diff --git a/2022/36xxx/CVE-2022-36963.json b/2022/36xxx/CVE-2022-36963.json index 76fbd75a42e..f0dfb363e39 100644 --- a/2022/36xxx/CVE-2022-36963.json +++ b/2022/36xxx/CVE-2022-36963.json @@ -1,18 +1,105 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "psirt@solarwinds.com", + "DATE_PUBLIC": "2023-04-17T23:00:00.000Z", "ID": "CVE-2022-36963", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "SolarWinds Platform Deserialization of Untrusted Data Vulnerability" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "SolarWinds Platform", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "2023.1 and prior versions", + "version_value": "2023.2" + } + ] + } + } + ] + }, + "vendor_name": "SolarWinds Platform Command Injection Vulnerability" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "SolarWinds would like to thank Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative for reporting on the issue in a responsible manner." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The SolarWinds Platform was susceptible to the Command Injection Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform admin account to execute arbitrary commands." } ] + }, + "generator": { + "engine": "vulnogram 0.1.0-rc1" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-94 Improper Control of Generation of Code ('Code Injection')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36963", + "name": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36963" + }, + { + "refsource": "MISC", + "url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-2_release_notes.htm", + "name": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-2_release_notes.htm" + } + ] + }, + "solution": [ + { + "lang": "eng", + "value": "All SolarWinds Platform customers are advised to upgrade to the latest version of the SolarWinds Platform version 2023.2" + } + ], + "source": { + "discovery": "EXTERNAL" } } \ No newline at end of file diff --git a/2022/47xxx/CVE-2022-47505.json b/2022/47xxx/CVE-2022-47505.json index 36b418d5dc2..7d06f583309 100644 --- a/2022/47xxx/CVE-2022-47505.json +++ b/2022/47xxx/CVE-2022-47505.json @@ -1,18 +1,105 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "psirt@solarwinds.com", + "DATE_PUBLIC": "2023-04-17T23:00:00.000Z", "ID": "CVE-2022-47505", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "SolarWinds Platform Local Privilege Escalation Vulnerability" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "SolarWinds Platform", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "2023.1 and prior versions", + "version_value": "2023.2" + } + ] + } + } + ] + }, + "vendor_name": "SolarWinds" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "SolarWinds would like to thank Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative for reporting on the issue in a responsible manner." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The SolarWinds Platform was susceptible to the Local Privilege Escalation Vulnerability. This vulnerability allows a local adversary with a valid system user account to escalate local privileges." } ] + }, + "generator": { + "engine": "vulnogram 0.1.0-rc1" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-59 Improper Link Resolution Before File Access ('Link Following')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-2_release_notes.htm", + "name": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-2_release_notes.htm" + }, + { + "refsource": "MISC", + "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-47505", + "name": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-47505" + } + ] + }, + "solution": [ + { + "lang": "eng", + "value": "All SolarWinds Platform customers are advised to upgrade to the latest version of the SolarWinds Platform version 2023.2" + } + ], + "source": { + "discovery": "EXTERNAL" } } \ No newline at end of file diff --git a/2022/47xxx/CVE-2022-47509.json b/2022/47xxx/CVE-2022-47509.json index 118df2e3b02..cc8028d2d9b 100644 --- a/2022/47xxx/CVE-2022-47509.json +++ b/2022/47xxx/CVE-2022-47509.json @@ -1,18 +1,105 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "psirt@solarwinds.com", + "DATE_PUBLIC": "2023-04-17T23:00:00.000Z", "ID": "CVE-2022-47509", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "SolarWinds Platform Incorrect Input Neutralization Vulnerability" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "SolarWinds Platform", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "2023.1 and prior versions", + "version_value": "2023.2" + } + ] + } + } + ] + }, + "vendor_name": "SolarWinds" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "SolarWinds would like to thank Juampa Rodriguez (@UnD3sc0n0c1d0) for reporting on the issue in a responsible manner." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject HTML." } ] + }, + "generator": { + "engine": "vulnogram 0.1.0-rc1" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-2_release_notes.htm", + "name": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-2_release_notes.htm" + }, + { + "refsource": "MISC", + "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-47509", + "name": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-47509" + } + ] + }, + "solution": [ + { + "lang": "eng", + "value": "All SolarWinds Platform customers are advised to upgrade to the latest version of the SolarWinds Platform version 2023.2" + } + ], + "source": { + "discovery": "EXTERNAL" } } \ No newline at end of file diff --git a/2023/1xxx/CVE-2023-1532.json b/2023/1xxx/CVE-2023-1532.json index 250456f2484..f26b6b8e399 100644 --- a/2023/1xxx/CVE-2023-1532.json +++ b/2023/1xxx/CVE-2023-1532.json @@ -78,6 +78,11 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NGWWGQULJ7QRNP4GY57HE7OO7VMRWMPN/", "refsource": "MISC", "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NGWWGQULJ7QRNP4GY57HE7OO7VMRWMPN/" + }, + { + "url": "http://packetstormsecurity.com/files/171959/Chrome-media-mojom-VideoFrame-Missing-Validation.html", + "refsource": "MISC", + "name": "http://packetstormsecurity.com/files/171959/Chrome-media-mojom-VideoFrame-Missing-Validation.html" } ] } diff --git a/2023/1xxx/CVE-2023-1534.json b/2023/1xxx/CVE-2023-1534.json index bbbdd618548..b537309a1e2 100644 --- a/2023/1xxx/CVE-2023-1534.json +++ b/2023/1xxx/CVE-2023-1534.json @@ -78,6 +78,16 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NGWWGQULJ7QRNP4GY57HE7OO7VMRWMPN/", "refsource": "MISC", "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NGWWGQULJ7QRNP4GY57HE7OO7VMRWMPN/" + }, + { + "url": "http://packetstormsecurity.com/files/171961/Chrome-GL_ShaderBinary-Untrusted-Process-Exposure.html", + "refsource": "MISC", + "name": "http://packetstormsecurity.com/files/171961/Chrome-GL_ShaderBinary-Untrusted-Process-Exposure.html" + }, + { + "url": "http://packetstormsecurity.com/files/171965/Chrome-SpvGetMappedSamplerName-Out-Of-Bounds-String-Copy.html", + "refsource": "MISC", + "name": "http://packetstormsecurity.com/files/171965/Chrome-SpvGetMappedSamplerName-Out-Of-Bounds-String-Copy.html" } ] } diff --git a/2023/26xxx/CVE-2023-26846.json b/2023/26xxx/CVE-2023-26846.json index 0add4e2ad25..057d6d0cb9b 100644 --- a/2023/26xxx/CVE-2023-26846.json +++ b/2023/26xxx/CVE-2023-26846.json @@ -59,8 +59,8 @@ }, { "refsource": "MISC", - "name": "https://github.com/cassis-sec/CVE/tree/main/2023/CVE-2023-26845", - "url": "https://github.com/cassis-sec/CVE/tree/main/2023/CVE-2023-26845" + "name": "https://github.com/cassis-sec/CVE/tree/main/2023/CVE-2023-26846", + "url": "https://github.com/cassis-sec/CVE/tree/main/2023/CVE-2023-26846" } ] } diff --git a/2023/26xxx/CVE-2023-26847.json b/2023/26xxx/CVE-2023-26847.json index 802113bf9ea..702c0b7466d 100644 --- a/2023/26xxx/CVE-2023-26847.json +++ b/2023/26xxx/CVE-2023-26847.json @@ -59,8 +59,8 @@ }, { "refsource": "MISC", - "name": "https://github.com/cassis-sec/CVE/tree/main/2023/CVE-2023-26845", - "url": "https://github.com/cassis-sec/CVE/tree/main/2023/CVE-2023-26845" + "name": "https://github.com/cassis-sec/CVE/tree/main/2023/CVE-2023-26847", + "url": "https://github.com/cassis-sec/CVE/tree/main/2023/CVE-2023-26847" } ] } diff --git a/2023/29xxx/CVE-2023-29924.json b/2023/29xxx/CVE-2023-29924.json index 845c6aa85c3..3d142178feb 100644 --- a/2023/29xxx/CVE-2023-29924.json +++ b/2023/29xxx/CVE-2023-29924.json @@ -1,17 +1,66 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2023-29924", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2023-29924", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "PowerJob V4.3.1 is vulnerable to Incorrect Access Control that allows for remote code execution." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/PowerJob/PowerJob/issues/588", + "refsource": "MISC", + "name": "https://github.com/PowerJob/PowerJob/issues/588" + }, + { + "refsource": "MISC", + "name": "https://iotaa.cn/articles/62", + "url": "https://iotaa.cn/articles/62" } ] } diff --git a/2023/2xxx/CVE-2023-2231.json b/2023/2xxx/CVE-2023-2231.json index 20ee72a6b47..2c46dff15c3 100644 --- a/2023/2xxx/CVE-2023-2231.json +++ b/2023/2xxx/CVE-2023-2231.json @@ -11,7 +11,7 @@ "description_data": [ { "lang": "eng", - "value": "A vulnerability, which was classified as critical, was found in MAXTECH MAX-G866ac 0.4.1_TBRO_20160314. This affects an unknown part of the component Remote Management. The manipulation leads to missing authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-227001 was assigned to this vulnerability." + "value": "A vulnerability, which was classified as critical, was found in MAXTECH MAX-G866ac 0.4.1_TBRO_20160314. This affects an unknown part of the component Remote Management. The manipulation leads to missing authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-227001 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way." }, { "lang": "deu", diff --git a/2023/30xxx/CVE-2023-30618.json b/2023/30xxx/CVE-2023-30618.json index ea2e1513f84..7df285ccf20 100644 --- a/2023/30xxx/CVE-2023-30618.json +++ b/2023/30xxx/CVE-2023-30618.json @@ -1,17 +1,90 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-30618", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Kitchen-Terraform provides a set of Test Kitchen plugins which enable the use of Test Kitchen to converge a Terraform configuration and verify the resulting infrastructure systems with InSpec controls. Kitchen-Terraform v7.0.0 introduced a regression which caused all Terraform output values, including sensitive values, to be printed at the `info` logging level during the `kitchen converge` action. Prior to v7.0.0, the output values were printed at the `debug` level to avoid writing sensitive values to the terminal by default. An attacker would need access to the local machine in order to gain access to these logs during an operation. Users are advised to upgrade. There are no known workarounds for this vulnerability." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-532: Insertion of Sensitive Information into Log File", + "cweId": "CWE-532" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "newcontext-oss", + "product": { + "product_data": [ + { + "product_name": "kitchen-terraform", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": ">= 7.0.0, < 7.0.1" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/newcontext-oss/kitchen-terraform/security/advisories/GHSA-65g2-x53q-cmf6", + "refsource": "MISC", + "name": "https://github.com/newcontext-oss/kitchen-terraform/security/advisories/GHSA-65g2-x53q-cmf6" + }, + { + "url": "https://github.com/newcontext-oss/kitchen-terraform/commit/3d20d60e7a891e2dd747df995a31226fa0b4ac48", + "refsource": "MISC", + "name": "https://github.com/newcontext-oss/kitchen-terraform/commit/3d20d60e7a891e2dd747df995a31226fa0b4ac48" + } + ] + }, + "source": { + "advisory": "GHSA-65g2-x53q-cmf6", + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 3.2, + "baseSeverity": "LOW", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N", + "version": "3.1" } ] }