admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-08-04 08:44:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

"-Synchronized-Data."

Browse Source
This commit is contained in:
CVE Team 2019-09-11 21:00:51 +00:00
parent 135c33c42c
commit 5f08a97ed1
No known key found for this signature in database
GPG Key ID: 0DA1F9F56BC892E8
11 changed files with 464 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
2018/10xxx/CVE-2018-10931.json
View File

@ -71,6 +71,11 @@
"name": "RHSA-2018:2372",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2372"
},
{
"refsource": "FEDORA",
"name": "FEDORA-2019-3cacfb34ad",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMWK5KCCZXOGOYNR2H6BWDSABTQ5NYJA/"
}
]
}

64
2018/17xxx/CVE-2018-17200.json
View File

@ -1,17 +1,61 @@
{
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-17200",
"STATE": "RESERVED"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"description": {
"description_data": [
"CVE_data_meta": {
"ID": "CVE-2018-17200",
"ASSIGNER": "security@apache.org",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"vendor_name": "Apache",
"product": {
"product_data": [
{
"product_name": "OFBiz",
"version": {
"version_data": [
{
"version_value": "OFBiz 16.11.01 to 16.11.05"
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "remote code execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MLIST",
"name": "[ofbiz-dev] 20190910 [CVE-2018-17200] Apache OFBiz unauthenticated remote code execution vulnerability in HttpEngine",
"url": "https://s.apache.org/m9boi"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. This service takes the `serviceContent` parameter in the request and deserializes it using XStream. This `XStream` instance is slightly guarded by disabling the creation of `ProcessBuilder`. However, this can be easily bypassed (and in multiple ways). Mitigation: Upgrade to 16.11.06 or manually apply the following commits on branch 16 r1850017+1850019"
}
]
}

64
2019/0xxx/CVE-2019-0189.json
View File

@ -1,17 +1,61 @@
{
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-0189",
"STATE": "RESERVED"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"description": {
"description_data": [
"CVE_data_meta": {
"ID": "CVE-2019-0189",
"ASSIGNER": "security@apache.org",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"vendor_name": "Apache",
"product": {
"product_data": [
{
"product_name": "OFBiz",
"version": {
"version_data": [
{
"version_value": "OFBiz 16.11.01 to 16.11.05"
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "remote code execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MLIST",
"name": "[ofbiz-dev] 20190910 [CVE-2019-0189] Apache OFBiz remote code execution and arbitrary file delete via Java",
"url": "https://s.apache.org/hsn2g"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the \"webtools/control/httpService\" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter \"serviceContext\" is passed to the \"deserialize\" method of \"XmlSerializer\". Apache Ofbiz is affected via two different dependencies: \"commons-beanutils\" and an out-dated version of \"commons-fileupload\" Mitigation: Upgrade to 16.11.06 or manually apply the commits from OFBIZ-10770 and OFBIZ-10837 on branch 16"
}
]
}

50
2019/10xxx/CVE-2019-10073.json
View File

@ -4,14 +4,58 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2019-10073",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security@apache.org",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Apache",
"product": {
"product_data": [
{
"product_name": "OFBiz",
"version": {
"version_data": [
{
"version_value": "OFBiz 16.11.01 to 16.11.05"
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XSS vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MLIST",
"name": "[ofbiz-dev] 20190910 [CVE-2019-10073] Apache OFBiz XSS vulnerability in the \"ecommerce\" component",
"url": "https://s.apache.org/w6edy"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "The \"Blog\", \"Forum\", \"Contact Us\" screens of the template \"ecommerce\" application bundled in Apache OFBiz are weak to Stored XSS attacks. Mitigation: Upgrade to 16.11.06 or manually apply the following commits on branch 16.11: 1858438, 1858543, 1860595 and 1860616"
}
]
}

50
2019/10xxx/CVE-2019-10074.json
View File

@ -4,14 +4,58 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2019-10074",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security@apache.org",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Apache",
"product": {
"product_data": [
{
"product_name": "OFBiz",
"version": {
"version_data": [
{
"version_value": "OFBiz 16.11.01 to 16.11.05"
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "RCE"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MLIST",
"name": "[ofbiz-dev] 20190910 [CVE-2019-10074] Apache OFBiz RCE (template injection)",
"url": "https://s.apache.org/r49vw"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request \"story\" input in the Order Manager application. Encoding should not be disabled without good reason and never within a field that accepts user input. Mitigation: Upgrade to 16.11.06 or manually apply the following commit on branch 16.11: r1858533"
}
]
}

