From 79156e7eb918d47be6b3050161af9b8815b4a1ed Mon Sep 17 00:00:00 2001
From: CVE Team
Date: Tue, 5 Jun 2018 17:04:33 -0400
Subject: [PATCH] - Synchronized data.

---
 2017/7xxx/CVE-2017-7635.json | 53 +++++++++++++++++++++++-
 2017/7xxx/CVE-2017-7636.json | 53 +++++++++++++++++++++++-
 2017/7xxx/CVE-2017-7637.json | 53 +++++++++++++++++++++++-
 2017/7xxx/CVE-2017-7639.json | 53 +++++++++++++++++++++++-
 2018/1000xxx/CVE-2018-1000192.json | 66 +++++++++++++++++++++++++++++-
 2018/1000xxx/CVE-2018-1000193.json | 66 +++++++++++++++++++++++++++++-
 2018/1000xxx/CVE-2018-1000194.json | 66 +++++++++++++++++++++++++++++-
 2018/1000xxx/CVE-2018-1000195.json | 66 +++++++++++++++++++++++++++++-
 2018/1000xxx/CVE-2018-1000196.json | 66 +++++++++++++++++++++++++++++-
 2018/1000xxx/CVE-2018-1000197.json | 66 +++++++++++++++++++++++++++++-
 2018/1000xxx/CVE-2018-1000198.json | 66 +++++++++++++++++++++++++++++-
 2018/1000xxx/CVE-2018-1000202.json | 66 +++++++++++++++++++++++++++++-
 2018/10xxx/CVE-2018-10057.json | 53 +++++++++++++++++++++++-
 2018/10xxx/CVE-2018-10058.json | 53 +++++++++++++++++++++++-
 2018/11xxx/CVE-2018-11586.json | 48 +++++++++++++++++++++-
 2018/3xxx/CVE-2018-3617.json | 55 ++----------------------
 2018/3xxx/CVE-2018-3691.json | 2 +
 2018/7xxx/CVE-2018-7884.json | 48 +++++++++++++++++++++-
 18 files changed, 923 insertions(+), 76 deletions(-)

diff --git a/2017/7xxx/CVE-2017-7635.json b/2017/7xxx/CVE-2017-7635.json
index d245ac69314..13e7fdc2066 100644
--- a/2017/7xxx/CVE-2017-7635.json
+++ b/2017/7xxx/CVE-2017-7635.json
@@ -2,7 +2,30 @@
 "CVE_data_meta" : {
 "ASSIGNER" : "cve@mitre.org",
 "ID" : "CVE-2017-7635",
- "STATE" : "RESERVED"
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "n/a",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "n/a"
+ }
+ ]
+ }
 },
 "data_format" : "MITRE",
 "data_type" : "CVE",
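Review bot: The added `affects` block fills `vendor_name`, `product_name` and `version_value` with `"n/a"` although the description added in the next hunk names the product and its version range (QNAP NAS application Proxy Server through 1.2.0), so any consumer that matches records on `affects` rather than on free text will not tie this CVE to the product. The same placeholder block is added in this commit for CVE-2017-7636, CVE-2017-7637, CVE-2017-7639, CVE-2018-10057, CVE-2018-10058 and CVE-2018-11586, while the Jenkins records in the same batch carry a real vendor, product and version. If the source record the sync reads has the data, `"vendor_name" : "QNAP"`, `"product_name" : "Proxy Server"` and `"version_value" : "through 1.2.0"` would match the description here.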
@@ -11,7 +34,33 @@
 "description_data" : [
 {
 "lang" : "eng",
- "value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value" : "QNAP NAS application Proxy Server through version 1.2.0 does not utilize CSRF protections."
+ }
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "https://www.qnap.com/en/security-advisory/nas-201806-01",
+ "refsource" : "CONFIRM",
+ "url" : "https://www.qnap.com/en/security-advisory/nas-201806-01"
+ },
+ {
+ "name" : "1041025",
+ "refsource" : "SECTRACK",
+ "url" : "http://www.securitytracker.com/id/1041025"
 }
 ]
 }
diff --git a/2017/7xxx/CVE-2017-7636.json b/2017/7xxx/CVE-2017-7636.json
index 12da7a9f39e..05e9b246a26 100644
--- a/2017/7xxx/CVE-2017-7636.json
+++ b/2017/7xxx/CVE-2017-7636.json
@@ -2,7 +2,30 @@
 "CVE_data_meta" : {
 "ASSIGNER" : "cve@mitre.org",
 "ID" : "CVE-2017-7636",
- "STATE" : "RESERVED"
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "n/a",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "n/a"
+ }
+ ]
+ }
 },
 "data_format" : "MITRE",
 "data_type" : "CVE",
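Review bot: `problemtype` is written as `"n/a"` although the new description states the weakness outright (missing CSRF protection, CWE-352), and the later hunks do the same for CVE-2017-7636 (cross-site scripting, CWE-79), CVE-2017-7637 (OS command execution, CWE-78), CVE-2017-7639 (missing request authentication, CWE-287), CVE-2018-10057 (path traversal, CWE-22), CVE-2018-10058 (stack-based buffer overflow) and CVE-2018-11586 (XXE, CWE-611). Consumers that triage by CWE get nothing for these seven records, while the Jenkins records in the same commit are tagged. Here the entry would read `"value" : "CWE-352"`. The top-level object's closing brace lies outside this hunk.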
@@ -11,7 +34,33 @@
 "description_data" : [
 {
 "lang" : "eng",
- "value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value" : "Cross-site scripting (XSS) vulnerability in QNAP NAS application Proxy Server through version 1.2.0 allows remote attackers to inject arbitrary web script or HTML."
+ }
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "https://www.qnap.com/en/security-advisory/nas-201806-01",
+ "refsource" : "CONFIRM",
+ "url" : "https://www.qnap.com/en/security-advisory/nas-201806-01"
+ },
+ {
+ "name" : "1041025",
+ "refsource" : "SECTRACK",
+ "url" : "http://www.securitytracker.com/id/1041025"
 }
 ]
 }
diff --git a/2017/7xxx/CVE-2017-7637.json b/2017/7xxx/CVE-2017-7637.json
index 5c63611180b..d864613f672 100644
--- a/2017/7xxx/CVE-2017-7637.json
+++ b/2017/7xxx/CVE-2017-7637.json
@@ -2,7 +2,30 @@
 "CVE_data_meta" : {
 "ASSIGNER" : "cve@mitre.org",
 "ID" : "CVE-2017-7637",
- "STATE" : "RESERVED"
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "n/a",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "n/a"
+ }
+ ]
+ }
 },
 "data_format" : "MITRE",
 "data_type" : "CVE",
@@ -11,7 +34,33 @@
 "description_data" : [
 {
 "lang" : "eng",
- "value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value" : "QNAP NAS application Proxy Server through version 1.2.0 allows remote attackers to run arbitrary OS commands against the system with root privileges."
+ }
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "https://www.qnap.com/en/security-advisory/nas-201806-01",
+ "refsource" : "CONFIRM",
+ "url" : "https://www.qnap.com/en/security-advisory/nas-201806-01"
+ },
+ {
+ "name" : "1041025",
+ "refsource" : "SECTRACK",
+ "url" : "http://www.securitytracker.com/id/1041025"
 }
 ]
 }
diff --git a/2017/7xxx/CVE-2017-7639.json b/2017/7xxx/CVE-2017-7639.json
index 9d3db7240a7..0ec9497ddb5 100644
--- a/2017/7xxx/CVE-2017-7639.json
+++ b/2017/7xxx/CVE-2017-7639.json
@@ -2,7 +2,30 @@
 "CVE_data_meta" : {
 "ASSIGNER" : "cve@mitre.org",
 "ID" : "CVE-2017-7639",
- "STATE" : "RESERVED"
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "n/a",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "n/a"
+ }
+ ]
+ }
 },
 "data_format" : "MITRE",
 "data_type" : "CVE",
@@ -11,7 +34,33 @@
 "description_data" : [
 {
 "lang" : "eng",
- "value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value" : "QNAP NAS application Proxy Server through version 1.2.0 does not authenticate requests properly. Successful exploitation can lead to change of the settings of Proxy Server."
+ }
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "https://www.qnap.com/en/security-advisory/nas-201806-01",
+ "refsource" : "CONFIRM",
+ "url" : "https://www.qnap.com/en/security-advisory/nas-201806-01"
+ },
+ {
+ "name" : "1041025",
+ "refsource" : "SECTRACK",
+ "url" : "http://www.securitytracker.com/id/1041025"
 }
 ]
 }
diff --git a/2018/1000xxx/CVE-2018-1000192.json b/2018/1000xxx/CVE-2018-1000192.json
index b795b52e4cb..54374258511 100644
--- a/2018/1000xxx/CVE-2018-1000192.json
+++ b/2018/1000xxx/CVE-2018-1000192.json
@@ -1 +1,65 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-771"}]},"description": {"description_data": [{"lang": "eng","value": "A information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.120 and older, LTS 2.107.2 and older"}]},"product_name": "Jenkins"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-06-05T13:57:43.649497","DATE_REQUESTED": "2018-05-09T00:00:00","ID": "CVE-2018-1000192","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-200"}]}]}}
\ No newline at end of file
+{
+ "CVE_data_meta" : {
+ "ASSIGNER" : "kurt@seifried.org",
+ "DATE_ASSIGNED" : "2018-06-05T13:57:43.649497",
+ "DATE_REQUESTED" : "2018-05-09T00:00:00",
+ "ID" : "CVE-2018-1000192",
+ "REQUESTER" : "ml@beckweb.net",
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "Jenkins",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "2.120 and older, LTS 2.107.2 and older"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "Jenkins project"
+ }
+ ]
+ }
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "A information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins."
+ }
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "CWE-200"
+ }
+ ]
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-771",
+ "refsource" : "CONFIRM",
+ "url" : "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-771"
+ }
+ ]
+ }
+}
diff --git a/2018/1000xxx/CVE-2018-1000193.json b/2018/1000xxx/CVE-2018-1000193.json
index 175bd48db52..976b698337e 100644
--- a/2018/1000xxx/CVE-2018-1000193.json
+++ b/2018/1000xxx/CVE-2018-1000193.json
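Review bot: The description carried over from the old record still reads `A information exposure vulnerability`, and the same article error survives in CVE-2018-1000193 (`A improper neutralization`), CVE-2018-1000196 (`A exposure of sensitive information`) and CVE-2018-1000198 (`A XML external entity`). The sync already normalizes wording in this batch (CVE-2018-1000198's `entitites` becomes `entities`), so the article could be corrected in the same pass, e.g. `"value" : "An information exposure vulnerability exists in Jenkins 2.120 and older, ..."`. The rest of the record is consistent with the other Jenkins entries in the commit.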
@@ -1 +1,65 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-786"}]},"description": {"description_data": [{"lang": "eng","value": "A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.120 and older, LTS 2.107.2 and older"}]},"product_name": "Jenkins"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-06-05T13:57:43.650984","DATE_REQUESTED": "2018-05-09T00:00:00","ID": "CVE-2018-1000193","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-150"}]}]}}
\ No newline at end of file
+{
+ "CVE_data_meta" : {
+ "ASSIGNER" : "kurt@seifried.org",
+ "DATE_ASSIGNED" : "2018-06-05T13:57:43.650984",
+ "DATE_REQUESTED" : "2018-05-09T00:00:00",
+ "ID" : "CVE-2018-1000193",
+ "REQUESTER" : "ml@beckweb.net",
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "Jenkins",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "2.120 and older, LTS 2.107.2 and older"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "Jenkins project"
+ }
+ ]
+ }
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI."
+ }
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "CWE-150"
+ }
+ ]
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-786",
+ "refsource" : "CONFIRM",
+ "url" : "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-786"
+ }
+ ]
+ }
+}
diff --git a/2018/1000xxx/CVE-2018-1000194.json b/2018/1000xxx/CVE-2018-1000194.json
index a762cac78f0..6e83e23cbe8 100644
--- a/2018/1000xxx/CVE-2018-1000194.json
+++ b/2018/1000xxx/CVE-2018-1000194.json
@@ -1 +1,65 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-788"}]},"description": {"description_data": [{"lang": "eng","value": "A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.120 and older, LTS 2.107.2 and older"}]},"product_name": "Jenkins"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-06-05T13:57:43.652065","DATE_REQUESTED": "2018-05-09T00:00:00","ID": "CVE-2018-1000194","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-22"}]}]}}
\ No newline at end of file
+{
+ "CVE_data_meta" : {
+ "ASSIGNER" : "kurt@seifried.org",
+ "DATE_ASSIGNED" : "2018-06-05T13:57:43.652065",
+ "DATE_REQUESTED" : "2018-05-09T00:00:00",
+ "ID" : "CVE-2018-1000194",
+ "REQUESTER" : "ml@beckweb.net",
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "Jenkins",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "2.120 and older, LTS 2.107.2 and older"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "Jenkins project"
+ }
+ ]
+ }
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection."
+ }
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "CWE-22"
+ }
+ ]
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-788",
+ "refsource" : "CONFIRM",
+ "url" : "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-788"
+ }
+ ]
+ }
+}
diff --git a/2018/1000xxx/CVE-2018-1000195.json b/2018/1000xxx/CVE-2018-1000195.json
index 7924788ce13..ee53503552e 100644
--- a/2018/1000xxx/CVE-2018-1000195.json
+++ b/2018/1000xxx/CVE-2018-1000195.json
@@ -1 +1,65 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-794"}]},"description": {"description_data": [{"lang": "eng","value": "A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.120 and older, LTS 2.107.2 and older"}]},"product_name": "Jenkins"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-06-05T13:57:43.653459","DATE_REQUESTED": "2018-05-09T00:00:00","ID": "CVE-2018-1000195","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-441, CWE-918"}]}]}}
\ No newline at end of file
+{
+ "CVE_data_meta" : {
+ "ASSIGNER" : "kurt@seifried.org",
+ "DATE_ASSIGNED" : "2018-06-05T13:57:43.653459",
+ "DATE_REQUESTED" : "2018-05-09T00:00:00",
+ "ID" : "CVE-2018-1000195",
+ "REQUESTER" : "ml@beckweb.net",
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "Jenkins",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "2.120 and older, LTS 2.107.2 and older"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "Jenkins project"
+ }
+ ]
+ }
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not."
+ }
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "CWE-441, CWE-918"
+ }
+ ]
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-794",
+ "refsource" : "CONFIRM",
+ "url" : "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-794"
+ }
+ ]
+ }
+}
diff --git a/2018/1000xxx/CVE-2018-1000196.json b/2018/1000xxx/CVE-2018-1000196.json
index 1fe8c2188b9..fd9c9541392 100644
--- a/2018/1000xxx/CVE-2018-1000196.json
+++ b/2018/1000xxx/CVE-2018-1000196.json
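Review bot: The problemtype entry packs two weakness identifiers into one string, `"value" : "CWE-441, CWE-918"`, so an exact-match lookup on either CWE misses this record and a consumer that splits the string has to guess the separator. The `description` array already allows one entry per weakness; two sibling objects, `{ "lang" : "eng", "value" : "CWE-441" }` and `{ "lang" : "eng", "value" : "CWE-918" }`, carry the same information in the single-CWE shape the other Jenkins records in this commit use.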
@@ -1 +1,65 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-263"}]},"description": {"description_data": [{"lang": "eng","value": "A exposure of sensitive information vulnerability exists in Jenkins Gitlab Hook Plugin 1.4.2 and older in gitlab_notifier.rb, views/gitlab_notifier/global.erb that allows attackers with local Jenkins master file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured Gitlab token."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.4.2 and older"}]},"product_name": "Jenkins Gitlab Hook Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-06-05T13:57:43.654848","DATE_REQUESTED": "2018-05-09T00:00:00","ID": "CVE-2018-1000196","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-522"}]}]}}
\ No newline at end of file
+{
+ "CVE_data_meta" : {
+ "ASSIGNER" : "kurt@seifried.org",
+ "DATE_ASSIGNED" : "2018-06-05T13:57:43.654848",
+ "DATE_REQUESTED" : "2018-05-09T00:00:00",
+ "ID" : "CVE-2018-1000196",
+ "REQUESTER" : "ml@beckweb.net",
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "Jenkins Gitlab Hook Plugin",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "1.4.2 and older"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "Jenkins project"
+ }
+ ]
+ }
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "A exposure of sensitive information vulnerability exists in Jenkins Gitlab Hook Plugin 1.4.2 and older in gitlab_notifier.rb, views/gitlab_notifier/global.erb that allows attackers with local Jenkins master file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured Gitlab token."
+ }
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "CWE-522"
+ }
+ ]
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-263",
+ "refsource" : "CONFIRM",
+ "url" : "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-263"
+ }
+ ]
+ }
+}
diff --git a/2018/1000xxx/CVE-2018-1000197.json b/2018/1000xxx/CVE-2018-1000197.json
index f7ce20eeb5c..520589499da 100644
--- a/2018/1000xxx/CVE-2018-1000197.json
+++ b/2018/1000xxx/CVE-2018-1000197.json
@@ -1 +1,65 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-670"}]},"description": {"description_data": [{"lang": "eng","value": "An improper authorization vulnerability exists in Jenkins Black Duck Hub Plugin 3.0.3 and older in PostBuildScanDescriptor.java that allows users with Overall/Read permission to read and write the Black Duck Hub plugin configuration."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "3.0.3 and older"}]},"product_name": "Jenkins Black Duck Hub Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-06-05T13:57:43.656691","DATE_REQUESTED": "2018-05-09T00:00:00","ID": "CVE-2018-1000197","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-285"}]}]}}
\ No newline at end of file
+{
+ "CVE_data_meta" : {
+ "ASSIGNER" : "kurt@seifried.org",
+ "DATE_ASSIGNED" : "2018-06-05T13:57:43.656691",
+ "DATE_REQUESTED" : "2018-05-09T00:00:00",
+ "ID" : "CVE-2018-1000197",
+ "REQUESTER" : "ml@beckweb.net",
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "Jenkins Black Duck Hub Plugin",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "3.0.3 and older"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "Jenkins project"
+ }
+ ]
+ }
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "An improper authorization vulnerability exists in Jenkins Black Duck Hub Plugin 3.0.3 and older in PostBuildScanDescriptor.java that allows users with Overall/Read permission to read and write the Black Duck Hub plugin configuration."
+ }
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "CWE-285"
+ }
+ ]
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-670",
+ "refsource" : "CONFIRM",
+ "url" : "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-670"
+ }
+ ]
+ }
+}
diff --git a/2018/1000xxx/CVE-2018-1000198.json b/2018/1000xxx/CVE-2018-1000198.json
index e1dcd279ceb..d646cf94f97 100644
--- a/2018/1000xxx/CVE-2018-1000198.json
+++ b/2018/1000xxx/CVE-2018-1000198.json
@@ -1 +1,65 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-671"}]},"description": {"description_data": [{"lang": "eng","value": "A XML external entity processing vulnerability exists in Jenkins Black Duck Hub Plugin 3.1.0 and older in PostBuildScanDescriptor.java that allows attackers with Overall/Read permission to make Jenkins process XML eternal entitites in an XML document."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "3.1.0 and older"}]},"product_name": "Jenkins Black Duck Hub Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-06-05T13:57:43.658252","DATE_REQUESTED": "2018-05-09T00:00:00","ID": "CVE-2018-1000198","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-611"}]}]}}
\ No newline at end of file
+{
+ "CVE_data_meta" : {
+ "ASSIGNER" : "kurt@seifried.org",
+ "DATE_ASSIGNED" : "2018-06-05T13:57:43.658252",
+ "DATE_REQUESTED" : "2018-05-09T00:00:00",
+ "ID" : "CVE-2018-1000198",
+ "REQUESTER" : "ml@beckweb.net",
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "Jenkins Black Duck Hub Plugin",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "3.1.0 and older"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "Jenkins project"
+ }
+ ]
+ }
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "A XML external entity processing vulnerability exists in Jenkins Black Duck Hub Plugin 3.1.0 and older in PostBuildScanDescriptor.java that allows attackers with Overall/Read permission to make Jenkins process XML eternal entities in an XML document."
+ }
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "CWE-611"
+ }
+ ]
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-671",
+ "refsource" : "CONFIRM",
+ "url" : "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-671"
+ }
+ ]
+ }
+}
diff --git a/2018/1000xxx/CVE-2018-1000202.json b/2018/1000xxx/CVE-2018-1000202.json
index c535b42c11d..9424d878960 100644
--- a/2018/1000xxx/CVE-2018-1000202.json
+++ b/2018/1000xxx/CVE-2018-1000202.json
@@ -1 +1,65 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-821"}]},"description": {"description_data": [{"lang": "eng","value": "A persisted cross-site scripting vulnerability exists in Jenkins Groovy Postbuild Plugin 2.3.1 and older in various Jelly files that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI actions."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.3.1 and older"}]},"product_name": "Jenkins Groovy Postbuild Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-06-05T13:57:43.659756","DATE_REQUESTED": "2018-05-09T00:00:00","ID": "CVE-2018-1000202","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-79"}]}]}}
\ No newline at end of file
+{
+ "CVE_data_meta" : {
+ "ASSIGNER" : "kurt@seifried.org",
+ "DATE_ASSIGNED" : "2018-06-05T13:57:43.659756",
+ "DATE_REQUESTED" : "2018-05-09T00:00:00",
+ "ID" : "CVE-2018-1000202",
+ "REQUESTER" : "ml@beckweb.net",
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "Jenkins Groovy Postbuild Plugin",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "2.3.1 and older"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "Jenkins project"
+ }
+ ]
+ }
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "A persisted cross-site scripting vulnerability exists in Jenkins Groovy Postbuild Plugin 2.3.1 and older in various Jelly files that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI actions."
+ }
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "CWE-79"
+ }
+ ]
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-821",
+ "refsource" : "CONFIRM",
+ "url" : "https://jenkins.io/security/advisory/2018-05-09/#SECURITY-821"
+ }
+ ]
+ }
+}
diff --git a/2018/10xxx/CVE-2018-10057.json b/2018/10xxx/CVE-2018-10057.json
index 969d048221e..2e5cdcf3330 100644
--- a/2018/10xxx/CVE-2018-10057.json
+++ b/2018/10xxx/CVE-2018-10057.json
@@ -2,7 +2,30 @@
 "CVE_data_meta" : {
 "ASSIGNER" : "cve@mitre.org",
 "ID" : "CVE-2018-10057",
- "STATE" : "RESERVED"
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "n/a",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "n/a"
+ }
+ ]
+ }
 },
 "data_format" : "MITRE",
 "data_type" : "CVE",
@@ -11,7 +34,33 @@
 "description_data" : [
 {
 "lang" : "eng",
- "value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value" : "The remote management interface of cgminer 4.10.0 and bfgminer 5.5.0 allows an authenticated remote attacker to write the miner configuration file to arbitrary locations on the server due to missing basedir restrictions (absolute directory traversal)."
+ }
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "[oss-security] 20180603 CVE-2018-10058 and CVE-2018-10057 - cgminer <=4.10.0 and bfgminer <=5.5.0 remote management api post-auth buffer overflow and path traversal",
+ "refsource" : "MLIST",
+ "url" : "http://www.openwall.com/lists/oss-security/2018/06/03/1"
+ },
+ {
+ "name" : "https://github.com/tintinweb/pub/tree/master/pocs/cve-2018-10057",
+ "refsource" : "MISC",
+ "url" : "https://github.com/tintinweb/pub/tree/master/pocs/cve-2018-10057"
 }
 ]
 }
diff --git a/2018/10xxx/CVE-2018-10058.json b/2018/10xxx/CVE-2018-10058.json
index c1077ac2b39..d174dd3a049 100644
--- a/2018/10xxx/CVE-2018-10058.json
+++ b/2018/10xxx/CVE-2018-10058.json
@@ -2,7 +2,30 @@
 "CVE_data_meta" : {
 "ASSIGNER" : "cve@mitre.org",
 "ID" : "CVE-2018-10058",
- "STATE" : "RESERVED"
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "n/a",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "n/a"
+ }
+ ]
+ }
 },
 "data_format" : "MITRE",
 "data_type" : "CVE",
@@ -11,7 +34,33 @@
 "description_data" : [
 {
 "lang" : "eng",
- "value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value" : "The remote management interface of cgminer 4.10.0 and bfgminer 5.5.0 allows an authenticated remote attacker to execute arbitrary code due to a stack-based buffer overflow in the addpool, failover-only, poolquota, and save command handlers."
+ }
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "[oss-security] 20180603 CVE-2018-10058 and CVE-2018-10057 - cgminer <=4.10.0 and bfgminer <=5.5.0 remote management api post-auth buffer overflow and path traversal",
+ "refsource" : "MLIST",
+ "url" : "http://www.openwall.com/lists/oss-security/2018/06/03/1"
+ },
+ {
+ "name" : "https://github.com/tintinweb/pub/tree/master/pocs/cve-2018-10058",
+ "refsource" : "MISC",
+ "url" : "https://github.com/tintinweb/pub/tree/master/pocs/cve-2018-10058"
 }
 ]
 }
diff --git a/2018/11xxx/CVE-2018-11586.json b/2018/11xxx/CVE-2018-11586.json
index 5df8b0dd175..d22f9f85060 100644
--- a/2018/11xxx/CVE-2018-11586.json
+++ b/2018/11xxx/CVE-2018-11586.json
@@ -2,7 +2,30 @@
 "CVE_data_meta" : {
 "ASSIGNER" : "cve@mitre.org",
 "ID" : "CVE-2018-11586",
- "STATE" : "RESERVED"
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "n/a",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "n/a"
+ }
+ ]
+ }
 },
 "data_format" : "MITRE",
 "data_type" : "CVE",
@@ -11,7 +34,28 @@
 "description_data" : [
 {
 "lang" : "eng",
- "value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value" : "XML external entity (XXE) vulnerability in api/rest/status in SearchBlox 8.6.7 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request."
+ }
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "http://packetstormsecurity.com/files/148032/SearchBlox-8.6.7-XML-External-Entity-Injection.html",
+ "refsource" : "MISC",
+ "url" : "http://packetstormsecurity.com/files/148032/SearchBlox-8.6.7-XML-External-Entity-Injection.html"
 }
 ]
 }
diff --git a/2018/3xxx/CVE-2018-3617.json b/2018/3xxx/CVE-2018-3617.json
index 786e2798a84..d65a967ac01 100644
--- a/2018/3xxx/CVE-2018-3617.json
+++ b/2018/3xxx/CVE-2018-3617.json
@@ -1,32 +1,9 @@
 {
 "CVE_data_meta" : {
- "ASSIGNER" : "secure@intel.com",
+ "ASSIGNER" : "cve@mitre.org",
 "DATE_PUBLIC" : "2018-05-10T00:00:00",
 "ID" : "CVE-2018-3617",
- "STATE" : "PUBLIC"
- },
- "affects" : {
- "vendor" : {
- "vendor_data" : [
- {
- "product" : {
- "product_data" : [
- {
- "product_name" : "Integrated Performance Primitives Cryptography Library",
- "version" : {
- "version_data" : [
- {
- "version_value" : "before 2018 U2.1"
- }
- ]
- }
- }
- ]
- },
- "vendor_name" : "Intel Corporation"
- }
- ]
- }
+ "STATE" : "REJECT"
 },
 "data_format" : "MITRE",
 "data_type" : "CVE",
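Review bot: The affects block committed in the previous hunk is all `n/a` while this description pins the product and version precisely as SearchBlox 8.6.7; `"vendor_name" : "SearchBlox"`, `"product_name" : "SearchBlox"` and `"version_value" : "8.6.7"` would carry that into the structured field that scanners match on. The description says `remote unauthenticated users` can hit `api/rest/status`, i.e. a pre-auth file read and SSRF, but the single reference is a third-party MISC write-up served over plain http, so the record has no vendor confirmation and no fixed version—worth marking as unverified until a CONFIRM reference exists. problemtype `n/a` should name XXE (CWE-611 is the usual mapping) since the description already classifies it.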
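Review bot: `"DATE_PUBLIC" : "2018-05-10T00:00:00"` survives the switch to `"STATE" : "REJECT"`, so consumers will read a publication date on a candidate whose affects data is stripped by this same hunk; either drop DATE_PUBLIC along with the other content or note that it is intentionally retained. The ASSIGNER change from `secure@intel.com` to `cve@mitre.org` matches the reject note (next hunk) being issued by MITRE, assuming that is the repository's convention for rejected reservations. The removed product entry (`Integrated Performance Primitives Cryptography Library`, `before 2018 U2.1`) is not re-added to CVE-2018-3691 anywhere visible in this commit; if 3691 does not already carry it, that structured data is lost.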
@@ -35,33 +12,7 @@
 "description_data" : [
 {
 "lang" : "eng",
- "value" : "Some implementations in Intel Integrated Performance Primitives Cryptography Library before version 2018 U2.1 do not properly ensure constant execution time."
- }
- ]
- },
- "problemtype" : {
- "problemtype_data" : [
- {
- "description" : [
- {
- "lang" : "eng",
- "value" : "Information Disclosure"
- }
- ]
- }
- ]
- },
- "references" : {
- "reference_data" : [
- {
- "name" : "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00106.html",
- "refsource" : "CONFIRM",
- "url" : "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00106.html"
- },
- {
- "name" : "104261",
- "refsource" : "BID",
- "url" : "http://www.securityfocus.com/bid/104261"
+ "value" : "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-3691. Reason: This candidate is a reservation duplicate of CVE-2018-3691. Notes: All CVE users should reference CVE-2018-3691 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage."
 }
 ]
 }
diff --git a/2018/3xxx/CVE-2018-3691.json b/2018/3xxx/CVE-2018-3691.json
index 4816f61271a..42f3a9f67a8 100644
--- a/2018/3xxx/CVE-2018-3691.json
+++ b/2018/3xxx/CVE-2018-3691.json
@@ -54,6 +54,8 @@
 "references" : {
 "reference_data" : [
 {
+ "name" : "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00106.html",
+ "refsource" : "CONFIRM",
 "url" : "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00106.html"
 }
 ]
diff --git a/2018/7xxx/CVE-2018-7884.json b/2018/7xxx/CVE-2018-7884.json
index 3d5a1df8ae3..30631fe6579 100644
--- a/2018/7xxx/CVE-2018-7884.json
+++ b/2018/7xxx/CVE-2018-7884.json
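Review bot: The reference_data entry for intel-sa-00106 gains `name` and `refsource`, but the SecurityFocus entry (`"name" : "104261"`, `"refsource" : "BID"`, `"url" : "http://www.securityfocus.com/bid/104261"`) that the CVE-2018-3617 hunk above deletes is not added here; unless CVE-2018-3691 already carries it outside this hunk, that reference is lost when 3617 is rejected in favour of 3691. Adding a second reference object with those three fields keeps the reject note's "reference CVE-2018-3691 instead" accurate for anyone following the BID. The same applies to the `Information Disclosure` problemtype value removed from 3617, which is not visible in the 3691 hunk. The rest of the CVE-2018-3691 record lies outside this hunk.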
@@ -2,7 +2,30 @@
 "CVE_data_meta" : {
 "ASSIGNER" : "cve@mitre.org",
 "ID" : "CVE-2018-7884",
- "STATE" : "RESERVED"
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "n/a",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "n/a"
+ }
+ ]
+ }
 },
 "data_format" : "MITRE",
 "data_type" : "CVE",
@@ -11,7 +34,28 @@
 "description_data" : [
 {
 "lang" : "eng",
- "value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value" : "An issue was discovered in DisplayLink Core Software Cleaner Application 8.2.1956. When the drivers are updated to a newer version, the product launches a process as SYSTEM to uninstall the old version: cl_1956.exe is run as SYSTEM on the %systemroot%\\Temp folder, where any user can write a DLL (e.g., version.dll) to perform DLL Hijacking and elevate privileges to SYSTEM."
+ }
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "20180601 DisplayLink Installer 8.2.1956 DLL Hijack to privilege escalation CVE-2018-7884",
+ "refsource" : "FULLDISC",
+ "url" : "http://seclists.org/fulldisclosure/2018/Jun/1"
 }
 ]
 }
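Review bot: problemtype is `n/a` although the description describes a DLL search-order hijack from the world-writable `%systemroot%\Temp` folder by a SYSTEM-level process (an uncontrolled search path, CWE-427 is the usual mapping); recording that class is what lets triage distinguish a local privilege escalation from the pre-auth remote issues elsewhere in this commit. The affects block in the previous hunk is `n/a` even though the description names DisplayLink Core Software Cleaner Application 8.2.1956, so `"vendor_name" : "DisplayLink"` and that product/version belong in the structured field. The description gives no fixed version and the only reference is a Full Disclosure post over plain http, so whether later installer releases are affected cannot be determined from this record.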