diff --git a/2017/2xxx/CVE-2017-2600.json b/2017/2xxx/CVE-2017-2600.json
index c574ab2c947..3df8439b618 100644
--- a/2017/2xxx/CVE-2017-2600.json
+++ b/2017/2xxx/CVE-2017-2600.json
@@ -1,72 +1,85 @@
 {
- "impact": {
- "cvss": [
- [
- {
- "vectorString": "4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
- "version": "3.0"
- }
+ "CVE_data_meta" : {
+ "ASSIGNER" : "lpardo@redhat.com",
+ "ID" : "CVE-2017-2600",
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "jenkins",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "jenkins 2.44"
+ },
+ {
+ "version_value" : "jenkins 2.32.2"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "[UNKNOWN]"
+ }
+ ]
+ }
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "In jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. These included system configuration and runtime information of these nodes (SECURITY-343)."
+ }
+ ]
+ },
+ "impact" : {
+ "cvss" : [
+ [
+ {
+ "vectorString" : "4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
+ "version" : "3.0"
+ }
+ ]
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "CWE-325"
+ }
 ]
- ]
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "In jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. These included system configuration and runtime information of these nodes (SECURITY-343)."
- }
- ]
- },
- "data_type": "CVE",
- "affects": {
- "vendor": {
- "vendor_data": [
- {
- "product": {
- "product_data": [
- {
- "version": {
- "version_data": [
- {
- "version_value": "jenkins 2.44"
- },
- {
- "version_value": "jenkins 2.32.2"
- }
- ]
- },
- "product_name": "jenkins"
- }
- ]
- },
- "vendor_name": "[UNKNOWN]"
- }
- ]
- }
- },
- "data_format": "MITRE",
- "problemtype": {
- "problemtype_data": [
- {
- "description": [
- {
- "lang": "eng",
- "value": "CWE-325"
- }
- ]
- }
- ]
- },
- "data_version": "4.0",
- "references": {
- "reference_data": [
- {
- "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2600"
- }
- ]
- },
- "CVE_data_meta": {
- "ID": "CVE-2017-2600",
- "ASSIGNER": "lpardo@redhat.com"
- }
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2600",
+ "refsource" : "CONFIRM",
+ "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2600"
+ },
+ {
+ "name" : "https://github.com/jenkinsci/jenkins/commit/0f92cd08a19207de2cceb6a2f4e3e9f92fdc0899",
+ "refsource" : "CONFIRM",
+ "url" : "https://github.com/jenkinsci/jenkins/commit/0f92cd08a19207de2cceb6a2f4e3e9f92fdc0899"
+ },
+ {
+ "name" : "https://jenkins.io/security/advisory/2017-02-01/",
+ "refsource" : "CONFIRM",
+ "url" : "https://jenkins.io/security/advisory/2017-02-01/"
+ }
+ ]
+ }
 }
diff --git a/2017/2xxx/CVE-2017-2608.json b/2017/2xxx/CVE-2017-2608.json
index 033e4a76450..2b35bec00f8 100644
--- a/2017/2xxx/CVE-2017-2608.json
+++ b/2017/2xxx/CVE-2017-2608.json
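Review bot: The `affects` block on the new side lists `"version_value" : "jenkins 2.44"` and `"jenkins 2.32.2"`, yet the description says the flaw is in Jenkins *before* 2.44 and 2.32.2, so the structured data names the fixed releases as the affected ones and any consumer matching on `affects` alone gets the range inverted. The CVE JSON 4.0 `version_data` entries take a `version_affected` qualifier; `{ "version_affected" : "<", "version_value" : "2.44" }` and the same for `2.32.2` would state the range the prose describes. `"vendor_name" : "[UNKNOWN]"` is also carried over for a product the references attribute to the Jenkins project, which is worth confirming against the CNA record before changing. Both of these points apply verbatim to the rebuilt 2017/2xxx/CVE-2017-2608.json and 2017/2xxx/CVE-2017-2612.json hunks in this commit. Separately, the problemtype value `CWE-325` appears to be a cryptographic-step weakness class while the description reads as an information exposure to low-privilege users, so the CWE mapping looks worth a second check.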
@@ -1,72 +1,85 @@
 {
- "impact": {
- "cvss": [
- [
- {
- "vectorString": "8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
- "version": "3.0"
- }
+ "CVE_data_meta" : {
+ "ASSIGNER" : "lpardo@redhat.com",
+ "ID" : "CVE-2017-2608",
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "jenkins",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "jenkins 2.44"
+ },
+ {
+ "version_value" : "jenkins 2.32.2"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "[UNKNOWN]"
+ }
+ ]
+ }
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383)."
+ }
+ ]
+ },
+ "impact" : {
+ "cvss" : [
+ [
+ {
+ "vectorString" : "8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+ "version" : "3.0"
+ }
+ ]
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "CWE-502"
+ }
 ]
- ]
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383)"
- }
- ]
- },
- "data_type": "CVE",
- "affects": {
- "vendor": {
- "vendor_data": [
- {
- "product": {
- "product_data": [
- {
- "version": {
- "version_data": [
- {
- "version_value": "jenkins 2.44"
- },
- {
- "version_value": "jenkins 2.32.2"
- }
- ]
- },
- "product_name": "jenkins"
- }
- ]
- },
- "vendor_name": "[UNKNOWN]"
- }
- ]
- }
- },
- "data_format": "MITRE",
- "problemtype": {
- "problemtype_data": [
- {
- "description": [
- {
- "lang": "eng",
- "value": "CWE-502"
- }
- ]
- }
- ]
- },
- "data_version": "4.0",
- "references": {
- "reference_data": [
- {
- "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2608"
- }
- ]
- },
- "CVE_data_meta": {
- "ID": "CVE-2017-2608",
- "ASSIGNER": "lpardo@redhat.com"
- }
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2608",
+ "refsource" : "CONFIRM",
+ "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2608"
+ },
+ {
+ "name" : "https://github.com/jenkinsci/jenkins/commit/a814154695e23dc37542af7d40cacc129cf70722",
+ "refsource" : "CONFIRM",
+ "url" : "https://github.com/jenkinsci/jenkins/commit/a814154695e23dc37542af7d40cacc129cf70722"
+ },
+ {
+ "name" : "https://jenkins.io/security/advisory/2017-02-01/",
+ "refsource" : "CONFIRM",
+ "url" : "https://jenkins.io/security/advisory/2017-02-01/"
+ }
+ ]
+ }
 }
diff --git a/2017/2xxx/CVE-2017-2612.json b/2017/2xxx/CVE-2017-2612.json
index 92af0be0b2e..1612f9f12cd 100644
--- a/2017/2xxx/CVE-2017-2612.json
+++ b/2017/2xxx/CVE-2017-2612.json
@@ -1,72 +1,85 @@
 {
- "impact": {
- "cvss": [
- [
- {
- "vectorString": "5.4/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
- "version": "3.0"
- }
+ "CVE_data_meta" : {
+ "ASSIGNER" : "lpardo@redhat.com",
+ "ID" : "CVE-2017-2612",
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "jenkins",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "jenkins 2.44"
+ },
+ {
+ "version_value" : "jenkins 2.32.2"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "[UNKNOWN]"
+ }
+ ]
+ }
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "In Jenkins before versions 2.44, 2.32.2 low privilege users were able to override JDK download credentials (SECURITY-392), resulting in future builds possibly failing to download a JDK."
+ }
+ ]
+ },
+ "impact" : {
+ "cvss" : [
+ [
+ {
+ "vectorString" : "5.4/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
+ "version" : "3.0"
+ }
+ ]
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "CWE-358"
+ }
 ]
- ]
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "In jenkins before versions 2.44, 2.32.2 low privilege users were able to override JDK download credentials (SECURITY-392), resulting in future builds possibly failing to download a JDK"
- }
- ]
- },
- "data_type": "CVE",
- "affects": {
- "vendor": {
- "vendor_data": [
- {
- "product": {
- "product_data": [
- {
- "version": {
- "version_data": [
- {
- "version_value": "jenkins 2.44"
- },
- {
- "version_value": "jenkins 2.32.2"
- }
- ]
- },
- "product_name": "jenkins"
- }
- ]
- },
- "vendor_name": "[UNKNOWN]"
- }
- ]
- }
- },
- "data_format": "MITRE",
- "problemtype": {
- "problemtype_data": [
- {
- "description": [
- {
- "lang": "eng",
- "value": "CWE-358"
- }
- ]
- }
- ]
- },
- "data_version": "4.0",
- "references": {
- "reference_data": [
- {
- "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2612"
- }
- ]
- },
- "CVE_data_meta": {
- "ID": "CVE-2017-2612",
- "ASSIGNER": "lpardo@redhat.com"
- }
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2612",
+ "refsource" : "CONFIRM",
+ "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2612"
+ },
+ {
+ "name" : "https://github.com/jenkinsci/jenkins/commit/a814154695e23dc37542af7d40cacc129cf70722",
+ "refsource" : "CONFIRM",
+ "url" : "https://github.com/jenkinsci/jenkins/commit/a814154695e23dc37542af7d40cacc129cf70722"
+ },
+ {
+ "name" : "https://jenkins.io/security/advisory/2017-02-01/",
+ "refsource" : "CONFIRM",
+ "url" : "https://jenkins.io/security/advisory/2017-02-01/"
+ }
+ ]
+ }
 }
diff --git a/2018/11xxx/CVE-2018-11131.json b/2018/11xxx/CVE-2018-11131.json
new file mode 100644
index 00000000000..153080a43df
--- /dev/null
+++ b/2018/11xxx/CVE-2018-11131.json
@@ -0,0 +1,18 @@
+{
+ "CVE_data_meta" : {
+ "ASSIGNER" : "cve@mitre.org",
+ "ID" : "CVE-2018-11131",
+ "STATE" : "RESERVED"
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
diff --git a/2018/1xxx/CVE-2018-1262.json b/2018/1xxx/CVE-2018-1262.json
index e0c0dc9d8cc..9156b8e806b 100644
--- a/2018/1xxx/CVE-2018-1262.json
+++ b/2018/1xxx/CVE-2018-1262.json
@@ -1,7 +1,7 @@
 {
 "CVE_data_meta" : {
- "ASSIGNER" : "cve@mitre.org",
- "DATE_PUBLIC" : "2018-05-09T00:00:00",
+ "ASSIGNER" : "security_alert@emc.com",
+ "DATE_PUBLIC" : "2018-05-09T00:00:00",
 "ID" : "CVE-2018-1262",
 "STATE" : "PUBLIC"
 },
@@ -35,7 +35,7 @@
 "description_data" : [
 {
 "lang" : "eng",
- "value" : "UAA, versions 4.12.X and 4.13.X, introduced a feature which could allow privilege escalation across identity zones for clients performing offline validation. A zone administrator could configure their zone to issue tokens which impersonate another zone, granting up to admin privileges in the impersonated zone for clients performing offline token validation."
+ "value" : "Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a feature which could allow privilege escalation across identity zones for clients performing offline validation. A zone administrator could configure their zone to issue tokens which impersonate another zone, granting up to admin privileges in the impersonated zone for clients performing offline token validation."
 }
 ]
 },
@@ -54,6 +54,8 @@
 "references" : {
 "reference_data" : [
 {
+ "name" : "https://www.cloudfoundry.org/blog/cve-2018-1262/",
+ "refsource" : "CONFIRM",
 "url" : "https://www.cloudfoundry.org/blog/cve-2018-1262/"
 }
 ]
diff --git a/2018/1xxx/CVE-2018-1263.json b/2018/1xxx/CVE-2018-1263.json
index 9d5da03658e..76c2fa09bfd 100644
--- a/2018/1xxx/CVE-2018-1263.json
+++ b/2018/1xxx/CVE-2018-1263.json
@@ -1,7 +1,7 @@
 {
 "CVE_data_meta" : {
- "ASSIGNER" : "cve@mitre.org",
- "DATE_PUBLIC" : "2018-05-09T00:00:00",
+ "ASSIGNER" : "security_alert@emc.com",
+ "DATE_PUBLIC" : "2018-05-09T00:00:00",
 "ID" : "CVE-2018-1263",
 "STATE" : "PUBLIC"
 },
@@ -35,7 +35,7 @@
 "description_data" : [
 {
 "lang" : "eng",
- "value" : "Addresses partial fix in CVE-2018-1261. spring-integration-zip, versions prior to 1.0.2, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder."
+ "value" : "Addresses partial fix in CVE-2018-1261. Pivotal spring-integration-zip, versions prior to 1.0.2, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder."
 }
 ]
 },
@@ -54,6 +54,8 @@
 "references" : {
 "reference_data" : [
 {
+ "name" : "https://pivotal.io/security/cve-2018-1263",
+ "refsource" : "CONFIRM",
 "url" : "https://pivotal.io/security/cve-2018-1263"
 }
 ]