diff --git a/2020/11xxx/CVE-2020-11860.json b/2020/11xxx/CVE-2020-11860.json index 0cdec935d60..d56254d6898 100644 --- a/2020/11xxx/CVE-2020-11860.json +++ b/2020/11xxx/CVE-2020-11860.json @@ -4,14 +4,58 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-11860", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@suse.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Micro Focus", + "product": { + "product_data": [ + { + "product_name": "ArcSight Logger", + "version": { + "version_data": [ + { + "version_value": "All version prior to version 7.1.1" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross-Site Scripting." + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "CONFIRM", + "name": "https://community.microfocus.com/t5/Logger/Logger-Release-Notes-7-1-1/ta-p/2837600", + "url": "https://community.microfocus.com/t5/Logger/Logger-Release-Notes-7-1-1/ta-p/2837600" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Cross-Site Scripting vulnerability on Micro Focus ArcSight Logger product, affecting all version prior to 7.1.1. The vulnerability could be remotely exploited resulting in Cross-Site Scripting (XSS)" } ] } diff --git a/2020/13xxx/CVE-2020-13352.json b/2020/13xxx/CVE-2020-13352.json index d15f0bbd82f..c0007ae4a22 100644 --- a/2020/13xxx/CVE-2020-13352.json +++ b/2020/13xxx/CVE-2020-13352.json @@ -4,15 +4,106 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-13352", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cve@gitlab.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "GitLab", + "product": { + "product_data": [ + { + "product_name": "GitLab CE/EE", + "version": { + "version_data": [ + { + "version_value": ">=10.2" + }, + { + "version_value": "<13.3.9" + }, + { + "version_value": ">=13.4" + }, + { + "version_value": "<13.4.5" + }, + { + "version_value": ">=13.5" + }, + { + "version_value": "<13.5.2" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Exposure of private information ('privacy violation') in GitLab" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/38281", + "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/38281", + "refsource": "MISC" + }, + { + "name": "https://hackerone.com/reports/748315", + "url": "https://hackerone.com/reports/748315", + "refsource": "MISC" + }, + { + "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13352.json", + "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13352.json", + "refsource": "CONFIRM" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Private group info is leaked leaked in GitLab CE/EE version 10.2 and above, when the project is moved from private to public group. Affected versions are: >=10.2, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2." } ] - } + }, + "impact": { + "cvss": { + "vectorString": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "version": "3.1", + "baseScore": 3.6, + "baseSeverity": "LOW" + } + }, + "credit": [ + { + "lang": "eng", + "value": "Thanks [@ashish_r_padelkar](https://hackerone.com/ashish_r_padelkar) for reporting this vulnerability through our HackerOne bug bounty program" + } + ] } \ No newline at end of file diff --git a/2020/13xxx/CVE-2020-13353.json b/2020/13xxx/CVE-2020-13353.json index b5935c372c8..911fa5d5929 100644 --- a/2020/13xxx/CVE-2020-13353.json +++ b/2020/13xxx/CVE-2020-13353.json @@ -4,15 +4,92 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-13353", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cve@gitlab.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "GitLab", + "product": { + "product_data": [ + { + "product_name": "Gitaly", + "version": { + "version_data": [ + { + "version_value": ">=1.79.0, <13.3.9" + }, + { + "version_value": ">=13.4, <13.4.5" + }, + { + "version_value": ">=13.5, <13.5.2" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cleartext storage of sensitive information in Gitaly" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://gitlab.com/gitlab-org/gitaly/-/issues/2882", + "url": "https://gitlab.com/gitlab-org/gitaly/-/issues/2882", + "refsource": "MISC" + }, + { + "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13353.json", + "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13353.json", + "refsource": "CONFIRM" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "When importing repos via URL, one time use git credentials were persisted beyond the expected time window in Gitaly 1.79.0 or above. Affected versions are: >=1.79.0, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2." } ] - } + }, + "impact": { + "cvss": { + "vectorString": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N", + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "HIGH", + "scope": "CHANGED", + "userInteraction": "NONE", + "version": "3.1", + "baseScore": 2.5, + "baseSeverity": "LOW" + } + }, + "credit": [ + { + "lang": "eng", + "value": "This vulnerability has been discovered internally by the GitLab team" + } + ] } \ No newline at end of file diff --git a/2020/13xxx/CVE-2020-13354.json b/2020/13xxx/CVE-2020-13354.json index cd03877c60f..57806b72fd6 100644 --- a/2020/13xxx/CVE-2020-13354.json +++ b/2020/13xxx/CVE-2020-13354.json @@ -4,15 +4,94 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-13354", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cve@gitlab.