diff --git a/2024/25xxx/CVE-2024-25711.json b/2024/25xxx/CVE-2024-25711.json new file mode 100644 index 00000000000..3031be40cde --- /dev/null +++ b/2024/25xxx/CVE-2024-25711.json @@ -0,0 +1,67 @@ +{ + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2024-25711", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be disclosed to an attacker. This occurs because the value of the gpg --use-embedded-filenames option is trusted." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/361", + "refsource": "MISC", + "name": "https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/361" + }, + { + "url": "https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/dfed769904c27d66a14a5903823d9c8c5aae860e", + "refsource": "MISC", + "name": "https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/dfed769904c27d66a14a5903823d9c8c5aae860e" + } + ] + } +} \ No newline at end of file diff --git a/2024/25xxx/CVE-2024-25712.json b/2024/25xxx/CVE-2024-25712.json new file mode 100644 index 00000000000..30268ab6ef9 --- /dev/null +++ b/2024/25xxx/CVE-2024-25712.json @@ -0,0 +1,67 @@ +{ + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2024-25712", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "http-swagger before 1.2.6 allows XSS via PUT requests, because a file that has been uploaded (via httpSwagger.WrapHandler and *webdav.memFile) can subsequently be accessed via a GET request. NOTE: this is independently fixable with respect to CVE-2022-24863, because (if a solution continued to allow PUT requests) large files could have been blocked without blocking JavaScript, or JavaScript could have been blocked without blocking large files." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://cosmosofcyberspace.github.io/improper_http_method_leads_to_xss/poc.html", + "refsource": "MISC", + "name": "https://cosmosofcyberspace.github.io/improper_http_method_leads_to_xss/poc.html" + }, + { + "url": "https://github.com/swaggo/http-swagger/releases/tag/v1.2.6", + "refsource": "MISC", + "name": "https://github.com/swaggo/http-swagger/releases/tag/v1.2.6" + } + ] + } +} \ No newline at end of file