVE-2024-11038.json b/2024/11xxx/CVE-2024-11038.json new file mode 100644 index 00000000000..de490b2919f --- /dev/null +++ b/2024/11xxx/CVE-2024-11038.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2024-11038", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2024/11xxx/CVE-2024-11039.json b/2024/11xxx/CVE-2024-11039.json new file mode 100644 index 00000000000..ea45c4023b4 --- /dev/null +++ b/2024/11xxx/CVE-2024-11039.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2024-11039", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2024/35xxx/CVE-2024-35421.json b/2024/35xxx/CVE-2024-35421.json index afc06065f74..1d970f0535c 100644 --- a/2024/35xxx/CVE-2024-35421.json +++ b/2024/35xxx/CVE-2024-35421.json @@ -1,17 +1,66 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2024-35421", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2024-35421", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "vmir e8117 was discovered to contain a segmentation violation via the wasm_parse_block function at /src/vmir_wasm_parser.c." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/andoma/vmir/issues/22", + "refsource": "MISC", + "name": "https://github.com/andoma/vmir/issues/22" + }, + { + "refsource": "MISC", + "name": "https://gist.github.com/haruki3hhh/318c4e35531f9e3b01df51016ac5c12b", + "url": "https://gist.github.com/haruki3hhh/318c4e35531f9e3b01df51016ac5c12b" } ] } diff --git a/2024/35xxx/CVE-2024-35422.json b/2024/35xxx/CVE-2024-35422.json index 10c0de7866b..81971346da5 100644 --- a/2024/35xxx/CVE-2024-35422.json +++ b/2024/35xxx/CVE-2024-35422.json @@ -1,17 +1,66 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2024-35422", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2024-35422", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "vmir e8117 was discovered to contain a heap buffer overflow via the wasm_call function at /src/vmir_wasm_parser.c." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/andoma/vmir/issues/23", + "refsource": "MISC", + "name": "https://github.com/andoma/vmir/issues/23" + }, + { + "refsource": "MISC", + "name": "https://gist.github.com/haruki3hhh/21f9ad538db2a98e651cfe34ba4176f3", + "url": "https://gist.github.com/haruki3hhh/21f9ad538db2a98e651cfe34ba4176f3" } ] } diff --git a/2024/35xxx/CVE-2024-35425.json b/2024/35xxx/CVE-2024-35425.json index 8a6c08d62e5..b7c7ef89218 100644 --- a/2024/35xxx/CVE-2024-35425.json +++ b/2024/35xxx/CVE-2024-35425.json @@ -1,17 +1,66 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2024-35425", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2024-35425", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "vmir e8117 was discovered to contain a segmentation violation via the function_prepare_parse function at /src/vmir_function.c." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/andoma/vmir/issues/19", + "refsource": "MISC", + "name": "https://github.com/andoma/vmir/issues/19" + }, + { + "refsource": "MISC", + "name": "https://gist.github.com/haruki3hhh/c64ff6431c71be1b08e15d4ff480ce6b", + "url": "https://gist.github.com/haruki3hhh/c64ff6431c71be1b08e15d4ff480ce6b" } ] } diff --git a/2024/35xxx/CVE-2024-35426.json b/2024/35xxx/CVE-2024-35426.json index f70af4475c4..9d5499212ca 100644 --- a/2024/35xxx/CVE-2024-35426.json +++ b/2024/35xxx/CVE-2024-35426.json @@ -1,17 +1,66 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2024-35426", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2024-35426", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "vmir e8117 was discovered to contain a stack overflow via the init_local_vars function at /src/vmir_wasm_parser.c." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/andoma/vmir/issues/24", + "refsource": "MISC", + "name": "https://github.com/andoma/vmir/issues/24" + }, + { + "refsource": "MISC", + "name": "https://gist.github.com/haruki3hhh/9d2a5a139a8b72517009953d0ba7338c", + "url": "https://gist.github.com/haruki3hhh/9d2a5a139a8b72517009953d0ba7338c" } ] } diff --git a/2024/35xxx/CVE-2024-35427.json b/2024/35xxx/CVE-2024-35427.json index 78c9fa211b3..668b15115c7 100644 --- a/2024/35xxx/CVE-2024-35427.json +++ b/2024/35xxx/CVE-2024-35427.json @@ -1,17 +1,66 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2024-35427", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2024-35427", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "vmir e8117 was discovered to contain a segmentation violation via the export_function function at /src/vmir_wasm_parser.c." