"-Synchronized-Data."

This commit is contained in:
CVE Team 2023-08-28 08:00:31 +00:00
parent 3d272325fa
commit 7c492e3205
No known key found for this signature in database
GPG Key ID: E3252B3D49582C98
3 changed files with 156 additions and 11 deletions


@ -34,7 +34,7 @@
"description_data": [
{
"lang": "eng",
"value": "Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via crafted value as the retry delay."
"value": "Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via crafted value as the retry delay. NOTE: some third parties report that this has no direct security impact on the curl user; however, it may cause a denial of service to associated systems or networks if, for example, --retry-delay is interpreted as a value much smaller than what was intended."
}
]
},


@ -1,18 +1,90 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-27604",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security@apache.org",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Apache Airflow Sqoop Provider, versions before 4.0.0, is affected by a vulnerability that allows an attacker pass parameters with the connections, which makes it possible to implement RCE attacks via \u2018sqoop import --connect\u2019, obtain airflow server permissions, etc. The attacker needs to be logged in and have authorization (permissions) to create/edit connections.\n\n It is recommended to upgrade to a version that is not affected.\nThis issue was reported independently by happyhacking-k, And Xie Jianming and LiuHui of Caiji Sec Team also reported it."
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation",
"cweId": "CWE-20"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Apache Software Foundation",
"product": {
"product_data": [
{
"product_name": "Apache Airflow Sqoop Provider",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "0",
"version_value": "4.0.0"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/apache/airflow/pull/33039",
"refsource": "MISC",
"name": "https://github.com/apache/airflow/pull/33039"
},
{
"url": "https://lists.apache.org/thread/lswlxf11do51ob7f6xyyg8qp3n7wdrgd",
"refsource": "MISC",
"name": "https://lists.apache.org/thread/lswlxf11do51ob7f6xyyg8qp3n7wdrgd"
}
]
},
"generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"source": {
"discovery": "UNKNOWN"
},
"credits": [
{
"lang": "en",
"value": "happyhacking-k"
},
{
"lang": "en",
"value": "Xie Jianming of Caiji Sec Team"
},
{
"lang": "en",
"value": "Liu Hui of Caiji Sec Team"
}
]
}
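Review bot: The language tag is inconsistent within this record: the description and problemtype entries use `"lang": "eng"` while every `credits` entry uses `"lang": "en"`, so a consumer filtering on one code will silently miss the other; the same split appears in the CVE-2023-40195 file below. Pick one code per document (the rest of the record uses `"eng"`) rather than mixing ISO 639-1 and 639-2 forms. `"source": { "discovery": "UNKNOWN" }` also sits next to three named external reporters, which looks like a default that was never updated — presumably `"EXTERNAL"` is the intended value, worth confirming with the assigner. Minor wording in the description: "allows an attacker pass parameters" reads as "allows an attacker to pass parameters".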


@ -1,18 +1,91 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-40195",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security@apache.org",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airflow Spark Provider.\n\nWhen the Apache Spark provider is installed on an Airflow deployment, an Airflow user that is authorized to configure Spark hooks can effectively run arbitrary code on the Airflow node by pointing it at a malicious Spark server. Prior to version 4.1.3, this was not called out in the documentation explicitly, so it is possible that administrators provided authorizations to configure Spark hooks without taking this into account. We recommend administrators to review their configurations to make sure the authorization to configure Spark hooks is only provided to fully trusted users.\n\nTo view the warning in the docs please visit\u00a0 https://airflow.apache.org/docs/apache-airflow-providers-apache-spark/4.1.3/connections/spark.html \n\n"
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502 Deserialization of Untrusted Data",
"cweId": "CWE-502"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere",
"cweId": "CWE-829"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Apache Software Foundation",
"product": {
"product_data": [
{
"product_name": "Apache Airflow Spark Provider",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "0",
"version_value": "4.1.3"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/apache/airflow/pull/33233",
"refsource": "MISC",
"name": "https://github.com/apache/airflow/pull/33233"
},
{
"url": "https://lists.apache.org/thread/fzy95b1d6zv31j5wrx3znhzcscck2o24",
"refsource": "MISC",
"name": "https://lists.apache.org/thread/fzy95b1d6zv31j5wrx3znhzcscck2o24"
}
]
},
"generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"source": {
"discovery": "UNKNOWN"
},
"credits": [
{
"lang": "en",
"value": "happyhacking-k"
}
]
}
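Review bot: The documentation link that the description points readers to is only embedded in the free-text `value` (preceded by a `\u00a0` non-breaking space and followed by a stray ` \n\n` trailing whitespace), and is absent from `reference_data`, so tooling that harvests references from the structured list never sees the advisory page; the trailing whitespace also makes exact-match deduplication of the description unreliable. Add it as a third reference entry, e.g. `{ "url": "https://airflow.apache.org/docs/apache-airflow-providers-apache-spark/4.1.3/connections/spark.html", "refsource": "MISC", "name": "https://airflow.apache.org/docs/apache-airflow-providers-apache-spark/4.1.3/connections/spark.html" }`, and trim the description to end at the sentence rather than at the URL plus newlines. The `"lang"` mismatch between the description/problemtype (`"eng"`) and `credits` (`"en"`) noted on the CVE-2023-27604 file applies here as well.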