From c565901ad4c7b88fb0a63970e2053ccc44f3548c Mon Sep 17 00:00:00 2001
From: CVE Team
Date: Thu, 29 Feb 2024 11:00:32 +0000
Subject: [PATCH] "-Synchronized-Data."
---
2024/1xxx/CVE-2024-1942.json | 137 +++++++++++++++++++++++++++++-
2024/1xxx/CVE-2024-1949.json | 129 ++++++++++++++++++++++++++++-
2024/1xxx/CVE-2024-1952.json | 119 +++++++++++++++++++++++++-
2024/1xxx/CVE-2024-1953.json | 147 ++++++++++++++++++++++++++++++++-
2024/23xxx/CVE-2024-23897.json | 29 ++++---
2024/23xxx/CVE-2024-23898.json | 29 ++++---
2024/2xxx/CVE-2024-2003.json | 18 ++++
7 files changed, 568 insertions(+), 40 deletions(-)
create mode 100644 2024/2xxx/CVE-2024-2003.json
diff --git a/2024/1xxx/CVE-2024-1942.json b/2024/1xxx/CVE-2024-1942.json
index 69653d1eb1b..49d1875c306 100644
--- a/2024/1xxx/CVE-2024-1942.json
+++ b/2024/1xxx/CVE-2024-1942.json
@@ -1,17 +1,146 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-1942", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "responsibledisclosure@mattermost.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under specific conditions, which allows an authenticated attacker to access the contents of individual posts in channels they are not a member of.\n\n" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-284: Improper Access Control", + "cweId": "CWE-284" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Mattermost", + "product": { + "product_data": [ + { + "product_name": "Mattermost", + "version": { + "version_data": [ + { + "version_value": "not down converted", + "x_cve_json_5_version_data": { + "versions": [ + { + "lessThanOrEqual": "9.2.4", + "status": "affected", + "version": "9.2.0", + "versionType": "semver" + }, + { + "lessThanOrEqual": "8.1.8", + "status": "affected", + "version": "8.1.0", + "versionType": "semver" + }, + { + "status": "affected", + "version": "9.3.0" + }, + { + "status": "unaffected", + "version": "9.4" + }, + { + "status": "unaffected", + "version": "9.3.1" + }, + { + "status": "unaffected", + "version": "9.2.5" + }, + { + "status": "unaffected", + "version": "8.1.9" + } + ], + "defaultStatus": "unaffected" + } + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": 
"https://mattermost.com/security-updates", + "refsource": "MISC", + "name": "https://mattermost.com/security-updates" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.1.0-dev" + }, + "source": { + "advisory": "MMSA-2023-00283", + "defect": [ + "https://mattermost.atlassian.net/browse/MM-55495" + ], + "discovery": "INTERNAL" + }, + "solution": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "

Update Mattermost Server to versions 9.4, 9.3.1, 9.2.5, 8.1.9 or higher.

" + } + ], + "value": "Update Mattermost Server to versions 9.4, 9.3.1, 9.2.5, 8.1.9 or higher.\n\n" + } + ], + "credits": [ + { + "lang": "en", + "value": "Juho Nurminen" + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", + "version": "3.1" } ] } diff --git a/2024/1xxx/CVE-2024-1949.json b/2024/1xxx/CVE-2024-1949.json index bba1414163e..57208ca19f9 100644 --- a/2024/1xxx/CVE-2024-1949.json +++ b/2024/1xxx/CVE-2024-1949.json 
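Review bot: The `supportingMedia` value in the added `solution` block appears here with raw line breaks inside the JSON string (the lines between `"value": "` and the closing `"` before `}`), which an RFC 8259 parser rejects. If that is only this page rendering HTML markup that the stored string contains, nothing needs to change; if the stored string really holds literal newlines, they must be escaped as `\n`, as the sibling plain `value` already does with `\n\n`. The same pattern appears in the CVE-2024-1949, CVE-2024-1952 and CVE-2024-1953 hunks of this commit. Separately, the `{ "status": "affected", "version": "9.3.0" }` entry is the only affected entry without `"versionType": "semver"`; the 5.x schema appears to require `versionType` only alongside `lessThan`/`lessThanOrEqual`, but adding it keeps the list uniform (CVE-2024-1953 carries the same bare entry).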
@@ -1,17 +1,138 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-1949", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "responsibledisclosure@mattermost.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A race condition in Mattermost versions 8.1.x before 8.1.9, and 9.4.x before 9.4.2 allows an authenticated attacker to gain unauthorized access to individual posts' contents via carefully timed post creation while another user deletes posts.\n\n" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", + "cweId": "CWE-200" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Mattermost", + "product": { + "product_data": [ + { + "product_name": "Mattermost", + "version": { + "version_data": [ + { + "version_value": "not down converted", + "x_cve_json_5_version_data": { + "versions": [ + { + "lessThanOrEqual": "8.1.8", + "status": "affected", + "version": "8.1.0", + "versionType": "semver" + }, + { + "lessThanOrEqual": "9.4.1", + "status": "affected", + "version": "9.4.0", + "versionType": "semver" + }, + { + "status": "unaffected", + "version": "9.5" + }, + { + "status": "unaffected", + "version": "9.4.2" + }, + { + "status": "unaffected", + "version": "8.1.9" + } + ], + "defaultStatus": "unaffected" + } + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://mattermost.com/security-updates", + "refsource": "MISC", + "name": "https://mattermost.com/security-updates" + } + ] + 
}, + "generator": { + "engine": "Vulnogram 0.1.0-dev" + }, + "source": { + "advisory": "MMSA-2023-00267", + "defect": [ + "https://mattermost.atlassian.net/browse/MM-53642" + ], + "discovery": "INTERNAL" + }, + "solution": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "

Update Mattermost Server to versions 9.5 ( 2024), 9.4.2, 8.1.9 or higher.

" + } + ], + "value": "Update Mattermost Server to versions 9.5 ( 2024), 9.4.2, 8.1.9 or higher.\n\n" + } + ], + "credits": [ + { + "lang": "en", + "value": "Agniva De Sarker" + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 2.6, + "baseSeverity": "LOW", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N", + "version": "3.1" } ] } diff --git a/2024/1xxx/CVE-2024-1952.json b/2024/1xxx/CVE-2024-1952.json index 78539320378..502ea6d5df0 100644 --- a/2024/1xxx/CVE-2024-1952.json +++ b/2024/1xxx/CVE-2024-1952.json 
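Review bot: The solution string `Update Mattermost Server to versions 9.5 ( 2024), 9.4.2, 8.1.9 or higher.` contains a parenthetical `( 2024)` with nothing before the year, and it reads the same in both the HTML `supportingMedia` value and the plain `value`, so it looks like a word dropped in the source data rather than a rendering artifact. Either complete the parenthetical or drop it; every other solution string in this commit lists versions only, so the consistent form would be `Update Mattermost Server to versions 9.5, 9.4.2, 8.1.9 or higher.` in both places. As written it can be read as a release-date placeholder for a version that may not exist yet, which matters for anyone acting on the fix guidance.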
@@ -1,17 +1,128 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-1952", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "responsibledisclosure@mattermost.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Mattermost version 8.1.x before 8.1.9 fails to sanitize data associated with permalinks when a plugin updates an ephemeral post, allowing an authenticated attacker who can control the ephemeral post update to access individual posts' contents in channels they are not a member of.\n\n" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", + "cweId": "CWE-200" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Mattermost", + "product": { + "product_data": [ + { + "product_name": "Mattermost", + "version": { + "version_data": [ + { + "version_value": "not down converted", + "x_cve_json_5_version_data": { + "versions": [ + { + "lessThanOrEqual": "8.1.8", + "status": "affected", + "version": "8.1.0", + "versionType": "semver" + }, + { + "status": "unaffected", + "version": "9.4" + }, + { + "status": "unaffected", + "version": "8.1.9" + } + ], + "defaultStatus": "unaffected" + } + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://mattermost.com/security-updates", + "refsource": "MISC", + "name": "https://mattermost.com/security-updates" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.1.0-dev" + }, + "source": { + "advisory": "MMSA-2023-00265", + "defect": [ + 
"https://mattermost.atlassian.net/browse/MM-53180" + ], + "discovery": "EXTERNAL" + }, + "solution": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "

Update Mattermost Server to versions 9.4, 8.1.9 or higher.

" + } + ], + "value": "Update Mattermost Server to versions 9.4, 8.1.9 or higher.\n\n" + } + ], + "credits": [ + { + "lang": "en", + "value": "Juho Nurminen" + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 3.1, + "baseSeverity": "LOW", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", + "version": "3.1" } ] } diff --git a/2024/1xxx/CVE-2024-1953.json b/2024/1xxx/CVE-2024-1953.json index 1f58f5ed330..3fe4110f2a6 100644 --- a/2024/1xxx/CVE-2024-1953.json +++ b/2024/1xxx/CVE-2024-1953.json 
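Review bot: The added `source` block records `"discovery": "EXTERNAL"` while the `credits` entry names `Juho Nurminen`, and the CVE-2024-1942 record in this same commit credits the same name with `"discovery": "INTERNAL"`. A reporter can be internal for one finding and external for another, but the pair is inconsistent enough that one of the two discovery values is probably a data-entry slip and should be confirmed with the assigner. Nothing else in the hunk depends on it, so the fix is a single value change in whichever record is wrong.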
@@ -1,17 +1,156 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-1953", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "responsibledisclosure@mattermost.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP request.\n\n" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-400: Uncontrolled Resource Consumption", + "cweId": "CWE-400" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Mattermost", + "product": { + "product_data": [ + { + "product_name": "Mattermost", + "version": { + "version_data": [ + { + "version_value": "not down converted", + "x_cve_json_5_version_data": { + "versions": [ + { + "lessThanOrEqual": "9.4.1", + "status": "affected", + "version": "9.4.0", + "versionType": "semver" + }, + { + "status": "affected", + "version": "9.3.0" + }, + { + "lessThanOrEqual": "9.2.4", + "status": "affected", + "version": "9.2.0", + "versionType": "semver" + }, + { + "lessThanOrEqual": "8.1.8", + "status": "affected", + "version": "8.1.0", + "versionType": "semver" + }, + { + "status": "unaffected", + "version": "9.5" + }, + { + "status": "unaffected", + "version": "9.4.2" + }, + { + "status": "unaffected", + "version": "9.3.1" + }, + { + "status": "unaffected", + "version": "9.2.5" + }, + { + "status": 
"unaffected", + "version": "8.1.9" + } + ], + "defaultStatus": "unaffected" + } + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://mattermost.com/security-updates", + "refsource": "MISC", + "name": "https://mattermost.com/security-updates" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.1.0-dev" + }, + "source": { + "advisory": "MMSA-2023-00273", + "defect": [ + "https://mattermost.atlassian.net/browse/MM-55093" + ], + "discovery": "EXTERNAL" + }, + "solution": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "

Update Mattermost Server to versions 9.5, 9.4.2, 9.3.1, 9.2.5, 8.1.9, or higher.

" + } + ], + "value": "Update Mattermost Server to versions 9.5, 9.4.2, 9.3.1, 9.2.5, 8.1.9, or higher.\n\n" + } + ], + "credits": [ + { + "lang": "en", + "value": "vultza" + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 4.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "version": "3.1" } ] } diff --git a/2024/23xxx/CVE-2024-23897.json b/2024/23xxx/CVE-2024-23897.json index 6ea4167d131..5d59f4a2446 100644 --- a/2024/23xxx/CVE-2024-23897.json +++ b/2024/23xxx/CVE-2024-23897.json @@ -43,28 +43,28 @@ "x_cve_json_5_version_data": { "versions": [ { - "version": "0", - "versionType": "maven", "lessThan": "1.606", - "status": "unaffected" + "status": "unaffected", + "version": "0", + "versionType": "maven" }, { - "version": "2.442", - "versionType": "maven", "lessThan": "*", - "status": "unaffected" + "status": "unaffected", + "version": "2.442", + "versionType": "maven" }, { - "version": "2.426.3", - "versionType": "maven", "lessThan": "2.426.*", - "status": "unaffected" + "status": "unaffected", + "version": "2.426.3", + "versionType": "maven" }, { - "version": "2.440.1", - "versionType": "maven", "lessThan": "2.440.*", - "status": "unaffected" + "status": "unaffected", + "version": "2.440.1", + "versionType": "maven" } ], "defaultStatus": "affected" @@ -86,6 +86,11 @@ "refsource": "MISC", "name": "https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314" }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/01/24/6", + "refsource": "MISC", + "name": "http://www.openwall.com/lists/oss-security/2024/01/24/6" + }, { "url": "http://packetstormsecurity.com/files/176839/Jenkins-2.441-LTS-2.426.3-CVE-2024-23897-Scanner.html", "refsource": "MISC", 
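Review bot: The description says the server will `run out of memory and crash`, yet the added `impact.cvss` entry scores `"availabilityImpact": "LOW"` with vector `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L`. A reproducible crash of the whole service is normally scored A:H, which with the rest of this vector gives a base score of 6.5 rather than 4.3. If the vendor rated availability LOW deliberately (for instance because the process is restarted by a supervisor), the record is fine as is; otherwise `availabilityImpact`, `vectorString`, `baseScore` and `baseSeverity` should be revisited together so they do not drift apart. Consumers triaging by score alone would otherwise under-prioritize a remote, low-privilege denial of service.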
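Review bot: The reference added in the second hunk, `http://www.openwall.com/lists/oss-security/2024/01/24/6`, uses plain `http://` in both `url` and `name`, although the oss-security archive is served over HTTPS. A plain-HTTP link in a vulnerability record can be altered in transit for anyone who follows it, so `https://www.openwall.com/lists/oss-security/2024/01/24/6` is the safer form; the same reference is added in the CVE-2024-23898 hunk. If the string must mirror what the upstream feed supplied, leave it here and correct it at the source. The first hunk only reorders keys inside each `versions` entry and needs no change.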
diff --git a/2024/23xxx/CVE-2024-23898.json b/2024/23xxx/CVE-2024-23898.json index 871f107c3cb..a8d2ebd0baa 100644 --- a/2024/23xxx/CVE-2024-23898.json +++ b/2024/23xxx/CVE-2024-23898.json @@ -43,28 +43,28 @@ "x_cve_json_5_version_data": { "versions": [ { - "version": "0", - "versionType": "maven", "lessThan": "2.217", - "status": "unaffected" + "status": "unaffected", + "version": "0", + "versionType": "maven" }, { - "version": "2.442", - "versionType": "maven", "lessThan": "*", - "status": "unaffected" + "status": "unaffected", + "version": "2.442", + "versionType": "maven" }, { - "version": "2.426.3", - "versionType": "maven", "lessThan": "2.426.*", - "status": "unaffected" + "status": "unaffected", + "version": "2.426.3", + "versionType": "maven" }, { - "version": "2.440.1", - "versionType": "maven", "lessThan": "2.440.*", - "status": "unaffected" + "status": "unaffected", + "version": "2.440.1", + "versionType": "maven" } ], "defaultStatus": "affected" @@ -85,6 +85,11 @@ "url": "https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3315", "refsource": "MISC", "name": "https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3315" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/01/24/6", + "refsource": "MISC", + "name": "http://www.openwall.com/lists/oss-security/2024/01/24/6" } ] } diff --git a/2024/2xxx/CVE-2024-2003.json b/2024/2xxx/CVE-2024-2003.json new file mode 100644 index 00000000000..e7f75b89a34 --- /dev/null +++ b/2024/2xxx/CVE-2024-2003.json 
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-2003",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file