"-Synchronized-Data."

CVE Team 2020-06-12 16:01:32 +00:00
parent c17d84e4a4
commit 5d2e0f9c76
No known key found for this signature in database
GPG Key ID: 5708902F06FEF743
3 changed files with 192 additions and 123 deletions


@ -1,124 +1,129 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2020-10136",
"ASSIGNER": "cert@cert.org",
"DATE_PUBLIC": "2020-06-01T00:00:00.000Z",
"TITLE": "Decapsulation and routing of unidentified IP-in-IP traffic allows a remote, unauthenticated attacker to route arbitrary network traffic",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [
"VU#636397"
],
"advisory": "VU#636397",
"discovery": "EXTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "IETF",
"product": {
"product_data": [
{
"product_name": "RFC2003 - IP Encapsulation within IP",
"version": {
"version_data": [
{
"version_name": "STD 1",
"version_affected": "=",
"version_value": "STD 1",
"platform": ""
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2020-10136",
"ASSIGNER": "cert@cert.org",
"DATE_PUBLIC": "2020-06-01T00:00:00.000Z",
"TITLE": "Decapsulation and routing of unidentified IP-in-IP traffic allows a remote, unauthenticated attacker to route arbitrary network traffic",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [
"VU#636397"
],
"advisory": "VU#636397",
"discovery": "EXTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "IETF",
"product": {
"product_data": [
{
"product_name": "RFC2003 - IP Encapsulation within IP",
"version": {
"version_data": [
{
"version_name": "STD 1",
"version_affected": "=",
"version_value": "STD 1",
"platform": ""
}
]
}
}
]
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-19 Data Processing Errors"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-19 Data Processing Errors"
}
]
}
]
}
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple products that implement the IP Encapsulation within IP standard (RFC 2003, STD 1) decapsulate and route IP-in-IP traffic without any validation, which could allow an unauthenticated remote attacker to route arbitrary traffic via an exposed network interface and lead to spoofing, access control bypass, and other unexpected network behaviors."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CERT-VN",
"url": "https://kb.cert.org/vuls/id/636397/",
"name": "VU#636397"
},
{
"refsource": "MISC",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4",
"name": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4"
},
{
"refsource": "MISC",
"url": "https://www.digi.com/resources/security",
"name": "https://www.digi.com/resources/security"
},
{
"refsource": "CERT-VN",
"name": "VU#636397",
"url": "https://www.kb.cert.org/vuls/id/636397"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"baseScore": 5.3,
"baseSeverity": "MEDIUM"
}
},
"exploit": [],
"work_around": [
{
"lang": "eng",
"value": "Users can block IP-in-IP packets by filtering IP protocol number 4. Note this filtering is for the IPv4 Protocol (or IPv6 Next Header) field value of 4 and not IP protocol version 4 (IPv4)."
}
],
"solution": [
{
"lang": "eng",
"value": "Customers should apply the latest patch provided by the affected vendor that addresses this issue and prevents unspecified IP-in-IP packets from being processed. Devices manufacturers are urged to disable IP-in-IP in their default configuration and require their customers to explicitly configure IP-in-IP as and when needed."
}
],
"credit": [
{
"lang": "eng",
"value": "Thanks to Yannay Livneh for reporting this issue."
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple products that implement the IP Encapsulation within IP standard (RFC 2003, STD 1) decapsulate and route IP-in-IP traffic without any validation, which could allow an unauthenticated remote attacker to route arbitrary traffic via an exposed network interface and lead to spoofing, access control bypass, and other unexpected network behaviors."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CERT-VN",
"url": "https://kb.cert.org/vuls/id/636397/",
"name": "VU#636397"
},
{
"refsource": "MISC",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4",
"name": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4"
},
{
"refsource": "MISC",
"url": "https://www.digi.com/resources/security",
"name": "https://www.digi.com/resources/security"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"baseScore": 5.3,
"baseSeverity": "MEDIUM"
}
},
"exploit": [],
"work_around": [
{
"lang": "eng",
"value": "Users can block IP-in-IP packets by filtering IP protocol number 4. Note this filtering is for the IPv4 Protocol (or IPv6 Next Header) field value of 4 and not IP protocol version 4 (IPv4)."
}
],
"solution": [
{
"lang": "eng",
"value": "Customers should apply the latest patch provided by the affected vendor that addresses this issue and prevents unspecified IP-in-IP packets from being processed. Devices manufacturers are urged to disable IP-in-IP in their default configuration and require their customers to explicitly configure IP-in-IP as and when needed."
}
],
"credit": [
{
"lang": "eng",
"value": "Thanks to Yannay Livneh for reporting this issue."
}
]
}
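Review bot: The `impact.cvss` block scores this record `C:N/I:N/A:L` (base 5.3), which does not match the description's own impact statement of spoofing and access control bypass, so anyone triaging on `baseScore` alone will under-rank it; as far as the rendered sides can be told apart, the commit leaves that block unchanged. Consumers deciding exposure should go by the `work_around` text (filter IP protocol number 4) rather than the score. Separately, `reference_data` appears to gain a second `CERT-VN` entry for the same advisory, `"url": "https://www.kb.cert.org/vuls/id/636397"`, alongside the existing `https://kb.cert.org/vuls/id/636397/`; the two differ only in host prefix and trailing slash, and one should be dropped so URL-keyed deduplication does not count VU#636397 twice.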


@ -1,17 +1,81 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2020-14004",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2020-14004",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "An issue was discovered in Icinga2 before v2.12.0-rc1. The prepare-dirs script (run as part of the icinga2 systemd service) executes chmod 2750 /run/icinga2/cmd. /run/icinga2 is under control of an unprivileged user by default. If /run/icinga2/cmd is a symlink, then it will by followed and arbitrary files can be changed to mode 2750 by the unprivileged icinga2 user."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2020-14004",
"refsource": "MISC",
"name": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2020-14004"
},
{
"url": "https://github.com/Icinga/icinga2/pull/8045/commits/2f0f2e8c355b75fa4407d23f85feea037d2bc4b6",
"refsource": "MISC",
"name": "https://github.com/Icinga/icinga2/pull/8045/commits/2f0f2e8c355b75fa4407d23f85feea037d2bc4b6"
},
{
"url": "https://github.com/Icinga/icinga2/releases",
"refsource": "MISC",
"name": "https://github.com/Icinga/icinga2/releases"
},
{
"refsource": "CONFIRM",
"name": "http://www.openwall.com/lists/oss-security/2020/06/12/1",
"url": "http://www.openwall.com/lists/oss-security/2020/06/12/1"
},
{
"refsource": "MISC",
"name": "https://github.com/Icinga/icinga2/compare/v2.12.0-rc1...master",
"url": "https://github.com/Icinga/icinga2/compare/v2.12.0-rc1...master"
}
]
}
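Review bot: The `affects` block of the now-public record still carries `"product_name": "n/a"`, `"vendor_name": "n/a"` and `"version_value": "n/a"`, although the new description names Icinga2 before v2.12.0-rc1, so scanners that match on the vendor/product fields will not associate this CVE with installed packages. `problemtype` is likewise `"n/a"` for what the description presents as a symlink followed by a `chmod` in the service's prepare-dirs script; a link-following class such as CWE-59 looks like the fit, to be confirmed by the assigner. The last reference, `https://github.com/Icinga/icinga2/compare/v2.12.0-rc1...master`, points at a moving branch and will not keep showing the same content, so a pinned tag or commit would serve better. The description also has a typo, `it will by followed` for `it will be followed`.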


@ -86,7 +86,7 @@
"description_data": [
{
"lang": "eng",
"value": "In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin.\n\nThis has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34)."
"value": "In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34)."
}
]
},