diff --git a/2023/36xxx/CVE-2023-36549.json b/2023/36xxx/CVE-2023-36549.json
index 000d74507fe..6ca4167d303 100644
--- a/2023/36xxx/CVE-2023-36549.json
+++ b/2023/36xxx/CVE-2023-36549.json
@@ -70,7 +70,7 @@
"solution": [
{
"lang": "en",
- "value": "Please upgrade to FortiWLM version 8.6.6 or above Please upgrade to FortiWLM version 8.5.5 or above "
+ "value": "Please upgrade to FortiWLM version 8.6.6 or above \nPlease upgrade to FortiWLM version 8.5.5 or above \n"
}
],
"impact": {
@@ -81,7 +81,7 @@
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
- "baseSeverity": "CRITICAL",
+ "baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
diff --git a/2023/52xxx/CVE-2023-52291.json b/2023/52xxx/CVE-2023-52291.json
index bff1319a983..9b9b6aee40e 100644
--- a/2023/52xxx/CVE-2023-52291.json
+++ b/2023/52xxx/CVE-2023-52291.json
@@ -59,6 +59,11 @@
"url": "https://lists.apache.org/thread/pl6xgzoqrl4kcn0nt55zjbsx8dn80mkf",
"refsource": "MISC",
"name": "https://lists.apache.org/thread/pl6xgzoqrl4kcn0nt55zjbsx8dn80mkf"
+ },
+ {
+ "url": "http://www.openwall.com/lists/oss-security/2024/07/17/1",
+ "refsource": "MISC",
+ "name": "http://www.openwall.com/lists/oss-security/2024/07/17/1"
}
]
},
diff --git a/2023/7xxx/CVE-2023-7272.json b/2023/7xxx/CVE-2023-7272.json
new file mode 100644
index 00000000000..ef04eab4648
--- /dev/null
+++ b/2023/7xxx/CVE-2023-7272.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2023-7272",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2024/23xxx/CVE-2024-23465.json b/2024/23xxx/CVE-2024-23465.json
index d53405da0f5..81c1dc10689 100644
--- a/2024/23xxx/CVE-2024-23465.json
+++ b/2024/23xxx/CVE-2024-23465.json
@@ -1,17 +1,116 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-23465",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "psirt@solarwinds.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The SolarWinds Access Rights Manager was found to be susceptible to an authentication bypass vulnerability. This vulnerability allows an unauthenticated user to gain domain admin access within the Active Directory environment. \u00a0 "
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-287 Improper Authentication",
+ "cweId": "CWE-287"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "SolarWinds",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Access Rights Manager",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "not down converted",
+ "x_cve_json_5_version_data": {
+ "versions": [
+ {
+ "lessThanOrEqual": "2023.2.4",
+ "status": "affected",
+ "version": "previous versions",
+ "versionType": "2024.3"
+ }
+ ],
+ "defaultStatus": "affected"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm",
+ "refsource": "MISC",
+ "name": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3
"
+ }
+ ],
+ "value": "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "HIGH",
+ "attackVector": "ADJACENT_NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 8.3,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "CHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
+ "version": "3.1"
}
]
}
diff --git a/2024/23xxx/CVE-2024-23466.json b/2024/23xxx/CVE-2024-23466.json
index 200255b64d0..5fffa4d9046 100644
--- a/2024/23xxx/CVE-2024-23466.json
+++ b/2024/23xxx/CVE-2024-23466.json
@@ -1,17 +1,116 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-23466",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "psirt@solarwinds.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "SolarWinds Access Rights Manager (ARM) is susceptible to a Directory Traversal Remote Code Execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to perform the actions with SYSTEM privileges. "
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
+ "cweId": "CWE-22"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "SolarWinds",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Access Rights Manager",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "not down converted",
+ "x_cve_json_5_version_data": {
+ "versions": [
+ {
+ "lessThanOrEqual": "2023.2.4",
+ "status": "affected",
+ "version": "previous versions",
+ "versionType": "2024.3"
+ }
+ ],
+ "defaultStatus": "affected"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm",
+ "refsource": "MISC",
+ "name": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3
"
+ }
+ ],
+ "value": "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Anonymous working with Trend Micro Zero Day Initiative"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "ADJACENT_NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 9.6,
+ "baseSeverity": "CRITICAL",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "CHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+ "version": "3.1"
}
]
}
diff --git a/2024/23xxx/CVE-2024-23467.json b/2024/23xxx/CVE-2024-23467.json
index 47f02662a97..9f99666b160 100644
--- a/2024/23xxx/CVE-2024-23467.json
+++ b/2024/23xxx/CVE-2024-23467.json
@@ -1,17 +1,116 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-23467",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "psirt@solarwinds.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform remote code execution."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
+ "cweId": "CWE-22"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "SolarWinds",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Access Rights Manager",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "not down converted",
+ "x_cve_json_5_version_data": {
+ "versions": [
+ {
