admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-07-29 05:56:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

"-Synchronized-Data."

Browse Source
This commit is contained in:
CVE Team 2024-01-23 00:00:32 +00:00
parent 29b247bb99
commit cc741268bd
No known key found for this signature in database
GPG Key ID: E3252B3D49582C98
3 changed files with 283 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
2024/23xxx/CVE-2024-23340.json
View File

@ -1,17 +1,95 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-23340",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with `url` behavior that is unexpected. In the standard API, if the URL contains `..`, here called \"double dots\", the URL string returned by Request will be in the resolved path. However, the `url` in @hono/node-server's Request as does not resolve double dots, so `http://localhost/static/.. /foo.txt` is returned. This causes vulnerabilities when using `serveStatic`. Modern web browsers and a latest `curl` command resolve double dots on the client side, so this issue doesn't affect those using either of those tools. However, problems may occur if accessed by a client that does not resolve them. Version 1.4.1 includes the change to fix this issue. As a workaround, don't use `serveStatic`.\n\n"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
"cweId": "CWE-22"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "honojs",
"product": {
"product_data": [
{
"product_name": "node-server",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": ">= 1.3.0, < 1.4.1"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359",
"refsource": "MISC",
"name": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359"
},
{
"url": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402",
"refsource": "MISC",
"name": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402"
},
{
"url": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45",
"refsource": "MISC",
"name": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45"
}
]
},
"source": {
"advisory": "GHSA-rjq5-w47x-x359",
"discovery": "UNKNOWN"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
]
}

109
2024/23xxx/CVE-2024-23342.json
View File

@ -1,17 +1,118 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-23342",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-203: Observable Discrepancy",
"cweId": "CWE-203"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-208: Observable Timing Discrepancy",
"cweId": "CWE-208"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-385: Covert Timing Channel",
"cweId": "CWE-385"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "tlsfuzzer",
"product": {
"product_data": [
{
"product_name": "python-ecdsa",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "<= 0.18.0"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp",
"refsource": "MISC",
"name": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp"
},
{
"url": "https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md",
"refsource": "MISC",
"name": "https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md"
},
{
"url": "https://minerva.crocs.fi.muni.cz/",
"refsource": "MISC",
"name": "https://minerva.crocs.fi.muni.cz/"
},
{
"url": "https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/",
"refsource": "MISC",
"name": "https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/"
}
]
},
"source": {
"advisory": "GHSA-wj6h-64fc-37mp",
"discovery": "UNKNOWN"
},
"impact": {
"cvss": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
]
}

100
2024/23xxx/CVE-2024-23345.json
View File

@ -1,17 +1,109 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-23345",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "security-advisories@github.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted by a cross-site scripting vulnerability. Due to inadequate input sanitization, any user-editable fields that support Markdown rendering, including are potentially susceptible to cross-site scripting (XSS) attacks via maliciously crafted data. This issue is fixed in Nautobot versions 1.6.10 and 2.1.2."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"cweId": "CWE-79"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "nautobot",
"product": {
"product_data": [
{
"product_name": "nautobot",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": ">= 2.0.0, < 2.1.2"
},
{
"version_affected": "=",
"version_value": "< 1.6.10"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-v4xv-795h-rv4h",
"refsource": "MISC",
"name": "https://github.com/nautobot/nautobot/security/advisories/GHSA-v4xv-795h-rv4h"
},
{
"url": "https://github.com/nautobot/nautobot/pull/5133",
"refsource": "MISC",
"name": "https://github.com/nautobot/nautobot/pull/5133"
},
{
"url": "https://github.com/nautobot/nautobot/pull/5134",
"refsource": "MISC",
"name": "https://github.com/nautobot/nautobot/pull/5134"
},
{
"url": "https://github.com/nautobot/nautobot/commit/17effcbe84a72150c82b138565c311bbee357e80",
"refsource": "MISC",
"name": "https://github.com/nautobot/nautobot/commit/17effcbe84a72150c82b138565c311bbee357e80"
},
{
"url": "https://github.com/nautobot/nautobot/commit/64312a4297b5ca49b6cdedf477e41e8e4fd61cce",
"refsource": "MISC",
"name": "https://github.com/nautobot/nautobot/commit/64312a4297b5ca49b6cdedf477e41e8e4fd61cce"
}
]
},
"source": {
"advisory": "GHSA-v4xv-795h-rv4h",
"discovery": "UNKNOWN"
},
"impact": {
"cvss": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L",
"version": "3.1"
}
]
}