diff --git a/2022/41xxx/CVE-2022-41723.json b/2022/41xxx/CVE-2022-41723.json
index 1c2d2a8c38b..547627b0031 100644
--- a/2022/41xxx/CVE-2022-41723.json
+++ b/2022/41xxx/CVE-2022-41723.json
@@ -134,6 +134,11 @@
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/",
"refsource": "MISC",
"name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/"
+ },
+ {
+ "url": "https://www.couchbase.com/alerts/",
+ "refsource": "MISC",
+ "name": "https://www.couchbase.com/alerts/"
}
]
},
diff --git a/2023/0xxx/CVE-2023-0001.json b/2023/0xxx/CVE-2023-0001.json
index 17291de2c75..e68152fb8cd 100644
--- a/2023/0xxx/CVE-2023-0001.json
+++ b/2023/0xxx/CVE-2023-0001.json
@@ -96,6 +96,11 @@
"url": "http://www.openwall.com/lists/oss-security/2023/11/08/3",
"refsource": "MISC",
"name": "http://www.openwall.com/lists/oss-security/2023/11/08/3"
+ },
+ {
+ "url": "http://www.openwall.com/lists/oss-security/2023/11/08/5",
+ "refsource": "MISC",
+ "name": "http://www.openwall.com/lists/oss-security/2023/11/08/5"
}
]
},
diff --git a/2023/21xxx/CVE-2023-21930.json b/2023/21xxx/CVE-2023-21930.json
index 4e17cff8fcc..4fd3681172e 100644
--- a/2023/21xxx/CVE-2023-21930.json
+++ b/2023/21xxx/CVE-2023-21930.json
@@ -86,6 +86,11 @@
"refsource": "MISC",
"name": "https://www.oracle.com/security-alerts/cpuapr2023.html"
},
+ {
+ "url": "https://www.couchbase.com/alerts/",
+ "refsource": "MISC",
+ "name": "https://www.couchbase.com/alerts/"
+ },
{
"url": "https://security.netapp.com/advisory/ntap-20230427-0008/",
"refsource": "MISC",
diff --git a/2023/21xxx/CVE-2023-21937.json b/2023/21xxx/CVE-2023-21937.json
index 35a395506d0..ac08c872915 100644
--- a/2023/21xxx/CVE-2023-21937.json
+++ b/2023/21xxx/CVE-2023-21937.json
@@ -86,6 +86,11 @@
"refsource": "MISC",
"name": "https://www.oracle.com/security-alerts/cpuapr2023.html"
},
+ {
+ "url": "https://www.couchbase.com/alerts/",
+ "refsource": "MISC",
+ "name": "https://www.couchbase.com/alerts/"
+ },
{
"url": "https://security.netapp.com/advisory/ntap-20230427-0008/",
"refsource": "MISC",
diff --git a/2023/21xxx/CVE-2023-21938.json b/2023/21xxx/CVE-2023-21938.json
index 7e0575177f5..58da5fc7e5e 100644
--- a/2023/21xxx/CVE-2023-21938.json
+++ b/2023/21xxx/CVE-2023-21938.json
@@ -86,6 +86,11 @@
"refsource": "MISC",
"name": "https://www.oracle.com/security-alerts/cpuapr2023.html"
},
+ {
+ "url": "https://www.couchbase.com/alerts/",
+ "refsource": "MISC",
+ "name": "https://www.couchbase.com/alerts/"
+ },
{
"url": "https://security.netapp.com/advisory/ntap-20230427-0008/",
"refsource": "MISC",
diff --git a/2023/21xxx/CVE-2023-21939.json b/2023/21xxx/CVE-2023-21939.json
index 88e13d4e011..6f48aeaa9bf 100644
--- a/2023/21xxx/CVE-2023-21939.json
+++ b/2023/21xxx/CVE-2023-21939.json
@@ -86,6 +86,11 @@
"refsource": "MISC",
"name": "https://www.oracle.com/security-alerts/cpuapr2023.html"
},
+ {
+ "url": "https://www.couchbase.com/alerts/",
+ "refsource": "MISC",
+ "name": "https://www.couchbase.com/alerts/"
+ },
{
"url": "https://security.netapp.com/advisory/ntap-20230427-0008/",
"refsource": "MISC",
diff --git a/2023/21xxx/CVE-2023-21954.json b/2023/21xxx/CVE-2023-21954.json
index 984615e56d1..5d68285179c 100644
--- a/2023/21xxx/CVE-2023-21954.json
+++ b/2023/21xxx/CVE-2023-21954.json
@@ -82,6 +82,11 @@
"refsource": "MISC",
"name": "https://www.oracle.com/security-alerts/cpuapr2023.html"
},
+ {