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "GitLab", + "product": { + "product_data": [ + { + "product_name": "GitLab CE/EE", + "version": { + "version_data": [ + { + "version_value": ">=12.6" + }, + { + "version_value": "<13.3.9" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Uncontrolled resource consumption in GitLab" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/220019", + "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/220019", + "refsource": "MISC" + }, + { + "name": "https://hackerone.com/reports/869875", + "url": "https://hackerone.com/reports/869875", + "refsource": "MISC" + }, + { + "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13354.json", + "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13354.json", + "refsource": "CONFIRM" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 12.6. The container registry name check could cause exponential number of backtracks for certain user supplied values resulting in high CPU usage. Affected versions are: >=12.6, <13.3.9." } ] - } + }, + "impact": { + "cvss": { + "vectorString": "AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "version": "3.1", + "baseScore": 4.2, + "baseSeverity": "MEDIUM" + } + }, + "credit": [ + { + "lang": "eng", + "value": "Thanks [@anyday](https://hackerone.com/anyday) for reporting this vulnerability through our HackerOne bug bounty program" + } + ] } \ No newline at end of file diff --git a/2020/13xxx/CVE-2020-13358.json b/2020/13xxx/CVE-2020-13358.json index 9c0fb718c46..65d1612fb24 100644 --- a/2020/13xxx/CVE-2020-13358.json +++ b/2020/13xxx/CVE-2020-13358.json @@ -4,15 +4,101 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-13358", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cve@gitlab.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "GitLab", + "product": { + "product_data": [ + { + "product_name": "Gitlab CE/EE", + "version": { + "version_data": [ + { + "version_value": ">=13.4" + }, + { + "version_value": "<13.4.5" + }, + { + "version_value": ">=13.3" + }, + { + "version_value": "<13.3.9" + }, + { + "version_value": ">=13.5" + }, + { + "version_value": "<13.5.2" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Improper authorization in GitLab" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/241674", + "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/241674", + "refsource": "MISC" + }, + { + "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13358.json", + "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13358.json", + "refsource": "CONFIRM" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A vulnerability in the internal Kubernetes agent api in GitLab CE/EE version 13.3 and above allows unauthorized access to private projects. Affected versions are: >=13.4, <13.4.5,>=13.3, <13.3.9,>=13.5, <13.5.2." } ] - } + }, + "impact": { + "cvss": { + "vectorString": "AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "version": "3.1", + "baseScore": 4.6, + "baseSeverity": "MEDIUM" + } + }, + "credit": [ + { + "lang": "eng", + "value": "This vulnerability has been discovered internally by the GitLab team" + } + ] } \ No newline at end of file diff --git a/2020/25xxx/CVE-2020-25834.json b/2020/25xxx/CVE-2020-25834.json index 5af89c628da..23f34e026c7 100644 --- a/2020/25xxx/CVE-2020-25834.json +++ b/2020/25xxx/CVE-2020-25834.json @@ -4,14 +4,58 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-25834", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@suse.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Micro Focus", + "product": { + "product_data": [ + { + "product_name": "ArcSight Logger", + "version": { + "version_data": [ + { + "version_value": "7.1" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross-Site Scripting." + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "CONFIRM", + "name": "https://community.microfocus.com/t5/Logger/Logger-Release-Notes-7-1-1/ta-p/2837600", + "url": "https://community.microfocus.com/t5/Logger/Logger-Release-Notes-7-1-1/ta-p/2837600" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Cross-Site Scripting vulnerability on Micro Focus ArcSight Logger product, affecting version 7.1. The vulnerability could be remotely exploited resulting in Cross-Site Scripting (XSS)." } ] } diff --git a/2020/26xxx/CVE-2020-26406.json b/2020/26xxx/CVE-2020-26406.json index eb5c2a06967..4fc1d9e0ca2 100644 --- a/2020/26xxx/CVE-2020-26406.json +++ b/2020/26xxx/CVE-2020-26406.json @@ -4,15 +4,97 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-26406", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cve@gitlab.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "GitLab", + "product": { + "product_data": [ + { + "product_name": "GitLab EE", + "version": { + "version_data": [ + { + "version_value": ">=13.3, <13.3.9" + }, + { + "version_value": ">=13.4, <13.4.5" + }, + { + "version_value": ">=13.5, <13.5.2" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Information exposure in GitLab EE" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/244921", + "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/244921", + "refsource": "MISC" + }, + { + "name": "https://hackerone.com/reports/965602", + "url": "https://hackerone.com/reports/965602", + "refsource": "MISC" + }, + { + "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26406.json", + "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26406.json", + "refsource": "CONFIRM" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3. This information was exposed through GraphQL to non-members of public projects with repository visibility restricted as well as guest members on private projects. Affected versions are: >=13.3, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2." } ] - } + }, + "impact": { + "cvss": { + "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "version": "3.1", + "baseScore": 5.3, + "baseSeverity": "MEDIUM" + } + }, + "credit": [ + { + "lang": "eng", + "value": "Thanks [ashish_r_padelkar](https://hackerone.com/ashish_r_padelkar) for reporting this vulnerability through our HackerOne bug bounty program" + } + ] } \ No newline at end of file