admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-05-05 18:28:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

"-Synchronized-Data."

Browse Source
This commit is contained in:
CVE Team 2020-06-30 18:01:28 +00:00
parent 1942672000
commit 7e60917be5
No known key found for this signature in database
GPG Key ID: 5708902F06FEF743
7 changed files with 213 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
2020/10xxx/CVE-2020-10597.json
View File

@ -15,11 +15,11 @@
"product": {
"product_data": [
{
"product_name": "Insulet Omnipod Insulin Management System",
"product_name": "Delta Industrial Automation DOPSoft",
"version": {
"version_data": [
{
"version_value": "The following versions of the Omnipod Insulin Management System are affected Product ID/Reorder number: 19191 and 40160, UDI/Model/NDC number: ZXP425 (10-Pack) and ZXR425 (10-Pack Canada)"
"version_value": "DOPSoft Version 4.00.08.15 and prior."
}
]
}
@ -36,7 +36,7 @@
"description": [
{
"lang": "eng",
"value": "IMPROPER ACCESS CONTROL CWE-284"
"value": "OUT-OF-BOUNDS READ CWE-125"
}
]
}
@ -46,8 +46,8 @@
"reference_data": [
{
"refsource": "MISC",
"name": "https://www.us-cert.gov/ics/advisories/icsma-20-079-01",
"url": "https://www.us-cert.gov/ics/advisories/icsma-20-079-01"
"name": "https://www.us-cert.gov/ics/advisories/icsa-20-182-01",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-182-01"
}
]
},
@ -55,7 +55,7 @@
"description_data": [
{
"lang": "eng",
"value": "The affected insulin pump is designed to communicate using a wireless RF with an Insulet manufactured Personal Diabetes Manager device. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with access to one of the affected insulin pump models may be able to modify and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery."
"value": "Delta Industrial Automation DOPSoft, Version 4.00.08.15 and prior. Multiple out-of-bounds read vulnerabilities may be exploited by processing specially crafted project files, which may allow an attacker to read information and/or crash the application."
}
]
}

30
2020/11xxx/CVE-2020-11989.json
View File

@ -48,6 +48,36 @@
"refsource": "MISC",
"name": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E",
"url": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E"
},
{
"refsource": "MLIST",
"name": "[shiro-dev] 20200622 [Announce] CVE-2020-11989: Authentication Bypass by Primary Weakness",
"url": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675@%3Cdev.shiro.apache.org%3E"
},
{
"refsource": "MLIST",
"name": "[shiro-commits] 20200622 svn commit: r1879089 - /shiro/site/publish/security-reports.html",
"url": "https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0@%3Ccommits.shiro.apache.org%3E"
},
{
"refsource": "MLIST",
"name": "[shiro-commits] 20200622 svn commit: r1879088 - /shiro/site/publish/security-reports.html",
"url": "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040@%3Ccommits.shiro.apache.org%3E"
},
{
"refsource": "MLIST",
"name": "[shiro-user] 20200622 [Announce] CVE-2020-11989: Authentication Bypass by Primary Weakness",
"url": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675@%3Cuser.shiro.apache.org%3E"
},
{
"refsource": "MLIST",
"name": "[geode-dev] 20200630 Re: Proposal to bring GEODE-8315 (shiro upgrade) to support branches",
"url": "https://lists.apache.org/thread.html/rcf3d8041e1232201fe5d74fc612a193e435784d64002409b448b58fe@%3Cdev.geode.apache.org%3E"
},
{
"refsource": "MLIST",
"name": "[geode-dev] 20200630 Proposal to bring GEODE-8315 (shiro upgrade) to support branches",
"url": "https://lists.apache.org/thread.html/r408fe60bc8fdfd7c74135249d646d7abadb807ebf90f6fd2b014df21@%3Cdev.geode.apache.org%3E"
}
]
},

50
2020/14xxx/CVE-2020-14482.json
View File

@ -4,14 +4,58 @@
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2020-14482",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "ics-cert@hq.dhs.gov",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "n/a",
"product": {
"product_data": [
{
"product_name": "Delta Industrial Automation DOPSoft",
"version": {
"version_data": [
{
"version_value": "DOPSoft Version 4.00.08.15 and prior."
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "HEAP-BASED BUFFER OVERFLOW CWE-122"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://www.us-cert.gov/ics/advisories/icsa-20-182-01",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-182-01"
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Delta Industrial Automation DOPSoft, Version 4.00.08.15 and prior. Opening a specially crafted project file may overflow the heap, which may allow remote code execution, disclosure/modification of information, or cause the application to crash."
}
]
}

