admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-06-07 21:47:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

- Synchronized data.

Browse Source
This commit is contained in:
CVE Team 2019-03-07 14:04:37 -05:00
parent 951239d017
commit 4709817276
No known key found for this signature in database
GPG Key ID: 0DA1F9F56BC892E8
10 changed files with 999 additions and 730 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

258
2019/1xxx/CVE-2019-1596.json
View File

@ -1,132 +1,132 @@
{
"CVE_data_meta": {
"ASSIGNER": "psirt@cisco.com",
"DATE_PUBLIC": "2019-03-06T16:00:00-0800",
"ID": "CVE-2019-1596",
"STATE": "PUBLIC",
"TITLE": "Cisco NX-OS Software Bash Shell Privilege Escalation Vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Nexus 3000 Series Switches",
"version": {
"version_data": [
{
"affected": "<",
"version_value": "7.0(3)I7(4)"
}
]
}
},
{
"product_name": "Nexus 3500 Platform Switches",
"version": {
"version_data": [
{
"affected": "<",
"version_value": "7.0(3)I7(4)"
}
]
}
},
{
"product_name": "Nexus 3600 Platform Switches",
"version": {
"version_data": [
{
"affected": "<",
"version_value": "7.0(3)F3(5)"
}
]
}
},
{
"product_name": "Nexus 9000 Series Switches in Standalone NX-OS Mode",
"version": {
"version_data": [
{
"affected": "<",
"version_value": "7.0(3)I7(4)"
}
]
}
},
{
"product_name": "Nexus 9500 R-Series Line Cards and Fabric Modules",
"version": {
"version_data": [
{
"affected": "<",
"version_value": "7.0(3)F3(5)"
}
]
}
}
]
},
"vendor_name": "Cisco"
}
"CVE_data_meta" : {
"ASSIGNER" : "psirt@cisco.com",
"DATE_PUBLIC" : "2019-03-06T16:00:00-0800",
"ID" : "CVE-2019-1596",
"STATE" : "PUBLIC",
"TITLE" : "Cisco NX-OS Software Bash Shell Privilege Escalation Vulnerability"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "Nexus 3000 Series Switches",
"version" : {
"version_data" : [
{
"affected" : "<",
"version_value" : "7.0(3)I7(4)"
}
]
}
},
{
"product_name" : "Nexus 3500 Platform Switches",
"version" : {
"version_data" : [
{
"affected" : "<",
"version_value" : "7.0(3)I7(4)"
}
]
}
},
{
"product_name" : "Nexus 3600 Platform Switches",
"version" : {
"version_data" : [
{
"affected" : "<",
"version_value" : "7.0(3)F3(5)"
}
]
}
},
{
"product_name" : "Nexus 9000 Series Switches in Standalone NX-OS Mode",
"version" : {
"version_data" : [
{
"affected" : "<",
"version_value" : "7.0(3)I7(4)"
}
]
}
},
{
"product_name" : "Nexus 9500 R-Series Line Cards and Fabric Modules",
"version" : {
"version_data" : [
{
"affected" : "<",
"version_value" : "7.0(3)F3(5)"
}
]
}
}
]
},
"vendor_name" : "Cisco"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
"data_version" : "4.0",
"description" : {
"description_data" : [
{
"lang" : "eng",
"value" : "A vulnerability in the Bash shell implementation for Cisco NX-OS Software could allow an authenticated, local attacker to escalate their privilege level to root. The attacker must authenticate with valid user credentials. The vulnerability is due to incorrect permissions of a system executable. An attacker could exploit this vulnerability by authenticating to the device and entering a crafted command at the Bash prompt. A successful exploit could allow the attacker to escalate their privilege level to root. Nexus 3000 Series Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3500 Platform Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3600 Platform Switches are affected in versions prior to 7.0(3)F3(5). Nexus 9000 Series Switches in Standalone NX-OS Mode are affected in versions prior to 7.0(3)I7(4). Nexus 9500 R-Series Line Cards and Fabric Modules are affected in versions prior to 7.0(3)F3(5)."
}
]
},
"exploit" : [
{
"lang" : "eng",
"value" : "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. "
}
],
"impact" : {
"cvss" : {
"baseScore" : "7.8",
"vectorString" : "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H ",
"version" : "3.0"
}
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "CWE-264"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in the Bash shell implementation for Cisco NX-OS Software could allow an authenticated, local attacker to escalate their privilege level to root. The attacker must authenticate with valid user credentials. The vulnerability is due to incorrect permissions of a system executable. An attacker could exploit this vulnerability by authenticating to the device and entering a crafted command at the Bash prompt. A successful exploit could allow the attacker to escalate their privilege level to root. Nexus 3000 Series Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3500 Platform Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3600 Platform Switches are affected in versions prior to 7.0(3)F3(5). Nexus 9000 Series Switches in Standalone NX-OS Mode are affected in versions prior to 7.0(3)I7(4). Nexus 9500 R-Series Line Cards and Fabric Modules are affected in versions prior to 7.0(3)F3(5)."
}
]
},
"exploit": [
{
"lang": "eng",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. "
}
],
"impact": {
"cvss": {
"baseScore": "7.8",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H ",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-264"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20190306 Cisco NX-OS Software Bash Shell Privilege Escalation Vulnerability",
"refsource": "CISCO",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-pe"
}
]
},
"source": {
"advisory": "cisco-sa-20190306-nxos-pe",
"defect": [
[
"CSCvj58962",
"CSCvk71078"
]
],
"discovery": "INTERNAL"
}
}
]
},
"references" : {
"reference_data" : [
{
"name" : "20190306 Cisco NX-OS Software Bash Shell Privilege Escalation Vulnerability",
"refsource" : "CISCO",
"url" : "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-pe"
}
]
},
"source" : {
"advisory" : "cisco-sa-20190306-nxos-pe",
"defect" : [
[
"CSCvj58962",
"CSCvk71078"
]
],
"discovery" : "INTERNAL"
}
}