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/andoma/vmir/issues/20", + "refsource": "MISC", + "name": "https://github.com/andoma/vmir/issues/20" + }, + { + "refsource": "MISC", + "name": "https://gist.github.com/haruki3hhh/1edba199c52039791bbcb33a5196c1c3", + "url": "https://gist.github.com/haruki3hhh/1edba199c52039791bbcb33a5196c1c3" } ] } diff --git a/2024/52xxx/CVE-2024-52000.json b/2024/52xxx/CVE-2024-52000.json index c4936a4f7cb..d6671bd3fbe 100644 --- a/2024/52xxx/CVE-2024-52000.json +++ b/2024/52xxx/CVE-2024-52000.json @@ -1,17 +1,85 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-52000", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Combodo iTop is a simple, web based IT Service Management tool. Affected versions are subject to a reflected Cross-site Scripting (XSS) exploit by way of editing a request's payload which can lead to malicious javascript execution. This issue has been addressed in version 3.2.0 via systematic escaping of error messages when rendering on the page. All users are advised to upgrade. There are no known workarounds for this vulnerability." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Combodo", + "product": { + "product_data": [ + { + "product_name": "iTop", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "< 3.2.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-r58g-p5r9-8hfg", + "refsource": "MISC", + "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-r58g-p5r9-8hfg" + } + ] + }, + "source": { + "advisory": "GHSA-r58g-p5r9-8hfg", + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 8.1, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "version": "3.0" } ] } diff --git a/2024/52xxx/CVE-2024-52001.json b/2024/52xxx/CVE-2024-52001.json index cebe67281a7..d90d23db99f 100644 --- a/2024/52xxx/CVE-2024-52001.json +++ b/2024/52xxx/CVE-2024-52001.json @@ -1,17 +1,85 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-52001", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Combodo iTop is a simple, web based IT Service Management tool. In affected versions portal users are able to access forbidden services information. This issue has been addressed in version 3.2.0. All users are advised to upgrade. There are no known workarounds for this vulnerability." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", + "cweId": "CWE-200" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Combodo", + "product": { + "product_data": [ + { + "product_name": "iTop", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "< 3.2.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-9p26-v3wj-6q34", + "refsource": "MISC", + "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-9p26-v3wj-6q34" + } + ] + }, + "source": { + "advisory": "GHSA-9p26-v3wj-6q34", + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", + "version": "3.0" } ] } diff --git a/2024/52xxx/CVE-2024-52002.json b/2024/52xxx/CVE-2024-52002.json index be72a4a8a6d..3c9d3de7cf5 100644 --- a/2024/52xxx/CVE-2024-52002.json +++ b/2024/52xxx/CVE-2024-52002.json @@ -1,17 +1,85 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-52002", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Combodo iTop is a simple, web based IT Service Management tool. Several url endpoints are subject to a Cross-Site Request Forgery (CSRF) vulnerability. Please refer to the linked GHSA for the complete list. This issue has been addressed in version 3.2.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-352: Cross-Site Request Forgery (CSRF)", + "cweId": "CWE-352" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Combodo", + "product": { + "product_data": [ + { + "product_name": "iTop", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "< 3.2.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-xr4x-xq7v-7gqm", + "refsource": "MISC", + "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-xr4x-xq7v-7gqm" + } + ] + }, + "source": { + "advisory": "GHSA-xr4x-xq7v-7gqm", + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 7.6, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", + "version": "3.0" } ] } diff --git a/2024/52xxx/CVE-2024-52004.json b/2024/52xxx/CVE-2024-52004.json index 611f6c8d88b..765a9f00b5b 100644 --- a/2024/52xxx/CVE-2024-52004.json +++ b/2024/52xxx/CVE-2024-52004.json @@ -1,18 +1,73 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-52004", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "MediaCMS is an open source video and media CMS, written in Python/Django and React, featuring a REST API. MediaCMS has been prone to vulnerabilities that upon special cases can lead to remote code execution. All versions before v4.1.0 are susceptible, and users are highly recommended to upgrade.\u00a0The vulnerabilities are related with insufficient input validation while uploading media content. The condition to exploit the vulnerability is that the portal allows users to upload content. This issue has been patched in version 4.1.0. There are no known workarounds for this vulnerability." } ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + "cweId": "CWE-74" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "mediacms-io", + "product": { + "product_data": [ + { + "product_name": "mediacms", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "< 4.1.