+ "url": "https://www.couchbase.com/alerts/",
+ "refsource": "MISC",
+ "name": "https://www.couchbase.com/alerts/"
+ },
{
"url": "https://security.netapp.com/advisory/ntap-20230427-0008/",
"refsource": "MISC",
diff --git a/2023/21xxx/CVE-2023-21967.json b/2023/21xxx/CVE-2023-21967.json
index 371bee02e69..aa703901a9c 100644
--- a/2023/21xxx/CVE-2023-21967.json
+++ b/2023/21xxx/CVE-2023-21967.json
@@ -86,6 +86,11 @@
"refsource": "MISC",
"name": "https://www.oracle.com/security-alerts/cpuapr2023.html"
},
+ {
+ "url": "https://www.couchbase.com/alerts/",
+ "refsource": "MISC",
+ "name": "https://www.couchbase.com/alerts/"
+ },
{
"url": "https://security.netapp.com/advisory/ntap-20230427-0008/",
"refsource": "MISC",
diff --git a/2023/21xxx/CVE-2023-21968.json b/2023/21xxx/CVE-2023-21968.json
index 21cf057bc99..42884fd1cd1 100644
--- a/2023/21xxx/CVE-2023-21968.json
+++ b/2023/21xxx/CVE-2023-21968.json
@@ -86,6 +86,11 @@
"refsource": "MISC",
"name": "https://www.oracle.com/security-alerts/cpuapr2023.html"
},
+ {
+ "url": "https://www.couchbase.com/alerts/",
+ "refsource": "MISC",
+ "name": "https://www.couchbase.com/alerts/"
+ },
{
"url": "https://security.netapp.com/advisory/ntap-20230427-0008/",
"refsource": "MISC",
diff --git a/2023/2xxx/CVE-2023-2033.json b/2023/2xxx/CVE-2023-2033.json
index 5eeda175160..4dbedb7a28c 100644
--- a/2023/2xxx/CVE-2023-2033.json
+++ b/2023/2xxx/CVE-2023-2033.json
@@ -64,6 +64,11 @@
"refsource": "MISC",
"name": "https://crbug.com/1432210"
},
+ {
+ "url": "https://www.couchbase.com/alerts/",
+ "refsource": "MISC",
+ "name": "https://www.couchbase.com/alerts/"
+ },
{
"url": "https://www.debian.org/security/2023/dsa-5390",
"refsource": "MISC",
diff --git a/2023/36xxx/CVE-2023-36667.json b/2023/36xxx/CVE-2023-36667.json
index e4c699301cb..7909a799dc6 100644
--- a/2023/36xxx/CVE-2023-36667.json
+++ b/2023/36xxx/CVE-2023-36667.json
@@ -1,17 +1,66 @@
{
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
- "ID": "CVE-2023-36667",
"ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ID": "CVE-2023-36667",
+ "STATE": "PUBLIC"
},
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Couchbase Server 7.1.4 before 7.1.5 and 7.2.0 before 7.2.1 allows Directory Traversal."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://docs.couchbase.com/server/current/release-notes/relnotes.html",
+ "refsource": "MISC",
+ "name": "https://docs.couchbase.com/server/current/release-notes/relnotes.html"
+ },
+ {
+ "refsource": "MISC",
+ "name": "https://www.couchbase.com/alerts/",
+ "url": "https://www.couchbase.com/alerts/"
}
]
}
diff --git a/2023/38xxx/CVE-2023-38994.json b/2023/38xxx/CVE-2023-38994.json
index d914c76afd6..14dadf7eed1 100644
--- a/2023/38xxx/CVE-2023-38994.json
+++ b/2023/38xxx/CVE-2023-38994.json
@@ -34,7 +34,7 @@
"description_data": [
{
"lang": "eng",
- "value": "An issue in Univention UCS v.5.0 allows a local attacker to execute arbitrary code and gain privileges via the check_univention_joinstatus function."
+ "value": "The 'check_univention_joinstatus' prometheus monitoring script (and other scripts) in UCS 5.0-5 revealed the LDAP plaintext password of the machine account in the process list allowing attackers with local ssh access to gain higher privileges and perform followup attacks. By default, the configuration of UCS does not allow local ssh access for regular users."