372
2019/1xxx/CVE-2019-1597.json
View File

@ -1,189 +1,189 @@
{
"CVE_data_meta": {
"ASSIGNER": "psirt@cisco.com",
"DATE_PUBLIC": "2019-03-06T16:00:00-0800",
"ID": "CVE-2019-1597",
"STATE": "PUBLIC",
"TITLE": "Cisco FXOS and NX-OS Lightweight Directory Access Protocol Denial of Service Vulnerabilities"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Firepower 4100 Series Next-Generation Firewalls",
"version": {
"version_data": [
{
"affected": "<",
"version_value": "2.0.1.201"
},
{
"affected": "<",
"version_value": "2.2.2.54"
},
{
"affected": "<",
"version_value": "2.3.1.75"
}
]
}
},
{
"product_name": "Firepower 9300 Security Appliance",
"version": {
"version_data": [
{
"affected": "<",
"version_value": "2.0.1.201"
},
{
"affected": "<",
"version_value": "2.2.2.54"
},
{
"affected": "<",
"version_value": "2.3.1.75"
}
]
}
},
{
"product_name": "MDS 9000 Series Multilayer Switches",
"version": {
"version_data": [
{
"affected": "<",
"version_value": "8.2(1)"
}
]
}
},
{
"product_name": "Nexus 3000 Series Switches",
"version": {
"version_data": [
{
"affected": "<",
"version_value": "7.0(3)I7(1)"
}
]
}
},
{
"product_name": "Nexus 3500 Platform Switches ",
"version": {
"version_data": [
{
"affected": "<",
"version_value": "7.0(3)I7(2)"
}
]
}
},
{
"product_name": "Nexus 7000 and 7700 Series Switches",
"version": {
"version_data": [
{
"affected": "<",
"version_value": "8.2(1)"
}
]
}
},
{
"product_name": "Nexus 9000 Series Switches in Standalone NX-OS Mode",
"version": {
"version_data": [
{
"affected": "<",
"version_value": "7.0(3)I7(1)"
}
]
}
},
{
"product_name": "Cisco UCS 6200 and 6300 Fabric Interconnect",
"version": {
"version_data": [
{
"affected": "<",
"version_value": "3.2(2b)"
}
]
}
}
]
},
"vendor_name": "Cisco"
}
"CVE_data_meta" : {
"ASSIGNER" : "psirt@cisco.com",
"DATE_PUBLIC" : "2019-03-06T16:00:00-0800",
"ID" : "CVE-2019-1597",
"STATE" : "PUBLIC",
"TITLE" : "Cisco FXOS and NX-OS Lightweight Directory Access Protocol Denial of Service Vulnerabilities"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "Firepower 4100 Series Next-Generation Firewalls",
"version" : {
"version_data" : [
{
"affected" : "<",
"version_value" : "2.0.1.201"
},
{
"affected" : "<",
"version_value" : "2.2.2.54"
},
{
"affected" : "<",
"version_value" : "2.3.1.75"
}
]
}
},
{
"product_name" : "Firepower 9300 Security Appliance",
"version" : {
"version_data" : [
{
"affected" : "<",
"version_value" : "2.0.1.201"
},
{
"affected" : "<",
"version_value" : "2.2.2.54"
},
{
"affected" : "<",
"version_value" : "2.3.1.75"
}
]
}
},
{
"product_name" : "MDS 9000 Series Multilayer Switches",
"version" : {
"version_data" : [
{
"affected" : "<",
"version_value" : "8.2(1)"
}
]
}
},
{
"product_name" : "Nexus 3000 Series Switches",
"version" : {
"version_data" : [
{
"affected" : "<",
"version_value" : "7.0(3)I7(1)"
}
]
}
},
{
"product_name" : "Nexus 3500 Platform Switches ",
"version" : {
"version_data" : [
{
"affected" : "<",
"version_value" : "7.0(3)I7(2)"
}
]
}
},
{
"product_name" : "Nexus 7000 and 7700 Series Switches",
"version" : {
"version_data" : [
{
"affected" : "<",
"version_value" : "8.2(1)"
}
]
}
},
{
"product_name" : "Nexus 9000 Series Switches in Standalone NX-OS Mode",
"version" : {
"version_data" : [
{
"affected" : "<",
"version_value" : "7.0(3)I7(1)"
}
]
}
},
{
"product_name" : "Cisco UCS 6200 and 6300 Fabric Interconnect",
"version" : {
"version_data" : [
{
"affected" : "<",
"version_value" : "3.2(2b)"
}
]
}
}
]
},
"vendor_name" : "Cisco"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
"data_version" : "4.0",
"description" : {
"description_data" : [
{
"lang" : "eng",
