admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-08-04 08:44:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

"-Synchronized-Data."

Browse Source
This commit is contained in:
CVE Team 2023-06-06 19:00:41 +00:00
parent 00210b59f9
commit c8a598cff6
No known key found for this signature in database
GPG Key ID: E3252B3D49582C98
17 changed files with 980 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
2020/36xxx/CVE-2020-36567.json
View File

@ -39,8 +39,9 @@
"version": {
"version_data": [
{
"version_value": "0",
"version_affected": "="
"version_affected": "<",
"version_name": "0",
"version_value": "1.6.0"
}
]
}

71
2023/22xxx/CVE-2023-22833.json
View File

@ -1,17 +1,80 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-22833",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "cve-coordination@palantir.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Palantir discovered a software bug in a recently released version of Foundry\u2019s Lime2 service, one of the services backing the Ontology. The software bug has been fixed and the fix has been deployed to your hosted Foundry environment. The vulnerability allowed authenticated users within a Foundry organization to potentially bypass discretionary or mandatory access controls under certain circumstances."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "The product implements an authentication technique, but it skips a step that weakens the technique.",
"cweId": "CWE-304"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Palantir",
"product": {
"product_data": [
{
"product_name": "com.palantir.comments:comments",
"version": {
"version_data": [
{
"version_affected": "<=",
"version_name": "*",
"version_value": "2.248.0"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://palantir.safebase.us/?tcuUid=7f1fd834-805d-4679-85d0-9d779fa064ae",
"refsource": "MISC",
"name": "https://palantir.safebase.us/?tcuUid=7f1fd834-805d-4679-85d0-9d779fa064ae"
}
]
},
"source": {
"discovery": "INTERNAL",
"defect": [
"PLTRSEC-2023-17"
]
},
"impact": {
"cvss": [
{
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"baseSeverity": "HIGH",
"baseScore": 7.6
}
]
}

5
2023/29xxx/CVE-2023-29084.json
View File

@ -61,6 +61,11 @@
"refsource": "MISC",
"name": "https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2023-29084.html",
"url": "https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2023-29084.html"
},
{
"refsource": "MISC",
"name": "http://packetstormsecurity.com/files/172755/ManageEngine-ADManager-Plus-Command-Injection.html",
"url": "http://packetstormsecurity.com/files/172755/ManageEngine-ADManager-Plus-Command-Injection.html"
}
]
}

130
2023/2xxx/CVE-2023-2183.json
View File

@ -1,17 +1,139 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-2183",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security@grafana.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Grafana is an open-source platform for monitoring and observability. \n\nThe option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function.\n\nThis might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server.\n\nUsers may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix.\n\n"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284",
"cweId": "CWE-284"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Grafana",
"product": {
"product_data": [
{
"product_name": "Grafana",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "8.0.0",
"version_value": "8.5.26"
},
{
"version_affected": "<",
"version_name": "9.0.0",
"version_value": "9.2.19"
},
{
"version_affected": "<",
"version_name": "9.3.0",
"version_value": "9.3.15"
},
{
"version_affected": "<",
"version_name": "9.4.0",
"version_value": "9.4.12"
},
{
"version_affected": "<",
"version_name": "9.5.0",
"version_value": "9.5.3"
}
]
}
},
{
"product_name": "Grafana Enterprise",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "8.0.0",
"version_value": "8.5.26"
},
{
"version_affected": "<",
"version_name": "9.0.0",
"version_value": "9.2.19"
},
{
"version_affected": "<",
"version_name": "9.3.0",
"version_value": "9.3.15"
},
{
"version_affected": "<",
"version_name": "9.4.0",
"version_value": "9.4.12"
},
{
"version_affected": "<",
"version_name": "9.5.0",
"version_value": "9.5.3"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://grafana.com/security/security-advisories/cve-2023-2183/",
"refsource": "MISC",
"name": "https://grafana.com/security/security-advisories/cve-2023-2183/"
},
{
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3",
"refsource": "MISC",
"name": "https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3"
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
]
}