}
]
},
diff --git a/2023/3xxx/CVE-2023-3079.json b/2023/3xxx/CVE-2023-3079.json
index 61e0131e47d..22f3d99b22d 100644
--- a/2023/3xxx/CVE-2023-3079.json
+++ b/2023/3xxx/CVE-2023-3079.json
@@ -64,6 +64,11 @@
"refsource": "MISC",
"name": "https://crbug.com/1450481"
},
+ {
+ "url": "https://www.couchbase.com/alerts/",
+ "refsource": "MISC",
+ "name": "https://www.couchbase.com/alerts/"
+ },
{
"url": "https://www.debian.org/security/2023/dsa-5420",
"refsource": "MISC",
diff --git a/2023/45xxx/CVE-2023-45857.json b/2023/45xxx/CVE-2023-45857.json
index e3205ac4dfd..6d0eed5e112 100644
--- a/2023/45xxx/CVE-2023-45857.json
+++ b/2023/45xxx/CVE-2023-45857.json
@@ -1,17 +1,61 @@
{
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
- "ID": "CVE-2023-45857",
"ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ID": "CVE-2023-45857",
+ "STATE": "PUBLIC"
},
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "MISC",
+ "name": "https://github.com/axios/axios/issues/6006",
+ "url": "https://github.com/axios/axios/issues/6006"
}
]
}
diff --git a/2023/47xxx/CVE-2023-47109.json b/2023/47xxx/CVE-2023-47109.json
index aa10102438b..35da392b0a1 100644
--- a/2023/47xxx/CVE-2023-47109.json
+++ b/2023/47xxx/CVE-2023-47109.json
@@ -1,17 +1,100 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-47109",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security-advisories@github.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "PrestaShop blockreassurance adds an information block aimed at offering helpful information to reassure customers that the store is trustworthy. When adding a block in blockreassurance module, a BO user can modify the http request and give the path of any file in the project instead of an image. When deleting the block from the BO, the file will be deleted. It is possible to make the website completely unavailable by removing index.php for example. This issue has been patched in version 5.1.4.\n"
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-285: Improper Authorization",
+ "cweId": "CWE-285"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "PrestaShop",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "blockreassurance",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "<= 5.1.3"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://github.com/PrestaShop/blockreassurance/security/advisories/GHSA-83j2-qhx2-p7jc",
+ "refsource": "MISC",
+ "name": "https://github.com/PrestaShop/blockreassurance/security/advisories/GHSA-83j2-qhx2-p7jc"
+ },
+ {
+ "url": "https://github.com/PrestaShop/blockreassurance/commit/2d0e97bebf795690caffe33c1ab23a9bf43fcdfa",
+ "refsource": "MISC",
+ "name": "https://github.com/PrestaShop/blockreassurance/commit/2d0e97bebf795690caffe33c1ab23a9bf43fcdfa"
+ },
+ {
+ "url": "https://github.com/PrestaShop/blockreassurance/commit/eec00da564db4c1804b0a0d1e3d9f7ec4e27d823",
+ "refsource": "MISC",
+ "name": "https://github.com/PrestaShop/blockreassurance/commit/eec00da564db4c1804b0a0d1e3d9f7ec4e27d823"
+ },
+ {
+ "url": "https://github.com/PrestaShop/blockreassurance/releases/tag/v5.1.4",
+ "refsource": "MISC",
+ "name": "https://github.com/PrestaShop/blockreassurance/releases/tag/v5.1.4"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-83j2-qhx2-p7jc",
+ "discovery": "UNKNOWN"
+ },
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 5.5,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "HIGH",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H",
+ "version": "3.1"
}
]
}
diff --git a/2023/47xxx/CVE-2023-47111.json b/2023/47xxx/CVE-2023-47111.json
index c8eaf6d88b7..441a6579cd9 100644
--- a/2023/47xxx/CVE-2023-47111.json
+++ b/2023/47xxx/CVE-2023-47111.json
@@ -1,17 +1,104 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-47111",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security-advisories@github.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "ZITADEL provides identity infrastructure. ZITADEL provides administrators the possibility to define a `Lockout Policy` with a maximum amount of failed password check attempts. On every failed password check, the amount of failed checks is compared against the configured maximum. Exceeding the limit, will lock the user and prevent further authentication. In the affected implementation it was possible for an attacker to start multiple parallel password checks, giving him the possibility to try out more combinations than configured in the `Lockout Policy`. This vulnerability has been patched in versions 2.40.5 and 2.38.3.\n"
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')",
+ "cweId": "CWE-362"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "zitadel",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "zitadel",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": ">= 2.39.0, < 2.40.5"
+ },
+ {
+ "version_affected": "=",
