From 5865c569feb3dc5fc73070e30f8052bd8e093042 Mon Sep 17 00:00:00 2001 From: CVE Team Date: Fri, 15 Sep 2023 21:00:33 +0000 Subject: [PATCH] "-Synchronized-Data." --- 2020/21xxx/CVE-2020-21426.json | 5 ++ 2020/21xxx/CVE-2020-21427.json | 5 ++ 2020/21xxx/CVE-2020-21428.json | 5 ++ 2020/22xxx/CVE-2020-22524.json | 5 ++ 2021/41xxx/CVE-2021-41803.json | 5 ++ 2022/3xxx/CVE-2022-3064.json | 10 +++ 2022/3xxx/CVE-2022-3261.json | 99 +++++++++++++++++++++++++++-- 2022/40xxx/CVE-2022-40716.json | 5 ++ 2022/41xxx/CVE-2022-41717.json | 10 +++ 2023/0xxx/CVE-2023-0813.json | 112 +++++++++++++++++++++++++++++++-- 2023/0xxx/CVE-2023-0845.json | 5 ++ 2023/0xxx/CVE-2023-0923.json | 112 +++++++++++++++++++++++++++++++-- 2023/1xxx/CVE-2023-1576.json | 56 +---------------- 2023/25xxx/CVE-2023-25173.json | 5 ++ 2023/26xxx/CVE-2023-26054.json | 5 ++ 2023/28xxx/CVE-2023-28366.json | 5 ++ 2023/28xxx/CVE-2023-28840.json | 5 ++ 2023/28xxx/CVE-2023-28841.json | 5 ++ 2023/28xxx/CVE-2023-28842.json | 5 ++ 2023/33xxx/CVE-2023-33551.json | 5 ++ 2023/33xxx/CVE-2023-33552.json | 5 ++ 2023/36xxx/CVE-2023-36674.json | 5 ++ 2023/36xxx/CVE-2023-36675.json | 5 ++ 2023/40xxx/CVE-2023-40167.json | 2 +- 2023/40xxx/CVE-2023-40305.json | 5 ++ 2023/40xxx/CVE-2023-40587.json | 5 ++ 2023/41xxx/CVE-2023-41886.json | 81 ++++++++++++++++++++++-- 2023/41xxx/CVE-2023-41887.json | 81 ++++++++++++++++++++++-- 2023/41xxx/CVE-2023-41889.json | 86 +++++++++++++++++++++++-- 2023/41xxx/CVE-2023-41900.json | 94 +++++++++++++++++++++++++-- 2023/41xxx/CVE-2023-41901.json | 8 +-- 2023/42xxx/CVE-2023-42439.json | 76 ++++++++++++++++++++-- 2023/42xxx/CVE-2023-42442.json | 90 ++++++++++++++++++++++++-- 2023/5xxx/CVE-2023-5004.json | 18 ++++++ 2023/5xxx/CVE-2023-5005.json | 18 ++++++ 35 files changed, 953 insertions(+), 95 deletions(-) create mode 100644 2023/5xxx/CVE-2023-5004.json create mode 100644 2023/5xxx/CVE-2023-5005.json diff --git a/2020/21xxx/CVE-2020-21426.json b/2020/21xxx/CVE-2020-21426.json index d65b92ced12..c5ea0d70805 100644 --- a/2020/21xxx/CVE-2020-21426.json +++ b/2020/21xxx/CVE-2020-21426.json @@ -61,6 +61,11 @@ "refsource": "FEDORA", "name": "FEDORA-2023-a8b26b910d", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RUEK2JOVJBQZVNQIIZZO3JFMTVB4R5KS/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2023-2840932fa8", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UGOMCRAANNCQYJYPPMGRQWKRZGIP6NME/" } ] } diff --git a/2020/21xxx/CVE-2020-21427.json b/2020/21xxx/CVE-2020-21427.json index a679f1b7a5e..46acc78d0ab 100644 --- a/2020/21xxx/CVE-2020-21427.json +++ b/2020/21xxx/CVE-2020-21427.json @@ -61,6 +61,11 @@ "refsource": "FEDORA", "name": "FEDORA-2023-a8b26b910d", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RUEK2JOVJBQZVNQIIZZO3JFMTVB4R5KS/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2023-2840932fa8", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UGOMCRAANNCQYJYPPMGRQWKRZGIP6NME/" } ] } diff --git a/2020/21xxx/CVE-2020-21428.json b/2020/21xxx/CVE-2020-21428.json index bc4f42c52d3..41f7f181ac2 100644 --- a/2020/21xxx/CVE-2020-21428.json +++ b/2020/21xxx/CVE-2020-21428.json @@ -61,6 +61,11 @@ "refsource": "FEDORA", "name": "FEDORA-2023-a8b26b910d", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RUEK2JOVJBQZVNQIIZZO3JFMTVB4R5KS/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2023-2840932fa8", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UGOMCRAANNCQYJYPPMGRQWKRZGIP6NME/" } ] } diff --git a/2020/22xxx/CVE-2020-22524.json b/2020/22xxx/CVE-2020-22524.json index 273206e0de4..cb1aec1f102 100644 --- a/2020/22xxx/CVE-2020-22524.json +++ b/2020/22xxx/CVE-2020-22524.json @@ -61,6 +61,11 @@ "refsource": "FEDORA", "name": "FEDORA-2023-a8b26b910d", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RUEK2JOVJBQZVNQIIZZO3JFMTVB4R5KS/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2023-2840932fa8", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UGOMCRAANNCQYJYPPMGRQWKRZGIP6NME/" } ] } diff --git a/2021/41xxx/CVE-2021-41803.json b/2021/41xxx/CVE-2021-41803.json index a5efde80335..6f8bbaf351f 100644 --- a/2021/41xxx/CVE-2021-41803.json +++ b/2021/41xxx/CVE-2021-41803.json @@ -71,6 +71,11 @@ "refsource": "FEDORA", "name": "FEDORA-2023-cf3551046d", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2023-b9c1d0e4c5", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/" } ] } diff --git a/2022/3xxx/CVE-2022-3064.json b/2022/3xxx/CVE-2022-3064.json index 9f76af5249d..f3c4c25db10 100644 --- a/2022/3xxx/CVE-2022-3064.json +++ b/2022/3xxx/CVE-2022-3064.json @@ -93,6 +93,16 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/", "refsource": "MISC", "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/", + "refsource": "MISC", + "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/", + "refsource": "MISC", + "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/" } ] } diff --git a/2022/3xxx/CVE-2022-3261.json b/2022/3xxx/CVE-2022-3261.json index 34762355dc4..c48e4bd6c64 100644 --- a/2022/3xxx/CVE-2022-3261.json +++ b/2022/3xxx/CVE-2022-3261.json @@ -1,17 +1,108 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-3261", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "secalert@redhat.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A flaw was found in OpenStack. Multiple components show plain-text passwords in /var/log/messages during the OpenStack overcloud update run, leading to a disclosure of sensitive information problem." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Plaintext Storage of a Password", + "cweId": "CWE-256" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "n/a", + "product": { + "product_data": [ + { + "product_name": "openstack", + "version": { + "version_data": [ + { + "version_value": "not down converted", + "x_cve_json_5_version_data": { + "defaultStatus": "affected" + } + } + ] + } + } + ] + } + }, + { + "vendor_name": "Red Hat", + "product": { + "product_data": [ + { + "product_name": "Red Hat OpenStack Platform 16.2", + "version": { + "version_data": [ + { + "version_value": "not down converted", + "x_cve_json_5_version_data": { + "defaultStatus": "affected" + } + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://access.redhat.com/security/cve/CVE-2022-3261", + "refsource": "MISC", + "name": "https://access.redhat.com/security/cve/CVE-2022-3261" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2128834", + "refsource": "MISC", + "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2128834" + } + ] + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 4.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", + "version": "3.1" } ] } diff --git a/2022/40xxx/CVE-2022-40716.json b/2022/40xxx/CVE-2022-40716.json index 2e642bb75cf..d6e37775db8 100644 --- a/2022/40xxx/CVE-2022-40716.json +++ b/2022/40xxx/CVE-2022-40716.json @@ -71,6 +71,11 @@ "refsource": "FEDORA", "name": "FEDORA-2023-cf3551046d", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2023-b9c1d0e4c5", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/" } ] } diff --git a/2022/41xxx/CVE-2022-41717.json b/2022/41xxx/CVE-2022-41717.json index d42c1287b4e..7b6e11d7e5c 100644 --- a/2022/41xxx/CVE-2022-41717.json +++ b/2022/41xxx/CVE-2022-41717.json @@ -137,6 +137,16 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56B2FFESRYYP6IY2AZ3UWXLWKZ5IYZN4/", "refsource": "MISC", "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56B2FFESRYYP6IY2AZ3UWXLWKZ5IYZN4/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/", + "refsource": "MISC", + "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WPEIZ7AMEJCZXU3FEJZMVRNHQZXX5P3I/", + "refsource": "MISC", + "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WPEIZ7AMEJCZXU3FEJZMVRNHQZXX5P3I/" } ] }, diff --git a/2023/0xxx/CVE-2023-0813.json b/2023/0xxx/CVE-2023-0813.json index 9585540068d..e27c6a4bd52 100644 --- a/2023/0xxx/CVE-2023-0813.json +++ b/2023/0xxx/CVE-2023-0813.json @@ -1,17 +1,121 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-0813", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "secalert@redhat.