From 257842daae009133774c5d46c8e3de8f845f01d4 Mon Sep 17 00:00:00 2001
From: CVE Team
Date: Mon, 3 Jul 2023 18:00:37 +0000
Subject: [PATCH] "-Synchronized-Data."

---
 2023/28xxx/CVE-2023-28121.json | 5 ++
 2023/36xxx/CVE-2023-36815.json | 76 ++++++++++++++++++++++++++++--
 2023/36xxx/CVE-2023-36817.json | 85 ++++++++++++++++++++++++++++++++--
 3 files changed, 158 insertions(+), 8 deletions(-)

diff --git a/2023/28xxx/CVE-2023-28121.json b/2023/28xxx/CVE-2023-28121.json
index 13c4fae46b0..25ca3c2b43c 100644
--- a/2023/28xxx/CVE-2023-28121.json
+++ b/2023/28xxx/CVE-2023-28121.json
@@ -48,6 +48,11 @@
 "refsource": "MISC",
 "name": "https://developer.woocommerce.com/2023/03/23/critical-vulnerability-detected-in-woocommerce-payments-what-you-need-to-know/",
 "url": "https://developer.woocommerce.com/2023/03/23/critical-vulnerability-detected-in-woocommerce-payments-what-you-need-to-know/"
+ },
+ {
+ "refsource": "MISC",
+ "name": "https://www.rcesecurity.com/2023/07/patch-diffing-cve-2023-28121-to-compromise-a-woocommerce/",
+ "url": "https://www.rcesecurity.com/2023/07/patch-diffing-cve-2023-28121-to-compromise-a-woocommerce/"
 }
 ]
 },
diff --git a/2023/36xxx/CVE-2023-36815.json b/2023/36xxx/CVE-2023-36815.json
index 7747eb74e03..d6b0246c99a 100644
--- a/2023/36xxx/CVE-2023-36815.json
+++ b/2023/36xxx/CVE-2023-36815.json
@@ -1,17 +1,85 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2023-36815",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security-advisories@github.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Sealos is a Cloud Operating System designed for managing cloud-native applications. In version 4.2.0 and prior, there is a permission flaw in the Sealos billing system, which allows users to control the recharge resource account `sealos[.] io/v1/Payment`, resulting in the ability to recharge any amount of 1 renminbi (RMB). The charging interface may expose resource information. The namespace of this custom resource would be user's control and may have permission to correct it. It is not clear whether a fix exists."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-862: Missing Authorization",
+ "cweId": "CWE-862"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "labring",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "sealos",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "<= 4.2.0"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://github.com/labring/sealos/security/advisories/GHSA-vpxf-q44g-w34w",
+ "refsource": "MISC",
+ "name": "https://github.com/labring/sealos/security/advisories/GHSA-vpxf-q44g-w34w"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-vpxf-q44g-w34w",
+ "discovery": "UNKNOWN"
+ },
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 7.3,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
+ "version": "3.1"
 }
 ]
 }
diff --git a/2023/36xxx/CVE-2023-36817.json b/2023/36xxx/CVE-2023-36817.json
index d84af793608..c80fd3d65d4 100644
--- a/2023/36xxx/CVE-2023-36817.json
+++ b/2023/36xxx/CVE-2023-36817.json
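Review bot: The affected-version entry encodes the range inside the version string — `"version_affected": "=", "version_value": "<= 4.2.0"` — so a consumer that honours `version_affected` will match only a literal version named "<= 4.2.0" and miss every real 4.x release; the CVE 4.0 schema has a range operator for this, so the pair should read `"version_affected": "<=", "version_value": "4.2.0"`. The CVSS vector also does not match the description: a low-privileged user manipulating a Payment custom resource to recharge their own balance needs no victim interaction, so `UI:R` looks unsupported, and `C:H` rests only on "may expose resource information", which the description does not substantiate. The identifier `sealos[.] io/v1/Payment` in the description appears to be a defanged and space-broken API group/kind (presumably `sealos.io/v1`, kind `Payment`); an API group is not a URL and should be written as it appears in the manifest so the affected resource can be located. The description states that no fix is known, so consumers should not infer from the version range that 4.2.1 or later is safe.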
@@ -1,17 +1,94 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2023-36817",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security-advisories@github.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "`tktchurch/website` contains the codebase for The King's Temple Church website. In version 0.1.0, a Stripe API key was found in the public code repository of the church's project. This sensitive information was unintentionally committed and subsequently exposed in the codebase. If an unauthorized party gains access to this key, they could potentially carry out transactions on behalf of the organization, leading to financial losses. Additionally, they could access sensitive customer information, leading to privacy violations and potential legal implications. The affected component is the codebase of our project, specifically the file(s) where the Stripe API key is embedded. The key should have been stored securely, and not committed to the codebase. The maintainers plan to revoke the leaked Stripe API key immediately, generate a new one, and not commit the key to the codebase."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
+ "cweId": "CWE-200"
+ }
+ ]
+ },
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-798: Use of Hard-coded Credentials",
+ "cweId": "CWE-798"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "tktchurch",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "website",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "= 0.1.0"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://github.com/tktchurch/website/security/advisories/GHSA-x3m6-5hmf-5x3w",
+ "refsource": "MISC",
+ "name": "https://github.com/tktchurch/website/security/advisories/GHSA-x3m6-5hmf-5x3w"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-x3m6-5hmf-5x3w",
+ "discovery": "UNKNOWN"
+ },
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 7.5,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "version": "3.1"
 }
 ]
 }
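Review bot: The CVSS vector contradicts the description: the text says the holder of the key "could potentially carry out transactions on behalf of the organization", which is an integrity impact, yet the vector records `"integrityImpact": "NONE"` and `I:N` in `"vectorString"`; either the description overstates what the key can do or the vector should carry `I:H`. Which Stripe key type leaked is the fact that decides this and is not stated — a publishable key is designed to be embedded client-side and would justify neither `C:H` nor `I:H`, while a secret or restricted key does; the description should name the key type (not the key). The affected-version entry `"version_affected": "=", "version_value": "= 0.1.0"` also repeats the operator inside the value, and for a leaked credential the version is not what bounds exposure: the key stays in git history after the file is cleaned and remains usable in every version until it is revoked, so the record should state that rotation of the key, not an upgrade, is the remediation. The description says the maintainers "plan to revoke" the key, so the advisory should be updated once revocation has actually happened.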