diff --git a/2022/24xxx/CVE-2022-24684.json b/2022/24xxx/CVE-2022-24684.json
index d69682625a5..ecacd64e30b 100644
--- a/2022/24xxx/CVE-2022-24684.json
+++ b/2022/24xxx/CVE-2022-24684.json
@@ -34,7 +34,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "HashiCorp Nomad and Nomad Enterprise before 1.0.17, 1.1.x before 1.1.12, and 1.2.x before 1.2.6 has Uncontrolled Resource Consumption."
+ "value": "HashiCorp Nomad and Nomad Enterprise 0.9.0 through 1.0.16, 1.1.11, and 1.2.5 allow operators with job-submit capabilities to use the spread stanza to panic server agents. Fixed in 1.0.18, 1.1.12, and 1.2.6."
 }
 ]
 },
@@ -66,6 +66,11 @@
 "refsource": "CONFIRM",
 "name": "https://security.netapp.com/advisory/ntap-20220318-0008/",
 "url": "https://security.netapp.com/advisory/ntap-20220318-0008/"
+ },
+ {
+ "refsource": "MISC",
+ "name": "https://discuss.hashicorp.com/t/hcsec-2022-04-nomad-spread-job-stanza-may-trigger-panic-in-servers/",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2022-04-nomad-spread-job-stanza-may-trigger-panic-in-servers/"
 }
 ]
 }
diff --git a/2022/24xxx/CVE-2022-24685.json b/2022/24xxx/CVE-2022-24685.json
index 678da807625..4693a113903 100644
--- a/2022/24xxx/CVE-2022-24685.json
+++ b/2022/24xxx/CVE-2022-24685.json
@@ -34,7 +34,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "HashiCorp Nomad and Nomad Enterprise 1.x before 1.0.17, 1.1.x before 1.1.12, and 1.2.x before 1.2.6 has Uncontrolled Resource Consumption."
+ "value": "HashiCorp Nomad and Nomad Enterprise 1.0.17, 1.1.11, and 1.2.5 allow invalid HCL for the jobs parse endpoint, which may cause excessive CPU usage. Fixed in 1.0.18, 1.1.12, and 1.2.6."
 }
 ]
 },
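Review bot: In the new CVE-2022-24684 description the affected range `0.9.0 through 1.0.16` and the fix version `1.0.18` leave 1.0.17 in neither set, while the CVE-2022-24685 record changed in the same commit lists 1.0.17 as an affected release. If 1.0.17 shipped on the 1.0.x line, the range should read `0.9.0 through 1.0.17` so that tooling deriving affected versions from the text does not treat it as patched; if it was never released, a short clause saying so would remove the ambiguity. The 1.1.x and 1.2.x pairs (1.1.11 fixed in 1.1.12, 1.2.5 fixed in 1.2.6) are contiguous and need no change.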
@@ -66,6 +66,11 @@
 "refsource": "CONFIRM",
 "name": "https://security.netapp.com/advisory/ntap-20220331-0007/",
 "url": "https://security.netapp.com/advisory/ntap-20220331-0007/"
+ },
+ {
+ "refsource": "MISC",
+ "name": "https://discuss.hashicorp.com/t/hcsec-2022-03-nomad-malformed-job-parsing-results-in-excessive-cpu-usage/",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2022-03-nomad-malformed-job-parsing-results-in-excessive-cpu-usage/"
 }
 ]
 }
diff --git a/2022/24xxx/CVE-2022-24687.json b/2022/24xxx/CVE-2022-24687.json
index 332f40d88a5..7f18d7a162c 100644
--- a/2022/24xxx/CVE-2022-24687.json
+++ b/2022/24xxx/CVE-2022-24687.json
@@ -34,7 +34,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "HashiCorp Consul and Consul Enterprise 1.8.0 through 1.9.14, 1.10.7, and 1.11.2 has Uncontrolled Resource Consumption."
+ "value": "HashiCorp Consul and Consul Enterprise 1.9.0 through 1.9.14, 1.10.7, and 1.11.2 clusters with at least one Ingress Gateway allow a user with service:write to register a specifically-defined service that can cause Consul servers to panic. Fixed in 1.9.15, 1.10.8, and 1.11.3."
 }
 ]
 },
diff --git a/2022/25xxx/CVE-2022-25374.json b/2022/25xxx/CVE-2022-25374.json
index 9bf34ea3dc0..cbe99b55935 100644
--- a/2022/25xxx/CVE-2022-25374.json
+++ b/2022/25xxx/CVE-2022-25374.json
@@ -34,7 +34,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "HashiCorp Terraform Enterprise before 202202-1 inserts Sensitive Information into a Log File."
+ "value": "HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1, and v202201-2 were configured to log inbound HTTP requests in a manner that may capture sensitive data. Fixed in v202202-1."
 }
 ]
 },
diff --git a/2022/29xxx/CVE-2022-29153.json b/2022/29xxx/CVE-2022-29153.json
index bdfcffbcdc5..3bbfc045446 100644
--- a/2022/29xxx/CVE-2022-29153.json
+++ b/2022/29xxx/CVE-2022-29153.json
@@ -34,7 +34,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "HashiCorp Consul and Consul Enterprise through 2022-04-12 allow SSRF."
+ "value": "HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5."
 }
 ]
 },
@@ -71,6 +71,11 @@
 "refsource": "GENTOO",
 "name": "GLSA-202208-09",
 "url": "https://security.gentoo.org/glsa/202208-09"
+ },
+ {
+ "refsource": "MISC",
+ "name": "https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/"
 }
 ]
 }
diff --git a/2022/30xxx/CVE-2022-30322.json b/2022/30xxx/CVE-2022-30322.json
index 0d9db43ff57..473ea9baf9c 100644
--- a/2022/30xxx/CVE-2022-30322.json
+++ b/2022/30xxx/CVE-2022-30322.json
@@ -34,7 +34,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "HashiCorp go-getter through 2.0.2 does not safely perform downloads (issue 2 of 3)."
+ "value": "go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0."
 }
 ]
 },
@@ -66,6 +66,11 @@
 "refsource": "MISC",
 "name": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930",
 "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
+ },
+ {
+ "refsource": "MISC",
+ "name": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/"
 }
 ]
 }
diff --git a/2022/30xxx/CVE-2022-30323.json b/2022/30xxx/CVE-2022-30323.json
index 1aec9b22afa..19f60f1b719 100644
--- a/2022/30xxx/CVE-2022-30323.json
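Review bot: The MISC reference added in the CVE-2022-30322 references hunk appears to point at the same discuss.hashicorp.com advisory topic as the entry directly above it; the two URLs differ only in the trailing topic id `/39930`, so the record now carries what is effectively a duplicate reference. Either drop the new entry, or if the id-less form is meant to be canonical, replace the existing `name`/`url` pair instead of appending a second one. The same duplicate pair is appended to CVE-2022-30323 later in this commit.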
+++ b/2022/30xxx/CVE-2022-30323.json
@@ -34,7 +34,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "HashiCorp go-getter through 2.0.2 does not safely perform downloads (issue 3 of 3)."
+ "value": "go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0."
 }
 ]
 },
@@ -66,6 +66,11 @@
 "refsource": "MISC",
 "name": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930",
 "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
+ },
+ {
+ "refsource": "MISC",
+ "name": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/"
 }
 ]
 }
diff --git a/2022/38xxx/CVE-2022-38145.json b/2022/38xxx/CVE-2022-38145.json
new file mode 100644
index 00000000000..6568ed2269b
--- /dev/null
+++ b/2022/38xxx/CVE-2022-38145.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2022-38145",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2022/38xxx/CVE-2022-38146.json b/2022/38xxx/CVE-2022-38146.json
new file mode 100644
index 00000000000..9377517709d
--- /dev/null
+++ b/2022/38xxx/CVE-2022-38146.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2022-38146",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2022/38xxx/CVE-2022-38147.json b/2022/38xxx/CVE-2022-38147.json
new file mode 100644
index 00000000000..fc3beeedeb1
--- /dev/null
+++ b/2022/38xxx/CVE-2022-38147.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2022-38147",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2022/38xxx/CVE-2022-38148.json b/2022/38xxx/CVE-2022-38148.json
new file mode 100644
index 00000000000..907598198fe
--- /dev/null
+++ b/2022/38xxx/CVE-2022-38148.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2022-38148",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file