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A flaw was found in the Network Observability plugin for OpenShift console. Unless the Loki authToken configuration is set to FORWARD mode, authentication is no longer enforced, allowing any user who can connect to the OpenShift Console in an OpenShift cluster to retrieve flows without authentication." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Improper Authorization", + "cweId": "CWE-285" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "n/a", + "product": { + "product_data": [ + { + "product_name": "network-observability-console-plugin-container", + "version": { + "version_data": [ + { + "version_value": "not down converted", + "x_cve_json_5_version_data": { + "defaultStatus": "affected" + } + } + ] + } + } + ] + } + }, + { + "vendor_name": "Red Hat", + "product": { + "product_data": [ + { + "product_name": "NETWORK-OBSERVABILITY-1.1.0-RHEL-8", + "version": { + "version_data": [ + { + "version_value": "not down converted", + "x_cve_json_5_version_data": { + "versions": [ + { + "version": "v1.1.0-10", + "lessThan": "*", + "versionType": "rpm", + "status": "unaffected" + } + ], + "defaultStatus": "affected" + } + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://access.redhat.com/errata/RHSA-2023:0786", + "refsource": "MISC", + "name": "https://access.redhat.com/errata/RHSA-2023:0786" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-0813", + "refsource": "MISC", + "name": "https://access.redhat.com/security/cve/CVE-2023-0813" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2169468", + "refsource": "MISC", + "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2169468" + } + ] + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 8.6, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", + "version": "3.1" } ] } diff --git a/2023/0xxx/CVE-2023-0845.json b/2023/0xxx/CVE-2023-0845.json index 567466f13ca..312dbe81d54 100644 --- a/2023/0xxx/CVE-2023-0845.json +++ b/2023/0xxx/CVE-2023-0845.json @@ -111,6 +111,11 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/", "refsource": "MISC", "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/", + "refsource": "MISC", + "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/" } ] }, diff --git a/2023/0xxx/CVE-2023-0923.json b/2023/0xxx/CVE-2023-0923.json index 50e36edc7fa..6f9168dd2a4 100644 --- a/2023/0xxx/CVE-2023-0923.json +++ b/2023/0xxx/CVE-2023-0923.json @@ -1,17 +1,121 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-0923", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "secalert@redhat.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A flaw was found in the Kubernetes service for notebooks in RHODS, where it does not prevent pods from other namespaces and applications from making requests to the Jupyter API. This flaw can lead to file content exposure and other issues." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Missing Authorization", + "cweId": "CWE-862" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "n/a", + "product": { + "product_data": [ + { + "product_name": "odh-notebook-controller-container", + "version": { + "version_data": [ + { + "version_value": "not down converted", + "x_cve_json_5_version_data": { + "defaultStatus": "affected" + } + } + ] + } + } + ] + } + }, + { + "vendor_name": "Red Hat", + "product": { + "product_data": [ + { + "product_name": "RHODS-1.22-RHEL-8", + "version": { + "version_data": [ + { + "version_value": "not down