From ce36fe4b63a4d7a15d4cc8afe780d0374f9d226f Mon Sep 17 00:00:00 2001 From: CVE Team Date: Fri, 9 Feb 2024 01:00:34 +0000 Subject: [PATCH] "-Synchronized-Data." --- 2023/32xxx/CVE-2023-32341.json | 89 ++++++++++++++++++++++++++++-- 2023/45xxx/CVE-2023-45187.json | 83 ++++++++++++++++++++++++++-- 2023/45xxx/CVE-2023-45190.json | 82 ++++++++++++++++++++++++++-- 2023/45xxx/CVE-2023-45191.json | 83 ++++++++++++++++++++++++++-- 2024/1xxx/CVE-2024-1353.json | 95 ++++++++++++++++++++++++++++++-- 2024/22xxx/CVE-2024-22318.json | 89 ++++++++++++++++++++++++++++-- 2024/22xxx/CVE-2024-22332.json | 84 +++++++++++++++++++++++++++-- 2024/23xxx/CVE-2024-23639.json | 99 ++++++++++++++++++++++++++++++++-- 2024/24xxx/CVE-2024-24819.json | 86 +++++++++++++++++++++++++++-- 9 files changed, 754 insertions(+), 36 deletions(-) diff --git a/2023/32xxx/CVE-2023-32341.json b/2023/32xxx/CVE-2023-32341.json index ff7ea23e2eb..ceaec518f2a 100644 --- a/2023/32xxx/CVE-2023-32341.json +++ b/2023/32xxx/CVE-2023-32341.json @@ -1,17 +1,98 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-32341", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "psirt@us.ibm.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "IBM Sterling B2B Integrator 6.0.0.0 through 6.0.3.8 and 6.1.0.0 through 6.1.2.3 could allow an authenticated user to cause a denial of service due to uncontrolled resource consumption. IBM X-Force ID: 255827." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-400 Uncontrolled Resource Consumption", + "cweId": "CWE-400" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "IBM", + "product": { + "product_data": [ + { + "product_name": "Sterling B2B Integrator", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "6.0.0.0", + "version_value": "6.0.3.8" + }, + { + "version_affected": "<=", + "version_name": "6.1.0.0", + "version_value": "6.1.2.3" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.ibm.com/support/pages/node/7116081", + "refsource": "MISC", + "name": "https://www.ibm.com/support/pages/node/7116081" + }, + { + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/255827", + "refsource": "MISC", + "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/255827" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.1.0-dev" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" } ] } diff --git a/2023/45xxx/CVE-2023-45187.json b/2023/45xxx/CVE-2023-45187.json index 25dc9b92517..f777385a3b6 100644 --- a/2023/45xxx/CVE-2023-45187.json +++ b/2023/45xxx/CVE-2023-45187.json @@ -1,17 +1,92 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-45187", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "psirt@us.ibm.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 268749." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-613 Insufficient Session Expiration", + "cweId": "CWE-613" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "IBM", + "product": { + "product_data": [ + { + "product_name": "Engineering Lifecycle Optimization - Publishing", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "7.0.2, 7.0.3" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.ibm.com/support/pages/node/7116045", + "refsource": "MISC", + "name": "https://www.ibm.com/support/pages/node/7116045" + }, + { + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/268749", + "refsource": "MISC", + "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/268749" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.1.0-dev" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 6.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "version": "3.1" } ] } diff --git a/2023/45xxx/CVE-2023-45190.json b/2023/45xxx/CVE-2023-45190.json index 571737d4b89..e7cf73f2e22 100644 --- a/2023/45xxx/CVE-2023-45190.json +++ b/2023/45xxx/CVE-2023-45190.json @@ -1,17 +1,91 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-45190", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "psirt@us.ibm.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "IBM Engineering Lifecycle Optimization 7.0.2 and 7.0.3 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 268754." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "644 Improper Neutralization of HTTP Headers for Scripting Syntax" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "IBM", + "product": { + "product_data": [ + { + "product_name": "Engineering Lifecycle Optimization - Publishing", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "7.0.2, 7.0.3" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.ibm.com/support/pages/node/7116045", + "refsource": "MISC", + "name": "https://www.ibm.com/support/pages/node/7116045" + }, + { + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/268754", + "refsource": "MISC", + "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/268754" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.1.0-dev" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 5.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "version": "3.1" } ] } diff --git a/2023/45xxx/CVE-2023-45191.json b/2023/45xxx/CVE-2023-45191.json index 455284b649f..e0d53b071fb 100644 --- a/2023/45xxx/CVE-2023-45191.json +++ b/2023/45xxx/CVE-2023-45191.json @@ -1,17 +1,92 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-45191", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "psirt@us.ibm.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "IBM Engineering Lifecycle Optimization 7.0.2 and 7.0.3 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 268755." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-307 Improper Restriction of Excessive Authentication Attempts", + "cweId": "CWE-307" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "IBM", + "product": { + "product_data": [ + { + "product_name": "Engineering Lifecycle Optimization - Publishing", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "7.0.2, 7.0.3" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.ibm.com/support/pages/node/7116045", + "refsource": "MISC", + "name": "https://www.ibm.com/support/pages/node/7116045" + }, + { + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/268755", + "refsource": "MISC", + "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/268755" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.1.0-dev" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "version": "3.1" } ] } diff --git a/2024/1xxx/CVE-2024-1353.json b/2024/1xxx/CVE-2024-1353.json index 079383a0944..11bf5b588a6 100644 --- a/2024/1xxx/CVE-2024-1353.json +++ b/2024/1xxx/CVE-2024-1353.json @@ -1,17 +1,104 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-1353", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@vuldb.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A vulnerability, which was classified as critical, has been found in PHPEMS up to 1.0. Affected by this issue is the function index of the file app/weixin/controller/index.api.php. The manipulation of the argument picurl leads to deserialization. The exploit has been disclosed to the public and may be used. VDB-253226 is the identifier assigned to this vulnerability." + }, + { + "lang": "deu", + "value": "Eine kritische Schwachstelle wurde in PHPEMS bis 1.0 entdeckt. Es geht hierbei um die Funktion index der Datei app/weixin/controller/index.api.php. Mittels Manipulieren des Arguments picurl mit unbekannten Daten kann eine deserialization-Schwachstelle ausgenutzt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-502 Deserialization", + "cweId": "CWE-502" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "n/a", + "product": { + "product_data": [ + { + "product_name": "PHPEMS", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "1.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://vuldb.com/?id.253226", + "refsource": "MISC", + "name": "https://vuldb.com/?id.253226" + }, + { + "url": "https://vuldb.com/?ctiid.253226", + "refsource": "MISC", + "name": "https://vuldb.com/?ctiid.253226" + }, + { + "url": "https://note.zhaoj.in/share/nxGzfEB6fFVY", + "refsource": "MISC", + "name": "https://note.zhaoj.in/share/nxGzfEB6fFVY" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "glzjin (VulDB User)" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "baseScore": 6.3, + "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "baseSeverity": "MEDIUM" + }, + { + "version": "3.0", + "baseScore": 6.3, + "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "baseSeverity": "MEDIUM" + }, + { + "version": "2.0", + "baseScore": 5.8, + "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P" } ] } diff --git a/2024/22xxx/CVE-2024-22318.json b/2024/22xxx/CVE-2024-22318.json index 2bc8085d289..90b6e2fd271 100644 --- a/2024/22xxx/CVE-2024-22318.json +++ b/2024/22xxx/CVE-2024-22318.json @@ -1,17 +1,98 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-22318", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "psirt@us.ibm.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "IBM i Access Client Solutions (ACS) 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.4 is vulnerable to NT LAN Manager (NTLM) hash disclosure by an attacker modifying UNC capable paths within ACS configuration files to point to a hostile server. If NTLM is enabled, the Windows operating system will try to authenticate using the current user's session. The hostile server could capture the NTLM hash information to obtain the user's credentials. IBM X-Force ID: 279091." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", + "cweId": "CWE-200" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "IBM", + "product": { + "product_data": [ + { + "product_name": "i Access Client Solutions", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "1.1.2", + "version_value": "1.1.4" + }, + { + "version_affected": "<=", + "version_name": "1.1.4.3", + "version_value": "1.1.9.4" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.ibm.com/support/pages/node/7116091", + "refsource": "MISC", + "name": "https://www.ibm.com/support/pages/node/7116091" + }, + { + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/279091", + "refsource": "MISC", + "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/279091" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.1.0-dev" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 5.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "version": "3.1" } ] } diff --git a/2024/22xxx/CVE-2024-22332.json b/2024/22xxx/CVE-2024-22332.json index ed74411ed0f..f4f4b43112c 100644 --- a/2024/22xxx/CVE-2024-22332.json +++ b/2024/22xxx/CVE-2024-22332.json @@ -1,17 +1,93 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-22332", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "psirt@us.ibm.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The IBM Integration Bus for z/OS 10.1 through 10.1.0.2 AdminAPI is vulnerable to a denial of service due to file system exhaustion. IBM X-Force ID: 279972." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-434 Unrestricted Upload of File with Dangerous Type", + "cweId": "CWE-434" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "IBM", + "product": { + "product_data": [ + { + "product_name": "Integration Bus for z/OS", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "10.1", + "version_value": "10.1.0.2" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://https://www.ibm.com/support/pages/node/7116046", + "refsource": "MISC", + "name": "https://https://www.ibm.com/support/pages/node/7116046" + }, + { + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/279972", + "refsource": "MISC", + "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/279972" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.1.0-dev" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" } ] } diff --git a/2024/23xxx/CVE-2024-23639.json b/2024/23xxx/CVE-2024-23639.json index e73146b24bf..59760ecb947 100644 --- a/2024/23xxx/CVE-2024-23639.json +++ b/2024/23xxx/CVE-2024-23639.json @@ -1,17 +1,108 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-23639", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Micronaut Framework is a modern, JVM-based, full stack Java framework designed for building modular, easily testable JVM applications with support for Java, Kotlin and the Groovy language. Enabled but unsecured management endpoints are susceptible to drive-by localhost attacks. While not typical of a production application, these attacks may have more impact on a development environment where such endpoints may be flipped on without much thought. A malicious/compromised website can make HTTP requests to `localhost`. Normally, such requests would trigger a CORS preflight check which would prevent the request; however, some requests are \"simple\" and do not require a preflight check. These endpoints, if enabled and not secured, are vulnerable to being triggered. Production environments typically disable unused endpoints and secure/restrict access to needed endpoints. A more likely victim is the developer in their local development host, who has enabled endpoints without security for the sake of easing development. This issue has been addressed in version 3.8.3. Users are advised to upgrade." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-15: External Control of System or Configuration Setting", + "cweId": "CWE-15" + } + ] + }, + { + "description": [ + { + "lang": "eng", + "value": "CWE-664: Improper Control of a Resource Through its Lifetime", + "cweId": "CWE-664" + } + ] + }, + { + "description": [ + { + "lang": "eng", + "value": "CWE-610: Externally Controlled Reference to a Resource in Another Sphere", + "cweId": "CWE-610" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "micronaut-projects", + "product": { + "product_data": [ + { + "product_name": "micronaut-core", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "< 3.8.3" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-583g-g682-crxf", + "refsource": "MISC", + "name": "https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-583g-g682-crxf" + }, + { + "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests", + "refsource": "MISC", + "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests" + } + ] + }, + "source": { + "advisory": "GHSA-583g-g682-crxf", + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 5.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", + "version": "3.1" } ] } diff --git a/2024/24xxx/CVE-2024-24819.json b/2024/24xxx/CVE-2024-24819.json index e71c313379e..0d1e15ecbb4 100644 --- a/2024/24xxx/CVE-2024-24819.json +++ b/2024/24xxx/CVE-2024-24819.json @@ -1,17 +1,95 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-24819", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "icingaweb2-module-incubator is a working project of bleeding edge Icinga Web 2 libraries. In affected versions the class `gipfl\\Web\\Form` is the base for various concrete form implementations [1] and provides protection against cross site request forgery (CSRF) by default. This is done by automatically adding an element with a CSRF token to any form, unless explicitly disabled, but even if enabled, the CSRF token (sent during a client's submission of a form relying on it) is not validated. This enables attackers to perform changes on behalf of a user which, unknowingly, interacts with a prepared link or website. The version 0.22.0 is available to remedy this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-352: Cross-Site Request Forgery (CSRF)", + "cweId": "CWE-352" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Icinga", + "product": { + "product_data": [ + { + "product_name": "icingaweb2-module-incubator", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": ">= 0.1.0, < 0.22.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/Icinga/icingaweb2-module-incubator/security/advisories/GHSA-p8vv-9pqq-rm8p", + "refsource": "MISC", + "name": "https://github.com/Icinga/icingaweb2-module-incubator/security/advisories/GHSA-p8vv-9pqq-rm8p" + }, + { + "url": "https://github.com/Icinga/icingaweb2-module-incubator/commit/db7dc49585fee0b4e96be666d7f6009a74a1ccb5", + "refsource": "MISC", + "name": "https://github.com/Icinga/icingaweb2-module-incubator/commit/db7dc49585fee0b4e96be666d7f6009a74a1ccb5" + }, + { + "url": "https://github.com/search?q=gipfl%5CWeb%5CForm%3B&type=code", + "refsource": "MISC", + "name": "https://github.com/search?q=gipfl%5CWeb%5CForm%3B&type=code" + } + ] + }, + "source": { + "advisory": "GHSA-p8vv-9pqq-rm8p", + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "HIGH", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:L", + "version": "3.1" } ] }