"value" : "Multiple vulnerabilities in the implementation of the Lightweight Directory Access Protocol (LDAP) feature in Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerabilities are due to the improper parsing of LDAP packets by an affected device. An attacker could exploit these vulnerabilities by sending an LDAP packet crafted using Basic Encoding Rules (BER) to an affected device. The LDAP packet must have a source IP address of an LDAP server configured on the targeted device. A successful exploit could cause the affected device to reload, resulting in a DoS condition. Firepower 4100 Series Next-Generation Firewalls are affected in versions prior to 2.0.1.201, 2.2.2.54, and 2.3.1.75. Firepower 9300 Security Appliances are affected in versions prior to 2.0.1.201, 2.2.2.54 and 2.3.1.75. MDS 9000 Series Multilayer Switches are affected in versions prior to 8.2(1). Nexus 3000 Series Switches are affected in versions prior to 7.0(3)I7(1). Nexus 3500 Platform Switches are affected in versions prior to 7.0(3)I7(2). Nexus 7000 and 7700 Series Switches are affected in versions prior to 8.2(1). Nexus 9000 Series Switches in Standalone NX-OS Mode are affected in versions prior to 7.0(3)I7(1). Cisco UCS 6200 and 6300 Fabric Interconnect devices are affected in versions prior to 3.2(2b)."
}
]
},
"exploit" : [
{
"lang" : "eng",
"value" : "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. "
}
],
"impact" : {
"cvss" : {
"baseScore" : "8.6",
"vectorString" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H ",
"version" : "3.0"
}
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "CWE-20"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple vulnerabilities in the implementation of the Lightweight Directory Access Protocol (LDAP) feature in Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerabilities are due to the improper parsing of LDAP packets by an affected device. An attacker could exploit these vulnerabilities by sending an LDAP packet crafted using Basic Encoding Rules (BER) to an affected device. The LDAP packet must have a source IP address of an LDAP server configured on the targeted device. A successful exploit could cause the affected device to reload, resulting in a DoS condition. Firepower 4100 Series Next-Generation Firewalls are affected in versions prior to 2.0.1.201, 2.2.2.54, and 2.3.1.75. Firepower 9300 Security Appliances are affected in versions prior to 2.0.1.201, 2.2.2.54 and 2.3.1.75. MDS 9000 Series Multilayer Switches are affected in versions prior to 8.2(1). Nexus 3000 Series Switches are affected in versions prior to 7.0(3)I7(1). Nexus 3500 Platform Switches are affected in versions prior to 7.0(3)I7(2). Nexus 7000 and 7700 Series Switches are affected in versions prior to 8.2(1). Nexus 9000 Series Switches in Standalone NX-OS Mode are affected in versions prior to 7.0(3)I7(1). Cisco UCS 6200 and 6300 Fabric Interconnect devices are affected in versions prior to 3.2(2b)."
}
]
},
"exploit": [
{
"lang": "eng",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. "
}
],
"impact": {
"cvss": {
"baseScore": "8.6",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H ",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20190306 Cisco FXOS and NX-OS Lightweight Directory Access Protocol Denial of Service Vulnerabilities",
"refsource": "CISCO",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxosldap"
}
]
},
"source": {
"advisory": "cisco-sa-20190306-nxosldap",
"defect": [
[
"CSCvd40241",
"CSCvd57308",
"CSCve02855",
"CSCve02858",
"CSCve02865",
"CSCve02867",
"CSCve02871",
"CSCve57816",
"CSCve57820",
"CSCve58224"
]
],
"discovery": "INTERNAL"
}
}
]
},
"references" : {
"reference_data" : [
{
"name" : "20190306 Cisco FXOS and NX-OS Lightweight Directory Access Protocol Denial of Service Vulnerabilities",
"refsource" : "CISCO",
"url" : "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxosldap"
}
]
},
"source" : {
"advisory" : "cisco-sa-20190306-nxosldap",
"defect" : [
[
"CSCvd40241",
"CSCvd57308",
"CSCve02855",
"CSCve02858",
"CSCve02865",
"CSCve02867",
"CSCve02871",
"CSCve57816",
"CSCve57820",
"CSCve58224"
]
],
"discovery" : "INTERNAL"
}
}

