"-Synchronized-Data."

This commit is contained in:
CVE Team 2021-06-08 18:01:00 +00:00
parent 23cd3b8aec
commit 4a1a23dce2
No known key found for this signature in database
GPG Key ID: 5708902F06FEF743
10 changed files with 334 additions and 31 deletions

View File

@ -48,6 +48,11 @@
"refsource": "MISC",
"name": "https://source.android.com/security/bulletin/pixel/2020-03-01",
"url": "https://source.android.com/security/bulletin/pixel/2020-03-01"
},
{
"refsource": "CONFIRM",
"name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00505.html",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00505.html"
}
]
},

View File

@ -1,17 +1,76 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2020-25817",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2020-25817",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "SilverStripe through 4.6.0-rc1 has an XXE Vulnerability in CSSContentParser. A developer utility meant for parsing HTML within unit tests can be vulnerable to XML External Entity (XXE) attacks. When this developer utility is misused for purposes involving external or user submitted data in custom project code, it can lead to vulnerabilities such as XSS on HTML output rendered through this custom code. This is now mitigated by disabling external entities during parsing. (The correct CVE ID year is 2020 [CVE-2020-25817, not CVE-2021-25817])."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"name": "https://www.silverstripe.org/download/security-releases/",
"url": "https://www.silverstripe.org/download/security-releases/"
},
{
"url": "https://www.silverstripe.org/blog/tag/release",
"refsource": "MISC",
"name": "https://www.silverstripe.org/blog/tag/release"
},
{
"url": "https://forum.silverstripe.org/c/releases",
"refsource": "MISC",
"name": "https://forum.silverstripe.org/c/releases"
},
{
"refsource": "MISC",
"name": "https://www.silverstripe.org/download/security-releases/cve-2021-25817-xxe-vulnerability-in-css-contentparser",
"url": "https://www.silverstripe.org/download/security-releases/cve-2021-25817-xxe-vulnerability-in-css-contentparser"
}
]
}

View File

@ -1,18 +1,80 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2020-26138",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2020-26138",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "In SilverStripe through 4.6.0-rc1, a FormField with square brackets in the field name skips validation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"name": "https://www.silverstripe.org/download/security-releases/",
"url": "https://www.silverstripe.org/download/security-releases/"
},
{
"url": "https://www.silverstripe.org/blog/tag/release",
"refsource": "MISC",
"name": "https://www.silverstripe.org/blog/tag/release"
},
{
"url": "https://forum.silverstripe.org/c/releases",
"refsource": "MISC",
"name": "https://forum.silverstripe.org/c/releases"
},
{
"refsource": "MISC",
"name": "https://www.silverstripe.org/download/security-releases/cve-2020-26138",
"url": "https://www.silverstripe.org/download/security-releases/cve-2020-26138"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}

View File

@ -66,6 +66,11 @@
"refsource": "FEDORA",
"name": "FEDORA-2021-a35b44fd9f",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NSS6CTGE4UGTJLCOZOASDR3T3SLL6QJZ/"
},
{
"refsource": "CONFIRM",
"name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00520.html",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00520.html"
}
]
}

View File

@ -66,6 +66,16 @@
"refsource": "FEDORA",
"name": "FEDORA-2021-a35b44fd9f",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NSS6CTGE4UGTJLCOZOASDR3T3SLL6QJZ/"
},
{
"refsource": "CONFIRM",
"name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00520.html",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00520.html"
},
{
"refsource": "CONFIRM",
"name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00517.html",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00517.html"
}
]
}

View File

@ -1,17 +1,66 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-28293",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2021-28293",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Seceon aiSIEM before 6.3.2 (build 585) is prone to an unauthenticated account takeover vulnerability in the Forgot Password feature. The lack of correct configuration leads to recovery of the password reset link generated via the password reset functionality, and thus an unauthenticated attacker can set an arbitrary password for any user."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"url": "http://aisiem.com",
"refsource": "MISC",
"name": "http://aisiem.com"
},
{
"refsource": "MISC",
"name": "https://0xdb9.in/2021/06/07/cve-2021-28293.html",
"url": "https://0xdb9.in/2021/06/07/cve-2021-28293.html"
}
]
}

View File

@ -38,7 +38,7 @@
"description_data": [
{
"lang": "eng",
"value": "Zope is an open-source web application server. This advisory extends the previous advisory at https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36 with additional cases of TAL expression traversal vulnerabilities. Most Python modules are not available for using in TAL expressions that you can add through-the-web, for example in Zope Page Templates. This restriction avoids file system access, for example via the 'os' module. But some of the untrusted modules are available indirectly through Python modules that are available for direct use. By default, you need to have the Manager role to add or edit Zope Page Templates through the web. Only sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk. The problem has been fixed in Zope 5.21 and 4.6.1. The workaround is the same as for https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36: A site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.\n"
"value": "Zope is an open-source web application server. This advisory extends the previous advisory at https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36 with additional cases of TAL expression traversal vulnerabilities. Most Python modules are not available for using in TAL expressions that you can add through-the-web, for example in Zope Page Templates. This restriction avoids file system access, for example via the 'os' module. But some of the untrusted modules are available indirectly through Python modules that are available for direct use. By default, you need to have the Manager role to add or edit Zope Page Templates through the web. Only sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk. The problem has been fixed in Zope 5.21 and 4.6.1. The workaround is the same as for https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36: A site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only."
}
]
},

View File

@ -72,6 +72,11 @@
"refsource": "MLIST",
"name": "[apisix-dev] 20210608 CVE-2021-33190: Apache APISIX Dashboard: Bypass network access control",
"url": "https://lists.apache.org/thread.html/re736aea55e8fd2478f0739c0c38a9375c4204fc1f0bd1ea687f57049@%3Cdev.apisix.apache.org%3E"
},
{
"refsource": "MLIST",
"name": "[oss-security] 20210608 CVE-2021-33190: Apache APISIX Dashboard: Bypass network access control",
"url": "http://www.openwall.com/lists/oss-security/2021/06/08/4"
}
]
},

View File

@ -1,17 +1,71 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-33203",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2021-33203",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"url": "https://groups.google.com/forum/#!forum/django-announce",
"refsource": "MISC",
"name": "https://groups.google.com/forum/#!forum/django-announce"
},
{
"url": "https://docs.djangoproject.com/en/3.2/releases/security/",
"refsource": "MISC",
"name": "https://docs.djangoproject.com/en/3.2/releases/security/"
},
{
"refsource": "CONFIRM",
"name": "https://www.djangoproject.com/weblog/2021/jun/02/security-releases/",
"url": "https://www.djangoproject.com/weblog/2021/jun/02/security-releases/"
}
]
}

View File

@ -1,17 +1,71 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-33571",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2021-33571",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) ."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"url": "https://docs.djangoproject.com/en/3.2/releases/security/",
"refsource": "MISC",
"name": "https://docs.djangoproject.com/en/3.2/releases/security/"
},
{
"refsource": "MISC",
"name": "https://groups.google.com/g/django-announce/c/sPyjSKMi8Eo",
"url": "https://groups.google.com/g/django-announce/c/sPyjSKMi8Eo"
},
{
"refsource": "CONFIRM",
"name": "https://www.djangoproject.com/weblog/2021/jun/02/security-releases/",
"url": "https://www.djangoproject.com/weblog/2021/jun/02/security-releases/"
}
]
}