diff --git a/2021/28xxx/CVE-2021-28129.json b/2021/28xxx/CVE-2021-28129.json
index 363e447b3c7..43e13171a0a 100644
--- a/2021/28xxx/CVE-2021-28129.json
+++ b/2021/28xxx/CVE-2021-28129.json
@@ -1,18 +1,82 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "ASSIGNER": "security@apache.org",
 "ID": "CVE-2021-28129",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC",
+ "TITLE": "DEB packaging for Apache OpenOffice 4.1.8 installed with a non-root userid and groupid"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Apache OpenOffice",
+ "version": {
+ "version_data": [
+ {
+ "platform": "Linux DEB installs",
+ "version_affected": "=",
+ "version_name": "Apache OpenOffice",
+ "version_value": "4.1.8"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Apache Software Foundation"
+ }
+ ]
+ }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "Arrigo Marchiori"
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "While working on Apache OpenOffice 4.1.8 a developer discovered that the DEB package did not install using root, but instead used a userid and groupid of 500. This both caused issues with desktop integration and could allow a crafted attack on files owned by that user or group if they exist.\n\nUsers who installed the Apache OpenOffice 4.1.8 DEB packaging should upgrade to the latest version of Apache OpenOffice."
 }
 ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": [
+ {
+ "other": "low"
+ }
+ ],
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-284 Improper Access Control"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "https://lists.apache.org/thread.html/rc9090ab48b4699494b63b35cd6d7414c52d665ecae12add3cdc56c9b%40%3Cusers.openoffice.apache.org%3E"
+ }
+ ]
+ },
+ "source": {
+ "discovery": "UNKNOWN"
 }
-}
\ No newline at end of file
+}
diff --git a/2021/40xxx/CVE-2021-40439.json b/2021/40xxx/CVE-2021-40439.json
index 27036bf13c5..f71c3cc6fbd 100644
--- a/2021/40xxx/CVE-2021-40439.json
+++ b/2021/40xxx/CVE-2021-40439.json
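Review bot: The new `"source": {"discovery": "UNKNOWN"}` block at the end of the CVE-2021-28129 hunk contradicts the record's own description ("a developer discovered that the DEB package did not install using root") and the named `credit` entry. The discovery path is known from the text, so the enum value should reflect it, presumably `"discovery": "INTERNAL"`. Leaving it as UNKNOWN makes the structured field less reliable than the prose for anyone filtering records by discovery source.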
@@ -1,18 +1,80 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "ASSIGNER": "security@apache.org",
 "ID": "CVE-2021-40439",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC",
+ "TITLE": "Billion Laughs"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Apache OpenOffice",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "Apache OpenOffice",
+ "version_value": "4.1.10"
+ },
+ {
+ "version_affected": "<=",
+ "version_name": "OpenOffice.org",
+ "version_value": "3.4"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Apache Software Foundation"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Apache OpenOffice has a dependency on expat software. Versions prior to 2.1.0 were subject to CVE-2013-0340 a \"Billion Laughs\" entity expansion denial of service attack and exploit via crafted XML files. ODF files consist of a set of XML files.\n\nAll versions of Apache OpenOffice up to 4.1.10 are subject to this issue.\n\nexpat in version 4.1.11 is patched."
 }
 ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": [
+ {
+ "other": "medium"
+ }
+ ],
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-611 Improper Restriction of XML External Entity Reference"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "https://lists.apache.org/thread.html/rfb2c193360436e230b85547e85a41bea0916916f96c501f5b6fc4702%40%3Cusers.openoffice.apache.org%3E"
+ }
+ ]
+ },
+ "source": {
+ "discovery": "UNKNOWN"
 }
-}
\ No newline at end of file
+}
diff --git a/2021/42xxx/CVE-2021-42013.json b/2021/42xxx/CVE-2021-42013.json
index 08f6632c660..2b1d5699eda 100644
--- a/2021/42xxx/CVE-2021-42013.json
+++ b/2021/42xxx/CVE-2021-42013.json
@@ -1,4 +1,51 @@
 {
+<<<<<<< HEAD
+ "CVE_data_meta": {
+ "ASSIGNER": "security@apache.org",
+ "ID": "CVE-2021-42013",
+ "STATE": "PUBLIC",
+ "TITLE": "Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Apache HTTP Server",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_name": "Apache HTTP Server",
+ "version_value": "2.4.49"
+ },
+ {
+ "version_affected": "=",
+ "version_name": "Apache HTTP Server",
+ "version_value": "2.4.50"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Apache Software Foundation"
+ }
+ ]
+ }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "Reported by Juan Escobar from Dreamlab Technologies, Fernando Muñoz from NULL Life CTF Team, and Shungo Kumasaka"
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+=======
 "data_type": "CVE",
 "data_format": "MITRE",
 "data_version": "4.0",
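Review bot: The `problemtype` value added in the CVE-2021-40439 hunk, `"CWE-611 Improper Restriction of XML External Entity Reference"`, does not match the weakness the description itself states — a "Billion Laughs" entity expansion denial of service, which is internal entity expansion rather than external entity resolution. The closer classification appears to be `"CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')"`; if CWE-611 was chosen deliberately because the same expat issue also covers external entities, that reasoning is not visible in the record and would be worth stating in the description. Downstream consumers that route or score records by CWE will otherwise treat this as an XXE disclosure issue rather than a DoS.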
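Review bot: The new side of CVE-2021-42013.json commits unresolved merge-conflict markers — `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> 4e45ffec8edeb016fb28f22ab8ed1fb0989b4f47` — so the file is no longer valid JSON and any strict parser consuming the repository will reject it; the same markers appear in this file's second hunk (`@@ -7,12 +54,59 @@`). The HEAD side carries the complete PUBLIC record, while the text between `=======` and `>>>>>>>` in both hunks is only the stale RESERVED stub (`"ASSIGNER": "cve@mitre.org"`, `"STATE": "RESERVED"`, the `** RESERVED **` description), so the two sides cannot be merged field by field and the HEAD side alone is the intended content. Resolve by deleting the three marker lines and everything between `=======` and `>>>>>>>` in both hunks, keeping the HEAD block and its closing `}` with a trailing newline, and confirm the result parses (for example with `python -m json.tool`) before committing; a parse check on every `*.json` in CI would catch this class of breakage at push time.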
@@ -7,12 +54,59 @@
 "ASSIGNER": "cve@mitre.org",
 "STATE": "RESERVED"
 },
+>>>>>>> 4e45ffec8edeb016fb28f22ab8ed1fb0989b4f47
 "description": {
 "description_data": [
 {
 "lang": "eng",
+<<<<<<< HEAD
+ "value": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. \n\nIf files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution.\n\nThis issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions."
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": [
+ {
+ "other": "critical"
+ }
+ ],
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "https://lists.apache.org/thread.html/rb5b0e46f179f60b0c70204656bc52fcb558e961cb4d06a971e9e3efb%40%3Cusers.httpd.apache.org%3E"
+ }
+ ]
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "timeline": [
+ {
+ "lang": "eng",
+ "time": "2021-10-06",
+ "value": "reported"
+ }
+ ]
+}
+=======
 "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
 }
 ]
 }
-}
\ No newline at end of file
+}
+>>>>>>> 4e45ffec8edeb016fb28f22ab8ed1fb0989b4f47