From 750ed0725540934f918761ca74216028b6bfb16f Mon Sep 17 00:00:00 2001 From: CVE Team Date: Tue, 25 Jul 2023 09:00:34 +0000 Subject: [PATCH] "-Synchronized-Data." --- 2022/31xxx/CVE-2022-31781.json | 85 +++++++++++++------------- 2022/33xxx/CVE-2022-33891.json | 105 ++++++++++++++++----------------- 2022/37xxx/CVE-2022-37400.json | 95 ++++++++++++++--------------- 2022/37xxx/CVE-2022-37401.json | 103 ++++++++++++++------------------ 2022/37xxx/CVE-2022-37435.json | 94 ++++++++++++++--------------- 2023/3xxx/CVE-2023-3890.json | 96 ++++++++++++++++++++++++++++-- 2023/3xxx/CVE-2023-3897.json | 91 ++++++++++++++++++++++++++-- 7 files changed, 403 insertions(+), 266 deletions(-) diff --git a/2022/31xxx/CVE-2022-31781.json b/2022/31xxx/CVE-2022-31781.json index ac35a680bdc..c2d1042fa97 100644 --- a/2022/31xxx/CVE-2022-31781.json +++ b/2022/31xxx/CVE-2022-31781.json @@ -1,14 +1,38 @@ { + "data_version": "4.0", + "data_type": "CVE", + "data_format": "MITRE", "CVE_data_meta": { - "ASSIGNER": "security@apache.org", "ID": "CVE-2022-31781", - "STATE": "PUBLIC", - "TITLE": "Regular Expression Denial of Service (ReDoS) in ContentType.java. (GHSL-2022-022)" + "ASSIGNER": "security@apache.org", + "STATE": "PUBLIC" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete. Specifically, this is about the regular expression used on the parameter of the org.apache.tapestry5.http.ContentType class. Apache Tapestry 5.8.2 has a fix for this vulnerability. Notice the vulnerability cannot be triggered by web requests in Tapestry code alone. It would only happen if there's some non-Tapestry codepath passing some outside input to the ContentType class constructor." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-1333 Inefficient Regular Expression Complexity", + "cweId": "CWE-1333" + } + ] + } + ] }, "affects": { "vendor": { "vendor_data": [ { + "vendor_name": "Apache Software Foundation", "product": { "product_data": [ { @@ -24,59 +48,30 @@ } } ] - }, - "vendor_name": "Apache Software Foundation" + } } ] } }, - "credit": [ - { - "lang": "eng", - "value": "CodeQL team members [@atorralba (Tony Torralba)](https://github.com/atorralba) and [@joefarebrother (Joseph Farebrother)](https://github.com/joefarebrother)." - } - ], - "data_format": "MITRE", - "data_type": "CVE", - "data_version": "4.0", - "description": { - "description_data": [ + "references": { + "reference_data": [ { - "lang": "eng", - "value": "Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete. Specifically, this is about the regular expression used on the parameter of the org.apache.tapestry5.http.ContentType class. Apache Tapestry 5.8.2 has a fix for this vulnerability. Notice the vulnerability cannot be triggered by web requests in Tapestry code alone. It would only happen if there's some non-Tapestry codepath passing some outside input to the ContentType class constructor." + "url": "https://www.openwall.com/lists/oss-security/2022/07/12/3", + "refsource": "MISC", + "name": "https://www.openwall.com/lists/oss-security/2022/07/12/3" } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, - "impact": [ - { - "other": "low" - } - ], - "problemtype": { - "problemtype_data": [ - { - "description": [ - { - "lang": "eng", - "value": "CWE-400 Uncontrolled Resource Consumption" - } - ] - } - ] - }, - "references": { - "reference_data": [ - { - "refsource": "MISC", - "url": "https://www.openwall.com/lists/oss-security/2022/07/12/3", - "name": "https://www.openwall.com/lists/oss-security/2022/07/12/3" - } - ] - }, "source": { "discovery": "UNKNOWN" - } + }, + "credits": [ + { + "lang": "en", + "value": "CodeQL team members [@atorralba (Tony Torralba)](https://github.com/atorralba) and [@joefarebrother (Joseph Farebrother)](https://github.com/joefarebrother)." + } + ] } \ No newline at end of file diff --git a/2022/33xxx/CVE-2022-33891.json b/2022/33xxx/CVE-2022-33891.json index f42013e79da..8b8f6db3a60 100644 --- a/2022/33xxx/CVE-2022-33891.json +++ b/2022/33xxx/CVE-2022-33891.json @@ -1,14 +1,38 @@ { + "data_version": "4.0", + "data_type": "CVE", + "data_format": "MITRE", "CVE_data_meta": { - "ASSIGNER": "security@apache.org", "ID": "CVE-2022-33891", - "STATE": "PUBLIC", - "TITLE": "Apache Spark shell command injection vulnerability via Spark UI" + "ASSIGNER": "security@apache.org", + "STATE": "PUBLIC" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + "cweId": "CWE-78" + } + ] + } + ] }, "affects": { "vendor": { "vendor_data": [ { + "vendor_name": "Apache Software Foundation", "product": { "product_data": [ { @@ -34,68 +58,33 @@ } } ] - }, - "vendor_name": "Apache Software Foundation" + } } ] } }, - "credit": [ - { - "lang": "eng", - "value": " Kostya Kortchinsky (Databricks)" - } - ], - "data_format": "MITRE", - "data_type": "CVE", - "data_version": "4.0", - "description": { - "description_data": [ + "references": { + "reference_data": [ { - "lang": "eng", - "value": "The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1." + "url": "https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc", + "refsource": "MISC", + "name": "https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc" + }, + { + "url": "http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html", + "refsource": "MISC", + "name": "http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/05/02/1", + "refsource": "MISC", + "name": "http://www.openwall.com/lists/oss-security/2023/05/02/1" } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, - "impact": [ - { - "other": "important" - } - ], - "problemtype": { - "problemtype_data": [ - { - "description": [ - { - "lang": "eng", - "value": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')" - } - ] - } - ] - }, - "references": { - "reference_data": [ - { - "refsource": "MISC", - "url": "https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc", - "name": "https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc" - }, - { - "refsource": "MISC", - "name": "http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html", - "url": "http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html" - }, - { - "refsource": "MLIST", - "name": "[oss-security] 20230502 CVE-2023-32007: Apache Spark: Shell command injection via Spark UI", - "url": "http://www.openwall.com/lists/oss-security/2023/05/02/1" - } - ] - }, "source": { "defect": [ "SPARK-38992" @@ -104,8 +93,14 @@ }, "work_around": [ { - "lang": "eng", + "lang": "en", "value": "Upgrade to supported Apache Spark maintenance release 3.1.3, 3.2.2, or 3.3.0 or later" } + ], + "credits": [ + { + "lang": "en", + "value": " Kostya Kortchinsky (Databricks)" + } ] } \ No newline at end of file diff --git a/2022/37xxx/CVE-2022-37400.json b/2022/37xxx/CVE-2022-37400.json index 1db94172231..12b7f43b472 100644 --- a/2022/37xxx/CVE-2022-37400.json +++ b/2022/37xxx/CVE-2022-37400.json @@ -1,14 +1,38 @@ { + "data_version": "4.0", + "data_type": "CVE", + "data_format": "MITRE", "CVE_data_meta": { - "ASSIGNER": "security@apache.org", "ID": "CVE-2022-37400", - "STATE": "PUBLIC", - "TITLE": "Apache OpenOffice Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master Password" + "ASSIGNER": "security@apache.org", + "STATE": "PUBLIC" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26306 - LibreOffice" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-330 Use of Insufficiently Random Values", + "cweId": "CWE-330" + } + ] + } + ] }, "affects": { "vendor": { "vendor_data": [ { + "vendor_name": "Apache Software Foundation", "product": { "product_data": [ { @@ -24,64 +48,35 @@ } } ] - }, - "vendor_name": "Apache Software Foundation" + } } ] } }, - "credit": [ - { - "lang": "eng", - "value": "OpenSource Security GmbH on behalf of the German Federal Office for Information Security" - } - ], - "data_format": "MITRE", - "data_type": "CVE", - "data_version": "4.0", - "description": { - "description_data": [ + "references": { + "reference_data": [ { - "lang": "eng", - "value": "Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26306 - LibreOffice" + "url": "https://www.openoffice.org/security/cves/CVE-2022-37400.html", + "refsource": "MISC", + "name": "https://www.openoffice.org/security/cves/CVE-2022-37400.html" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2022/08/13/1", + "refsource": "MISC", + "name": "http://www.openwall.com/lists/oss-security/2022/08/13/1" } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, - "impact": [ - { - "other": "important" - } - ], - "problemtype": { - "problemtype_data": [ - { - "description": [ - { - "lang": "eng", - "value": "CWE-326 Inadequate Encryption Strength" - } - ] - } - ] - }, - "references": { - "reference_data": [ - { - "refsource": "MISC", - "url": "https://www.openoffice.org/security/cves/CVE-2022-37400.html", - "name": "https://www.openoffice.org/security/cves/CVE-2022-37400.html" - }, - { - "refsource": "MLIST", - "name": "[oss-security] 20220812 CVE-2022-37400: Apache OpenOffice Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master Password", - "url": "http://www.openwall.com/lists/oss-security/2022/08/13/1" - } - ] - }, "source": { "discovery": "UNKNOWN" - } + }, + "credits": [ + { + "lang": "en", + "value": "OpenSource Security GmbH on behalf of the German Federal Office for Information Security" + } + ] } \ No newline at end of file diff --git a/2022/37xxx/CVE-2022-37401.json b/2022/37xxx/CVE-2022-37401.json index e3fb3433c31..0d37a1b4272 100644 --- a/2022/37xxx/CVE-2022-37401.json +++ b/2022/37xxx/CVE-2022-37401.json @@ -1,14 +1,38 @@ { + "data_version": "4.0", + "data_type": "CVE", + "data_format": "MITRE", "CVE_data_meta": { - "ASSIGNER": "security@apache.org", "ID": "CVE-2022-37401", - "STATE": "PUBLIC", - "TITLE": "Apache OpenOffice Weak Master Keys" + "ASSIGNER": "security@apache.org", + "STATE": "PUBLIC" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26307 - LibreOffice" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-331 Insufficient Entropy", + "cweId": "CWE-331" + } + ] + } + ] }, "affects": { "vendor": { "vendor_data": [ { + "vendor_name": "Apache Software Foundation", "product": { "product_data": [ { @@ -24,72 +48,35 @@ } } ] - }, - "vendor_name": "Apache Software Foundation" + } } ] } }, - "credit": [ - { - "lang": "eng", - "value": " OpenSource Security GmbH on behalf of the German Federal Office for Information Security" - } - ], - "data_format": "MITRE", - "data_type": "CVE", - "data_version": "4.0", - "description": { - "description_data": [ + "references": { + "reference_data": [ { - "lang": "eng", - "value": "Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26307 - LibreOffice" + "url": "https://www.openoffice.org/security/cves/CVE-2022-37401.html", + "refsource": "MISC", + "name": "https://www.openoffice.org/security/cves/CVE-2022-37401.html" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2022/08/13/2", + "refsource": "MISC", + "name": "http://www.openwall.com/lists/oss-security/2022/08/13/2" } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, - "impact": [ - { - "other": "important" - } - ], - "problemtype": { - "problemtype_data": [ - { - "description": [ - { - "lang": "eng", - "value": "CWE-312 Cleartext Storage of Sensitive Information" - } - ] - }, - { - "description": [ - { - "lang": "eng", - "value": "CWE-326 Inadequate Encryption Strength" - } - ] - } - ] - }, - "references": { - "reference_data": [ - { - "refsource": "MISC", - "url": "https://www.openoffice.org/security/cves/CVE-2022-37401.html", - "name": "https://www.openoffice.org/security/cves/CVE-2022-37401.html" - }, - { - "refsource": "MLIST", - "name": "[oss-security] 20220812 CVE-2022-37401: Apache OpenOffice Weak Master Keys", - "url": "http://www.openwall.com/lists/oss-security/2022/08/13/2" - } - ] - }, "source": { "discovery": "UNKNOWN" - } + }, + "credits": [ + { + "lang": "en", + "value": " OpenSource Security GmbH on behalf of the German Federal Office for Information Security" + } + ] } \ No newline at end of file diff --git a/2022/37xxx/CVE-2022-37435.json b/2022/37xxx/CVE-2022-37435.json index e47904bf086..ed79fb5bff0 100644 --- a/2022/37xxx/CVE-2022-37435.json +++ b/2022/37xxx/CVE-2022-37435.json @@ -1,44 +1,12 @@ { - "CVE_data_meta": { - "ASSIGNER": "security@apache.org", - "ID": "CVE-2022-37435", - "STATE": "PUBLIC", - "TITLE": "Apache ShenYu Admin Improper Privilege Management" - }, - "affects": { - "vendor": { - "vendor_data": [ - { - "product": { - "product_data": [ - { - "product_name": "Apache ShenYu", - "version": { - "version_data": [ - { - "version_affected": "=", - "version_name": "Apache ShenYu", - "version_value": "2.4.2 and 2.4.3" - } - ] - } - } - ] - }, - "vendor_name": "Apache Software Foundation" - } - ] - } - }, - "credit": [ - { - "lang": "eng", - "value": "Apache ShenYu would like to thank Lulu Gu for reporting this issue." - } - ], - "data_format": "MITRE", - "data_type": "CVE", "data_version": "4.0", + "data_type": "CVE", + "data_format": "MITRE", + "CVE_data_meta": { + "ID": "CVE-2022-37435", + "ASSIGNER": "security@apache.org", + "STATE": "PUBLIC" + }, "description": { "description_data": [ { @@ -47,42 +15,68 @@ } ] }, - "generator": { - "engine": "Vulnogram 0.0.9" - }, - "impact": [ - { - "other": "moderate" - } - ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", - "value": "CWE-269 Improper Privilege Management" + "value": "CWE-732 Incorrect Permission Assignment for Critical Resource", + "cweId": "CWE-732" } ] } ] }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Apache Software Foundation", + "product": { + "product_data": [ + { + "product_name": "Apache ShenYu", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "Apache ShenYu 2.4.2 and 2.4.3" + } + ] + } + } + ] + } + } + ] + } + }, "references": { "reference_data": [ { - "refsource": "MISC", "url": "https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28", + "refsource": "MISC", "name": "https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28" } ] }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, "source": { "discovery": "UNKNOWN" }, "work_around": [ { - "lang": "eng", + "lang": "en", "value": "Upgrade to Apache ShenYu 2.5.0 or apply patch https://github.com/apache/shenyu/pull/3658." } + ], + "credits": [ + { + "lang": "en", + "value": "Apache ShenYu would like to thank Lulu Gu for reporting this issue." + } ] } \ No newline at end of file diff --git a/2023/3xxx/CVE-2023-3890.json b/2023/3xxx/CVE-2023-3890.json index d0dac185ac9..0af31cbfffa 100644 --- a/2023/3xxx/CVE-2023-3890.json +++ b/2023/3xxx/CVE-2023-3890.json @@ -1,17 +1,105 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-3890", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@vuldb.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A vulnerability classified as problematic has been found in Campcodes Beauty Salon Management System 1.0. This affects an unknown part of the file /admin/edit-accepted-appointment.php. The manipulation of the argument id leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-235251." + }, + { + "lang": "deu", + "value": "Es wurde eine Schwachstelle in Campcodes Beauty Salon Management System 1.0 entdeckt. Sie wurde als problematisch eingestuft. Hiervon betroffen ist ein unbekannter Codeblock der Datei /admin/edit-accepted-appointment.php. Mittels dem Manipulieren des Arguments id mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Cross Site Scripting", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Campcodes", + "product": { + "product_data": [ + { + "product_name": "Beauty Salon Management System", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "1.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://vuldb.com/?id.235251", + "refsource": "MISC", + "name": "https://vuldb.com/?id.235251" + }, + { + "url": "https://vuldb.com/?ctiid.235251", + "refsource": "MISC", + "name": "https://vuldb.com/?ctiid.235251" + }, + { + "url": "https://github.com/E1CHO/cve_hub/blob/main/Beauty%20Salon%20Management%20System/Beauty%20Salon%20Management%20System%20-%20vuln%2021.pdf", + "refsource": "MISC", + "name": "https://github.com/E1CHO/cve_hub/blob/main/Beauty%20Salon%20Management%20System/Beauty%20Salon%20Management%20System%20-%20vuln%2021.pdf" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "SSL_Seven_Security Lab_WangZhiQiang_XiaoZiLong (VulDB User)" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "baseScore": 3.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", + "baseSeverity": "LOW" + }, + { + "version": "3.0", + "baseScore": 3.5, + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", + "baseSeverity": "LOW" + }, + { + "version": "2.0", + "baseScore": 4, + "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", + "baseSeverity": "MEDIUM" } ] } diff --git a/2023/3xxx/CVE-2023-3897.json b/2023/3xxx/CVE-2023-3897.json index 7a5404fd5c8..eacd9bbdfce 100644 --- a/2023/3xxx/CVE-2023-3897.json +++ b/2023/3xxx/CVE-2023-3897.json @@ -1,17 +1,100 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-3897", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@42gears.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "User enumeration in On-premise SureMDM Solution on Windows deployment allows attacker to enumerate local user information via error message.This issue affects SureMDM On-premise: 6.31 and below version\u00a0\n\n" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-203 Observable Discrepancy", + "cweId": "CWE-203" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Onpremise SureMDM Solution", + "product": { + "product_data": [ + { + "product_name": " SureMDM Onpremise", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "6.31" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.42gears.com/security-and-compliance", + "refsource": "MISC", + "name": "https://www.42gears.com/security-and-compliance" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.1.0-dev" + }, + "source": { + "discovery": "UNKNOWN" + }, + "solution": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "Upgrade to the latest version of On-premise SureMDM Solution." + } + ], + "value": "Upgrade to the latest version of\u00a0On-premise SureMDM Solution." + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 3.7, + "baseSeverity": "LOW", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "version": "3.1" } ] }