From bf80c9484b268a3bb1e66171acbde9ee7c1e7aca Mon Sep 17 00:00:00 2001 From: CVE Team Date: Fri, 7 Feb 2025 08:00:32 +0000 Subject: [PATCH] "-Synchronized-Data." --- 2025/22xxx/CVE-2025-22880.json | 92 ++++++++++++++++++++++++++++++++-- 2025/23xxx/CVE-2025-23085.json | 79 +++++++++++++++++++++++++++-- 2 files changed, 163 insertions(+), 8 deletions(-) diff --git a/2025/22xxx/CVE-2025-22880.json b/2025/22xxx/CVE-2025-22880.json index b4a48db040f..2635943b950 100644 --- a/2025/22xxx/CVE-2025-22880.json +++ b/2025/22xxx/CVE-2025-22880.json @@ -1,17 +1,101 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-22880", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "Delta.PSIRT@deltaww.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Delta Electronics CNCSoft-G2 lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. If a target visits a malicious page or opens a malicious file an attacker can leverage this vulnerability to execute code in the context of the current process." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-122 Heap-based Buffer Overflow", + "cweId": "CWE-122" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Delta Electronics", + "product": { + "product_data": [ + { + "product_name": "CNCSoft-G2", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "0", + "version_value": "2.1.0.20" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00002_CNCSoft-G2%20-%20Heap-based%20Buffer%20Overflow_v1.pdf", + "refsource": "MISC", + "name": "https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00002_CNCSoft-G2%20-%20Heap-based%20Buffer%20Overflow_v1.pdf" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "EXTERNAL" + }, + "solution": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "Delta Electronics recommends users update to CNCSoft-G2 V2.1.0.20 or later.\n\n
" + } + ], + "value": "Delta Electronics recommends users update to CNCSoft-G2 V2.1.0.20 https://downloadcenter.deltaww.com/en-US/DownloadCenter \u00a0or later." + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" } ] } diff --git a/2025/23xxx/CVE-2025-23085.json b/2025/23xxx/CVE-2025-23085.json index fdeea3ada10..792da94e32d 100644 --- a/2025/23xxx/CVE-2025-23085.json +++ b/2025/23xxx/CVE-2025-23085.json @@ -1,17 +1,88 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-23085", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "support@hackerone.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions.\r\n\r\nThis vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "nodejs", + "product": { + "product_data": [ + { + "product_name": "node", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "18.20.5", + "version_value": "18.20.5" + }, + { + "version_affected": "<=", + "version_name": "20.18.1", + "version_value": "20.18.1" + }, + { + "version_affected": "<=", + "version_name": "22.13.0", + "version_value": "22.13.0" + }, + { + "version_affected": "<=", + "version_name": "23.6.0", + "version_value": "23.6.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://nodejs.org/en/blog/vulnerability/january-2025-security-releases", + "refsource": "MISC", + "name": "https://nodejs.org/en/blog/vulnerability/january-2025-security-releases" + } + ] + }, + "impact": { + "cvss": [ + { + "version": "3.0", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "baseScore": 5.3, + "baseSeverity": "MEDIUM" } ] }