80
2020/15xxx/CVE-2020-15049.json
View File

@ -1,18 +1,86 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2020-15049",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2020-15049",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing \"+\\ \"-\" or an uncommon shell whitespace character prefix to the length field-value."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch",
"refsource": "MISC",
"name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch"
},
{
"url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch",
"refsource": "MISC",
"name": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch"
},
{
"refsource": "CONFIRM",
"name": "https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5",
"url": "https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N",
"version": "3.0"
}
}
}

56
2020/15xxx/CVE-2020-15307.json
View File

@ -1,17 +1,61 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2020-15307",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2020-15307",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Nozomi Guardian before 19.0.4 allows attackers to achieve stored XSS (in the web front end) by leveraging the ability to create a custom field with a crafted field name."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"name": "https://www2.deloitte.com/de/de/pages/risk/articles/nozomi-stored-xss.html?nc=1",
"url": "https://www2.deloitte.com/de/de/pages/risk/articles/nozomi-stored-xss.html?nc=1"
}
]
}

2
2020/5xxx/CVE-2020-5303.json
View File

@ -41,7 +41,7 @@
"description_data": [
{
"lang": "eng",
"value": "Tendermint before versions 0.33.3, 0.32.10, and 0.31.12 has a denial-of-service vulnerability.\n\nTendermint does not limit the number of P2P connection requests. For each p2p connection, it allocates XXX bytes. Even though this memory is garbage collected once the connection is terminated (due to duplicate IP or reaching a maximum number of inbound peers), temporary memory spikes can lead to OOM (Out-Of-Memory) exceptions.\n\nAdditionally, Tendermint does not reclaim activeID of a peer after it's removed in Mempool reactor. This does not happen all the time. It only happens when a connection fails (for any reason) before the Peer is created and added to all reactors. RemovePeer is therefore called before AddPeer, which leads to always growing memory (activeIDs map). The activeIDs map has a maximum size of 65535 and the node will panic if this map reaches the maximum. An attacker can create a lot of connection attempts (exploiting above denial of service), which ultimately will lead to the node panicking.\n\nThese issues are patched in Tendermint 0.33.3 and 0.32.10."
"value": "Tendermint before versions 0.33.3, 0.32.10, and 0.31.12 has a denial-of-service vulnerability. Tendermint does not limit the number of P2P connection requests. For each p2p connection, it allocates XXX bytes. Even though this memory is garbage collected once the connection is terminated (due to duplicate IP or reaching a maximum number of inbound peers), temporary memory spikes can lead to OOM (Out-Of-Memory) exceptions. Additionally, Tendermint does not reclaim activeID of a peer after it's removed in Mempool reactor. This does not happen all the time. It only happens when a connection fails (for any reason) before the Peer is created and added to all reactors. RemovePeer is therefore called before AddPeer, which leads to always growing memory (activeIDs map). The activeIDs map has a maximum size of 65535 and the node will panic if this map reaches the maximum. An attacker can create a lot of connection attempts (exploiting above denial of service), which ultimately will lead to the node panicking. These issues are patched in Tendermint 0.33.3 and 0.32.10."
}
]
},

10
2020/9xxx/CVE-2020-9296.json
View File

@ -15,11 +15,11 @@
"product": {
"product_data": [
{
"product_name": "Netflix Conductor",
"product_name": "Netflix Titus",
"version": {
"version_data": [
{
"version_value": "All versions prior to version v2.25.3"
"version_value": "All versions prior to version v0.1.1-rc.274"
}
]
}
@ -46,8 +46,8 @@
"reference_data": [
{
"refsource": "MISC",
"name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-001.md",
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-001.md"
"name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-002.md",
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-002.md"
}
]
},
@ -55,7 +55,7 @@
"description_data": [
{
"lang": "eng",
"value": "Netflix Conductor uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data in the error message template being passed to ConstraintValidatorContext.buildConstraintViolationWithTemplate() argument, they will be able to run arbitrary Java code."
"value": "Netflix Titus uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data in the error message template being passed to ConstraintValidatorContext.buildConstraintViolationWithTemplate() argument, they will be able to run arbitrary Java code."
}
]
}