"-Synchronized-Data."

This commit is contained in:
CVE Team 2020-06-30 17:01:28 +00:00
parent bfb9040e50
commit 7a0f23a905
No known key found for this signature in database
GPG Key ID: 5708902F06FEF743
4 changed files with 49 additions and 5 deletions

View File

@ -5,13 +5,57 @@
"CVE_data_meta": {
"ID": "CVE-2020-13095",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "n/a",
"product": {
"product_data": [
{
"product_name": "Little Snitch",
"version": {
"version_data": [
{
"version_value": "up to 4.5.1"
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-59: Improper Link Resolution Before File Access ('Link Following')"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://obdev.at/cve/2020-13095-t46oXJJOwz.html",
"url": "https://obdev.at/cve/2020-13095-t46oXJJOwz.html"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Little Snitch version 4.5.1 and older changed ownership of a directory path controlled by the user. This allowed the user to escalate to root by linking the path to a directory containing code executed by root."
}
]
}
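Review bot: vendor_name is left as "n/a" even though the reference URL (https://obdev.at/cve/2020-13095-t46oXJJOwz.html) points at the vendor's own advisory; record the vendor there rather than "n/a" so the affects block can be searched by vendor. The rest of the hunk is internally consistent: version_value "up to 4.5.1" matches "version 4.5.1 and older" in the description, and CWE-59 (Link Following) fits the described ownership change on a user-controlled path that is then linked to a directory containing code executed by root.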

View File

@ -35,7 +35,7 @@
"description_data": [
{
"lang": "eng",
"value": "In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass.\n\nYou are affected by this vulnerability if all of the following conditions apply:\n- You are using express-jwt\n- You do not have **algorithms** configured in your express-jwt configuration.\n- You are using libraries such as jwks-rsa as the **secret**. \n\nYou can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example.\n\nThis is also fixed in version 6.0.0."
"value": "In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0."
}
]
},
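Review bot: collapsing the "\n" separators turns the three-item checklist into a run-on ("...conditions apply: - You are using express-jwt - You do not have **algorithms** configured..."), and the literal ** markdown emphasis now sits in plain text. If the sync must strip newlines, rewrite the bullets as one sentence (e.g. "...if you use express-jwt, have not configured algorithms, and use a library such as jwks-rsa as the secret") and drop the asterisks. The substantive content (affected up to and including 5.3.3, fixed in 6.0.0, set algorithms in the express-jwt configuration) is unchanged.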

View File

@ -35,7 +35,7 @@
"description_data": [
{
"lang": "eng",
"value": "In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the browser's local storage mechanism, including credentials. A malicious user with direct access to the browser could extract the email and password.\n\nIn versions prior to 2.10.0 persisted the cache even after the user logged out.\n\nThis is fixed in version 2.10.3.\n\nA workaround is to manually clear application data (browser's local storage) after logging into Saleor Storefront."
"value": "In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the browser's local storage mechanism, including credentials. A malicious user with direct access to the browser could extract the email and password. In versions prior to 2.10.0 persisted the cache even after the user logged out. This is fixed in version 2.10.3. A workaround is to manually clear application data (browser's local storage) after logging into Saleor Storefront."
}
]
},
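Review bot: the sentence "In versions prior to 2.10.0 persisted the cache even after the user logged out." has no subject in both the old and the new value; suggest "Versions prior to 2.10.0 persisted the cache even after the user logged out." while the text is being normalized anyway. The newline flattening itself is whitespace-only and keeps the affected range (before 2.10.3), the fix version, and the clear-local-storage workaround intact.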

View File

@ -35,7 +35,7 @@
"description_data": [
{
"lang": "eng",
"value": "In Presto before version 337, authenticated users can bypass authorization checks by directly accessing internal APIs. \n\nThis impacts Presto server installations with secure internal communication configured. This does not affect installations that have not configured secure internal communication, as these installations are inherently insecure.\n\nThis only affects Presto server installations. This does NOT affect clients such as the CLI or JDBC driver.\n\nThis vulnerability has been fixed in version 337.\n\nAdditionally, this issue can be mitigated by blocking network access to internal APIs on the coordinator and workers. "
"value": "In Presto before version 337, authenticated users can bypass authorization checks by directly accessing internal APIs. This impacts Presto server installations with secure internal communication configured. This does not affect installations that have not configured secure internal communication, as these installations are inherently insecure. This only affects Presto server installations. This does NOT affect clients such as the CLI or JDBC driver. This vulnerability has been fixed in version 337. Additionally, this issue can be mitigated by blocking network access to internal APIs on the coordinator and workers."
}
]
},
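Review bot: no content change in this hunk, only newline and trailing-space normalization (the space after "workers." is trimmed); confirm that is intended, since the original paragraph breaks separated scope (server installations with secure internal communication configured; CLI and JDBC clients unaffected), fix (version 337) and mitigation (block network access to internal APIs on the coordinator and workers), which now read as one block. The mitigation sentence, the part a defender acts on, survives the merge.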