diff --git a/2016/9xxx/CVE-2016-9880.json b/2016/9xxx/CVE-2016-9880.json
index 32ab68dc717..62f460b4f72 100644
--- a/2016/9xxx/CVE-2016-9880.json
+++ b/2016/9xxx/CVE-2016-9880.json
@@ -38,7 +38,7 @@
 "description_data" : [
 {
 "lang" : "eng",
- "value" : "The GemFire broker for Cloud Foundry has multiple API endpoints which do not require authentication and could be used to gain access to the cluster managed by the broker."
+ "value" : "The GemFire broker for Cloud Foundry 1.6.x before 1.6.5 and 1.7.x before 1.7.1 has multiple API endpoints which do not require authentication and could be used to gain access to the cluster managed by the broker."
 }
 ]
 },
diff --git a/2017/14xxx/CVE-2017-14384.json b/2017/14xxx/CVE-2017-14384.json
index eee87ea8cc8..a8e3ae3507b 100644
--- a/2017/14xxx/CVE-2017-14384.json
+++ b/2017/14xxx/CVE-2017-14384.json
@@ -35,7 +35,7 @@
 "description_data" : [
 {
 "lang" : "eng",
- "value" : "Resolved a directory traversal vulnerability (CVE-2017-14384). In Dell Storage Manager versions earlier than 16.3.20, the EMConfigMigration service is affected by a directory traversal vulnerability. A remote malicious user could potentially exploit this vulnerability to read unauthorized files by supplying specially crafted strings in input parameters of the application. A malicious user cannot delete or modify any files via this vulnerability."
+ "value" : "In Dell Storage Manager versions earlier than 16.3.20, the EMConfigMigration service is affected by a directory traversal vulnerability. A remote malicious user could potentially exploit this vulnerability to read unauthorized files by supplying specially crafted strings in input parameters of the application. A malicious user cannot delete or modify any files via this vulnerability."
 }
 ]
 },
diff --git a/2017/8xxx/CVE-2017-8013.json b/2017/8xxx/CVE-2017-8013.json
index 75d92abc757..86ea048d0ae 100644
--- a/2017/8xxx/CVE-2017-8013.json
+++ b/2017/8xxx/CVE-2017-8013.json
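Review bot: The affected-version bounds added to the CVE-2016-9880 description (`1.6.x before 1.6.5 and 1.7.x before 1.7.1`) appear only in the free-text `value`. The record's `affects` block lies above line 38, outside the hunk, so it is not visible whether `version_data` states the same ranges. Scanners and inventory matchers generally read the structured field rather than the prose, so the two should be updated together. The same check applies to the description changes for CVE-2017-8013, CVE-2018-1199 and CVE-2018-1200 later in this diff.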
@@ -38,7 +38,7 @@
 "description_data" : [
 {
 "lang" : "eng",
- "value" : "EMC Data Protection Advisor contains undocumented accounts with hard-coded passwords and various privileges. Affected accounts are: \"Apollo System Test\", \"emc.dpa.agent.logon\" and \"emc.dpa.metrics.logon\". An attacker with knowledge of the password could potentially use these accounts via REST APIs to gain unauthorized access to EMC Data Protection Advisor (including potentially access with administrative privileges)."
+ "value" : "EMC Data Protection Advisor 6.3.x before patch 67 and 6.4.x before patch 130 contains undocumented accounts with hard-coded passwords and various privileges. Affected accounts are: \"Apollo System Test\", \"emc.dpa.agent.logon\" and \"emc.dpa.metrics.logon\". An attacker with knowledge of the password could potentially use these accounts via REST APIs to gain unauthorized access to EMC Data Protection Advisor (including potentially access with administrative privileges)."
 }
 ]
 },
diff --git a/2018/1xxx/CVE-2018-1078.json b/2018/1xxx/CVE-2018-1078.json
index 18ff41f2df4..be38d48b217 100644
--- a/2018/1xxx/CVE-2018-1078.json
+++ b/2018/1xxx/CVE-2018-1078.json
@@ -1,62 +1,62 @@ { - "data_format": "MITRE", - "data_type": "CVE", - "data_version": "4.0", - "CVE_data_meta": { - "ASSIGNER": "secalert@redhat.com", - "DATE_ASSIGNED": "2018-03-14", - "ID": "CVE-2018-1078", - "REQUESTER": "kseifried@redhat.com", - "STATE": "PUBLIC" - }, - "affects": { - "vendor": { - "vendor_data": [ - { - "vendor_name": "OpenDayLight", - "product": { - "product_data": [ - { - "product_name": "OpenDayLight", - "version": { - "version_data": [ - { - "version_value": "Carbon SR3" - } + "CVE_data_meta" : { + "ASSIGNER" : "secalert@redhat.com", + "DATE_ASSIGNED" : "2018-03-14", + "ID" : "CVE-2018-1078", + "REQUESTER" : "kseifried@redhat.com", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "OpenDayLight", + "version" : { + "version_data" : [ + { + "version_value" : "Carbon SR3" + } + ] + } + } ] - } - } - ] - } - } + }, + "vendor_name" : "OpenDayLight" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "OpenDayLight version Carbon SR3 and earlier contain a vulnerability during node reconciliation that can result in traffic flows that should be expired or should expire shortly being re-installed and their timers reset resulting in traffic being allowed that should be expired." + } ] - } - }, - "description": { - "description_data": [ - { - "lang": "eng", - "value": "OpenDayLight version Carbon SR3 and earlier contain a vulnerability during node reconciliation that can result in traffic flows that should be expired or should expire shortly being re-installed and their timers reset resulting in traffic being allowed that should be expired. 
" - } - ] - }, - "problemtype": { - "problemtype_data": [ - { - "description": [ - { - "lang": "eng", - "value": "CWE-20" - } - ] - } - ] - }, - "references": { - "reference_data": [ - { - "url": "https://jira.opendaylight.org/browse/OPNFLWPLUG-971" - } - ] - } + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-20" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "url" : "https://jira.opendaylight.org/browse/OPNFLWPLUG-971" + } + ] + } } diff --git a/2018/1xxx/CVE-2018-1199.json b/2018/1xxx/CVE-2018-1199.json index c4b2317df94..2dea50a0422 100644 --- a/2018/1xxx/CVE-2018-1199.json +++ b/2018/1xxx/CVE-2018-1199.json 
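Review bot: In the CVE-2018-1078 record the description says "Carbon SR3 and earlier", but the only `version_data` entry is `"version_value" : "Carbon SR3"` with no range indicator. A consumer matching on the structured field would therefore treat earlier releases as unaffected. If the schema in use allows it, add `"version_affected" : "<="` to that entry, or carry the range in the value itself, e.g. `"version_value" : "Carbon SR3 and earlier"`. The hunk also reorders every key and changes the spacing around `:` across the whole file, which buries the one content change (the stray line break removed from the description string). Splitting the normalization from the content fix would make the record's history easier to audit.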
@@ -41,7 +41,7 @@
 "description_data" : [
 {
 "lang" : "eng",
- "value" : "Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification (see below). Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed."
+ "value" : "Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed."
 }
 ]
 },
diff --git a/2018/1xxx/CVE-2018-1200.json b/2018/1xxx/CVE-2018-1200.json
index a080a3bd888..7b35f4a6ffa 100644
--- a/2018/1xxx/CVE-2018-1200.json
+++ b/2018/1xxx/CVE-2018-1200.json
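Review bot: The new opening of the CVE-2018-1199 description nests the Spring Framework ranges inside a parenthetical whose subject is "Spring Security". Someone triaging by product name can read past the fact that Spring Framework 4.3.x and 5.0.x are also listed as affected. Naming both products as the subject would be clearer, for example `Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1, and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3, do not consider URL path parameters when processing security constraints.` The final sentence also has a subject-verb mismatch carried over from the old text: `encodings ... allows` should be `allow`.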
@@ -35,7 +35,7 @@
 "description_data" : [
 {
 "lang" : "eng",
- "value" : "Apps Manager for PCF allows unprivileged remote file read in its container via specially-crafted links."
+ "value" : "Apps Manager for PCF (Pivotal Application Service 1.11.x before 1.11.26, 1.12.x before 1.12.14, and 2.0.x before 2.0.5) allows unprivileged remote file read in its container via specially-crafted links."
 }
 ]
 },