Auto-merge PR#1336

2025-08-04 08:44:25 +00:00 · 2021-04-13 15:55:19 -04:00 · 2021-04-13 15:55:19 -04:00 · 6d0cd37740
commit 6d0cd37740
parent 8d64d4eb8a 137a393b10
1 changed files with 76 additions and 6 deletions
--- a/2021/29xxx/CVE-2021-29440.json
+++ b/2021/29xxx/CVE-2021-29440.json
@ -1,18 +1,88 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
    "CVE_data_meta": {
+        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-29440",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "STATE": "PUBLIC",
+        "TITLE": "Twig allowing dangerous PHP functions by default"
    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "grav",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_value": "< 1.7.11"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "getgrav"
+                }
+            ]
+        }
+    },
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "Grav is a file based Web-platform.\nTwig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. \nAs the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance.\nThe issue was addressed in version 1.7.11. "
            }
        ]
+    },
+    "impact": {
+        "cvss": {
+            "attackComplexity": "LOW",
+            "attackVector": "NETWORK",
+            "availabilityImpact": "HIGH",
+            "baseScore": 8.4,
+            "baseSeverity": "HIGH",
+            "confidentialityImpact": "HIGH",
+            "integrityImpact": "HIGH",
+            "privilegesRequired": "HIGH",
+            "scope": "CHANGED",
+            "userInteraction": "REQUIRED",
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
+            "version": "3.1"
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "{\"CWE-94\":\"Improper Control of Generation of Code ('Code Injection')\"}"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "name": "https://github.com/getgrav/grav/security/advisories/GHSA-g8r4-p96j-xfxc",
+                "refsource": "CONFIRM",
+                "url": "https://github.com/getgrav/grav/security/advisories/GHSA-g8r4-p96j-xfxc"
+            },
+            {
+                "name": "https://packagist.org/packages/getgrav/grav",
+                "refsource": "MISC",
+                "url": "https://packagist.org/packages/getgrav/grav"
+            }
+        ]
+    },
+    "source": {
+        "advisory": "GHSA-g8r4-p96j-xfxc",
+        "discovery": "UNKNOWN"
    }
 }