95
2023/2xxx/CVE-2023-2801.json
View File

@ -1,17 +1,104 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-2801",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security@grafana.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Grafana is an open-source platform for monitoring and observability. \n\nUsing public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance.\n\nThe only feature that uses mixed queries at the moment is public dashboards, but it's also possible to cause this by calling the query API directly.\n\nThis might enable malicious users to crash Grafana instances through that endpoint.\n\nUsers may upgrade to version 9.4.12 and 9.5.3 to receive a fix.\n\n"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-820",
"cweId": "CWE-820"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Grafana",
"product": {
"product_data": [
{
"product_name": "Grafana",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "9.4.0",
"version_value": "9.4.12"
},
{
"version_affected": "<",
"version_name": "9.5.0",
"version_value": "9.5.3"
}
]
}
},
{
"product_name": "Grafana Enterprise",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "9.4.0",
"version_value": "9.4.12"
},
{
"version_affected": "<",
"version_name": "9.5.0",
"version_value": "9.5.3"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://grafana.com/security/security-advisories/cve-2023-2801/",
"refsource": "MISC",
"name": "https://grafana.com/security/security-advisories/cve-2023-2801/"
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
]
}

5
2023/30xxx/CVE-2023-30868.json
View File

@ -74,6 +74,11 @@
"url": "https://patchstack.com/database/vulnerability/cms-tree-page-view/wordpress-cms-tree-page-view-plugin-1-6-7-cross-site-scripting-xss-vulnerability?_s_id=cve",
"refsource": "MISC",
"name": "https://patchstack.com/database/vulnerability/cms-tree-page-view/wordpress-cms-tree-page-view-plugin-1-6-7-cross-site-scripting-xss-vulnerability?_s_id=cve"
},
{
"url": "http://packetstormsecurity.com/files/172730/WordPress-Tree-Page-View-1.6.7-Cross-Site-Scripting.html",
"refsource": "MISC",
"name": "http://packetstormsecurity.com/files/172730/WordPress-Tree-Page-View-1.6.7-Cross-Site-Scripting.html"
}
]
},

101
2023/32xxx/CVE-2023-32682.json
View File

@ -1,17 +1,110 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-32682",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. In affected versions it may be possible for a deactivated user to login when using uncommon configurations. This only applies if any of the following are true: 1. JSON Web Tokens are enabled for login via the `jwt_config.enabled` configuration setting. 2. The local password database is enabled via the `password_config.enabled` and `password_config.localdb_enabled` configuration settings *and* a user's password is updated via an admin API after a user is deactivated. Note that the local password database is enabled by default, but it is uncommon to set a user's password after they've been deactivated. Installations that are configured to only allow login via Single Sign-On (SSO) via CAS, SAML or OpenID Connect (OIDC); or via an external password provider (e.g. LDAP) are not affected. If not using JSON Web Tokens, ensure that deactivated users do not have a password set. This issue has been addressed in version 1.85.0. Users are advised to upgrade."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication",
"cweId": "CWE-287"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "matrix-org",
"product": {
"product_data": [
{
"product_name": "synapse",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "< 1.85.0"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-26c5-ppr8-f33p",
"refsource": "MISC",
"name": "https://github.com/matrix-org/synapse/security/advisories/GHSA-26c5-ppr8-f33p"
},
{
"url": "https://github.com/matrix-org/synapse/pull/15624",
"refsource": "MISC",
"name": "https://github.com/matrix-org/synapse/pull/15624"
},
{
"url": "https://github.com/matrix-org/synapse/pull/15634",
"refsource": "MISC",
"name": "https://github.com/matrix-org/synapse/pull/15634"
},
{
"url": "https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#create-or-modify-account",
"refsource": "MISC",
"name": "https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#create-or-modify-account"
},
{
"url": "https://matrix-org.github.io/synapse/latest/jwt.html",
"refsource": "MISC",
"name": "https://matrix-org.github.io/synapse/latest/jwt.html"
},
{
"url": "https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config",
"refsource": "MISC",
"name": "https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config"
}
]
},
"source": {
"advisory": "GHSA-26c5-ppr8-f33p",
"discovery": "UNKNOWN"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
]
}