5
2019/12xxx/CVE-2019-12401.json
View File

@ -54,6 +54,11 @@
"refsource": "MLIST",
"name": "[www-announce] 20190909 [SECURITY] CVE-2019-12401: XML Bomb in Apache Solr versions prior to 5.0",
"url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201909.mbox/%3CCAECwjAXU4%3DkAo5DeUJw7Kvk67sgCmajAN7LGZQNjbjZ8gv%3DBdw%40mail.gmail.com%3E"
},
{
"refsource": "MLIST",
"name": "[lucene-dev] 20190911 [jira] [Commented] (SOLR-13750) [CVE-2019-12401] XML Bomb in Apache Solr versions prior to 5.0.0",
"url": "https://lists.apache.org/thread.html/0ec231c5ed8d242890e21806d25fdd47f80cc47cac278d2fc1c9c579@%3Cdev.lucene.apache.org%3E"
}
]
},

5
2019/13xxx/CVE-2019-13520.json
View File

@ -53,6 +53,11 @@
"refsource": "MISC",
"name": "https://www.zerodayinitiative.com/advisories/ZDI-19-798/",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-798/"
},
{
"refsource": "MISC",
"name": "https://www.zerodayinitiative.com/advisories/ZDI-19-820/",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-820/"
}
]
},

62
2019/13xxx/CVE-2019-13536.json Normal file
View File

@ -0,0 +1,62 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2019-13536",
"ASSIGNER": "ics-cert@hq.dhs.gov",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Delta Electronics",
"product": {
"product_data": [
{
"product_name": "TPEditor",
"version": {
"version_data": [
{
"version_value": "1.94 and prior"
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "HEAP-BASED BUFFER OVERFLOW CWE-122"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://www.us-cert.gov/ics/advisories/icsa-19-253-01",
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-253-01"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Delta Electronics TPEditor, Versions 1.94 and prior. Multiple heap-based buffer overflow vulnerabilities may be exploited by processing specially crafted project files, which may allow an attacker to remotely execute arbitrary code."
}
]
}
}

62
2019/13xxx/CVE-2019-13540.json Normal file
View File

@ -0,0 +1,62 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2019-13540",
"ASSIGNER": "ics-cert@hq.dhs.gov",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Delta Electronics",
"product": {
"product_data": [
{
"product_name": "TPEditor",
"version": {
"version_data": [
{
"version_value": "1.94 and prior"
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "STACK-BASED BUFFER OVERFLOW CWE-121"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://www.us-cert.gov/ics/advisories/icsa-19-253-01",
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-253-01"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Delta Electronics TPEditor, Versions 1.94 and prior. Multiple stack-based buffer overflow vulnerabilities may be exploited by processing specially crafted project files, which may allow an attacker to remotely execute arbitrary code."
}
]
}
}

62
2019/13xxx/CVE-2019-13544.json Normal file
View File

@ -0,0 +1,62 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2019-13544",
"ASSIGNER": "ics-cert@hq.dhs.gov",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Delta Electronics",
"product": {
"product_data": [
{
"product_name": "TPEditor",
"version": {
"version_data": [
{
"version_value": "1.94 and prior"
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "OUT-OF-BOUNDS WRITE CWE-787"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://www.us-cert.gov/ics/advisories/icsa-19-253-01",
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-253-01"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Delta Electronics TPEditor, Versions 1.94 and prior. Multiple out-of-bounds write vulnerabilities may be exploited by processing specially crafted project files, which may allow remote code execution."
}
]
}
}

67
2019/15xxx/CVE-2019-15302.json Normal file
View File

@ -0,0 +1,67 @@
{
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-15302",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The pad management logic in XWiki labs CryptPad before 3.0.0 allows a remote attacker (who has access to a Rich Text pad with editing rights for the URL) to corrupt it (i.e., cause data loss) via a trivial URL modification."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"url": "https://github.com/xwiki-labs/cryptpad/commits/staging",
"refsource": "MISC",
"name": "https://github.com/xwiki-labs/cryptpad/commits/staging"
},
{
"refsource": "CONFIRM",
"name": "https://github.com/xwiki-labs/cryptpad/releases/tag/3.0.0",
"url": "https://github.com/xwiki-labs/cryptpad/releases/tag/3.0.0"
}
]
}
}