From 2ecfbaff6bed6f10fe136fb9dbc9f4f877a6483a Mon Sep 17 00:00:00 2001
From: CVE Team
Date: Thu, 13 Jun 2024 00:00:38 +0000
Subject: [PATCH] "-Synchronized-Data."
---
 2024/1xxx/CVE-2024-1495.json | 105 +++++++++++++++++++++++++++++++++--
 2024/1xxx/CVE-2024-1736.json | 105 +++++++++++++++++++++++++++++++++--
 2024/1xxx/CVE-2024-1963.json | 105 +++++++++++++++++++++++++++++++++--
 2024/4xxx/CVE-2024-4201.json | 105 +++++++++++++++++++++++++++++++++--
 2024/5xxx/CVE-2024-5942.json | 18 ++++++
 2024/5xxx/CVE-2024-5943.json | 18 ++++++
 2024/5xxx/CVE-2024-5944.json | 18 ++++++
 7 files changed, 458 insertions(+), 16 deletions(-)
 create mode 100644 2024/5xxx/CVE-2024-5942.json
 create mode 100644 2024/5xxx/CVE-2024-5943.json
 create mode 100644 2024/5xxx/CVE-2024-5944.json
diff --git a/2024/1xxx/CVE-2024-1495.json b/2024/1xxx/CVE-2024-1495.json
index af166a46240..34344515fa5 100644
--- a/2024/1xxx/CVE-2024-1495.json
+++ b/2024/1xxx/CVE-2024-1495.json
@@ -1,17 +1,114 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2024-1495",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "cve@gitlab.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.1 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. It was possible for an attacker to cause a denial of service using maliciously crafted file."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-400: Uncontrolled Resource Consumption",
+ "cweId": "CWE-400"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "GitLab",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "GitLab",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<",
+ "version_name": "13.1",
+ "version_value": "16.10.7"
+ },
+ {
+ "version_affected": "<",
+ "version_name": "16.11",
+ "version_value": "16.11.4"
+ },
+ {
+ "version_affected": "<",
+ "version_name": "17.0",
+ "version_value": "17.0.2"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/441807",
+ "refsource": "MISC",
+ "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/441807"
+ },
+ {
+ "url": "https://hackerone.com/reports/2359528",
+ "refsource": "MISC",
+ "name": "https://hackerone.com/reports/2359528"
+ },
+ {
+ "url": "https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#redos-in-gomod-dependency-linker",
+ "refsource": "MISC",
+ "name": "https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#redos-in-gomod-dependency-linker"
+ }
+ ]
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "value": "Upgrade to versions 16.10.7, 16.11.4, 17.0.2 or above."
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
+ "attackVector": "NETWORK",
+ "attackComplexity": "LOW",
+ "privilegesRequired": "LOW",
+ "userInteraction": "NONE",
+ "scope": "UNCHANGED",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "NONE",
+ "availabilityImpact": "HIGH",
+ "baseScore": 6.5,
+ "baseSeverity": "MEDIUM"
 }
 ]
 }
diff --git a/2024/1xxx/CVE-2024-1736.json b/2024/1xxx/CVE-2024-1736.json
index 305139efdad..ff65de2f10e 100644
--- a/2024/1xxx/CVE-2024-1736.json
+++ b/2024/1xxx/CVE-2024-1736.json
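Review bot: In CVE-2024-1495.json the added `problemtype` uses the generic `CWE-400` and the description says only "maliciously crafted file", while the record's own release-note reference ends in `#redos-in-gomod-dependency-linker`, which suggests a regular-expression denial of service. If that is accurate, `"cweId": "CWE-1333"` (Inefficient Regular Expression Complexity) and a description that names the affected feature would let consumers triage the record without following the links; the same generic CWE-400 appears in the CVE-2024-1736 and CVE-2024-1963 hunks, whose release-note anchors also begin `#redos-`. The added `solution` and `credits` entries use `"lang": "en"` while `description` and `problemtype` use `"lang": "eng"` in all four GitLab records, so one code should be used throughout, e.g. `"lang": "eng"`.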
@@ -1,17 +1,114 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2024-1736",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "cve@gitlab.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "An issue has been discovered in GitLab CE/EE affecting all versions prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's CI/CD pipeline editor could allow for denial of service attacks through maliciously crafted configuration files."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-400: Uncontrolled Resource Consumption",
+ "cweId": "CWE-400"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "GitLab",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "GitLab",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<",
+ "version_name": "15.8",
+ "version_value": "16.10.7"
+ },
+ {
+ "version_affected": "<",
+ "version_name": "16.11",
+ "version_value": "16.11.4"
+ },
+ {
+ "version_affected": "<",
+ "version_name": "17.0",
+ "version_value": "17.0.2"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/442695",
+ "refsource": "MISC",
+ "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/442695"
+ },
+ {
+ "url": "https://hackerone.com/reports/2358689",
+ "refsource": "MISC",
+ "name": "https://hackerone.com/reports/2358689"
+ },
+ {
+ "url": "https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#redos-in-ci-interpolation-fix-bypass",
+ "refsource": "MISC",
+ "name": "https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#redos-in-ci-interpolation-fix-bypass"
+ }
+ ]
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "value": "Upgrade to versions 16.10.7, 16.11.4, 17.0.2 or above."
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
+ "attackVector": "NETWORK",
+ "attackComplexity": "LOW",
+ "privilegesRequired": "LOW",
+ "userInteraction": "NONE",
+ "scope": "UNCHANGED",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "NONE",
+ "availabilityImpact": "HIGH",
+ "baseScore": 6.5,
+ "baseSeverity": "MEDIUM"
 }
 ]
 }
diff --git a/2024/1xxx/CVE-2024-1963.json b/2024/1xxx/CVE-2024-1963.json
index 5824f6bfd1c..62e321b81d8 100644
--- a/2024/1xxx/CVE-2024-1963.json
+++ b/2024/1xxx/CVE-2024-1963.json
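Review bot: In CVE-2024-1736.json the description says the issue affects "all versions prior to 16.10.7", but the first `version_data` entry added in this hunk starts the range at `"version_name": "15.8"`. Tools that match on the structured range will treat releases before 15.8 as unaffected while the prose says they are affected, so one of the two should be corrected; if 15.8 is the true lower bound, the description would read `affecting all versions starting from 15.8 prior to 16.10.7`. Which side is right cannot be determined from the diff and needs confirming with the assigning CNA.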
@@ -1,17 +1,114 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2024-1963",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "cve@gitlab.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.4 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's Asana integration allowed an attacker to potentially cause a regular expression denial of service by sending specially crafted requests."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-400: Uncontrolled Resource Consumption",
+ "cweId": "CWE-400"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "GitLab",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "GitLab",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<",
+ "version_name": "8.4",
+ "version_value": "16.10.7"
+ },
+ {
+ "version_affected": "<",
+ "version_name": "16.11",
+ "version_value": "16.11.4"
+ },
+ {
+ "version_affected": "<",
+ "version_name": "17.0",
+ "version_value": "17.0.2"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/443577",
+ "refsource": "MISC",
+ "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/443577"
+ },
+ {
+ "url": "https://hackerone.com/reports/2376482",
+ "refsource": "MISC",
+ "name": "https://hackerone.com/reports/2376482"
+ },
+ {
+ "url": "https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#redos-in-asana-integration-issue-mapping-when-webhook-is-called",
+ "refsource": "MISC",
+ "name": "https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#redos-in-asana-integration-issue-mapping-when-webhook-is-called"
+ }
+ ]
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "value": "Upgrade to versions 16.10.7, 16.11.4, 17.0.2 or above."
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
+ "attackVector": "NETWORK",
+ "attackComplexity": "LOW",
+ "privilegesRequired": "LOW",
+ "userInteraction": "NONE",
+ "scope": "UNCHANGED",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "NONE",
+ "availabilityImpact": "HIGH",
+ "baseScore": 6.5,
+ "baseSeverity": "MEDIUM"
 }
 ]
 }
diff --git a/2024/4xxx/CVE-2024-4201.json b/2024/4xxx/CVE-2024-4201.json
index d6711503bed..fc15a2024be 100644
--- a/2024/4xxx/CVE-2024-4201.json
+++ b/2024/4xxx/CVE-2024-4201.json
@@ -1,17 +1,114 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2024-4201",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "cve@gitlab.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 before 16.10.7, all versions starting from 16.11 before 16.111.4, all versions starting from 17.0 before 17.0.2. When viewing an XML file in a repository in raw mode, it can be made to render as HTML if viewed under specific circumstances."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
+ "cweId": "CWE-79"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "GitLab",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "GitLab",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<",
+ "version_name": "5.1",
+ "version_value": "16.10.7"
+ },
+ {
+ "version_affected": "<",
+ "version_name": "16.11",
+ "version_value": "16.11.4"
+ },
+ {
+ "version_affected": "<",
+ "version_name": "17.0",
+ "version_value": "17.0.2"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/458229",
+ "refsource": "MISC",
+ "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/458229"
+ },
+ {
+ "url": "https://hackerone.com/reports/2473886",
+ "refsource": "MISC",
+ "name": "https://hackerone.com/reports/2473886"
+ },
+ {
+ "url": "https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#xss-and-content-injection-when-viewing-raw-xhtml-files-on-ios-devices",
+ "refsource": "MISC",
+ "name": "https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#xss-and-content-injection-when-viewing-raw-xhtml-files-on-ios-devices"
+ }
+ ]
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "value": "Upgrade to versions 16.10.7, 16.11.4, 17.0.2 or above."
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
+ "attackVector": "NETWORK",
+ "attackComplexity": "HIGH",
+ "privilegesRequired": "LOW",
+ "userInteraction": "REQUIRED",
+ "scope": "CHANGED",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "availabilityImpact": "NONE",
+ "baseScore": 4.4,
+ "baseSeverity": "MEDIUM"
 }
 ]
 }
diff --git a/2024/5xxx/CVE-2024-5942.json b/2024/5xxx/CVE-2024-5942.json
new file mode 100644
index 00000000000..70c8d4a7b1b
--- /dev/null
+++ b/2024/5xxx/CVE-2024-5942.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-5942",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2024/5xxx/CVE-2024-5943.json b/2024/5xxx/CVE-2024-5943.json
new file mode 100644
index 00000000000..a3d178c55a3
--- /dev/null
+++ b/2024/5xxx/CVE-2024-5943.json
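Review bot: In CVE-2024-4201.json the added description gives the second fixed version as `16.111.4`, which disagrees with the `version_data` entry (`"version_value": "16.11.4"`) and the `solution` text in the same hunk. This looks like a typo, and the phrase should read `all versions starting from 16.11 before 16.11.4`; as written, anyone relying on the prose would conclude that every 16.11.x release is affected. The description also speaks of "an XML file" under "specific circumstances", whereas the release-note anchor names raw XHTML files on iOS devices, so stating that condition in the description would help readers scope their exposure.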
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-5943",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2024/5xxx/CVE-2024-5944.json b/2024/5xxx/CVE-2024-5944.json
new file mode 100644
index 00000000000..2a288ded81b
--- /dev/null
+++ b/2024/5xxx/CVE-2024-5944.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-5944",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file