converted", + "x_cve_json_5_version_data": { + "versions": [ + { + "version": "v1.22.1-3", + "lessThan": "*", + "versionType": "rpm", + "status": "unaffected" + } + ], + "defaultStatus": "affected" + } + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://access.redhat.com/errata/RHSA-2023:0977", + "refsource": "MISC", + "name": "https://access.redhat.com/errata/RHSA-2023:0977" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-0923", + "refsource": "MISC", + "name": "https://access.redhat.com/security/cve/CVE-2023-0923" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2171870", + "refsource": "MISC", + "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2171870" + } + ] + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" } ] } diff --git a/2023/1xxx/CVE-2023-1576.json b/2023/1xxx/CVE-2023-1576.json index 8801c44270e..347b1b93966 100644 --- a/2023/1xxx/CVE-2023-1576.json +++ b/2023/1xxx/CVE-2023-1576.json @@ -5,66 +5,14 @@ "CVE_data_meta": { "ID": "CVE-2023-1576", "ASSIGNER": "secalert@redhat.com", - "STATE": "PUBLIC" + "STATE": "REJECT" }, "description": { "description_data": [ { "lang": "eng", - "value": "A Heap buffer overflow in CPP/7zip/Archive/Zip/ZipIn.cpp:1116 in NArchive::NZip::CInArchive::FindCd(bool) was found in p7zip 16.02.\n" + "value": "** REJECT ** This is a duplicate of an earlier CVE, CVE-2022-47069." } ] - }, - "problemtype": { - "problemtype_data": [ - { - "description": [ - { - "lang": "eng", - "value": "CWE-119", - "cweId": "CWE-119" - } - ] - } - ] - }, - "affects": { - "vendor": { - "vendor_data": [ - { - "vendor_name": "p7zip", - "product": { - "product_data": [ - { - "product_name": "p7zip", - "version": { - "version_data": [ - { - "version_affected": "=", - "version_value": "16.02" - } - ] - } - } - ] - } - } - ] - } - }, - "references": { - "reference_data": [ - { - "url": "https://sourceforge.net/p/p7zip/bugs/241/", - "refsource": "MISC", - "name": "https://sourceforge.net/p/p7zip/bugs/241/" - } - ] - }, - "generator": { - "engine": "Vulnogram 0.1.0-dev" - }, - "source": { - "discovery": "UNKNOWN" } } \ No newline at end of file diff --git a/2023/25xxx/CVE-2023-25173.json b/2023/25xxx/CVE-2023-25173.json index 30538b21531..584dae4bd37 100644 --- a/2023/25xxx/CVE-2023-25173.json +++ b/2023/25xxx/CVE-2023-25173.json @@ -112,6 +112,11 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/", "refsource": "MISC", "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/", + "refsource": "MISC", + "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/" } ] }, diff --git a/2023/26xxx/CVE-2023-26054.json b/2023/26xxx/CVE-2023-26054.json index 87ac402f5f0..7581940adbb 100644 --- a/2023/26xxx/CVE-2023-26054.json +++ b/2023/26xxx/CVE-2023-26054.json @@ -73,6 +73,11 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/", "refsource": "MISC", "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/", + "refsource": "MISC", + "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/" } ] }, diff --git a/2023/28xxx/CVE-2023-28366.json b/2023/28xxx/CVE-2023-28366.json index 99d16a4acd3..59d80efbd90 100644 --- a/2023/28xxx/CVE-2023-28366.json +++ b/2023/28xxx/CVE-2023-28366.json @@ -71,6 +71,11 @@ "refsource": "CONFIRM", "name": "https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9", "url": "https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2023-9adc4be8b0", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJ2FMBGVVQEQWTTQB7YLKTAHMX2UM66X/" } ] } diff --git a/2023/28xxx/CVE-2023-28840.json b/2023/28xxx/CVE-2023-28840.json index 977259d45cc..4485221447e 100644 --- a/2023/28xxx/CVE-2023-28840.json +++ b/2023/28xxx/CVE-2023-28840.json @@ -111,6 +111,11 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/", "refsource": "MISC", "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/", + "refsource": "MISC", + "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/" } ] }, diff --git a/2023/28xxx/CVE-2023-28841.json b/2023/28xxx/CVE-2023-28841.json index 2e293e80888..421d3f27fde 100644 --- a/2023/28xxx/CVE-2023-28841.json +++ b/2023/28xxx/CVE-2023-28841.json @@ -116,6 +116,11 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/", "refsource": "MISC", "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/", + "refsource": "MISC", + "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/" } ] }, diff --git a/2023/28xxx/CVE-2023-28842.json b/2023/28xxx/CVE-2023-28842.json index 3aed89e0bfa..bcfbcd76c8c 100644 --- a/2023/28xxx/CVE-2023-28842.json +++ b/2023/28xxx/CVE-2023-28842.json @@ -101,6 +101,11 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/", "refsource": "MISC", "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/", + "refsource": "MISC", + "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/" } ] }, diff --git a/2023/33xxx/CVE-2023-33551.json b/2023/33xxx/CVE-2023-33551.json index 127fe96e138..a97fefbca46 100644 --- a/2023/33xxx/CVE-2023-33551.json +++ b/2023/33xxx/CVE-2023-33551.json @@ -61,6 +61,11 @@ "refsource": "FEDORA", "name": "FEDORA-2023-f838326992", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FHOIRL6XH5NYR3LYI3KP5DE4SDSQWR7W/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2023-aadd651a30", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGGIYW7PHYQM2NPYCJPSPSLULLD2P2PE/" } ] } diff --git a/2023/33xxx/CVE-2023-33552.json b/2023/33xxx/CVE-2023-33552.json index f9959e02e84..dfc62aa701c 100644 --- a/2023/33xxx/CVE-2023-33552.json +++ b/2023/33xxx/CVE-2023-33552.json @@ -61,6 +61,11 @@ "refsource": "FEDORA", "name": "FEDORA-2023-f838326992", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FHOIRL6XH5NYR3LYI3KP5DE4SDSQWR7W/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2023-aadd651a30", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGGIYW7PHYQM2NPYCJPSPSLULLD2P2PE/" } ] } diff --git a/2023/36xxx/CVE-2023-36674.json b/2023/36xxx/CVE-2023-36674.json index 366d6f28f47..cb7f33b4f9f 100644 --- a/2023/36xxx/CVE-2023-36674.json +++ b/2023/36xxx/CVE-2023-36674.json @@ -66,6 +66,11 @@ "refsource": "FEDORA", "name": "FEDORA-2023-d8ae3c122e", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UIVGYECQGTUC2LLPVCZBPDLCTOHL2F6/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2023-7e9d6015f6", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CHRX6DSLAMVXCV2YMJEWOLTBEYSESE5/" } ] } diff --git a/2023/36xxx/CVE-2023-36675.json b/2023/36xxx/CVE-2023-36675.json index a9ae2ef0c11..40640bf00d7 100644 --- a/2023/36xxx/CVE-2023-36675.json +++ b/2023/36xxx/CVE-2023-36675.json @@ -76,6 +76,11 @@ "refsource": "FEDORA", "name": "FEDORA-2023-d8ae3c122e", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UIVGYECQGTUC2LLPVCZBPDLCTOHL2F6/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2023-7e9d6015f6", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CHRX6DSLAMVXCV2YMJEWOLTBEYSESE5/" } ] } diff --git a/2023/40xxx/CVE-2023-40167.json b/2023/40xxx/CVE-2023-40167.json index 2b904f8a90f..9d50a070ec3 100644 --- a/2023/40xxx/CVE-2023-40167.json +++ b/2023/40xxx/CVE-2023-40167.json @@ -11,7 +11,7 @@ "description_data": [ { "lang": "eng", - "value": "Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.6, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.6, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario." + "value": "Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario." } ] }, diff --git a/2023/40xxx/CVE-2023-40305.json b/2023/40xxx/CVE-2023-40305.json index 8f714b51974..f7c23584254 100644 --- a/2023/40xxx/CVE-2023-40305.json +++ b/2023/40xxx/CVE-2023-40305.json @@ -71,6 +71,11 @@ "refsource": "FEDORA", "name": "FEDORA-2023-67d8bcb63c", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MIUH3F63KQJWYR3FLKRZUYYRJOY6FYX/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2023-845edc1181", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OB6GB6FUFPV5VJAZIANDG4YNNDW6JNXX/" } ] } diff --git a/2023/40xxx/CVE-2023-40587.json b/2023/40xxx/CVE-2023-40587.json index 24e6e2d6fcf..f6b0f37e52b 100644 --- a/2023/40xxx/CVE-2023-40587.json +++ b/2023/40xxx/CVE-2023-40587.json @@ -78,6 +78,11 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQIPHQTM3XE5NIEXCTQFV2J2RK2YUSMT/", "refsource": "MISC", "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQIPHQTM3XE5NIEXCTQFV2J2RK2YUSMT/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYSDTQ7NP5GHPQ7HBE47MBJQK7YEIYMF/", + "refsource": "MISC", + "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYSDTQ7NP5GHPQ7HBE47MBJQK7YEIYMF/" } ] }, diff --git a/2023/41xxx/CVE-2023-41886.json b/2023/41xxx/CVE-2023-41886.json index 385f2def778..a2a1b8f5bf2 100644 --- a/2023/41xxx/CVE-2023-41886.json +++ b/2023/41xxx/CVE-2023-41886.json @@ -1,17 +1,90 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-41886", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, an arbitrary file read vulnerability allows any unauthenticated user to read a file on a server. Version 3.7.5 fixes this issue." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + "cweId": "CWE-89" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "OpenRefine", + "product": { + "product_data": [ + { + "product_name": "OpenRefine", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "<= 3.7.4" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qqh2-wvmv-h72m", + "refsource": "MISC", + "name": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qqh2-wvmv-h72m" + }, + { + "url": "https://github.com/OpenRefine/OpenRefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d", + "refsource": "MISC", + "name": "https://github.com/OpenRefine/OpenRefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d" + } + ] + }, + "source": { + "advisory": "GHSA-qqh2-wvmv-h72m", + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "version": "3.1" } ] } diff --git a/2023/41xxx/CVE-2023-41887.json b/2023/41xxx/CVE-2023-41887.json index ff646e62a46..093551fd8d4 100644 --- a/2023/41xxx/CVE-2023-41887.json +++ b/2023/41xxx/CVE-2023-41887.json @@ -1,17 +1,90 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-41887", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, a remote code execution vulnerability allows any unauthenticated user to execute code on the server. Version 3.7.5 has a patch for this issue." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + "cweId": "CWE-89" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "OpenRefine", + "product": { + "product_data": [ + { + "product_name": "OpenRefine", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "<= 3.7.4" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-p3r5-x3hr-gpg5", + "refsource": "MISC", + "name": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-p3r5-x3hr-gpg5" + }, + { + "url": "https://github.com/OpenRefine/OpenRefine/commit/693fde606d4b5b78b16391c29d110389eb605511", + "refsource": "MISC", + "name": "https://github.com/OpenRefine/OpenRefine/commit/693fde606d4b5b78b16391c29d110389eb605511" + } + ] + }, + "source": { + "advisory": "GHSA-p3r5-x3hr-gpg5", + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 9.8, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" } ] } diff --git a/2023/41xxx/CVE-2023-41889.json b/2023/41xxx/CVE-2023-41889.json index 504b1d59311..4a13d564df6 100644 --- a/2023/41xxx/CVE-2023-41889.json +++ b/2023/41xxx/CVE-2023-41889.json @@ -1,17 +1,95 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-41889", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SHIRASAGI is a Content Management System. Prior to version 1.18.0, SHIRASAGI is vulnerable to a Post-Unicode normalization issue. This happens when a logical validation or a security check is performed before a Unicode normalization. The Unicode character equivalent of a character would resurface after the normalization. The fix is initially performing the Unicode normalization and then strip for all whitespaces and then checking for a blank string. This issue has been fixed in version 1.18.0.