From 3f4945062deee745f09a916f7725a5b957f50959 Mon Sep 17 00:00:00 2001
From: CVE Team
Date: Thu, 9 Jul 2020 18:01:25 +0000
Subject: [PATCH] "-Synchronized-Data."
---
 2020/13xxx/CVE-2020-13131.json | 75 +++++++++++++++++++++++++++++++---
 2020/13xxx/CVE-2020-13132.json | 75 +++++++++++++++++++++++++++++++---
 2020/14xxx/CVE-2020-14170.json | 62 +++++++++++++++++++++++++---
 2020/14xxx/CVE-2020-14171.json | 62 +++++++++++++++++++++++++---
 2020/15xxx/CVE-2020-15000.json | 59 +++++++++++++++++++++++---
 5 files changed, 303 insertions(+), 30 deletions(-)
diff --git a/2020/13xxx/CVE-2020-13131.json b/2020/13xxx/CVE-2020-13131.json
index 8db19e5c046..21b55394b74 100644
--- a/2020/13xxx/CVE-2020-13131.json
+++ b/2020/13xxx/CVE-2020-13131.json
@@ -1,18 +1,81 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
- "ID": "CVE-2020-13131",
 "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ID": "CVE-2020-13131",
+ "STATE": "PUBLIC"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "An issue was discovered in Yubico libykpiv before 2.1.0. lib/util.c in this library (which is included in yubico-piv-tool) does not properly check embedded length fields during device communication. A malicious PIV token can misreport the returned length fields during RSA key generation. This will cause stack memory to be copied into heap allocated memory that gets returned to the caller. The leaked memory could include PINs, passwords, key material, and other sensitive information depending on the integration. During further processing by the caller, this information could leak across trust boundaries. Note that RSA key generation is triggered by the host and cannot directly be triggered by the token."
 }
 ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "MISC",
+ "name": "https://blog.inhq.net/posts/yubico-libykpiv-vuln/",
+ "url": "https://blog.inhq.net/posts/yubico-libykpiv-vuln/"
+ },
+ {
+ "refsource": "CONFIRM",
+ "name": "https://www.yubico.com/products/services-software/download/smart-card-drivers-tools/",
+ "url": "https://www.yubico.com/products/services-software/download/smart-card-drivers-tools/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "PHYSICAL",
+ "availabilityImpact": "NONE",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.0/AC:L/AV:P/A:N/C:H/I:N/PR:N/S:U/UI:R",
+ "version": "3.0"
+ }
 }
 }
\ No newline at end of file
diff --git a/2020/13xxx/CVE-2020-13132.json b/2020/13xxx/CVE-2020-13132.json
index 6e50f0d4589..f97d255bb54 100644
--- a/2020/13xxx/CVE-2020-13132.json
+++ b/2020/13xxx/CVE-2020-13132.json
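Review bot: The added `affects` block records `"vendor_name": "n/a"`, `"product_name": "n/a"` and `"version_value": "n/a"` even though the description in the same hunk names Yubico libykpiv before 2.1.0, so tooling that matches on the structured fields will not associate this record with the library. I would populate them from the description, e.g. `"vendor_name": "Yubico"`, `"product_name": "libykpiv"`, `"version_value": "before 2.1.0"`. The CVE-2020-13132.json and CVE-2020-15000.json hunks carry the same placeholder block while their descriptions name the affected product and versions (YubiKey 5 devices 5.2.0 to 5.2.6 for the latter).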
@@ -1,18 +1,81 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
- "ID": "CVE-2020-13132",
 "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ID": "CVE-2020-13132",
+ "STATE": "PUBLIC"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "An issue was discovered in Yubico libykpiv before 2.1.0. An attacker can trigger an incorrect free() in the ykpiv_util_generate_key() function in lib/util.c through incorrect error handling code. This could be used to cause a denial of service attack."
 }
 ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "MISC",
+ "name": "https://blog.inhq.net/posts/yubico-libykpiv-vuln/",
+ "url": "https://blog.inhq.net/posts/yubico-libykpiv-vuln/"
+ },
+ {
+ "refsource": "CONFIRM",
+ "name": "https://www.yubico.com/support/security-advisories/ysa-2020-02/",
+ "url": "https://www.yubico.com/support/security-advisories/ysa-2020-02/"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "PHYSICAL",
+ "availabilityImpact": "HIGH",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.0/AC:L/AV:P/A:H/C:N/I:N/PR:N/S:U/UI:R",
+ "version": "3.0"
+ }
 }
 }
\ No newline at end of file
diff --git a/2020/14xxx/CVE-2020-14170.json b/2020/14xxx/CVE-2020-14170.json
index 2fdb1c65888..1de21a6c839 100644
--- a/2020/14xxx/CVE-2020-14170.json
+++ b/2020/14xxx/CVE-2020-14170.json
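Review bot: The added `impact.cvss` object carries the individual metrics and a `vectorString` but no `baseScore` or `baseSeverity`, so anything that reads severity from the record has to recompute it from the vector before it can triage on it. The vector also lists its metrics alphabetically (`AC:L/AV:P/A:H/...`) rather than in the specification's preferred order; a parser that expects that order would want `CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H`. The CVE-2020-13131.json hunk has the same shape.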
@@ -1,17 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "ASSIGNER": "security@atlassian.com",
+ "DATE_PUBLIC": "2020-07-09T00:00:00",
 "ID": "CVE-2020-14170",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Bitbucket Server",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "5.4.0",
+ "version_affected": ">="
+ },
+ {
+ "version_value": "7.3.1",
+ "version_affected": "<"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Atlassian"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Webhooks in Atlassian Bitbucket Server from version 5.4.0 before version 7.3.1 allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Server Side Request Forgery (SSRF)"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://jira.atlassian.com/browse/BSERV-12433",
+ "refsource": "MISC",
+ "name": "https://jira.atlassian.com/browse/BSERV-12433"
 }
 ]
 }
diff --git a/2020/14xxx/CVE-2020-14171.json b/2020/14xxx/CVE-2020-14171.json
index b7d92c1d8ed..9efbfc53e6f 100644
--- a/2020/14xxx/CVE-2020-14171.json
+++ b/2020/14xxx/CVE-2020-14171.json
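Review bot: The affected range is encoded as two independent `version_data` entries (`>=` 5.4.0 and `<` 7.3.1) with nothing in the record linking them, so a consumer that evaluates each entry on its own will treat `< 7.3.1` as covering releases older than 5.4.0, which the description excludes. Matching logic has to AND the two bounds, or treat the description text ("from version 5.4.0 before version 7.3.1") as the authoritative range. The CVE-2020-14171.json hunk uses the same pairing for 4.9.0 and 7.2.4.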
@@ -1,17 +1,67 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "ASSIGNER": "security@atlassian.com",
+ "DATE_PUBLIC": "2020-07-09T00:00:00",
 "ID": "CVE-2020-14171",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Bitbucket Server",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "4.9.0",
+ "version_affected": ">="
+ },
+ {
+ "version_value": "7.2.4",
+ "version_affected": "<"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Atlassian"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Atlassian Bitbucket Server from version 4.9.0 before version 7.2.4 allows remote attackers to intercept unencrypted repository import requests via a Man-in-the-Middle (MITM) attack."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Man-in-the-Middle (MITM)"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://jira.atlassian.com/browse/BSERV-12434",
+ "refsource": "MISC",
+ "name": "https://jira.atlassian.com/browse/BSERV-12434"
 }
 ]
 }
diff --git a/2020/15xxx/CVE-2020-15000.json b/2020/15xxx/CVE-2020-15000.json
index 443e37f9e25..0cfd11d0c49 100644
--- a/2020/15xxx/CVE-2020-15000.json
+++ b/2020/15xxx/CVE-2020-15000.json
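Review bot: The added `problemtype` holds the free-text label `"Man-in-the-Middle (MITM)"`, which names an attack technique rather than the underlying weakness, so the record cannot be grouped or filtered by CWE. Going by the description's "unencrypted repository import requests", `"value": "CWE-319: Cleartext Transmission of Sensitive Information"` looks like the closest fit, though that mapping is inferred from the text and should be confirmed with the assigner. The CVE-2020-14170.json hunk likewise uses free text where a `CWE-918` label would identify the SSRF weakness.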
@@ -1,18 +1,65 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
- "ID": "CVE-2020-15000",
 "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ID": "CVE-2020-15000",
+ "STATE": "PUBLIC"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "A PIN management problem was discovered on Yubico YubiKey 5 devices 5.2.0 to 5.2.6. OpenPGP has three passwords: Admin PIN, Reset Code, and User PIN. The Reset Code is used to reset the User PIN, but it is disabled by default. A flaw in the implementation of OpenPGP sets the Reset Code to a known value upon initialization. If the retry counter for the Reset Code is set to non-zero without changing the Reset Code, this known value can be used to reset the User PIN. To set the retry counters, the Admin PIN is required."
 }
 ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "name": "https://www.yubico.com/support/security-advisories/ysa-2020-05/",
+ "url": "https://www.yubico.com/support/security-advisories/ysa-2020-05/"
+ }
+ ]
+ },
+ "source": {
+ "discovery": "INTERNAL"
 }
 }
\ No newline at end of file