81
2023/32xxx/CVE-2023-32683.json
View File

@ -1,17 +1,90 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-32683",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the `url_preview_ip_range_blacklist` setting (by default this only allows public IPs) and by the limited information returned to the client: 1. For discovered oEmbed URLs, any non-JSON response or a JSON response which includes non-oEmbed information is discarded. 2. For discovered image URLs, any non-image response is discarded. Systems which have URL preview disabled (via the `url_preview_enabled` setting) or have not configured a `url_preview_url_blacklist` are not affected. This issue has been addressed in version 1.85.0. Users are advised to upgrade. User unable to upgrade may also disable URL previews."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863: Incorrect Authorization",
"cweId": "CWE-863"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "matrix-org",
"product": {
"product_data": [
{
"product_name": "synapse",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "< 1.85.0"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-98px-6486-j7qc",
"refsource": "MISC",
"name": "https://github.com/matrix-org/synapse/security/advisories/GHSA-98px-6486-j7qc"
},
{
"url": "https://github.com/matrix-org/synapse/pull/15601",
"refsource": "MISC",
"name": "https://github.com/matrix-org/synapse/pull/15601"
}
]
},
"source": {
"advisory": "GHSA-98px-6486-j7qc",
"discovery": "UNKNOWN"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
]
}

61
2023/33xxx/CVE-2023-33651.json
View File

@ -1,17 +1,66 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-33651",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2023-33651",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "An issue in the MVC Device Simulator of Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) v9.0 Initial Release to v13.0 Initial Release allows attackers to bypass authorization rules."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"url": "https://blog.assetnote.io/2023/05/10/sitecore-round-two/",
"refsource": "MISC",
"name": "https://blog.assetnote.io/2023/05/10/sitecore-round-two/"
},
{
"url": "https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1002925",
"refsource": "MISC",
"name": "https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1002925"
}
]
}

56
2023/33xxx/CVE-2023-33652.json
View File

@ -1,17 +1,61 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-33652",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2023-33652",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Sitecore Experience Platform (XP) v9.3 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /sitecore/shell/Invoke.aspx."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"url": "https://blog.assetnote.io/2023/05/10/sitecore-round-two/",
"refsource": "MISC",
"name": "https://blog.assetnote.io/2023/05/10/sitecore-round-two/"
}
]
}

56
2023/33xxx/CVE-2023-33653.json
View File

@ -1,17 +1,61 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-33653",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2023-33653",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Sitecore Experience Platform (XP) v9.3 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /Applications/Content%20Manager/Execute.aspx?cmd=convert&mode=HTML."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"url": "https://blog.assetnote.io/2023/05/10/sitecore-round-two/",
"refsource": "MISC",
"name": "https://blog.assetnote.io/2023/05/10/sitecore-round-two/"
}
]
}

81
2023/33xxx/CVE-2023-33957.json
View File

@ -1,17 +1,90 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-33957",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause denial of service of services on the machine, if a user runs notation inspect command on the same machine. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or above. Users are advised to upgrade. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Uncontrolled Resource Consumption",
"cweId": "CWE-400"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "notaryproject",
"product": {
"product_data": [
{
"product_name": "notation",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "< 1.0.0-rc.6"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/notaryproject/notation/security/advisories/GHSA-9m3v-v4r5-ppx7",
"refsource": "MISC",
"name": "https://github.com/notaryproject/notation/security/advisories/GHSA-9m3v-v4r5-ppx7"
},
{
"url": "https://github.com/notaryproject/notation/commit/ed22fde52f6d70ae0b53521bd28c9ccafa868c24",
"refsource": "MISC",
"name": "https://github.com/notaryproject/notation/commit/ed22fde52f6d70ae0b53521bd28c9ccafa868c24"
}
]
},
"source": {
"advisory": "GHSA-9m3v-v4r5-ppx7",
"discovery": "UNKNOWN"
},
"impact": {
"cvss": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:L",
"version": "3.1"
}
]
}