\n" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-176: Improper Handling of Unicode Encoding", + "cweId": "CWE-176" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "shirasagi", + "product": { + "product_data": [ + { + "product_name": "shirasagi", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "< 1.18.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/shirasagi/shirasagi/security/advisories/GHSA-xr45-c2jv-2v9r", + "refsource": "MISC", + "name": "https://github.com/shirasagi/shirasagi/security/advisories/GHSA-xr45-c2jv-2v9r" + }, + { + "url": "https://github.com/shirasagi/shirasagi/blob/f249ce3f06f6bfbc0017b38f5c13de424334c3ea/app/models/concerns/rdf/object.rb#L68-L72", + "refsource": "MISC", + "name": "https://github.com/shirasagi/shirasagi/blob/f249ce3f06f6bfbc0017b38f5c13de424334c3ea/app/models/concerns/rdf/object.rb#L68-L72" + }, + { + "url": "https://sim4n6.beehiiv.com/p/unicode-characters-bypass-security-checks", + "refsource": "MISC", + "name": "https://sim4n6.beehiiv.com/p/unicode-characters-bypass-security-checks" + } + ] + }, + "source": { + "advisory": "GHSA-xr45-c2jv-2v9r", + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "version": "3.1" } ] } diff --git a/2023/41xxx/CVE-2023-41900.json b/2023/41xxx/CVE-2023-41900.json index c8ac7d6d909..c99627a4147 100644 --- a/2023/41xxx/CVE-2023-41900.json +++ b/2023/41xxx/CVE-2023-41900.json @@ -1,17 +1,103 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-41900", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-1390: Weak Authentication", + "cweId": "CWE-1390" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "eclipse", + "product": { + "product_data": [ + { + "product_name": "jetty.project", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": ">= 9.4.21, <= 9.4.51" + }, + { + "version_affected": "=", + "version_value": ">= 10.0.0, <= 10.0.15" + }, + { + "version_affected": "=", + "version_value": ">= 11.0.0, <= 11.0.15" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48", + "refsource": "MISC", + "name": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48" + }, + { + "url": "https://github.com/eclipse/jetty.project/pull/9528", + "refsource": "MISC", + "name": "https://github.com/eclipse/jetty.project/pull/9528" + }, + { + "url": "https://github.com/eclipse/jetty.project/pull/9660", + "refsource": "MISC", + "name": "https://github.com/eclipse/jetty.project/pull/9660" + } + ] + }, + "source": { + "advisory": "GHSA-pwh8-58vv-vw48", + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 3.5, + "baseSeverity": "LOW", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", + "version": "3.1" } ] } diff --git a/2023/41xxx/CVE-2023-41901.json b/2023/41xxx/CVE-2023-41901.json index 62c5f3eb1aa..74dfbef0948 100644 --- a/2023/41xxx/CVE-2023-41901.json +++ b/2023/41xxx/CVE-2023-41901.json @@ -1,17 +1,17 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-41901", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "REJECT" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "** REJECT ** Further research determined the issue is not a vulnerability." } ] } diff --git a/2023/42xxx/CVE-2023-42439.json b/2023/42xxx/CVE-2023-42439.json index 85d78a65af9..3ae115776f2 100644 --- a/2023/42xxx/CVE-2023-42439.json +++ b/2023/42xxx/CVE-2023-42439.json @@ -1,17 +1,85 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-42439", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. A SSRF vulnerability exists starting in version 3.2.0, bypassing existing controls on the software. This can allow a user to request internal services for a full read SSRF, returning any data from the internal network. The application is using a whitelist, but the whitelist can be bypassed. The bypass will trick the application that the first host is a whitelisted address, but the browser will use `@` or `%40` as a credential to the host geoserver on port 8080, this will return the data to that host on the response. As of time of publication, no patched version is available." