From 5f583cbcce89376b76b04bdb2f411d4e6d808737 Mon Sep 17 00:00:00 2001
From: DellEMCProductSecurity
Date: Thu, 13 Dec 2018 16:16:47 -0500
Subject: [PATCH] Publish CVE-2018-15754,15774,15776
---
 2018/15xxx/CVE-2018-15754.json | 101 ++++++++++++++++++++++++----
 2018/15xxx/CVE-2018-15774.json | 116 +++++++++++++++++++++++++++++----
 2018/15xxx/CVE-2018-15776.json | 96 +++++++++++++++++++++++----
 3 files changed, 277 insertions(+), 36 deletions(-)
diff --git a/2018/15xxx/CVE-2018-15754.json b/2018/15xxx/CVE-2018-15754.json
index 90790231b8f..f0213095bc0 100644
--- a/2018/15xxx/CVE-2018-15754.json
+++ b/2018/15xxx/CVE-2018-15754.json
@@ -1,18 +1,95 @@
 {
- "CVE_data_meta" : {
- "ASSIGNER" : "cve@mitre.org",
- "ID" : "CVE-2018-15754",
- "STATE" : "RESERVED"
+ "CVE_data_meta": {
+ "ASSIGNER": "secure@dell.com",
+ "DATE_PUBLIC": "2018-12-10T12:00:00.000Z",
+ "ID": "CVE-2018-15754",
+ "STATE": "PUBLIC",
+ "TITLE": "UAA issues tokens across identity providers if users with matching usernames exist"
 },
- "data_format" : "MITRE",
- "data_type" : "CVE",
- "data_version" : "4.0",
- "description" : {
- "description_data" : [
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "UAA",
+ "version": {
+ "version_data": [
+ {
+ "affected": "<",
+ "version_name": "all versions",
+ "version_value": "66.0"
+ },
+ {
+ "affected": ">=",
+ "version_name": "all versions",
+ "version_value": "60.0"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Cloud Foundry"
+ }
+ ]
+ }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "This issue was responsibly reported by the UAA team of Pivotal.\n\n"
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
 {
- "lang" : "eng",
- "value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "lang": "eng",
+ "value": "Cloud Foundry UAA, all versions in v60.x, v61.x, v62.x, v63.x, and v64.x contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider."
 }
 ]
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "HIGH",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 4.2,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
+ "version": "3.0"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Improper Authentication"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "https://www.cloudfoundry.org/blog/cve-2018-15754"
+ }
+ ]
+ },
+ "source": {
+ "discovery": "UNKNOWN"
 }
-}
+}
\ No newline at end of file
diff --git a/2018/15xxx/CVE-2018-15774.json b/2018/15xxx/CVE-2018-15774.json
index 8014c70b9ed..2685e0f895e 100644
--- a/2018/15xxx/CVE-2018-15774.json
+++ b/2018/15xxx/CVE-2018-15774.json
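Review bot: The `version_data` range in 2018/15xxx/CVE-2018-15754.json does not agree with the description: the two entries give `>= 60.0` and `< 66.0`, while the text lists only v60.x through v64.x, so v65.x is affected according to one field and not the other. The bounds are also two separate entries that both carry `"version_name": "all versions"`, and a consumer that evaluates entries one at a time can read `< 66.0` as covering every release below 60.0 as well. I would make the two fields agree: if v64.x is the last affected line the upper bound would read `"version_value": "65.0"`, otherwise the description should name v65.x. Separately, `problemtype` says "Improper Authentication" while the description calls the flaw an authorization logic error; one of the two should be corrected.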
@@ -1,18 +1,110 @@
 {
- "CVE_data_meta" : {
- "ASSIGNER" : "cve@mitre.org",
- "ID" : "CVE-2018-15774",
- "STATE" : "RESERVED"
+ "CVE_data_meta": {
+ "ASSIGNER": "secure@dell.com",
+ "DATE_PUBLIC": "2018-12-11T06:00:00.000Z",
+ "ID": "CVE-2018-15774",
+ "STATE": "PUBLIC",
+ "TITLE": "iDRAC7/iDRAC8/iDRAC9 - Privilege Escalation Vulnerability "
 },
- "data_format" : "MITRE",
- "data_type" : "CVE",
- "data_version" : "4.0",
- "description" : {
- "description_data" : [
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "iDRAC ",
+ "version": {
+ "version_data": [
+ {
+ "affected": "<",
+ "version_name": "iDRAC7",
+ "version_value": "2.61.60.60"
+ },
+ {
+ "affected": "<",
+ "version_name": "iDRAC8",
+ "version_value": "2.61.60.60"
+ },
+ {
+ "affected": "<",
+ "version_name": "iDRAC9",
+ "version_value": "3.20.21.20"
+ },
+ {
+ "affected": "<",
+ "version_name": "iDRAC9",
+ "version_value": "3.21.24.22"
+ },
+ {
+ "affected": "<",
+ "version_name": "iDRAC9",
+ "version_value": "3.21.26.22"
+ },
+ {
+ "affected": "<",
+ "version_name": "iDRAC9 ",
+ "version_value": "3.23.23.23 "
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Dell EMC"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
 {
- "lang" : "eng",
- "value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "lang": "eng",
+ "value": "Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 and iDRAC9 versions prior to 3.20.21.20, 3.21.24.22, 3.21.26.22, and 3.23.23.23 contain a privilege escalation vulnerability. An authenticated malicious iDRAC user with operator privileges could potentially exploit a permissions check flaw in the Redfish interface to gain administrator access."
 }
 ]
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 3.8,
+ "baseSeverity": "LOW",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "HIGH",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
+ "version": "3.0"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Privilege escalation vulnerability. "
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name" : "https://www.dell.com/support/article/us/en/19/sln315190/dell-emc-idrac-multiple-vulnerabilities-cve-2018-15774-and-cve-2018-15776-?lang=en",
+ "refsource" : "CONFIRM",
+ "url" : "https://www.dell.com/support/article/us/en/19/sln315190/dell-emc-idrac-multiple-vulnerabilities-cve-2018-15774-and-cve-2018-15776-?lang=en"
+ }
+ ]
+ },
+ "source": {
+ "discovery": "EXTERNAL"
 }
-}
+}
\ No newline at end of file
diff --git a/2018/15xxx/CVE-2018-15776.json b/2018/15xxx/CVE-2018-15776.json
index 182b988ccc4..0f0e91262b8 100644
--- a/2018/15xxx/CVE-2018-15776.json
+++ b/2018/15xxx/CVE-2018-15776.json
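Review bot: Several identifier strings in 2018/15xxx/CVE-2018-15774.json end in a stray space (`"product_name": "iDRAC "`, `"version_name": "iDRAC9 "`, `"version_value": "3.23.23.23 "`), which defeats exact-match lookups in inventory and scanner tooling and makes this record's product differ from `"product_name": "iDRAC"` in CVE-2018-15776.json. They should read `"product_name": "iDRAC"`, `"version_name": "iDRAC9"` and `"version_value": "3.23.23.23"`; the `TITLE` and `problemtype` values here and in the CVE-2018-15776.json hunk carry the same trailing space. The four iDRAC9 entries are all `"affected": "<"` with different bounds, so read literally the largest bound subsumes the other three. If these are per-branch fixed versions, as the description's wording suggests, each entry should state its branch (for example in `version_name`) so that a system already on a fixed 3.20.x or 3.21.x build is not reported as affected.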
@@ -1,18 +1,90 @@
 {
- "CVE_data_meta" : {
- "ASSIGNER" : "cve@mitre.org",
- "ID" : "CVE-2018-15776",
- "STATE" : "RESERVED"
+ "CVE_data_meta": {
+ "ASSIGNER": "secure@dell.com",
+ "DATE_PUBLIC": "2018-12-11T06:00:00.000Z",
+ "ID": "CVE-2018-15776",
+ "STATE": "PUBLIC",
+ "TITLE": "iDRAC7, iDRAC8 - Improper Error Handling "
 },
- "data_format" : "MITRE",
- "data_type" : "CVE",
- "data_version" : "4.0",
- "description" : {
- "description_data" : [
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "iDRAC",
+ "version": {
+ "version_data": [
+ {
+ "affected": "<",
+ "version_name": "iDRAC7",
+ "version_value": "2.61.60.60"
+ },
+ {
+ "affected": "<",
+ "version_name": "iDRAC8",
+ "version_value": "2.61.60.60"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Dell EMC"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
 {
- "lang" : "eng",
- "value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "lang": "eng",
+ "value": "Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 contain an improper error handling vulnerability. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability to get access to the u-boot shell."
 }
 ]
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "HIGH",
+ "attackVector": "PHYSICAL",
+ "availabilityImpact": "HIGH",
+ "baseScore": 6.4,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Improper Error Handling Vulnerability. "
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name" : "https://www.dell.com/support/article/us/en/19/sln315190/dell-emc-idrac-multiple-vulnerabilities-cve-2018-15774-and-cve-2018-15776-?lang=en",
+ "refsource" : "CONFIRM",
+ "url" : "https://www.dell.com/support/article/us/en/19/sln315190/dell-emc-idrac-multiple-vulnerabilities-cve-2018-15774-and-cve-2018-15776-?lang=en"
+ }
+ ]
+ },
+ "source": {
+ "discovery": "UNKNOWN"
 }
-}
+}
\ No newline at end of file
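Review bot: The `problemtype` value in 2018/15xxx/CVE-2018-15776.json, `"Improper Error Handling Vulnerability. "`, restates the title instead of classifying the weakness, so tooling that groups or filters records by CWE has nothing to key on. I would replace it with the CWE identifier that the vendor's analysis supports, in the form `"value": "CWE-<ID>: <CWE name>"` (a placeholder, since the record does not state one). The `problemtype` in CVE-2018-15774.json has the same shape.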