admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-07-29 05:56:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

"-Synchronized-Data."

Browse Source
This commit is contained in:
CVE Team 2023-08-24 02:00:33 +00:00
parent d4edcdae7d
commit c3f3995310
No known key found for this signature in database
GPG Key ID: E3252B3D49582C98
3 changed files with 236 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
2023/32xxx/CVE-2023-32559.json
View File

@ -1,17 +1,73 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-32559",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "support@hackerone.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Node.js",
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_affected": "<=",
"version_name": "20.5.0",
"version_value": "20.5.0"
},
{
"version_affected": "<=",
"version_name": "18.17.0",
"version_value": "18.17.0"
},
{
"version_affected": "<=",
"version_name": "16.20.1",
"version_value": "16.20.1"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://hackerone.com/reports/1946470",
"refsource": "MISC",
"name": "https://hackerone.com/reports/1946470"
}
]
}

90
2023/40xxx/CVE-2023-40572.json
View File

@ -1,17 +1,99 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-40572",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The create action is vulnerable to a CSRF attack, allowing script and thus remote code execution when targeting a user with script/programming right, thus compromising the confidentiality, integrity and availability of the whole XWiki installation. When a user with script right views this image and a log message `ERROR foo - Script executed!` appears in the log, the XWiki installation is vulnerable. This has been patched in XWiki 14.10.9 and 15.4RC1 by requiring a CSRF token for the actual page creation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352: Cross-Site Request Forgery (CSRF)",
"cweId": "CWE-352"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "xwiki",
"product": {
"product_data": [
{
"product_name": "xwiki-platform",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": ">= 3.2-milestone-3, < 14.10.9"
},
{
"version_affected": "=",
"version_value": ">= 15.0-rc-1, < 15.4-rc-1"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4f8m-7h83-9f6m",
"refsource": "MISC",
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4f8m-7h83-9f6m"
},
{
"url": "https://github.com/xwiki/xwiki-platform/commit/4b20528808d0c311290b0d9ab2cfc44063380ef7",
"refsource": "MISC",
"name": "https://github.com/xwiki/xwiki-platform/commit/4b20528808d0c311290b0d9ab2cfc44063380ef7"
},
{
"url": "https://jira.xwiki.org/browse/XWIKI-20849",
"refsource": "MISC",
"name": "https://jira.xwiki.org/browse/XWIKI-20849"
}
]
},
"source": {
"advisory": "GHSA-4f8m-7h83-9f6m",
"discovery": "UNKNOWN"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
]
}

94
2023/40xxx/CVE-2023-40573.json
View File

@ -1,17 +1,103 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-40573",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki supports scheduled jobs that contain Groovy scripts. Currently, the job checks the content author of the job for programming right. However, modifying or adding a job script to a document doesn't modify the content author. Together with a CSRF vulnerability in the job scheduler, this can be exploited for remote code execution by an attacker with edit right on the wiki. If the attack is successful, an error log entry with \"Job content executed\" will be produced. This vulnerability has been patched in XWiki 14.10.9 and 15.4RC1."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284: Improper Access Control",
"cweId": "CWE-284"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "xwiki",
"product": {
"product_data": [
{
"product_name": "xwiki-platform",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "< 14.10.9"
},
{
"version_affected": "=",
"version_value": ">= 1.3"
},
{
"version_affected": "=",
"version_value": ">= 15.0-rc-1, < 15.4-rc-1"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8xhr-x3v8-rghj",
"refsource": "MISC",
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8xhr-x3v8-rghj"
},
{
"url": "https://github.com/xwiki/xwiki-platform/commit/fcdcfed3fe2e8a3cad66ae0610795a2d58ab9662",
"refsource": "MISC",
"name": "https://github.com/xwiki/xwiki-platform/commit/fcdcfed3fe2e8a3cad66ae0610795a2d58ab9662"
},
{
"url": "https://jira.xwiki.org/browse/XWIKI-20852",
"refsource": "MISC",
"name": "https://jira.xwiki.org/browse/XWIKI-20852"
}
]
},
"source": {
"advisory": "GHSA-8xhr-x3v8-rghj",
"discovery": "UNKNOWN"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
]
}