81
2023/33xxx/CVE-2023-33958.json
View File

@ -1,17 +1,90 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-33958",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause denial of service of services on the machine, if a user runs notation verify command on the same machine. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Uncontrolled Resource Consumption",
"cweId": "CWE-400"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "notaryproject",
"product": {
"product_data": [
{
"product_name": "notation",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "< 1.0.0-rc.6"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/notaryproject/notation/security/advisories/GHSA-rvrx-rrwh-r9p6",
"refsource": "MISC",
"name": "https://github.com/notaryproject/notation/security/advisories/GHSA-rvrx-rrwh-r9p6"
},
{
"url": "https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6",
"refsource": "MISC",
"name": "https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6"
}
]
},
"source": {
"advisory": "GHSA-rvrx-rrwh-r9p6",
"discovery": "UNKNOWN"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
]
}

76
2023/33xxx/CVE-2023-33959.json
View File

@ -1,17 +1,85 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-33959",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-347: Improper Verification of Cryptographic Signature",
"cweId": "CWE-347"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "notaryproject",
"product": {
"product_data": [
{
"product_name": "notation-go",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "< 1.0.0-rc.6"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-xhg5-42rf-296r",
"refsource": "MISC",
"name": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-xhg5-42rf-296r"
}
]
},
"source": {
"advisory": "GHSA-xhg5-42rf-296r",
"discovery": "UNKNOWN"
},
"impact": {
"cvss": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
]
}

96
2023/33xxx/CVE-2023-33977.json
View File

@ -1,17 +1,105 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-33977",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded and Content-Security-Policy definition to prevent cross-site-scripting attacks. The upload validation checks were not 100% robust which left the possibility to circumvent them and upload a potentially dangerous file which allows execution of arbitrary JavaScript in the browser. Additionally we've discovered that Nginx's `proxy_pass` directive will strip some headers negating protections built into Kiwi TCMS when served behind a reverse proxy. This issue has been addressed in version 12.4. Users are advised to upgrade. Users unable to upgrade who are serving Kiwi TCMS behind a reverse proxy should make sure that additional header values are still passed to the client browser. If they aren't redefining them inside the proxy configuration."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"cweId": "CWE-79"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "kiwitcms",
"product": {
"product_data": [
{
"product_name": "Kiwi",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "< 12.4"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2fqm-m4r2-fh98",
"refsource": "MISC",
"name": "https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2fqm-m4r2-fh98"
},
{
"url": "https://github.com/kiwitcms/Kiwi/commit/d789f4b51025de4f8c747c037d02e1b0da80b034",
"refsource": "MISC",
"name": "https://github.com/kiwitcms/Kiwi/commit/d789f4b51025de4f8c747c037d02e1b0da80b034"
},
{
"url": "https://github.com/kiwitcms/Kiwi/blob/master/etc/nginx.conf#L66-L68",
"refsource": "MISC",
"name": "https://github.com/kiwitcms/Kiwi/blob/master/etc/nginx.conf#L66-L68"
},
{
"url": "https://github.com/kiwitcms/Kiwi/blob/master/etc/nginx.conf#L87",
"refsource": "MISC",
"name": "https://github.com/kiwitcms/Kiwi/blob/master/etc/nginx.conf#L87"
},
{
"url": "https://huntr.dev/bounties/6aea9a26-e29a-467b-aa5a-f767f0c2ec96/",
"refsource": "MISC",
"name": "https://huntr.dev/bounties/6aea9a26-e29a-467b-aa5a-f767f0c2ec96/"
}
]
},
"source": {
"advisory": "GHSA-2fqm-m4r2-fh98",
"discovery": "UNKNOWN"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
]
}

18
2023/3xxx/CVE-2023-3129.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-3129",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2023/3xxx/CVE-2023-3130.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-3130",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}