+ "version_value": "< 2.38.3"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-7h8m-vrxx-vr4m",
+ "refsource": "MISC",
+ "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-7h8m-vrxx-vr4m"
+ },
+ {
+ "url": "https://github.com/zitadel/zitadel/commit/22e2d5599918864877e054ebe82fb834a5aa1077",
+ "refsource": "MISC",
+ "name": "https://github.com/zitadel/zitadel/commit/22e2d5599918864877e054ebe82fb834a5aa1077"
+ },
+ {
+ "url": "https://github.com/zitadel/zitadel/releases/tag/v2.38.3",
+ "refsource": "MISC",
+ "name": "https://github.com/zitadel/zitadel/releases/tag/v2.38.3"
+ },
+ {
+ "url": "https://github.com/zitadel/zitadel/releases/tag/v2.40.5",
+ "refsource": "MISC",
+ "name": "https://github.com/zitadel/zitadel/releases/tag/v2.40.5"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-7h8m-vrxx-vr4m",
+ "discovery": "UNKNOWN"
+ },
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "LOW",
+ "baseScore": 7.3,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
+ "version": "3.1"
}
]
}
diff --git a/2023/47xxx/CVE-2023-47113.json b/2023/47xxx/CVE-2023-47113.json
index c1b2a0f0ee3..fe866a50f21 100644
--- a/2023/47xxx/CVE-2023-47113.json
+++ b/2023/47xxx/CVE-2023-47113.json
@@ -1,17 +1,85 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-47113",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security-advisories@github.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "BleachBit cleans files to free disk space and to maintain privacy. BleachBit for Windows up to version 4.4.2 is vulnerable to a DLL Hijacking vulnerability. By placing a DLL in the Folder c:\\DLLs, an attacker can run arbitrary code on every execution of BleachBit for Windows. This issue has been patched in version 4.5.0.\n"
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-427: Uncontrolled Search Path Element",
+ "cweId": "CWE-427"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "bleachbit",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "bleachbit",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "<= 4.4.2"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://github.com/bleachbit/bleachbit/security/advisories/GHSA-j8jc-f6p7-55p8",
+ "refsource": "MISC",
+ "name": "https://github.com/bleachbit/bleachbit/security/advisories/GHSA-j8jc-f6p7-55p8"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-j8jc-f6p7-55p8",
+ "discovery": "UNKNOWN"
+ },
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "LOCAL",
+ "availabilityImpact": "HIGH",
+ "baseScore": 7.3,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
+ "version": "3.1"
}
]
}
diff --git a/2023/47xxx/CVE-2023-47114.json b/2023/47xxx/CVE-2023-47114.json
index 7be5d9baa53..667e67993cd 100644
--- a/2023/47xxx/CVE-2023-47114.json
+++ b/2023/47xxx/CVE-2023-47114.json
@@ -1,17 +1,95 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-47114",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security-advisories@github.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in your runtime environment, and the enforcement of privacy regulations in your code. The Fides web application allows data subject users to request access to their personal data. If the request is approved by the data controller user operating the Fides web application, the data subject's personal data can then retrieved from connected systems and data stores before being bundled together as a data subject access request package for the data subject to download. Supported data formats for the package include json and csv, but the most commonly used format is a series of HTML files compressed in a ZIP file. Once downloaded and unzipped, the data subject user can browse the HTML files on their local machine. It was identified that there was no validation of input coming from e.g. the connected systems and data stores which is later reflected in the downloaded data. This can result in an HTML injection that can be abused e.g. for phishing attacks or malicious JavaScript code execution, but only in the context of the data subject's browser accessing a HTML page using the `file://` protocol. Exploitation is limited to rogue Admin UI users, malicious connected system / data store users, and the data subject user if tricked via social engineering into submitting malicious data themselves. This vulnerability has been patched in version 2.23.3."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
+ "cweId": "CWE-79"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "ethyca",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "fides",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": ">= 2.15.1, < 2.23.3"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://github.com/ethyca/fides/security/advisories/GHSA-3vpf-mcj7-5h38",
+ "refsource": "MISC",
+ "name": "https://github.com/ethyca/fides/security/advisories/GHSA-3vpf-mcj7-5h38"
