From 89ea61d6b3f80c641576210cd9645a16a035438c Mon Sep 17 00:00:00 2001 From: CVE Team Date: Thu, 9 Nov 2023 17:00:33 +0000 Subject: [PATCH] "-Synchronized-Data." --- 2021/45xxx/CVE-2021-45036.json | 193 +++++++++++++++++---------------- 2023/45xxx/CVE-2023-45283.json | 91 +++++++++++++++- 2023/45xxx/CVE-2023-45284.json | 74 ++++++++++++- 2023/45xxx/CVE-2023-45884.json | 56 +++++++++- 2023/45xxx/CVE-2023-45885.json | 56 +++++++++- 2023/46xxx/CVE-2023-46894.json | 56 +++++++++- 6 files changed, 407 insertions(+), 119 deletions(-) diff --git a/2021/45xxx/CVE-2021-45036.json b/2021/45xxx/CVE-2021-45036.json index dbd83a7cb3d..140b5b1e54c 100644 --- a/2021/45xxx/CVE-2021-45036.json +++ b/2021/45xxx/CVE-2021-45036.json @@ -1,15 +1,38 @@ { + "data_version": "4.0", + "data_type": "CVE", + "data_format": "MITRE", "CVE_data_meta": { - "ASSIGNER": "cve-coordination@incibe.es", - "DATE_PUBLIC": "2022-11-23T12:00:00.000Z", "ID": "CVE-2021-45036", - "STATE": "PUBLIC", - "TITLE": "Velneo vClient improper authentication" + "ASSIGNER": "cve-coordination@incibe.es", + "STATE": "PUBLIC" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "\nVelneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server.\n\n" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-290 Authentication Bypass by Spoofing", + "cweId": "CWE-290" + } + ] + } + ] }, "affects": { "vendor": { "vendor_data": [ { + "vendor_name": "Velneo", "product": { "product_data": [ { 
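Review bot: The `problemtype` entry added in this hunk, `CWE-290 Authentication Bypass by Spoofing`, is broader than the description added next to it, which says a username plus the hashed password is enough to authenticate. The revision being replaced labelled this as CWE-836 (use of password hash instead of password), which is the weakness class defenders would search for. If the assigner agrees, a second description entry such as `"value": "CWE-836 Use of Password Hash Instead of Password for Authentication", "cweId": "CWE-836"` would keep that signal. The new description `value` also begins with `\n` and ends with `\n\n`, so consumers that compare or display it should trim whitespace. The record's top-level object continues past this hunk.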
@@ -18,117 +41,101 @@ "version_data": [ { "version_affected": "=", - "version_name": "28.1.3", "version_value": "28.1.3" } ] } } ] - }, - "vendor_name": "Velneo" + } } ] } }, - "credit": [ - { - "lang": "eng", - "value": "Jes\u00fas R\u00f3denas Huerta, @Marmeus" - } - ], - "data_format": "MITRE", - "data_type": "CVE", - "data_version": "4.0", - "description": { - "description_data": [ + "references": { + "reference_data": [ { - "lang": "eng", - "value": "Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server." + "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/velneo-vclient-improper-authentication-0", + "refsource": "MISC", + "name": "https://www.incibe.es/en/incibe-cert/notices/aviso/velneo-vclient-improper-authentication-0" + }, + { + "url": "https://www.velneo.com/blog/disponible-la-nueva-version-velneo-32", + "refsource": "MISC", + "name": "https://www.velneo.com/blog/disponible-la-nueva-version-velneo-32" + }, + { + "url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#mejoras-de-seguridad-en-validacion-de-usuario-y-contrasena", + "refsource": "MISC", + "name": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#mejoras-de-seguridad-en-validacion-de-usuario-y-contrasena" + }, + { + "url": "https://velneo.es/mivelneo/listado-de-cambios-velneo-32/", + "refsource": "MISC", + "name": "https://velneo.es/mivelneo/listado-de-cambios-velneo-32/" + }, + { + "url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#a-partir-de-esta-version-todos-los-servidores-arrancaran-con-protocolo-vatps", + "refsource": "MISC", + "name": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#a-partir-de-esta-version-todos-los-servidores-arrancaran-con-protocolo-vatps" + }, + { + "url": "https://doc.velneo.com/v/32/velneo-vserver/funcionalidades/protocolo-vatps", + "refsource": "MISC", + "name": 
"https://doc.velneo.com/v/32/velneo-vserver/funcionalidades/protocolo-vatps" + }, + { + "url": "https://doc.velneo.com/v/32/velneo/funcionalidades-comunes/conexion-con-velneo-vserver", + "refsource": "MISC", + "name": "https://doc.velneo.com/v/32/velneo/funcionalidades-comunes/conexion-con-velneo-vserver" } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, - "impact": { - "cvss": { - "attackComplexity": "HIGH", - "attackVector": "NETWORK", - "availabilityImpact": "NONE", - "baseScore": 8.7, - "baseSeverity": "HIGH", - "confidentialityImpact": "HIGH", - "integrityImpact": "HIGH", - "privilegesRequired": "NONE", - "scope": "CHANGED", - "userInteraction": "NONE", - "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", - "version": "3.1" - } - }, - "problemtype": { - "problemtype_data": [ - { - "description": [ - { - "lang": "eng", - "value": "CWE-836: use of password hash instead of password for authentication" - } - ] - } - ] - }, - "references": { - "reference_data": [ - { - "name": "https://www.incibe-cert.es/en/early-warning/security-advisories/velneo-vclient-improper-authentication-0", - "refsource": "CONFIRM", - "url": "https://www.incibe-cert.es/en/early-warning/security-advisories/velneo-vclient-improper-authentication-0" - }, - { - "refsource": "MISC", - "name": "https://www.velneo.com/blog/disponible-la-nueva-version-velneo-32", - "url": "https://www.velneo.com/blog/disponible-la-nueva-version-velneo-32" - }, - { - "refsource": "MISC", - "name": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#mejoras-de-seguridad-en-validacion-de-usuario-y-contrasena", - "url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#mejoras-de-seguridad-en-validacion-de-usuario-y-contrasena" - }, - { - "refsource": "MISC", - "name": "https://velneo.es/mivelneo/listado-de-cambios-velneo-32/", - "url": "https://velneo.es/mivelneo/listado-de-cambios-velneo-32/" - }, - { - "refsource": "MISC", - "name": 
"https://doc.velneo.com/v/32/velneo/notas-de-la-version#a-partir-de-esta-version-todos-los-servidores-arrancaran-con-protocolo-vatps", - "url": "https://doc.velneo.com/v/32/velneo/notas-de-la-version#a-partir-de-esta-version-todos-los-servidores-arrancaran-con-protocolo-vatps" - }, - { - "refsource": "MISC", - "name": "https://doc.velneo.com/v/32/velneo-vserver/funcionalidades/protocolo-vatps", - "url": "https://doc.velneo.com/v/32/velneo-vserver/funcionalidades/protocolo-vatps" - }, - { - "refsource": "MISC", - "name": "https://doc.velneo.com/v/32/velneo/funcionalidades-comunes/conexion-con-velneo-vserver", - "url": "https://doc.velneo.com/v/32/velneo/funcionalidades-comunes/conexion-con-velneo-vserver" - } - ] - }, - "solution": [ - { - "lang": "eng", - "value": "This vulnerability has been fixed by Velneo team in version 32, released on 11/08/2022." - } - ], "source": { "advisory": "INCIBE-2022-1017", "defect": [ "INCIBE-2021-0028" ], "discovery": "EXTERNAL" + }, + "solution": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "\n\nThis vulnerability has been fixed by Velneo team in version 32, released on 11/08/2022.\n\n" + } + ], + "value": "\nThis vulnerability has been fixed by Velneo team in version 32, released on 11/08/2022.\n\n" + } + ], + "credits": [ + { + "lang": "en", + "value": "Jes\u00fas R\u00f3denas Huerta, @Marmeus" + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 8.7, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "version": "3.1" + } + ] } } \ No newline at end of file diff --git a/2023/45xxx/CVE-2023-45283.json b/2023/45xxx/CVE-2023-45283.json index 9101b2f26fb..5a05f843062 100644 
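Review bot: `impact.cvss` is re-added at the end of this hunk as a one-element array, where the removed block held a single object. A consumer that reads `impact.cvss.baseScore` directly will stop seeing the 8.7 HIGH score for this record unless it accepts both shapes. The added `solution` and `credits` entries use `"lang": "en"` while `description` and `problemtype` in the same file use `"eng"`; a single tag per record (`"lang": "eng"`) keeps language filters from dropping the fix text. The fix date is still written `11/08/2022`, which can be read as August or November, so an ISO 8601 date would remove the ambiguity.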
--- a/2023/45xxx/CVE-2023-45283.json +++ b/2023/45xxx/CVE-2023-45283.json 
@@ -1,17 +1,100 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-45283", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@golang.org", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The filepath package does not recognize paths with a \\??\\ prefix as special. On Windows, a path beginning with \\??\\ is a Root Local Device path equivalent to a path beginning with \\\\?\\. Paths with a \\??\\ prefix may be used to access arbitrary locations on the system. For example, the path \\??\\c:\\x is equivalent to the more common path c:\\x. Before fix, Clean could convert a rooted path such as \\a\\..\\??\\b into the root local device path \\??\\b. Clean will now convert this to .\\??\\b. Similarly, Join(\\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \\??\\b. Join will now convert this to \\.\\??\\b. In addition, with fix, IsAbs now correctly reports paths beginning with \\??\\ as absolute, and VolumeName correctly reports the \\??\\ prefix as a volume name." 
+ } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-41: Improper Resolution of Path Equivalence" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Go standard library", + "product": { + "product_data": [ + { + "product_name": "path/filepath", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "0", + "version_value": "1.20.11" + }, + { + "version_affected": "<", + "version_name": "1.21.0-0", + "version_value": "1.21.4" + } + ] + } + }, + { + "product_name": "internal/safefilepath", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "0", + "version_value": "1.20.11" + }, + { + "version_affected": "<", + "version_name": "1.21.0-0", + "version_value": "1.21.4" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://go.dev/issue/63713", + "refsource": "MISC", + "name": "https://go.dev/issue/63713" + }, + { + "url": "https://go.dev/cl/540277", + "refsource": "MISC", + "name": "https://go.dev/cl/540277" + }, + { + "url": "https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY", + "refsource": "MISC", + "name": "https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY" + }, + { + "url": "https://pkg.go.dev/vuln/GO-2023-2185", + "refsource": "MISC", + "name": "https://pkg.go.dev/vuln/GO-2023-2185" } ] } diff --git a/2023/45xxx/CVE-2023-45284.json b/2023/45xxx/CVE-2023-45284.json index c69afe263d5..ac9c97f2b34 100644 --- a/2023/45xxx/CVE-2023-45284.json +++ b/2023/45xxx/CVE-2023-45284.json 
@@ -1,17 +1,83 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-45284", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@golang.org", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as \"COM1 \", and reserved names \"COM\" and \"LPT\" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now correctly reports these names as non-local." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-41: Improper Resolution of Path Equivalence" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Go standard library", + "product": { + "product_data": [ + { + "product_name": "path/filepath", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "0", + "version_value": "1.20.11" + }, + { + "version_affected": "<", + "version_name": "1.21.0-0", + "version_value": "1.21.4" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://go.dev/issue/63713", + "refsource": "MISC", + "name": "https://go.dev/issue/63713" + }, + { + "url": "https://go.dev/cl/540277", + "refsource": "MISC", + "name": "https://go.dev/cl/540277" + }, + { + "url": "https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY", + "refsource": "MISC", + "name": "https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY" + }, + { + "url": "https://pkg.go.dev/vuln/GO-2023-2186", + 
"refsource": "MISC", + "name": "https://pkg.go.dev/vuln/GO-2023-2186" } ] } diff --git a/2023/45xxx/CVE-2023-45884.json b/2023/45xxx/CVE-2023-45884.json index 5e5e1cdacb0..7b26fd0dfb5 100644 --- a/2023/45xxx/CVE-2023-45884.json +++ b/2023/45xxx/CVE-2023-45884.json @@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2023-45884", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2023-45884", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Cross Site Request Forgery (CSRF) vulnerability in NASA Open MCT (aka openmct) through 3.1.0 allows attackers to view sensitive information via the flexibleLayout plugin." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://www.linkedin.com/pulse/xss-nasas-open-mct-v302-visionspace-technologies-ubg4f", + "url": "https://www.linkedin.com/pulse/xss-nasas-open-mct-v302-visionspace-technologies-ubg4f" } ] } diff --git a/2023/45xxx/CVE-2023-45885.json b/2023/45xxx/CVE-2023-45885.json index 012868753b7..fb5d804de39 100644 --- a/2023/45xxx/CVE-2023-45885.json +++ b/2023/45xxx/CVE-2023-45885.json 
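Review bot: In the CVE-2023-45884 hunk the added `problemtype` value is `n/a` and `affects` gives vendor, product and version as `n/a`, although the description in the same hunk names a CSRF issue in NASA Open MCT through 3.1.0. Scanners and CWE-based filters that key on the structured fields will not match this record. Filling them from the description, for example `"value": "CWE-352 Cross-Site Request Forgery (CSRF)"`, `"product_name": "Open MCT"` and `"version_affected": "<=", "version_value": "3.1.0"`, would make it machine-matchable. The same gap is present in the CVE-2023-45885 and CVE-2023-46894 hunks below. The only reference is a LinkedIn article whose slug mentions XSS and v3.0.2, which does not obviously correspond to a CSRF finding through 3.1.0; a vendor advisory or fix commit would be a stronger reference if one exists.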
@@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2023-45885", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2023-45885", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Cross Site Scripting (XSS) vulnerability in NASA Open MCT (aka openmct) through 3.1.0 allows attackers to run arbitrary code via the new component feature in the flexibleLayout plugin." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://www.linkedin.com/pulse/xss-nasas-open-mct-v302-visionspace-technologies-ubg4f", + "url": "https://www.linkedin.com/pulse/xss-nasas-open-mct-v302-visionspace-technologies-ubg4f" } ] } diff --git a/2023/46xxx/CVE-2023-46894.json b/2023/46xxx/CVE-2023-46894.json index 77ef5a596b4..b674a828f5b 100644 --- a/2023/46xxx/CVE-2023-46894.json +++ b/2023/46xxx/CVE-2023-46894.json 
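Review bot: The added description says the XSS allows attackers to `run arbitrary code`, which readers and severity triage can take to mean code execution on the host. For a cross-site scripting issue the impact is script execution in the victim's browser session. A wording such as `allows attackers to execute arbitrary script in a victim's browser via the new component feature in the flexibleLayout plugin` states the same finding without that ambiguity. This record also reuses the single LinkedIn reference from CVE-2023-45884, so the two entries cannot be told apart from their references alone.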
@@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2023-46894", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2023-46894", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An issue discovered in esptool 4.6.2 allows attackers to view sensitive information via weak cryptographic algorithm." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/espressif/esptool/issues/926", + "refsource": "MISC", + "name": "https://github.com/espressif/esptool/issues/926" } ] }
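Review bot: The added description names neither the algorithm nor the esptool feature involved (`via weak cryptographic algorithm`), so exposure cannot be judged from the record without opening the linked issue. One sentence naming both would make the entry usable for triage. A `problemtype` value such as `CWE-327 Use of a Broken or Risky Cryptographic Algorithm` may fit in place of `n/a`, if the assigner confirms that is the weakness. The affected version `4.6.2` appears only in prose; repeating it in `version_value` would let version matchers find it.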