+ "lessThanOrEqual": "2023.2.4",
+ "status": "affected",
+ "version": "previous versions",
+ "versionType": "2024.3"
+ }
+ ],
+ "defaultStatus": "affected"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm",
+ "refsource": "MISC",
+ "name": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3
"
+ }
+ ],
+ "value": "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Anonymous working with Trend Micro Zero Day Initiative"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "ADJACENT_NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 9.6,
+ "baseSeverity": "CRITICAL",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "CHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+ "version": "3.1"
}
]
}
diff --git a/2024/23xxx/CVE-2024-23468.json b/2024/23xxx/CVE-2024-23468.json
index 6d2d1168e4e..65e5ef3ddcb 100644
--- a/2024/23xxx/CVE-2024-23468.json
+++ b/2024/23xxx/CVE-2024-23468.json
@@ -1,17 +1,116 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-23468",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "psirt@solarwinds.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
+ "cweId": "CWE-22"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "SolarWinds",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Access Rights Manager",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "not down converted",
+ "x_cve_json_5_version_data": {
+ "versions": [
+ {
+ "lessThanOrEqual": "2023.2.4",
+ "status": "affected",
+ "version": "previous versions",
+ "versionType": "2024.3"
+ }
+ ],
+ "defaultStatus": "affected"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm",
+ "refsource": "MISC",
+ "name": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "\n\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n\n
"
+ }
+ ],
+ "value": "\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n\n\n"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "ADJACENT_NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 7.6,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
+ "version": "3.1"
}
]
}
diff --git a/2024/23xxx/CVE-2024-23469.json b/2024/23xxx/CVE-2024-23469.json
index a53a6fd04c6..238678a5850 100644
--- a/2024/23xxx/CVE-2024-23469.json
+++ b/2024/23xxx/CVE-2024-23469.json
@@ -1,17 +1,116 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-23469",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "psirt@solarwinds.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "SolarWinds Access Rights Manager (ARM) is susceptible to a Remote Code Execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to perform the actions with SYSTEM privileges. "
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-20 Improper Input Validation",
+ "cweId": "CWE-20"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "SolarWinds",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Access Rights Manager",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "not down converted",
+ "x_cve_json_5_version_data": {
+ "versions": [
+ {
+ "lessThanOrEqual": "2023.2.4",
+ "status": "affected",
+ "version": "previous versions",
+ "versionType": "2024.3"
+ }
+ ],
+ "defaultStatus": "affected"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm",
+ "refsource": "MISC",
+ "name": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3
"
+ }
+ ],
+ "value": "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "ADJACENT_NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 9.6,
+ "baseSeverity": "CRITICAL",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "CHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+ "version": "3.1"
}
]
}
diff --git a/2024/23xxx/CVE-2024-23470.json b/2024/23xxx/CVE-2024-23470.json
index 242fdd331ad..b81646a209d 100644
--- a/2024/23xxx/CVE-2024-23470.json
+++ b/2024/23xxx/CVE-2024-23470.json
@@ -1,17 +1,116 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-23470",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "psirt@solarwinds.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The SolarWinds Access Rights Manager was found to be susceptible to a pre-authentication remote code execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to run commands and executables. "
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-287 Improper Authentication",
+ "cweId": "CWE-287"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "SolarWinds",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Access Rights Manager",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "not down converted",
+ "x_cve_json_5_version_data": {
+ "versions": [
+ {
+ "lessThanOrEqual": "2023.2.4",
+ "status": "affected",
+ "version": "previous versions",
+ "versionType": "2024.3"
+ }
+ ],
+ "defaultStatus": "affected"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm",
+ "refsource": "MISC",
+ "name": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "\n\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3
"
+ }
+ ],
+ "value": "\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Anonymous working with Trend Micro Zero Day Initiative"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "ADJACENT_NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 9.6,
+ "baseSeverity": "CRITICAL",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "CHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+ "version": "3.1"
}
]
}
diff --git a/2024/23xxx/CVE-2024-23471.json b/2024/23xxx/CVE-2024-23471.json
index 46477241416..e81c5fa9b97 100644
--- a/2024/23xxx/CVE-2024-23471.json
+++ b/2024/23xxx/CVE-2024-23471.json