117
2019/3xxx/CVE-2019-3712.json
View File

@ -1,100 +1,101 @@
{
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"DATE_PUBLIC": "2019-02-28T17:00:00.000Z",
"ID": "CVE-2019-3712",
"STATE": "PUBLIC",
"TITLE": "DSA-2019-039: Dell Wyse Device Agent Buffer Overflow Vulnerability"
"CVE_data_meta" : {
"ASSIGNER" : "secure@dell.com",
"DATE_PUBLIC" : "2019-02-28T17:00:00.000Z",
"ID" : "CVE-2019-3712",
"STATE" : "PUBLIC",
"TITLE" : "DSA-2019-039: Dell Wyse Device Agent Buffer Overflow Vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product": {
"product_data": [
"product" : {
"product_data" : [
{
"product_name": "Wyse Device Agent",
"version": {
"version_data": [
"product_name" : "Wyse Device Agent",
"version" : {
"version_data" : [
{
"affected": "<=",
"version_value": "14.1.2.9"
"affected" : "<=",
"version_value" : "14.1.2.9"
}
]
}
},
{
"product_name": "Wyse ThinLinux HAgent",
"version": {
"version_data": [
"product_name" : "Wyse ThinLinux HAgent",
"version" : {
"version_data" : [
{
"affected": "<=",
"version_value": "5.4.55 00.10"
"affected" : "<=",
"version_value" : "5.4.55 00.10"
}
]
}
}
]
},
"vendor_name": "Dell"
"vendor_name" : "Dell"
}
]
}
},
"credit": [
"credit" : [
{
"lang": "eng",
"value": "Dell would like to thank Jason Larsen of IOActive for reporting this vulnerability."
"lang" : "eng",
"value" : "Dell would like to thank Jason Larsen of IOActive for reporting this vulnerability."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
"data_format" : "MITRE",
"data_type" : "CVE",
"data_version" : "4.0",
"description" : {
"description_data" : [
{
"lang": "eng",
"value": "Dell WES Wyse Device Agent versions prior to 14.1.2.9 and Dell Wyse ThinLinux HAgent versions prior to 5.4.55 00.10 contain a buffer overflow vulnerability. An unauthenticated attacker may potentially exploit this vulnerability to execute arbitrary code on the system with privileges of the FTP client by sending specially crafted input data to the affected system. The FTP code that contained the vulnerability has been removed."
"lang" : "eng",
"value" : "Dell WES Wyse Device Agent versions prior to 14.1.2.9 and Dell Wyse ThinLinux HAgent versions prior to 5.4.55 00.10 contain a buffer overflow vulnerability. An unauthenticated attacker may potentially exploit this vulnerability to execute arbitrary code on the system with privileges of the FTP client by sending specially crafted input data to the affected system. The FTP code that contained the vulnerability has been removed."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L",
"version": "3.0"
"impact" : {
"cvss" : {
"attackComplexity" : "HIGH",
"attackVector" : "ADJACENT_NETWORK",
"availabilityImpact" : "LOW",
"baseScore" : 8.2,
"baseSeverity" : "HIGH",
"confidentialityImpact" : "HIGH",
"integrityImpact" : "HIGH",
"privilegesRequired" : "NONE",
"scope" : "CHANGED",
"userInteraction" : "NONE",
"vectorString" : "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L",
"version" : "3.0"
}
},
"problemtype": {
"problemtype_data": [
"problemtype" : {
"problemtype_data" : [
{
"description": [
"description" : [
{
"lang": "eng",
"value": "buffer overflow vulnerability"
"lang" : "eng",
"value" : "buffer overflow vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
"references" : {
"reference_data" : [
{
"refsource": "CONFIRM",
"url": "https://www.dell.com/support/article/us/en/19/sln316391"
"name" : "https://www.dell.com/support/article/us/en/19/sln316391",
"refsource" : "MISC",
"url" : "https://www.dell.com/support/article/us/en/19/sln316391"
}
]
},
"source": {
"discovery": "UNKNOWN"
"source" : {
"discovery" : "UNKNOWN"
}
}
}

159
2019/3xxx/CVE-2019-3775.json
View File

@ -1,84 +1,85 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"DATE_PUBLIC": "2019-02-26T00:00:00.000Z",
"ID": "CVE-2019-3775",
"STATE": "PUBLIC",
"TITLE": "UAA allows users to modify their own email address"
},
"source": {
"discovery": "UNKNOWN"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "UAA Release (OSS)",
"version": {
"version_data": [
{
"affected": "<",
"version_name": "All",
"version_value": "v70.0"
}
"CVE_data_meta" : {
"ASSIGNER" : "secure@dell.com",
"DATE_PUBLIC" : "2019-02-26T00:00:00.000Z",
"ID" : "CVE-2019-3775",
"STATE" : "PUBLIC",
"TITLE" : "UAA allows users to modify their own email address"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "UAA Release (OSS)",
"version" : {
"version_data" : [
{
"affected" : "<",
"version_name" : "All",
"version_value" : "v70.0"
}
]
}
}
]
}
}
]
},
"vendor_name": "Cloud Foundry"
}
},
"vendor_name" : "Cloud Foundry"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
"data_version" : "4.0",
"description" : {
"description_data" : [
{
"lang" : "eng",
"value" : "Cloud Foundry UAA, versions prior to v70.0, allows a user to update their own email address. A remote authenticated user can impersonate a different user by changing their email address to that of a different user."
}
]
}
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cloud Foundry UAA, versions prior to v70.0, allows a user to update their own email address. A remote authenticated user can impersonate a different user by changing their email address to that of a different user."
},
"impact" : {
"cvss" : {
"attackComplexity" : "HIGH",
"attackVector" : "NETWORK",
"availabilityImpact" : "NONE",
"baseScore" : 7.1,
"baseSeverity" : "HIGH",
"confidentialityImpact" : "LOW",
"integrityImpact" : "HIGH",
"privilegesRequired" : "LOW",
"scope" : "CHANGED",
"userInteraction" : "NONE",
"vectorString" : "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N",
"version" : "3.0"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-290: Authentication Bypass by Spoofing"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://www.cloudfoundry.org/blog/cve-2019-3775"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N",
"version": "3.0"
}
}
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "CWE-290: Authentication Bypass by Spoofing"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"name" : "https://www.cloudfoundry.org/blog/cve-2019-3775",
"refsource" : "CONFIRM",
"url" : "https://www.cloudfoundry.org/blog/cve-2019-3775"
}
]
},
"source" : {
"discovery" : "UNKNOWN"
}
}

