admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-06-08 22:18:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

- Synchronized data.

Browse Source
This commit is contained in:
CVE Team 2018-11-28 12:40:03 -05:00
parent f55f7e22d5
commit 9d0c2d7443
No known key found for this signature in database
GPG Key ID: 0DA1F9F56BC892E8
8 changed files with 118 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
2018/12xxx/CVE-2018-12116.json
View File

@ -34,7 +34,7 @@
"description_data" : [
{
"lang" : "eng",
"value" : "HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server."
"value" : "Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server."
}
]
},
@ -53,6 +53,8 @@
"references" : {
"reference_data" : [
{
"name" : "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
"refsource" : "CONFIRM",
"url" : "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
}
]

4
2018/12xxx/CVE-2018-12120.json
View File

@ -34,7 +34,7 @@
"description_data" : [
{
"lang" : "eng",
"value" : "Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable."
"value" : "Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable."
}
]
},
@ -53,6 +53,8 @@
"references" : {
"reference_data" : [
{
"name" : "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
"refsource" : "CONFIRM",
"url" : "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
}
]

4
2018/12xxx/CVE-2018-12121.json
View File

@ -34,7 +34,7 @@
"description_data" : [
{
"lang" : "eng",
"value" : "Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer."
"value" : "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer."
}
]
},
@ -53,6 +53,8 @@
"references" : {
"reference_data" : [
{
"name" : "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
"refsource" : "CONFIRM",
"url" : "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
}
]

4
2018/12xxx/CVE-2018-12122.json
View File

@ -34,7 +34,7 @@
"description_data" : [
{
"lang" : "eng",
"value" : "Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time."
"value" : "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time."
}
]
},
@ -53,6 +53,8 @@
"references" : {
"reference_data" : [
{
"name" : "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
"refsource" : "CONFIRM",
"url" : "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
}
]

4
2018/12xxx/CVE-2018-12123.json
View File

@ -34,7 +34,7 @@
"description_data" : [
{
"lang" : "eng",
"value" : "Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case \"javascript:\" (e.g. \"javAscript:\") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect."
"value" : "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case \"javascript:\" (e.g. \"javAscript:\") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect."
}
]
},
@ -53,6 +53,8 @@
"references" : {
"reference_data" : [
{
"name" : "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
"refsource" : "CONFIRM",
"url" : "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
}
]

5
2018/19xxx/CVE-2018-19518.json
View File

@ -97,6 +97,11 @@
"refsource" : "MISC",
"url" : "https://www.openwall.com/lists/oss-security/2018/11/22/3"
},
{
"name" : "https://git.php.net/?p=php-src.git;a=commit;h=e5bfea64c81ae34816479bb05d17cdffe45adddb",
"refsource" : "CONFIRM",
"url" : "https://git.php.net/?p=php-src.git;a=commit;h=e5bfea64c81ae34816479bb05d17cdffe45adddb"
},
{
"name" : "106018",
"refsource" : "BID",

62
2018/19xxx/CVE-2018-19646.json Normal file
View File

@ -0,0 +1,62 @@
{
"CVE_data_meta" : {
"ASSIGNER" : "cve@mitre.org",
"ID" : "CVE-2018-19646",
"STATE" : "PUBLIC"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "n/a",
"version" : {
"version_data" : [
{
"version_value" : "n/a"
}
]
}
}
]
},
"vendor_name" : "n/a"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
"data_version" : "4.0",
"description" : {
"description_data" : [
{
"lang" : "eng",
"value" : "The Python CGI scripts in PWS in Imperva SecureSphere 13.0.10, 13.1.10, and 13.2.10 allow remote attackers to execute arbitrary OS commands because command-line arguments are mishandled."
}
]
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "n/a"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"name" : "45542",
"refsource" : "EXPLOIT-DB",
"url" : "https://www.exploit-db.com/exploits/45542"
}
]
}
}

74
2018/1xxx/CVE-2018-1584.json
View File

@ -1,90 +1,88 @@
{
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"value" : "Cross-Site Scripting",
"lang" : "eng"
}
]
}
]
"CVE_data_meta" : {
"ASSIGNER" : "psirt@us.ibm.com",
"DATE_PUBLIC" : "2018-11-26T00:00:00",
"ID" : "CVE-2018-1584",
"STATE" : "PUBLIC"
},
"data_version" : "4.0",
"affects" : {
"vendor" : {
"vendor_data" : [
{
"vendor_name" : "IBM",
"product" : {
"product_data" : [
{
"product_name" : "Maximo Asset Management",
"version" : {
"version_data" : [
{
"version_value" : "7.6"
}
]
},
"product_name" : "Maximo Asset Management"
}
}
]
}
},
"vendor_name" : "IBM"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
"data_version" : "4.0",
"description" : {
"description_data" : [
{
"value" : "IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 143497.",
"lang" : "eng"
"lang" : "eng",
"value" : "IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 143497."
}
]
},
"CVE_data_meta" : {
"DATE_PUBLIC" : "2018-11-26T00:00:00",
"ID" : "CVE-2018-1584",
"ASSIGNER" : "psirt@us.ibm.com",
"STATE" : "PUBLIC"
},
"impact" : {
"cvssv3" : {
"BM" : {
"I" : "L",
"SCORE" : "5.400",
"S" : "C",
"AC" : "L",
"C" : "L",
"A" : "N",
"AC" : "L",
"AV" : "N",
"C" : "L",
"I" : "L",
"PR" : "L",
"S" : "C",
"SCORE" : "5.400",
"UI" : "R"
},
"TM" : {
"RL" : "O",
"E" : "H",
"RC" : "C",
"E" : "H"
"RL" : "O"
}
}
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "Cross-Site Scripting"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"name" : "https://www.ibm.com/support/docview.wss?uid=ibm10741821",
"refsource" : "CONFIRM",
"url" : "https://www.ibm.com/support/docview.wss?uid=ibm10741821",
"title" : "IBM Security Bulletin 741821 (Maximo Asset Management)"
"url" : "https://www.ibm.com/support/docview.wss?uid=ibm10741821"
},
{
"name" : "ibm-maximo-cve20181584-xss(143497)",
"refsource" : "XF",
"name" : "ibm-maximo-cve20181584-xss (143497)",
"url" : "https://exchange.xforce.ibmcloud.com/vulnerabilities/143497",
"title" : "X-Force Vulnerability Report"
"url" : "https://exchange.xforce.ibmcloud.com/vulnerabilities/143497"
}
]
},
"data_type" : "CVE"
}
}