@@ -1,17 +1,116 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-23471",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "psirt@solarwinds.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The SolarWinds Access Rights Manager was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service resulting in remote code execution. "
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-287 Improper Authentication",
+ "cweId": "CWE-287"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "SolarWinds",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Access Rights Manager",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "not down converted",
+ "x_cve_json_5_version_data": {
+ "versions": [
+ {
+ "lessThanOrEqual": "2023.2.4",
+ "status": "affected",
+ "version": "previous versions",
+ "versionType": "2024.3"
+ }
+ ],
+ "defaultStatus": "affected"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm",
+ "refsource": "MISC",
+ "name": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "\n\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n\n
"
+ }
+ ],
+ "value": "\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n\n\n"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Anonymous working with Trend Micro Zero Day Initiative"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "ADJACENT_NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 9.6,
+ "baseSeverity": "CRITICAL",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "CHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+ "version": "3.1"
}
]
}
diff --git a/2024/23xxx/CVE-2024-23472.json b/2024/23xxx/CVE-2024-23472.json
index ec6105f2e56..ab187de156c 100644
--- a/2024/23xxx/CVE-2024-23472.json
+++ b/2024/23xxx/CVE-2024-23472.json
@@ -1,17 +1,116 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-23472",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "psirt@solarwinds.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "SolarWinds Access Rights Manager (ARM) is susceptible to Directory Traversal vulnerability. This vulnerability allows an authenticated user to arbitrary read and delete files in ARM."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
+ "cweId": "CWE-22"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "SolarWinds",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Access Rights Manager",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "not down converted",
+ "x_cve_json_5_version_data": {
+ "versions": [
+ {
+ "lessThanOrEqual": "2023.2.4",
+ "status": "affected",
+ "version": "previous versions",
+ "versionType": "2024.3"
+ }
+ ],
+ "defaultStatus": "affected"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm",
+ "refsource": "MISC",
+ "name": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3
"
+ }
+ ],
+ "value": "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "ADJACENT_NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 9.6,
+ "baseSeverity": "CRITICAL",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "CHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+ "version": "3.1"
}
]
}
diff --git a/2024/23xxx/CVE-2024-23474.json b/2024/23xxx/CVE-2024-23474.json
index 4012bbecc4e..21a9df03f92 100644
--- a/2024/23xxx/CVE-2024-23474.json
+++ b/2024/23xxx/CVE-2024-23474.json
@@ -1,17 +1,116 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-23474",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "psirt@solarwinds.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The SolarWinds Access Rights Manager was found to be susceptible to an Arbitrary File Deletion and Information Disclosure vulnerability."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
+ "cweId": "CWE-22"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "SolarWinds",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Access Rights Manager",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "not down converted",
+ "x_cve_json_5_version_data": {
+ "versions": [
+ {
+ "lessThanOrEqual": "2023.2.4",
+ "status": "affected",
+ "version": "previous versions",
+ "versionType": "2024.3"
+ }
+ ],
+ "defaultStatus": "affected"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm",
+ "refsource": "MISC",
+ "name": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3
"
+ }
+ ],
+ "value": "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "ADJACENT_NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 7.6,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
+ "version": "3.1"
}
]
}
diff --git a/2024/23xxx/CVE-2024-23475.json b/2024/23xxx/CVE-2024-23475.json
index baf3f3a9e0d..4b2cdc02797 100644
--- a/2024/23xxx/CVE-2024-23475.json
+++ b/2024/23xxx/CVE-2024-23475.json
@@ -1,17 +1,116 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-23475",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "psirt@solarwinds.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
+ "cweId": "CWE-22"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "SolarWinds",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Access Rights Manager",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "not down converted",
+ "x_cve_json_5_version_data": {
+ "versions": [
+ {
+ "lessThanOrEqual": "2023.2.4",
+ "status": "affected",
+ "version": "previous versions",
+ "versionType": "2024.3"
+ }
+ ],
+ "defaultStatus": "affected"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm",
+ "refsource": "MISC",
+ "name": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3
"
+ }
+ ],
