diff --git a/2016/3xxx/CVE-2016-3189.json b/2016/3xxx/CVE-2016-3189.json index ce5e3de64a0..535532ff83c 100644 --- a/2016/3xxx/CVE-2016-3189.json +++ b/2016/3xxx/CVE-2016-3189.json @@ -161,16 +161,6 @@ "refsource": "MLIST", "name": "[kafka-jira] 20210729 [jira] [Commented] (KAFKA-9858) CVE-2016-3189 Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.", "url": "https://lists.apache.org/thread.html/r5f80cf3ade5bb73410643e885fe6b7bf9f0222daf3533e42c7ae240c@%3Cjira.kafka.apache.org%3E" - }, - { - "refsource": "MLIST", - "name": "[kafka-jira] 20210729 [jira] [Resolved] (KAFKA-9858) CVE-2016-3189 Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.", - "url": "https://lists.apache.org/thread.html/r4ad2ea01354e394b7fa8c78a184b7e1634d51be9bc0e9e4d7e6c9305@%3Cjira.kafka.apache.org%3E" - }, - { - "refsource": "MLIST", - "name": "[kafka-dev] 20210729 [jira] [Resolved] (KAFKA-9858) CVE-2016-3189 Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.", - "url": "https://lists.apache.org/thread.html/r1dc4c9b3bd559301bdb1557245f78b8910146efb1ee534b774c5f6af@%3Cdev.kafka.apache.org%3E" } ] } diff --git a/2021/37xxx/CVE-2021-37578.json b/2021/37xxx/CVE-2021-37578.json index 335dfad1997..017b4ec6bb7 100644 --- a/2021/37xxx/CVE-2021-37578.json +++ b/2021/37xxx/CVE-2021-37578.json @@ -1,18 +1,95 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "security@apache.org", "ID": "CVE-2021-37578", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Remote code execution via RMI" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Apache jUDDI", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "3.3.10" + } + ] + } + } + ] + }, + "vendor_name": "Apache Software Foundation" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Reported by Artem Smotrakov" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Apache jUDDI uses several classes related to Java's Remote Method Invocation (RMI) which (as an extension to UDDI) provides an alternate transport for accessing UDDI services. RMI uses the default Java serialization mechanism to pass parameters in RMI invocations. A remote attacker can send a malicious serialized object to the above RMI entries. The objects get deserialized without any check on the incoming data. In the worst case, it may let the attacker run arbitrary code remotely. For both jUDDI web service applications and jUDDI clients, the usage of RMI is disabled by default. Since this is an optional feature and an extension to the UDDI protocol, the likelihood of impact is low. Starting with 3.3.10, all RMI related code was removed." } ] - } + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": [ + { + "other": "moderate" + } + ], + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-502 Deserialization of Untrusted Data" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "url": "https://lists.apache.org/thread.html/r82047b3ba774cf870ea8e1e9ec51c6107f6cd056d4e36608148c6e71%40%3Cprivate.juddi.apache.org%3E", + "name": "https://lists.apache.org/thread.html/r82047b3ba774cf870ea8e1e9ec51c6107f6cd056d4e36608148c6e71%40%3Cprivate.juddi.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[oss-security] 20210728 [SECURITY] CVE-2021-37578 Apache jUDDI Remote code execution", + "url": "http://www.openwall.com/lists/oss-security/2021/07/29/1" + } + ] + }, + "source": { + "defect": [ + "JUDDI-1018" + ], + "discovery": "UNKNOWN" + }, + "work_around": [ + { + "lang": "eng", + "value": "For the jUDDI service web application, RMI and JNDI service registration is disabled by default. If it was enabled by the system owner, disable it.\n\nFor jUDDI Clients, do not use RMI Transports. This is an opt-in feature and is not typically used." + } + ] } \ No newline at end of file diff --git a/2021/37xxx/CVE-2021-37601.json b/2021/37xxx/CVE-2021-37601.json index c3b4e657e64..f4bc436670c 100644 --- a/2021/37xxx/CVE-2021-37601.json +++ b/2021/37xxx/CVE-2021-37601.json @@ -61,11 +61,6 @@ "url": "https://prosody.im/", "refsource": "MISC", "name": "https://prosody.im/" - }, - { - "refsource": "MLIST", - "name": "[oss-security] 20210728 Re: Prosody XMPP server advisory 2021-07-22 (Remote Information Disclosure) (CVE-2021-37601)", - "url": "http://www.openwall.com/lists/oss-security/2021/07/28/4" } ] },