Merge branch 'master' of github.com:CVEProject/cvelist

2025-06-19 17:32:41 +00:00 · 2017-11-22 12:29:42 -05:00 · 2017-11-22 12:29:42 -05:00 · b8f49f7601
commit b8f49f7601
parent afa4d51146 cf85d47d7d
3 changed files with 96 additions and 7 deletions
--- a/2017/15xxx/CVE-2017-15098.json
+++ b/2017/15xxx/CVE-2017-15098.json
@ -1,8 +1,32 @@
 {
   "CVE_data_meta" : {
-      "ASSIGNER" : "cve@mitre.org",
+      "ASSIGNER" : "secalert@redhat.com",
+      "DATE_PUBLIC" : "2017-11-09T00:00:00",
      "ID" : "CVE-2017-15098",
-      "STATE" : "RESERVED"
+      "STATE" : "PUBLIC"
+   },
+   "affects" : {
+      "vendor" : {
+         "vendor_data" : [
+            {
+               "product" : {
+                  "product_data" : [
+                     {
+                        "product_name" : "postgresql",
+                        "version" : {
+                           "version_data" : [
+                              {
+                                 "version_value" : "10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, 9.3.x before 9.3.20"
+                              }
+                           ]
+                        }
+                     }
+                  ]
+               },
+               "vendor_name" : "Red Hat, Inc."
+            }
+         ]
+      }
   },
   "data_format" : "MITRE",
   "data_type" : "CVE",
@ -11,7 +35,29 @@
      "description_data" : [
         {
            "lang" : "eng",
-            "value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+            "value" : "Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20 can crash the server or disclose a few bytes of server memory."
+         }
+      ]
+   },
+   "problemtype" : {
+      "problemtype_data" : [
+         {
+            "description" : [
+               {
+                  "lang" : "eng",
+                  "value" : "CWE-200"
+               }
+            ]
+         }
+      ]
+   },
+   "references" : {
+      "reference_data" : [
+         {
+            "url" : "https://www.postgresql.org/support/security/"
+         },
+         {
+            "url" : "https://www.postgresql.org/about/news/1801/"
         }
      ]
   }
--- a/2017/15xxx/CVE-2017-15099.json
+++ b/2017/15xxx/CVE-2017-15099.json
@ -1,8 +1,32 @@
 {
   "CVE_data_meta" : {
-      "ASSIGNER" : "cve@mitre.org",
+      "ASSIGNER" : "secalert@redhat.com",
+      "DATE_PUBLIC" : "2017-11-09T00:00:00",
      "ID" : "CVE-2017-15099",
-      "STATE" : "RESERVED"
+      "STATE" : "PUBLIC"
+   },
+   "affects" : {
+      "vendor" : {
+         "vendor_data" : [
+            {
+               "product" : {
+                  "product_data" : [
+                     {
+                        "product_name" : "postgresql",
+                        "version" : {
+                           "version_data" : [
+                              {
+                                 "version_value" : "10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10"
+                              }
+                           ]
+                        }
+                     }
+                  ]
+               },
+               "vendor_name" : "Red Hat, Inc."
+            }
+         ]
+      }
   },
   "data_format" : "MITRE",
   "data_type" : "CVE",
@ -11,7 +35,26 @@
      "description_data" : [
         {
            "lang" : "eng",
-            "value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+            "value" : "INSERT ... ON CONFLICT DO UPDATE commands disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege."
+         }
+      ]
+   },
+   "problemtype" : {
+      "problemtype_data" : [
+         {
+            "description" : [
+               {
+                  "lang" : "eng",
+                  "value" : "CWE-200"
+               }
+            ]
+         }
+      ]
+   },
+   "references" : {
+      "reference_data" : [
+         {
+            "url" : "https://www.postgresql.org/support/security/"
         }
      ]
   }
--- a/2017/16xxx/CVE-2017-16894.json
+++ b/2017/16xxx/CVE-2017-16894.json
@ -34,7 +34,7 @@
      "description_data" : [
         {
            "lang" : "eng",
-            "value" : "In Laravel framework through 5.5.21, remote attackers can obtain sensitive information (such as externally usable passwords) via a direct request for the /.env URI. The writeNewEnvironmentFileWith function in src/Illuminate/Foundation/Console/KeyGenerateCommand.php does not restrict the .env permissions."
+            "value" : "In Laravel framework through 5.5.21, remote attackers can obtain sensitive information (such as externally usable passwords) via a direct request for the /.env URI. NOTE: this CVE is only about Laravel framework's writeNewEnvironmentFileWith function in src/Illuminate/Foundation/Console/KeyGenerateCommand.php, which uses file_put_contents without restricting the .env permissions. The .env filename is not used exclusively by Laravel framework."
         }
      ]
   },