+ "value": "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "ADJACENT_NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 9.6,
+ "baseSeverity": "CRITICAL",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "CHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+ "version": "3.1"
}
]
}
diff --git a/2024/28xxx/CVE-2024-28074.json b/2024/28xxx/CVE-2024-28074.json
index a6f4cd3e6e3..48dd2c638b6 100644
--- a/2024/28xxx/CVE-2024-28074.json
+++ b/2024/28xxx/CVE-2024-28074.json
@@ -1,17 +1,116 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-28074",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "psirt@solarwinds.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "It was discovered that a previous vulnerability was not completely fixed with SolarWinds Access Rights Manager. While some controls were implemented the researcher was able to bypass these and use a different method to exploit the vulnerability."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-502 Deserialization of Untrusted Data",
+ "cweId": "CWE-502"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "SolarWinds",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Access Rights Manager",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "not down converted",
+ "x_cve_json_5_version_data": {
+ "versions": [
+ {
+ "lessThanOrEqual": "2023.2.4",
+ "status": "affected",
+ "version": "previous versions",
+ "versionType": "2024.3"
+ }
+ ],
+ "defaultStatus": "affected"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm",
+ "refsource": "MISC",
+ "name": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3
"
+ }
+ ],
+ "value": "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Anonymous working with Trend Micro Zero Day Initiative"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "ADJACENT_NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 9.6,
+ "baseSeverity": "CRITICAL",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "CHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+ "version": "3.1"
}
]
}
diff --git a/2024/28xxx/CVE-2024-28992.json b/2024/28xxx/CVE-2024-28992.json
index 577225c5786..ea3f7439cea 100644
--- a/2024/28xxx/CVE-2024-28992.json
+++ b/2024/28xxx/CVE-2024-28992.json
@@ -1,17 +1,116 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-28992",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "psirt@solarwinds.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-287 Improper Authentication",
+ "cweId": "CWE-287"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "SolarWinds",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Access Rights Manager",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "not down converted",
+ "x_cve_json_5_version_data": {
+ "versions": [
+ {
+ "lessThanOrEqual": "2023.2.4",
+ "status": "affected",
+ "version": "previous versions",
+ "versionType": "2024.3"
+ }
+ ],
+ "defaultStatus": "affected"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm",
+ "refsource": "MISC",
+ "name": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3
"
+ }
+ ],
+ "value": "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "ADJACENT_NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 7.6,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
+ "version": "3.1"
}
]
}
diff --git a/2024/28xxx/CVE-2024-28993.json b/2024/28xxx/CVE-2024-28993.json
index 7da8f2320ef..7c70fe85ac3 100644
--- a/2024/28xxx/CVE-2024-28993.json
+++ b/2024/28xxx/CVE-2024-28993.json
@@ -1,17 +1,116 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-28993",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "psirt@solarwinds.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
+ "cweId": "CWE-22"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "SolarWinds",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Access Rights Manager",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "not down converted",
+ "x_cve_json_5_version_data": {
+ "versions": [
+ {
+ "lessThanOrEqual": "2023.2.4",
+ "status": "affected",
+ "version": "previous versions",
+ "versionType": "2024.3"
+ }
+ ],
+ "defaultStatus": "affected"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm",
+ "refsource": "MISC",
+ "name": "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3
"
+ }
+ ],
+ "value": "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "LOW",
+ "attackVector": "ADJACENT_NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 7.6,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
+ "version": "3.1"
}
]
}
diff --git a/2024/29xxx/CVE-2024-29120.json b/2024/29xxx/CVE-2024-29120.json
index 57809c5a3bc..b0b12d57f88 100644
--- a/2024/29xxx/CVE-2024-29120.json
+++ b/2024/29xxx/CVE-2024-29120.json
@@ -1,18 +1,77 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-29120",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@apache.org",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "In Streampark (version < 2.1.4), when a user logged in successfully, the Backend service would return \"Authorization\" as the front-end authentication credential. User can use this credential to request other users' information, including the administrator's username, password, salt value, etc.\u00a0\n\nMitigation:\n\nall users should upgrade to 2.1.4\n\n"
}
]
- }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer",
+ "cweId": "CWE-212"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Apache Software Foundation",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Apache StreamPark",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<",