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/mediacms-io/mediacms/security/advisories/GHSA-x3p4-4442-q2c3", + "refsource": "MISC", + "name": "https://github.com/mediacms-io/mediacms/security/advisories/GHSA-x3p4-4442-q2c3" + }, + { + "url": "https://github.com/mediacms-io/mediacms/blob/main/docs/admins_docs.md", + "refsource": "MISC", + "name": "https://github.com/mediacms-io/mediacms/blob/main/docs/admins_docs.md" + } + ] + }, + "source": { + "advisory": "GHSA-x3p4-4442-q2c3", + "discovery": "UNKNOWN" } } \ No newline at end of file diff --git a/2024/52xxx/CVE-2024-52007.json b/2024/52xxx/CVE-2024-52007.json index c0f0a107971..d7e1cde7fc7 100644 --- a/2024/52xxx/CVE-2024-52007.json +++ b/2024/52xxx/CVE-2024-52007.json @@ -1,17 +1,110 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-52007", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. XSLT parsing performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML. This is related to GHSA-6cr6-ph3p-f5rf, in which its fix (#1571 & #1717) was incomplete. This issue has been addressed in release version 6.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-611: Improper Restriction of XML External Entity Reference", + "cweId": "CWE-611" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "hapifhir", + "product": { + "product_data": [ + { + "product_name": "org.hl7.fhir.core", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "< 6.4.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-gr3c-q7xf-47vh", + "refsource": "MISC", + "name": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-gr3c-q7xf-47vh" + }, + { + "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf", + "refsource": "MISC", + "name": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf" + }, + { + "url": "https://github.com/hapifhir/org.hl7.fhir.core/issues/1571", + "refsource": "MISC", + "name": "https://github.com/hapifhir/org.hl7.fhir.core/issues/1571" + }, + { + "url": "https://github.com/hapifhir/org.hl7.fhir.core/pull/1717", + "refsource": "MISC", + "name": "https://github.com/hapifhir/org.hl7.fhir.core/pull/1717" + }, + { + "url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j", + "refsource": "MISC", + "name": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j" + }, + { + "url": "https://cwe.mitre.org/data/definitions/611.html", + "refsource": "MISC", + "name": "https://cwe.mitre.org/data/definitions/611.html" + } + ] + }, + "source": { + "advisory": "GHSA-gr3c-q7xf-47vh", + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 8.6, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", + "version": "3.1" } ] } diff --git a/2024/52xxx/CVE-2024-52009.json b/2024/52xxx/CVE-2024-52009.json index ea9424b6b8a..e77d511bef8 100644 --- a/2024/52xxx/CVE-2024-52009.json +++ b/2024/52xxx/CVE-2024-52009.json @@ -1,18 +1,88 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-52009", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Atlantis logs contains GitHub credentials (tokens `ghs_...`) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub. When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization. This was reported in #4060 and fixed in #4667 . The fix was included in Atlantis v0.30.0. All users are advised to upgrade. There are no known workarounds for this vulnerability." } ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-532: Insertion of Sensitive Information into Log File", + "cweId": "CWE-532" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "runatlantis", + "product": { + "product_data": [ + { + "product_name": "atlantis", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "< 0.30.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp", + "refsource": "MISC", + "name": "https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp" + }, + { + "url": "https://github.com/runatlantis/atlantis/issues/4060", + "refsource": "MISC", + "name": "https://github.com/runatlantis/atlantis/issues/4060" + }, + { + "url": "https://github.com/runatlantis/atlantis/pull/4667", + "refsource": "MISC", + "name": "https://github.com/runatlantis/atlantis/pull/4667" + }, + { + "url": "https://argo-cd.readthedocs.io/en/stable/operator-manual/security", + "refsource": "MISC", + "name": "https://argo-cd.readthedocs.io/en/stable/operator-manual/security" + }, + { + "url": "https://github.com/runatlantis/atlantis/releases/tag/v0.30.0", + "refsource": "MISC", + "name": "https://github.com/runatlantis/atlantis/releases/tag/v0.30.0" + } + ] + }, + "source": { + "advisory": "GHSA-gppm-hq3p-h4rp", + "discovery": "UNKNOWN" } } \ No newline at end of file