Added CVE-2019-3797,3799

2025-08-04 08:44:25 +00:00 · 2019-05-06 09:49:06 -04:00 · 2019-05-06 09:49:06 -04:00 · b5ef750a88
commit b5ef750a88
parent eb269d172a
2 changed files with 77 additions and 33 deletions
--- a/2019/3xxx/CVE-2019-3797.json
+++ b/2019/3xxx/CVE-2019-3797.json
@ -1,18 +1 @@
-{
-    "CVE_data_meta": {
-        "ASSIGNER": "cve@mitre.org",
-        "ID": "CVE-2019-3797",
-        "STATE": "RESERVED"
-    },
-    "data_format": "MITRE",
-    "data_type": "CVE",
-    "data_version": "4.0",
-    "description": {
-        "description_data": [
-            {
-                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
-            }
-        ]
-    }
-}
+{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ASSIGNER":"secure@dell.com","DATE_PUBLIC":"2019-04-08T00:00:00.000Z","ID":"CVE-2019-3797","STATE":"PUBLIC","TITLE":"Additional information exposure with Spring Data JPA derived queries"},"source":{"discovery":"UNKNOWN"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Spring Boot","version":{"version_data":[{"affected":"<","version_name":"2.0","version_value":"v2.0.9.RELEASE"},{"affected":"<","version_name":"1.5","version_value":"v1.5.20.RELEASE"},{"affected":"<","version_name":"2.1","version_value":"v2.1.4.RELEASE"}]}}]},"vendor_name":"Spring"}]}},"description":{"description_data":[{"lang":"eng","value":"This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates ‘startingWith’, ‘endingWith’ or ‘containing’ could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE expressions in manually defined queries could return unexpected results if the parameter values bound did not have escaped reserved characters properly."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-89: SQL Injection"}]}]},"references":{"reference_data":[{"refsource":"CONFIRM","url":"https://pivotal.io/security/cve-2019-3797","name":"https://pivotal.io/security/cve-2019-3797"}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.5,"baseSeverity":"LOW","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N","version":"3.0"}}}
--- a/2019/3xxx/CVE-2019-3799.json
+++ b/2019/3xxx/CVE-2019-3799.json
@ -1,18 +1,79 @@
 {
-    "CVE_data_meta": {
-        "ASSIGNER": "cve@mitre.org",
-        "ID": "CVE-2019-3799",
-        "STATE": "RESERVED"
-    },
-    "data_format": "MITRE",
-    "data_type": "CVE",
-    "data_version": "4.0",
-    "description": {
-        "description_data": [
-            {
-                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
-            }
-        ]
+  "data_type": "CVE",
+  "data_format": "MITRE",
+  "data_version": "4.0",
+  "CVE_data_meta": {
+    "ASSIGNER": "secure@dell.com",
+    "DATE_PUBLIC": "2019-04-17T00:00:00.000Z",
+    "ID": "CVE-2019-3799",
+    "STATE": "PUBLIC",
+    "TITLE": "Directory Traversal with spring-cloud-config-server"
+  },
+  "source": {
+    "discovery": "UNKNOWN"
+  },
+  "affects": {
+    "vendor": {
+      "vendor_data": [
+        {
+          "product": {
+            "product_data": [
+              {
+                "product_name": "Spring Cloud Config",
+                "version": {
+                  "version_data": [
+                    {
+                      "affected": "<",
+                      "version_name": "2.0",
+                      "version_value": "v2.0.4.RELEASE"
+                    },
+                    {
+                      "affected": "<",
+                      "version_name": "1.4",
+                      "version_value": "v1.4.6.RELEASE"
+                    },
+                    {
+                      "affected": "<",
+                      "version_name": "2.1",
+                      "version_value": "v2.1.2.RELEASE"
+                    }
+                  ]
+                }
+              }
+            ]
+          },
+          "vendor_name": "Spring"
+        }
+      ]
    }
+  },
+  "description": {
+    "description_data": [
+      {
+        "lang": "eng",
+        "value": "Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack."
+      }
+    ]
+  },
+  "problemtype": {
+    "problemtype_data": [
+      {
+        "description": [
+          {
+            "lang": "eng",
+            "value": "CWE-22: Path Traversal"
+          }
+        ]
+      }
+    ]
+  },
+  "references": {
+    "reference_data": [
+      {
+        "refsource": "CONFIRM",
+        "url": "https://pivotal.io/security/cve-2019-3799",
+        "name": "https://pivotal.io/security/cve-2019-3799"
+      }
+    ]
+  }
 }