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-918: Server-Side Request Forgery (SSRF)", + "cweId": "CWE-918" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "GeoNode", + "product": { + "product_data": [ + { + "product_name": "geonode", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": ">= 3.2.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/GeoNode/geonode/security/advisories/GHSA-pxg5-h34r-7q8p", + "refsource": "MISC", + "name": "https://github.com/GeoNode/geonode/security/advisories/GHSA-pxg5-h34r-7q8p" + } + ] + }, + "source": { + "advisory": "GHSA-pxg5-h34r-7q8p", + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "version": "3.1" } ] } diff --git a/2023/42xxx/CVE-2023-42442.json b/2023/42xxx/CVE-2023-42442.json index 8f20e1835e9..45ab13ddde5 100644 --- a/2023/42xxx/CVE-2023-42442.json +++ b/2023/42xxx/CVE-2023-42442.json @@ -1,17 +1,99 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-42442", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can download without authentication. Session replays stored in S3, OSS, or other cloud storage are not affected. The api `/api/v1/terminal/sessions/` permission control is broken and can be accessed anonymously. SessionViewSet permission classes set to `[RBACPermission | IsSessionAssignee]`, relation is or, so any permission matched will be allowed. Versions 3.5.5 and 3.6.4 have a fix. After upgrading, visit the api `$HOST/api/v1/terminal/sessions/?limit=1`. The expected http response code is 401 (`not_authenticated`).\n" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-287: Improper Authentication", + "cweId": "CWE-287" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "jumpserver", + "product": { + "product_data": [ + { + "product_name": "jumpserver", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": ">= 3.0.0, < 3.5.5" + }, + { + "version_affected": "=", + "version_value": ">= 3.6.0, < 3.6.4" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-633x-3f4f-v9rw", + "refsource": "MISC", + "name": "https://github.com/jumpserver/jumpserver/security/advisories/GHSA-633x-3f4f-v9rw" + }, + { + "url": "https://github.com/jumpserver/jumpserver/commit/0a58bba59cd275bab8e0ae58bf4b359fbc5eb74a", + "refsource": "MISC", + "name": "https://github.com/jumpserver/jumpserver/commit/0a58bba59cd275bab8e0ae58bf4b359fbc5eb74a" + }, + { + "url": "https://github.com/jumpserver/jumpserver/blob/v3.6.1/apps/terminal/api/session/session.py#L91", + "refsource": "MISC", + "name": "https://github.com/jumpserver/jumpserver/blob/v3.6.1/apps/terminal/api/session/session.py#L91" + } + ] + }, + "source": { + "advisory": "GHSA-633x-3f4f-v9rw", + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.2, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", + "version": "3.1" } ] } diff --git a/2023/5xxx/CVE-2023-5004.json b/2023/5xxx/CVE-2023-5004.json new file mode 100644 index 00000000000..b2eb753e439 --- /dev/null +++ b/2023/5xxx/CVE-2023-5004.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2023-5004", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2023/5xxx/CVE-2023-5005.json b/2023/5xxx/CVE-2023-5005.json new file mode 100644 index 00000000000..bc9d10735c1 --- /dev/null +++ b/2023/5xxx/CVE-2023-5005.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2023-5005", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file