From d2ee18f2f9bec31e4dd16e2222bc5d1ddbb76bca Mon Sep 17 00:00:00 2001
From: CVE Team
Date: Wed, 10 Jun 2020 14:58:23 +0000
Subject: [PATCH] "-Synchronized-Data."
---
 2018/3xxx/CVE-2018-3639.json | 10 ++++
 2020/10xxx/CVE-2020-10708.json | 4 +-
 2020/13xxx/CVE-2020-13267.json | 90 ++++++++++++++++++++++++++++++++--
 2020/13xxx/CVE-2020-13268.json | 90 ++++++++++++++++++++++++++++++++--
 2020/13xxx/CVE-2020-13269.json | 87 ++++++++++++++++++++++++++++++--
 2020/13xxx/CVE-2020-13270.json | 90 ++++++++++++++++++++++++++++++++--
 2020/13xxx/CVE-2020-13271.json | 90 ++++++++++++++++++++++++++++++++--
 7 files changed, 439 insertions(+), 22 deletions(-)
diff --git a/2018/3xxx/CVE-2018-3639.json b/2018/3xxx/CVE-2018-3639.json
index 1ee099edfac..5e056093e64 100644
--- a/2018/3xxx/CVE-2018-3639.json
+++ b/2018/3xxx/CVE-2018-3639.json
@@ -762,6 +762,16 @@
 "refsource": "CONFIRM",
 "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-608355.pdf",
 "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-608355.pdf"
+ },
+ {
+ "refsource": "MLIST",
+ "name": "[oss-security] 20200610 kernel: Multiple SSBD related flaws CVE-2020-10766 , CVE-2020-10767, CVE-2020-10768",
+ "url": "http://www.openwall.com/lists/oss-security/2020/06/10/1"
+ },
+ {
+ "refsource": "MLIST",
+ "name": "[oss-security] 20200610 Re: kernel: Multiple SSBD related flaws CVE-2020-10766 , CVE-2020-10767, CVE-2020-10768",
+ "url": "http://www.openwall.com/lists/oss-security/2020/06/10/2"
 }
 ]
 }
diff --git a/2020/10xxx/CVE-2020-10708.json b/2020/10xxx/CVE-2020-10708.json
index 8fec12de672..2d2f7647ee3 100644
--- a/2020/10xxx/CVE-2020-10708.json
+++ b/2020/10xxx/CVE-2020-10708.json
@@ -5,13 +5,13 @@
 "CVE_data_meta": {
 "ID": "CVE-2020-10708",
 "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "REJECT"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none."
 }
 ]
 }
diff --git a/2020/13xxx/CVE-2020-13267.json b/2020/13xxx/CVE-2020-13267.json
index 671e3a4e05f..03b5931747f 100644
--- a/2020/13xxx/CVE-2020-13267.json
+++ b/2020/13xxx/CVE-2020-13267.json
@@ -4,15 +4,97 @@
 "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-13267",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "cve@gitlab.com",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "GitLab",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "GitLab",
+ "version": {
+ "version_data": [
+ {
+ "version_value": ">=12.8, <12.9.8"
+ },
+ {
+ "version_value": ">=12.10, <12.10.7"
+ },
+ {
+ "version_value": ">=13.0, <13.0.1"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Improper neutralization of input during web page generation ('cross-site scripting') in GitLab"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/211956",
+ "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/211956",
+ "refsource": "MISC"
+ },
+ {
+ "name": "https://hackerone.com/reports/824773",
+ "url": "https://hackerone.com/reports/824773",
+ "refsource": "MISC"
+ },
+ {
+ "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13267.json",
+ "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13267.json",
+ "refsource": "CONFIRM"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "NONE",
+ "scope": "CHANGED",
+ "userInteraction": "REQUIRED",
+ "version": "3.1",
+ "baseScore": 6.0,
+ "baseSeverity": "MEDIUM"
+ }
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.
When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "A Stored Cross-Site Scripting vulnerability allowed the execution on Javascript payloads on the Metrics Dashboard in GitLab CE/EE 12.8 and later through 13.0.1"
 }
 ]
- }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "Thanks @xanbanx for reporting this vulnerability through our HackerOne bug bounty program"
+ }
+ ]
 }
\ No newline at end of file
diff --git a/2020/13xxx/CVE-2020-13268.json b/2020/13xxx/CVE-2020-13268.json
index 8678058ce72..00195743949 100644
--- a/2020/13xxx/CVE-2020-13268.json
+++ b/2020/13xxx/CVE-2020-13268.json
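Review bot: The `baseScore` of `6.0` in the added `impact.cvss` block does not match its own vector: `AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` evaluates to 6.1 under CVSS 3.1, so the line should read `"baseScore": 6.1,`; the CVE-2020-13269 and CVE-2020-13271 hunks carry the same vector with the same 6.0. The `vectorString` values in all five GitLab records also lack the `CVSS:3.1/` prefix, which strict CVSS parsers expect. Separately, the description says "through 13.0.1" while `version_data` ends at `<13.0.1`, so the prose marks the fixed release as affected; the same wording recurs in the CVE-2020-13268 to CVE-2020-13271 descriptions and should probably read "before 13.0.1". The description in this hunk also has a typo, "execution on Javascript payloads", which should be "execution of Javascript payloads".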
@@ -4,15 +4,97 @@
 "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-13268",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "cve@gitlab.com",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "GitLab",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "GitLab",
+ "version": {
+ "version_data": [
+ {
+ "version_value": ">=12.8, <12.9.8"
+ },
+ {
+ "version_value": ">=12.10, <12.10.7"
+ },
+ {
+ "version_value": ">=13.0, <13.0.1"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Information exposure in GitLab"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/214220",
+ "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/214220",
+ "refsource": "MISC"
+ },
+ {
+ "name": "https://hackerone.com/reports/848415",
+ "url": "https://hackerone.com/reports/848415",
+ "refsource": "MISC"
+ },
+ {
+ "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13268.json",
+ "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13268.json",
+ "refsource": "CONFIRM"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "version": "3.1",
+ "baseScore": 5.3,
+ "baseSeverity": "MEDIUM"
+ }
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "A specially crafted request could be used to confirm the existence of files hosted on object storage services, without disclosing their contents. This vulnerability affects GitLab CE/EE 12.10 and later through 13.0.1"
 }
 ]
- }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "Thanks @ledz1996 for reporting this vulnerability through our HackerOne bug bounty program"
+ }
+ ]
 }
\ No newline at end of file
diff --git a/2020/13xxx/CVE-2020-13269.json b/2020/13xxx/CVE-2020-13269.json
index 05bc30e388a..5ac0c5418ae 100644
--- a/2020/13xxx/CVE-2020-13269.json
+++ b/2020/13xxx/CVE-2020-13269.json
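Review bot: The added description starts the affected range at 12.10, but `version_data` in the same hunk also lists `>=12.8, <12.9.8`, so the prose and the structured range disagree about whether 12.8 through 12.9.7 is affected. Scanners that match on `version_value` and analysts who read the text will reach different conclusions for those releases. One of the two needs correcting against the linked GitLab issue: either drop the `>=12.8, <12.9.8` entry, or change the sentence to start at 12.8. Which side is wrong cannot be determined from this patch alone.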
@@ -4,15 +4,94 @@
 "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-13269",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "cve@gitlab.com",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "GitLab",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "GitLab",
+ "version": {
+ "version_data": [
+ {
+ "version_value": ">=12.10, <12.10.7"
+ },
+ {
+ "version_value": ">=13.0, <13.0.1"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Improper neutralization of input during web page generation ('cross-site scripting') in GitLab"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/216528",
+ "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/216528",
+ "refsource": "MISC"
+ },
+ {
+ "name": "https://hackerone.com/reports/864356",
+ "url": "https://hackerone.com/reports/864356",
+ "refsource": "MISC"
+ },
+ {
+ "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13269.json",
+ "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13269.json",
+ "refsource": "CONFIRM"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "NONE",
+ "scope": "CHANGED",
+ "userInteraction": "REQUIRED",
+ "version": "3.1",
+ "baseScore": 6.0,
+ "baseSeverity": "MEDIUM"
+ }
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "A Reflected Cross-Site Scripting vulnerability allowed the execution of arbitrary Javascript code on the Static Site Editor in GitLab CE/EE 12.10 and later through 13.0.1"
 }
 ]
- }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "Thanks @bull for reporting this vulnerability through our HackerOne bug bounty program"
+ }
+ ]
 }
\ No newline at end of file
diff --git a/2020/13xxx/CVE-2020-13270.json b/2020/13xxx/CVE-2020-13270.json
index 78f48a75bf2..acb763db665 100644
--- a/2020/13xxx/CVE-2020-13270.json
+++ b/2020/13xxx/CVE-2020-13270.json
@@ -4,15 +4,97 @@
 "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-13270",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "cve@gitlab.com",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "GitLab",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "GitLab",
+ "version": {
+ "version_data": [
+ {
+ "version_value": ">=11.3, <12.9.8"
+ },
+ {
+ "version_value": ">=12.10, <12.10.7"
+ },
+ {
+ "version_value": ">=13.0, <13.0.1"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Improper authorization in GitLab"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/24648",
+ "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/24648",
+ "refsource": "MISC"
+ },
+ {
+ "name": "https://hackerone.com/reports/419977",
+ "url": "https://hackerone.com/reports/419977",
+ "refsource": "MISC"
+ },
+ {
+ "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13270.json",
+ "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13270.json",
+ "refsource": "CONFIRM"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
+ "attackComplexity": "HIGH",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "version": "3.1",
+ "baseScore": 7.5,
+ "baseSeverity": "HIGH"
+ }
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Missing permission check on fork relation creation in GitLab CE/EE 11.3 and later through 13.0.1 allows guest users to create a fork relation on restricted public projects via API"
 }
 ]
- }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "Thanks @ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program"
+ }
+ ]
 }
\ No newline at end of file
diff --git a/2020/13xxx/CVE-2020-13271.json b/2020/13xxx/CVE-2020-13271.json
index 43a723e8c21..5c0d279befc 100644
--- a/2020/13xxx/CVE-2020-13271.json
+++ b/2020/13xxx/CVE-2020-13271.json
@@ -4,15 +4,97 @@
 "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-13271",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "cve@gitlab.com",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "GitLab",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "GitLab",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "<12.9.8"
+ },
+ {
+ "version_value": ">=12.10, <12.10.7"
+ },
+ {
+ "version_value": ">=13.0, <13.0.1"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Improper neutralization of input during web page generation ('cross-site scripting') in GitLab"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/200094",
+ "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/200094",
+ "refsource": "MISC"
+ },
+ {
+ "name": "https://hackerone.com/reports/672150",
+ "url": "https://hackerone.com/reports/672150",
+ "refsource": "MISC"
+ },
+ {
+ "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13271.json",
+ "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13271.json",
+ "refsource": "CONFIRM"
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "vectorString": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "NONE",
+ "scope": "CHANGED",
+ "userInteraction": "REQUIRED",
+ "version": "3.1",
+ "baseScore": 6.0,
+ "baseSeverity": "MEDIUM"
+ }
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "A Stored Cross-Site Scripting vulnerability allowed the execution of arbitrary Javascript code in the blobs API in all previous GitLab CE/EE versions through 13.0.1"
 }
 ]
- }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "Thanks @rpadovani for reporting this vulnerability through our HackerOne bug bounty program"
+ }
+ ]
 }
\ No newline at end of file