101
2019/3xxx/CVE-2019-3776.json
View File

@ -1 +1,100 @@
{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ASSIGNER":"secure@dell.com","DATE_PUBLIC":"2019-02-20T00:00:00.000Z","ID":"CVE-2019-3776","STATE":"PUBLIC","TITLE":"Reflected XSS in Pivotal Operations Manager "},"source":{"discovery":"UNKNOWN"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Pivotal Ops Manager","version":{"version_data":[{"affected":"<","version_name":"2.2","version_value":"2.2.16"},{"affected":"<","version_name":"2.3","version_value":"2.3.10"},{"affected":"<","version_name":"2.4","version_value":"2.4.3"},{"affected":"<","version_name":"2.1","version_value":"2.1.19"}]}}]},"vendor_name":"Pivotal"}]}},"description":{"description_data":[{"lang":"eng","value":"Pivotal Operations Manager, 2.1.x versions prior to 2.1.20, 2.2.x versions prior to 2.2.16, 2.3.x versions prior to 2.3.10, 2.4.x versions prior to 2.4.3, contains a reflected cross site scripting vulnerability. A remote user that is able to convince an Operations Manager user to interact with malicious content could execute arbitrary JavaScript in the user's browser."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-79: Cross-site Scripting (XSS) - Reflected"}]}]},"references":{"reference_data":[{"refsource":"CONFIRM","url":"https://pivotal.io/security/cve-2019-3776"}]},"impact":{"cvss":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":7.2,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:L","version":"3.0"}}}
{
"CVE_data_meta" : {
"ASSIGNER" : "secure@dell.com",
"DATE_PUBLIC" : "2019-02-20T00:00:00.000Z",
"ID" : "CVE-2019-3776",
"STATE" : "PUBLIC",
"TITLE" : "Reflected XSS in Pivotal Operations Manager "
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "Pivotal Ops Manager",
"version" : {
"version_data" : [
{
"affected" : "<",
"version_name" : "2.2",
"version_value" : "2.2.16"
},
{
"affected" : "<",
"version_name" : "2.3",
"version_value" : "2.3.10"
},
{
"affected" : "<",
"version_name" : "2.4",
"version_value" : "2.4.3"
},
{
"affected" : "<",
"version_name" : "2.1",
"version_value" : "2.1.19"
}
]
}
}
]
},
"vendor_name" : "Pivotal"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
"data_version" : "4.0",
"description" : {
"description_data" : [
{
"lang" : "eng",
"value" : "Pivotal Operations Manager, 2.1.x versions prior to 2.1.20, 2.2.x versions prior to 2.2.16, 2.3.x versions prior to 2.3.10, 2.4.x versions prior to 2.4.3, contains a reflected cross site scripting vulnerability. A remote user that is able to convince an Operations Manager user to interact with malicious content could execute arbitrary JavaScript in the user's browser."
}
]
},
"impact" : {
"cvss" : {
"attackComplexity" : "HIGH",
"attackVector" : "NETWORK",
"availabilityImpact" : "LOW",
"baseScore" : 7.2,
"baseSeverity" : "HIGH",
"confidentialityImpact" : "LOW",
"integrityImpact" : "HIGH",
"privilegesRequired" : "HIGH",
"scope" : "CHANGED",
"userInteraction" : "NONE",
"vectorString" : "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:L",
"version" : "3.0"
}
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "CWE-79: Cross-site Scripting (XSS) - Reflected"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"name" : "https://pivotal.io/security/cve-2019-3776",
"refsource" : "CONFIRM",
"url" : "https://pivotal.io/security/cve-2019-3776"
}
]
},
"source" : {
"discovery" : "UNKNOWN"
}
}

