From c2a6bea885034ab739e2b9b6dfdac820bc56b0cb Mon Sep 17 00:00:00 2001 From: CVE Team Date: Tue, 17 Dec 2024 23:00:54 +0000 Subject: [PATCH] "-Synchronized-Data." --- 2024/10xxx/CVE-2024-10973.json | 111 +++++++++++++++++++++++++++++++-- 2024/9xxx/CVE-2024-9779.json | 100 +++++++++++++++++++++++++++-- 2 files changed, 203 insertions(+), 8 deletions(-) diff --git a/2024/10xxx/CVE-2024-10973.json b/2024/10xxx/CVE-2024-10973.json index b2e2ba1fe1d..e2895fe1cf2 100644 --- a/2024/10xxx/CVE-2024-10973.json +++ b/2024/10xxx/CVE-2024-10973.json @@ -1,17 +1,120 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-10973", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "secalert@redhat.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A vulnerability was found in Keycloak. The environment option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the JGroups replication configuration is always used in plain text which can allow an attacker that has access to adjacent networks related to JGroups to read sensitive information." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cleartext Transmission of Sensitive Information", + "cweId": "CWE-319" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Red Hat", + "product": { + "product_data": [ + { + "product_name": "Red Hat Build of Keycloak", + "version": { + "version_data": [ + { + "version_value": "not down converted", + "x_cve_json_5_version_data": { + "defaultStatus": "unaffected" + } + } + ] + } + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 8", + "version": { + "version_data": [ + { + "version_value": "not down converted", + "x_cve_json_5_version_data": { + "defaultStatus": "unaffected" + } + } + ] + } + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack", + "version": { + "version_data": [ + { + "version_value": "not down converted", + "x_cve_json_5_version_data": { + "defaultStatus": "unaffected" + } + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://access.redhat.com/security/cve/CVE-2024-10973", + "refsource": "MISC", + "name": "https://access.redhat.com/security/cve/CVE-2024-10973" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2324361", + "refsource": "MISC", + "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2324361" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Red Hat would like to thank philliphnguyen for reporting this issue." + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.7, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "version": "3.1" } ] } diff --git a/2024/9xxx/CVE-2024-9779.json b/2024/9xxx/CVE-2024-9779.json index d90f97234eb..ee860fcb645 100644 --- a/2024/9xxx/CVE-2024-9779.json +++ b/2024/9xxx/CVE-2024-9779.json @@ -1,17 +1,109 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-9779", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "secalert@redhat.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name \"cluster-manager\" which is bound to a ClusterRole also named \"cluster-manager\", which includes the permission to create Pod resources. If this deployment runs a pod on an attacker-controlled node, the attacker can obtain the cluster-manager's token and steal any service account token by creating and mounting the target service account to control the whole cluster." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Trust Boundary Violation", + "cweId": "CWE-501" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Red Hat", + "product": { + "product_data": [ + { + "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", + "version": { + "version_data": [ + { + "version_value": "not down converted", + "x_cve_json_5_version_data": { + "defaultStatus": "unaffected" + } + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://access.redhat.com/security/cve/CVE-2024-9779", + "refsource": "MISC", + "name": "https://access.redhat.com/security/cve/CVE-2024-9779" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2317916", + "refsource": "MISC", + "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2317916" + }, + { + "url": "https://github.com/open-cluster-management-io/ocm/pull/325", + "refsource": "MISC", + "name": "https://github.com/open-cluster-management-io/ocm/pull/325" + }, + { + "url": "https://github.com/open-cluster-management-io/ocm/releases/tag/v0.13.0", + "refsource": "MISC", + "name": "https://github.com/open-cluster-management-io/ocm/releases/tag/v0.13.0" + }, + { + "url": "https://github.com/open-cluster-management-io/registration-operator/issues/361", + "refsource": "MISC", + "name": "https://github.com/open-cluster-management-io/registration-operator/issues/361" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Red Hat would like to thank Nanzi Yang and Xingyu Liu for reporting this issue." + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "LOW", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N", + "version": "3.1" } ] }