From 3bed1259f75aded8936f3cb29ef1f2466582090c Mon Sep 17 00:00:00 2001 From: "Mark J. Cox" Date: Sat, 11 Sep 2021 11:59:40 +0100 Subject: [PATCH] Add Any23 issues --- 2021/38xxx/CVE-2021-38555.json | 77 ++++++++++++++++++++++++++++++---- 2021/40xxx/CVE-2021-40146.json | 75 +++++++++++++++++++++++++++++---- 2 files changed, 138 insertions(+), 14 deletions(-) diff --git a/2021/38xxx/CVE-2021-38555.json b/2021/38xxx/CVE-2021-38555.json index 06a2a002432..967e36265dc 100644 --- a/2021/38xxx/CVE-2021-38555.json +++ b/2021/38xxx/CVE-2021-38555.json @@ -1,18 +1,81 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "security@apache.org", "ID": "CVE-2021-38555", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "An XML external entity (XXE) injection vulnerability exists in Apache Any23 StreamUtils.java" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Apache Any23", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "Apache Any23", + "version_value": "2.5" + } + ] + } + } + ] + }, + "vendor_name": "Apache Software Foundation" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "The Apache Any23 Project Management Committee would like to thank Zhuxuan Wu for reporting the security vulnerability." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access." } ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": [ + { + "other": "critical" + } + ], + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "XML external entity (XXE) injection vulnerability" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "CONFIRM", + "url": "https://lists.apache.org/thread.html/r589d1a9f94dbeee7a0f5dbe8513a0e300dfe669bd964ba2fbfe28e07%40%3Cannounce.apache.org%3E" + } + ] + }, + "source": { + "discovery": "UNKNOWN" } -} \ No newline at end of file +} diff --git a/2021/40xxx/CVE-2021-40146.json b/2021/40xxx/CVE-2021-40146.json index 460775c95a6..4932d4e390a 100644 --- a/2021/40xxx/CVE-2021-40146.json +++ b/2021/40xxx/CVE-2021-40146.json @@ -1,18 +1,79 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "security@apache.org", "ID": "CVE-2021-40146", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "A Remote Code Execution (RCE) vulnerability exists in Apache Any23 YAMLExtractor.java" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Apache Any23", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "Apache Any23", + "version_value": "2.5" + } + ] + } + } + ] + }, + "vendor_name": "Apache Software Foundation" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "The Apache Any23 Project Management Committee would like to thank Zhuxuan Wu for reporting the security vulnerability." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A Remote Code Execution (RCE) vulnerability was discovered in the Any23 YAMLExtractor.java file and is known to affect Any23 versions < 2.5. RCE vulnerabilities allow a malicious actor to execute any code of their choice on a remote machine over LAN, WAN, or internet. RCE belongs to the broader class of arbitrary code execution (ACE) vulnerabilities." } ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": [ + {} + ], + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Remote Code Execution (RCE)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "CONFIRM", + "url": "https://lists.apache.org/thread.html/r7c521ed85c7ae1bad4fdf95b459f2aaa8a67eae338636b7b7ec35d86%40%3Cannounce.apache.org%3E" + } + ] + }, + "source": { + "discovery": "UNKNOWN" } -} \ No newline at end of file +}