226
2019/3xxx/CVE-2019-3777.json
View File

@ -1,117 +1,117 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"DATE_PUBLIC": "2019-02-26T23:47:49.000Z",
"ID": "CVE-2019-3777",
"STATE": "PUBLIC",
"TITLE": "Apps Manager unverified SSL certs in Cloud Controller proxy"
},
"source": {
"discovery": "UNKNOWN"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apps Manager",
"version": {
"version_data": [
{
"affected": "<",
"version_name": "666",
"version_value": "666.0.19"
},
{
"affected": "<",
"version_name": "665",
"version_value": "665.0.26"
},
{
"affected": "<",
"version_name": "667",
"version_value": "667.0.5"
}
"CVE_data_meta" : {
"ASSIGNER" : "secure@dell.com",
"DATE_PUBLIC" : "2019-02-26T23:47:49.000Z",
"ID" : "CVE-2019-3777",
"STATE" : "PUBLIC",
"TITLE" : "Apps Manager unverified SSL certs in Cloud Controller proxy"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "Apps Manager",
"version" : {
"version_data" : [
{
"affected" : "<",
"version_name" : "666",
"version_value" : "666.0.19"
},
{
"affected" : "<",
"version_name" : "665",
"version_value" : "665.0.26"
},
{
"affected" : "<",
"version_name" : "667",
"version_value" : "667.0.5"
}
]
}
},
{
"product_name" : "Pivotal Application Service",
"version" : {
"version_data" : [
{
"affected" : "<",
"version_name" : "2.4",
"version_value" : "2.4.3"
},
{
"affected" : "<",
"version_name" : "2.3",
"version_value" : "2.3.7"
},
{
"affected" : "<",
"version_name" : "2.2",
"version_value" : "2.2.12"
}
]
}
}
]
}
},
{
"product_name": "Pivotal Application Service",
"version": {
"version_data": [
{
"affected": "<",
"version_name": "2.4",
"version_value": "2.4.3"
},
{
"affected": "<",
"version_name": "2.3",
"version_value": "2.3.7"
},
{
"affected": "<",
"version_name": "2.2",
"version_value": "2.2.12"
}
]
}
}
]
},
"vendor_name": "Pivotal"
}
},
"vendor_name" : "Pivotal"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
"data_version" : "4.0",
"description" : {
"description_data" : [
{
"lang" : "eng",
"value" : "Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contain apps manager that uses a cloud controller proxy that fails to verify SSL certs. A remote unauthenticated attacker that could hijack the Cloud Controller's DNS record could intercept access tokens sent to the Cloud Controller, giving the attacker access to the user's resources in the Cloud Controller"
}
]
}
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contain apps manager that uses a cloud controller proxy that fails to verify SSL certs. A remote unauthenticated attacker that could hijack the Cloud Controller's DNS record could intercept access tokens sent to the Cloud Controller, giving the attacker access to the user's resources in the Cloud Controller"
},
"impact" : {
"cvss" : {
"attackComplexity" : "HIGH",
"attackVector" : "NETWORK",
"availabilityImpact" : "NONE",
"baseScore" : 8,
"baseSeverity" : "HIGH",
"confidentialityImpact" : "HIGH",
"integrityImpact" : "HIGH",
"privilegesRequired" : "NONE",
"scope" : "CHANGED",
"userInteraction" : "REQUIRED",
"vectorString" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version" : "3.0"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-295: Improper Certificate Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2019-3777",
"name": "https://pivotal.io/security/cve-2019-3777"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.0"
}
}
}
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "CWE-295: Improper Certificate Validation"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"name" : "https://pivotal.io/security/cve-2019-3777",
"refsource" : "CONFIRM",
"url" : "https://pivotal.io/security/cve-2019-3777"
}
]
},
"source" : {
"discovery" : "UNKNOWN"
}
}