+ },
+ {
+ "url": "https://github.com/ethyca/fides/commit/50360a0e24aac858459806bb140bb1c4b71e67a1",
+ "refsource": "MISC",
+ "name": "https://github.com/ethyca/fides/commit/50360a0e24aac858459806bb140bb1c4b71e67a1"
+ },
+ {
+ "url": "https://github.com/ethyca/fides/releases/tag/2.23.3",
+ "refsource": "MISC",
+ "name": "https://github.com/ethyca/fides/releases/tag/2.23.3"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-3vpf-mcj7-5h38",
+ "discovery": "UNKNOWN"
+ },
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "LOW",
+ "baseScore": 4.3,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "HIGH",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L",
+ "version": "3.1"
}
]
}
diff --git a/2023/4xxx/CVE-2023-4632.json b/2023/4xxx/CVE-2023-4632.json
index 7ba9e47df45..cfd47b079fb 100644
--- a/2023/4xxx/CVE-2023-4632.json
+++ b/2023/4xxx/CVE-2023-4632.json
@@ -1,17 +1,106 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-4632",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "psirt@lenovo.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "An uncontrolled search path vulnerability was reported in Lenovo System Update that could allow an attacker with local access to execute code with elevated privileges."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-427 Uncontrolled Search Path Element",
+ "cweId": "CWE-427"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Lenovo",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Lenovo System Update",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "Versions prior to 5.08.02.25"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://support.lenovo.com/us/en/product_security/LEN-135367",
+ "refsource": "MISC",
+ "name": "https://support.lenovo.com/us/en/product_security/LEN-135367"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Update Lenovo System Update to version 5.08.02.25 or later as indicated in the advisory. https://support.lenovo.com/us/en/product_security/LEN-135367
"
+ }
+ ],
+ "value": "Update Lenovo System Update to version 5.08.02.25 or later as indicated in the advisory.\u00a0 https://support.lenovo.com/us/en/product_security/LEN-135367 \n"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Lenovo thanks Matt Nelson, Hunter Orrantia and Max Harley of SpecterOps for reporting this issue. "
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "LOCAL",
+ "availabilityImpact": "HIGH",
+ "baseScore": 7.8,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.1"
}
]
}
diff --git a/2023/4xxx/CVE-2023-4706.json b/2023/4xxx/CVE-2023-4706.json
index 693dc731e06..073a28f800b 100644
--- a/2023/4xxx/CVE-2023-4706.json
+++ b/2023/4xxx/CVE-2023-4706.json
@@ -1,17 +1,106 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-4706",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "psirt@lenovo.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "\nA privilege escalation vulnerability was reported in Lenovo preloaded devices deployed using Microsoft AutoPilot under a standard user account due to incorrect default privileges.\n\n"
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-276 Incorrect Default Permissions",
+ "cweId": "CWE-276"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Lenovo",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "1Lenovo Preload Directory",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "Refer to Mitigation strategy section in LEN-127385"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://support.lenovo.com/us/en/product_security/LEN-127385",
+ "refsource": "MISC",
+ "name": "https://support.lenovo.com/us/en/product_security/LEN-127385"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Refer to Mitigation strategy section in the advisory: https://support.lenovo.com/us/en/product_security/LEN-127385
"
+ }
+ ],
+ "value": "Refer to Mitigation strategy section in the advisory:\u00a0 https://support.lenovo.com/us/en/product_security/LEN-127385 \n"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Lenovo thanks Steven Pritchard for reporting this issue. "
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "LOCAL",
+ "availabilityImpact": "HIGH",
+ "baseScore": 7.3,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
+ "version": "3.1"
}
]
}
diff --git a/2023/6xxx/CVE-2023-6043.json b/2023/6xxx/CVE-2023-6043.json
new file mode 100644
index 00000000000..e6ccdd339b7
--- /dev/null
+++ b/2023/6xxx/CVE-2023-6043.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2023-6043",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2023/6xxx/CVE-2023-6044.json b/2023/6xxx/CVE-2023-6044.json
new file mode 100644
index 00000000000..a87f72e02d5
--- /dev/null
+++ b/2023/6xxx/CVE-2023-6044.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2023-6044",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file