+ "version_name": "2.0.0",
+ "version_value": "2.1.4"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://lists.apache.org/thread/y3oqz7l8vd7jxxx3z2khgl625nvfr60j",
+ "refsource": "MISC",
+ "name": "https://lists.apache.org/thread/y3oqz7l8vd7jxxx3z2khgl625nvfr60j"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "credits": [
+ {
+ "lang": "en",
+ "value": "L0ne1y"
+ }
+ ]
}
\ No newline at end of file
diff --git a/2024/29xxx/CVE-2024-29737.json b/2024/29xxx/CVE-2024-29737.json
index 7948ff24a27..57ea5b30822 100644
--- a/2024/29xxx/CVE-2024-29737.json
+++ b/2024/29xxx/CVE-2024-29737.json
@@ -59,6 +59,11 @@
"url": "https://lists.apache.org/thread/xhx7jt1t24s6d7o435wxng8t0ojfbfh5",
"refsource": "MISC",
"name": "https://lists.apache.org/thread/xhx7jt1t24s6d7o435wxng8t0ojfbfh5"
+ },
+ {
+ "url": "http://www.openwall.com/lists/oss-security/2024/07/17/2",
+ "refsource": "MISC",
+ "name": "http://www.openwall.com/lists/oss-security/2024/07/17/2"
}
]
},
diff --git a/2024/41xxx/CVE-2024-41177.json b/2024/41xxx/CVE-2024-41177.json
new file mode 100644
index 00000000000..ea1e5c036f2
--- /dev/null
+++ b/2024/41xxx/CVE-2024-41177.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-41177",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2024/6xxx/CVE-2024-6833.json b/2024/6xxx/CVE-2024-6833.json
new file mode 100644
index 00000000000..4c2d2458661
--- /dev/null
+++ b/2024/6xxx/CVE-2024-6833.json
@@ -0,0 +1,108 @@
+{
+ "data_version": "4.0",
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-6833",
+ "ASSIGNER": "zowe-security@lists.openmainframeproject.org",
+ "STATE": "PUBLIC"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "A vulnerability in Zowe CLI allows local, privileged actors to store previously entered secure credentials in a plaintext file as part of an auto-init operation."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-257: Storing Passwords in a Recoverable Format"
+ }
+ ]
+ },
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-313: Cleartext Storage in a File or on Disk"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Open Mainframe Project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Zowe",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<",
+ "version_name": "7.18.0",
+ "version_value": "7.23.5"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://github.com/zowe/zowe-cli/",
+ "refsource": "MISC",
+ "name": "https://github.com/zowe/zowe-cli/"
+ }
+ ]
+ },
+ "exploit": [
+ {
+ "lang": "en",
+ "value": "There are no known exploits of this issue."
+ }
+ ],
+ "solution": [
+ {
+ "lang": "en",
+ "value": "This issue is fixed in Zowe CLI 7.23.5 or later, included as part of Zowe 2.16.0 or later."
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Broadcom Inc."
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "baseScore": 5.9,
+ "baseSeverity": "MEDIUM",
+ "version": "3.1",
+ "attackVector": "LOCAL",
+ "attackComplexity": "LOW",
+ "privilegesRequired": "LOW",
+ "userInteraction": "REQUIRED",
+ "scope": "CHANGED",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "NONE",
+ "availabilityImpact": "NONE",
+ "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C/CR:M/IR:X/AR:X/MAV:L/MAC:L/MPR:L/MUI:R/MS:C/MC:H/MI:N/MA:N"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2024/6xxx/CVE-2024-6834.json b/2024/6xxx/CVE-2024-6834.json
new file mode 100644
index 00000000000..7f6bd0cf0ca
--- /dev/null
+++ b/2024/6xxx/CVE-2024-6834.json
@@ -0,0 +1,104 @@
+{
+ "data_version": "4.0",
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-6834",
+ "ASSIGNER": "zowe-security@lists.openmainframeproject.org",
+ "STATE": "PUBLIC"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "A vulnerability in APIML Spring Cloud Gateway which leverages user privileges by unexpected signing proxied request by Zowe's client certificate. This allows access to a user to the endpoints requiring an internal client certificate without any credentials. It could lead to managing components in there and allow an attacker to handle the whole communication including user credentials."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Open Mainframe Project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Zowe",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<",
+ "version_name": "2.4.0",
+ "version_value": "2.14.0"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://github.com/zowe/api-layer",
+ "refsource": "MISC",
+ "name": "https://github.com/zowe/api-layer"
+ }
+ ]
+ },
+ "exploit": [
+ {
+ "lang": "en",
+ "value": "There are no known exploits of this issue however exploits targeting this issue are publicly available."
+ }
+ ],
+ "solution": [
+ {
+ "lang": "en",
+ "value": "This issue is fixed in the APIML 2.14.4 (Zowe 2.14) and later. Fixed by https://github.com/zowe/api-layer/pull/3203 and https://github.com/zowe/api-layer/pull/3273"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Pavel Jares"
+ },
+ {
+ "lang": "en",
+ "value": "Andrej Chmelo"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "baseScore": 9,
+ "baseSeverity": "CRITICAL",
+ "version": "3.1",
+ "attackVector": "LOCAL",
+ "attackComplexity": "LOW",
+ "privilegesRequired": "LOW",
+ "userInteraction": "NONE",
+ "scope": "UNCHANGED",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "NONE",
+ "availabilityImpact": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:T/RC:C/CR:H/IR:H/AR:M/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:H/MI:H/MA:H"
+ }
+ ]
+ }
+}
\ No newline at end of file