86
2019/3xxx/CVE-2019-3778.json
View File

@ -1 +1,85 @@
{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ASSIGNER":"secure@dell.com","DATE_PUBLIC":"2019-02-21T00:00:00.000Z","ID":"CVE-2019-3778","STATE":"PUBLIC","TITLE":"Open Redirect in spring-security-oauth2"},"source":{"discovery":"UNKNOWN"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Spring Security OAuth","version":{"version_data":[{"affected":"<","version_name":"2.3","version_value":"2.3.5.RELEASE"},{"affected":"<","version_name":"2.0","version_value":"2.0.17.RELEASE"},{"affected":"<","version_name":"2.1","version_value":"2.1.4.RELEASE"},{"affected":"<","version_name":"2.2","version_value":"2.2.4.RELEASE"}]}}]},"vendor_name":"Spring"}]}},"description":{"description_data":[{"lang":"eng","value":"Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the \"redirect_uri\" parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code.\n\nThis vulnerability exposes applications that meet all of the following requirements:\n\n Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer)\n Uses the DefaultRedirectResolver in the AuthorizationEndpoint\n\nThis vulnerability does not expose applications that:\n\n Act in the role of an Authorization Server and uses a different RedirectResolver implementation other than DefaultRedirectResolver\n Act in the role of a Resource Server only (e.g. @EnableResourceServer)\n Act in the role of a Client only (e.g. @EnableOAuthClient)"}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-601: Open Redirect"}]}]},"references":{"reference_data":[{"refsource":"CONFIRM","url":"https://pivotal.io/security/cve-2019-3778"}]},"impact":null}
{
"CVE_data_meta" : {
"ASSIGNER" : "secure@dell.com",
"DATE_PUBLIC" : "2019-02-21T00:00:00.000Z",
"ID" : "CVE-2019-3778",
"STATE" : "PUBLIC",
"TITLE" : "Open Redirect in spring-security-oauth2"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "Spring Security OAuth",
"version" : {
"version_data" : [
{
"affected" : "<",
"version_name" : "2.3",
"version_value" : "2.3.5.RELEASE"
},
{
"affected" : "<",
"version_name" : "2.0",
"version_value" : "2.0.17.RELEASE"
},
{
"affected" : "<",
"version_name" : "2.1",
"version_value" : "2.1.4.RELEASE"
},
{
"affected" : "<",
"version_name" : "2.2",
"version_value" : "2.2.4.RELEASE"
}
]
}
}
]
},
"vendor_name" : "Spring"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
"data_version" : "4.0",
"description" : {
"description_data" : [
{
"lang" : "eng",
"value" : "Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the \"redirect_uri\" parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and uses the DefaultRedirectResolver in the AuthorizationEndpoint. This vulnerability does not expose applications that: Act in the role of an Authorization Server and uses a different RedirectResolver implementation other than DefaultRedirectResolver, act in the role of a Resource Server only (e.g. @EnableResourceServer), act in the role of a Client only (e.g. @EnableOAuthClient)."
}
]
},
"impact" : null,
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "CWE-601: Open Redirect"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"name" : "https://pivotal.io/security/cve-2019-3778",
"refsource" : "CONFIRM",
"url" : "https://pivotal.io/security/cve-2019-3778"
}
]
},
"source" : {
"discovery" : "UNKNOWN"
}
}

86
2019/3xxx/CVE-2019-3781.json
View File

@ -1 +1,85 @@
{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ASSIGNER":"secure@dell.com","DATE_PUBLIC":"2019-02-25T00:00:00.000Z","ID":"CVE-2019-3781","STATE":"PUBLIC","TITLE":"CF CLI does not sanitize user's password in verbose/trace/debug"},"source":{"discovery":"UNKNOWN"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"CF CLI","version":{"version_data":[{"affected":"<","version_name":"All","version_value":"v6.43.0"}]}}]},"vendor_name":"Cloud Foundry"}]}},"description":{"description_data":[{"lang":"eng","value":"Cloud Foundry CLI, versions prior to v6.43.0, improperly exposes passwords when verbose/trace/debugging is turned on. A local unauthenticated or remote authenticated malicious user with access to logs may gain part or all of a users password."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-215: Information Exposure Through Debug Information"}]}]},"references":{"reference_data":[{"refsource":"CONFIRM","name":"https://www.cloudfoundry.org/blog/cve-2019-3781","url":"https://www.cloudfoundry.org/blog/cve-2019-3781"}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":8.2,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N","version":"3.0"}}}
{
"CVE_data_meta" : {
"ASSIGNER" : "secure@dell.com",
"DATE_PUBLIC" : "2019-02-25T00:00:00.000Z",
"ID" : "CVE-2019-3781",
"STATE" : "PUBLIC",
"TITLE" : "CF CLI does not sanitize user's password in verbose/trace/debug"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "CF CLI",
"version" : {
"version_data" : [
{
"affected" : "<",
"version_name" : "All",
"version_value" : "v6.43.0"
}
]
}
}
]
},
"vendor_name" : "Cloud Foundry"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
"data_version" : "4.0",
"description" : {
"description_data" : [
{
"lang" : "eng",
"value" : "Cloud Foundry CLI, versions prior to v6.43.0, improperly exposes passwords when verbose/trace/debugging is turned on. A local unauthenticated or remote authenticated malicious user with access to logs may gain part or all of a users password."
}
]
},
"impact" : {
"cvss" : {
"attackComplexity" : "LOW",
"attackVector" : "LOCAL",
"availabilityImpact" : "NONE",
"baseScore" : 8.2,
"baseSeverity" : "HIGH",
"confidentialityImpact" : "HIGH",
"integrityImpact" : "HIGH",
"privilegesRequired" : "NONE",
"scope" : "CHANGED",
"userInteraction" : "REQUIRED",
"vectorString" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version" : "3.0"
}
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "CWE-215: Information Exposure Through Debug Information"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"name" : "https://www.cloudfoundry.org/blog/cve-2019-3781",
"refsource" : "CONFIRM",
"url" : "https://www.cloudfoundry.org/blog/cve-2019-3781"
}
]
},
"source" : {
"discovery" : "UNKNOWN"
}
}

162
2019/3xxx/CVE-2019-3783.json
View File

@ -1,85 +1,85 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"DATE_PUBLIC": "2019-02-19T17:15:39.000Z",
"ID": "CVE-2019-3783",
"STATE": "PUBLIC",
"TITLE": "Cloud Foundry Stratos Deploys With Public Default Session Store Secret"
},
"source": {
"discovery": "UNKNOWN"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Stratos",
"version": {
"version_data": [
{
"affected": "<",
"version_name": "All",
"version_value": "2.3.0"
}
"CVE_data_meta" : {
"ASSIGNER" : "secure@dell.com",
"DATE_PUBLIC" : "2019-02-19T17:15:39.000Z",
"ID" : "CVE-2019-3783",
"STATE" : "PUBLIC",
"TITLE" : "Cloud Foundry Stratos Deploys With Public Default Session Store Secret"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "Stratos",
"version" : {
"version_data" : [
{
"affected" : "<",
"version_name" : "All",
"version_value" : "2.3.0"
}
]
}
}
]
}
}
]
},
"vendor_name": "Cloud Foundry"
}
},
"vendor_name" : "Cloud Foundry"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
"data_version" : "4.0",
"description" : {
"description_data" : [
{
"lang" : "eng",
"value" : "Cloud Foundry Stratos, versions prior to 2.3.0, deploys with a public default session store secret. A malicious user with default session store secret can brute force another user's current Stratos session, and act on behalf of that user."
}
]
}
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cloud Foundry Stratos, versions prior to 2.3.0, deploys with a public default session store secret. A malicious user with default session store secret can brute force another user's current Stratos session, and act on behalf of that user."
},
"impact" : {
"cvss" : {
"attackComplexity" : "HIGH",
"attackVector" : "NETWORK",
"availabilityImpact" : "NONE",
"baseScore" : 8.7,
"baseSeverity" : "HIGH",
"confidentialityImpact" : "HIGH",
"integrityImpact" : "HIGH",
"privilegesRequired" : "NONE",
"scope" : "CHANGED",
"userInteraction" : "NONE",
"vectorString" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version" : "3.0"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-384: Session Fixation"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://www.cloudfoundry.org/blog/cve-2019-3783",
"name": "https://www.cloudfoundry.org/blog/cve-2019-3783"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.0"
}
}
}
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "CWE-384: Session Fixation"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"name" : "https://www.cloudfoundry.org/blog/cve-2019-3783",
"refsource" : "CONFIRM",
"url" : "https://www.cloudfoundry.org/blog/cve-2019-3783"
}
]
},
"source" : {
"discovery" : "UNKNOWN"
}
}

162
2019/3xxx/CVE-2019-3784.json
View File

@ -1,85 +1,85 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"DATE_PUBLIC": "2019-02-19T17:15:40.000Z",
"ID": "CVE-2019-3784",
"STATE": "PUBLIC",
"TITLE": "Cloud Foundry Stratos contains a Session Collision Vulnerability"
},
"source": {
"discovery": "UNKNOWN"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Stratos",
"version": {
"version_data": [
{
"affected": "<",
"version_name": "All",
"version_value": "2.3.0"
}
"CVE_data_meta" : {
"ASSIGNER" : "secure@dell.com",
"DATE_PUBLIC" : "2019-02-19T17:15:40.000Z",
"ID" : "CVE-2019-3784",
"STATE" : "PUBLIC",
"TITLE" : "Cloud Foundry Stratos contains a Session Collision Vulnerability"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "Stratos",
"version" : {
"version_data" : [
{
"affected" : "<",
"version_name" : "All",
"version_value" : "2.3.0"
}
]
}
}
]
}
}
]
},
"vendor_name": "Cloud Foundry"
}
},
"vendor_name" : "Cloud Foundry"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
"data_version" : "4.0",
"description" : {
"description_data" : [
{
"lang" : "eng",
"value" : "Cloud Foundry Stratos, versions prior to 2.3.0, contains an insecure session that can be spoofed. When deployed on cloud foundry with multiple instances using the default embedded SQLite database, a remote authenticated malicious user can switch sessions to another user with the same session id."
}
]
}
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cloud Foundry Stratos, versions prior to 2.3.0, contains an insecure session that can be spoofed. When deployed on cloud foundry with multiple instances using the default embedded SQLite database, a remote authenticated malicious user can switch sessions to the another user with the same session id.\n"
},
"impact" : {
"cvss" : {
"attackComplexity" : "HIGH",
"attackVector" : "NETWORK",
"availabilityImpact" : "NONE",
"baseScore" : 8.2,
"baseSeverity" : "HIGH",
"confidentialityImpact" : "HIGH",
"integrityImpact" : "HIGH",
"privilegesRequired" : "LOW",
"scope" : "CHANGED",
"userInteraction" : "NONE",
"vectorString" : "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version" : "3.0"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-384: Session Fixation"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://www.cloudfoundry.org/blog/cve-2019-3784",
"name": "https://www.cloudfoundry.org/blog/cve-2019-3784"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.0"
}
}
}
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "CWE-384: Session Fixation"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"name" : "https://www.cloudfoundry.org/blog/cve-2019-3784",
"refsource" : "CONFIRM",
"url" : "https://www.cloudfoundry.org/blog/cve-2019-3784"
}
]
},
"source" : {
"discovery" : "UNKNOWN"
}
}