From d6113ec3efeb0700887695f9c4f014c3f97115ac Mon Sep 17 00:00:00 2001
From: CVE Team
Date: Mon, 30 Mar 2020 19:01:38 +0000
Subject: [PATCH] "-Synchronized-Data."
---
2019/17xxx/CVE-2019-17560.json | 62 ++++++++++++++++++++++++++++++++++
2019/17xxx/CVE-2019-17561.json | 62 ++++++++++++++++++++++++++++++++++
2020/7xxx/CVE-2020-7599.json | 55 ++++++++++++++++++++++++++++--
2020/7xxx/CVE-2020-7610.json | 50 +++++++++++++++++++++++++--
4 files changed, 223 insertions(+), 6 deletions(-)
create mode 100644 2019/17xxx/CVE-2019-17560.json
create mode 100644 2019/17xxx/CVE-2019-17561.json
diff --git a/2019/17xxx/CVE-2019-17560.json b/2019/17xxx/CVE-2019-17560.json
new file mode 100644
index 00000000000..fb3879a33ed
--- /dev/null
+++ b/2019/17xxx/CVE-2019-17560.json
@@ -0,0 +1,62 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2019-17560",
+ "ASSIGNER": "security@apache.org",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "n/a",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Apache NetBeans",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "through 11.2"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Improper Certificate Validation"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "MISC",
+ "name": "https://lists.apache.org/thread.html/r354d7654efa1050539fe56a3257696d1faeea4f3f9b633c29ec89609%40%3Cdev.netbeans.apache.org%3E",
+ "url": "https://lists.apache.org/thread.html/r354d7654efa1050539fe56a3257696d1faeea4f3f9b633c29ec89609%40%3Cdev.netbeans.apache.org%3E"
+ }
+ ]
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "The \"Apache NetBeans\" autoupdate system does not validate SSL certificates and hostnames for https based downloads. This allows an attacker to intercept downloads of autoupdates and modify the download, potentially injecting malicious code. \u201cApache NetBeans\" versions up to and including 11.2 are affected by this vulnerability."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2019/17xxx/CVE-2019-17561.json b/2019/17xxx/CVE-2019-17561.json
new file mode 100644
index 00000000000..d9da9628c86
--- /dev/null
+++ b/2019/17xxx/CVE-2019-17561.json
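Review bot: `"vendor_name": "n/a"` in CVE-2019-17560.json leaves the vendor empty even though the product is "Apache NetBeans" and the assigner is security@apache.org, so asset or scanner matching keyed on vendor will likely miss this record. A populated value such as `"vendor_name": "Apache"` would fix that, with the canonical vendor string confirmed by the CNA. The same `n/a` vendor appears in CVE-2019-17561.json, CVE-2020-7599.json and CVE-2020-7610.json. Separately, the last sentence of the description opens the product name with `\u201c` but closes it with `\"`; `\"Apache NetBeans\"` on both sides would match the first sentence.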
@@ -0,0 +1,62 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2019-17561",
+ "ASSIGNER": "security@apache.org",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "n/a",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Apache NetBeans",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "through 11.2"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Improper Validation of Integrity Check Value"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "MISC",
+ "name": "https://lists.apache.org/thread.html/rb218aa720fc525f63d91761fbf67854f454ce7a697dbbee2001ae8b1%40%3Cdev.netbeans.apache.org%3E",
+ "url": "https://lists.apache.org/thread.html/rb218aa720fc525f63d91761fbf67854f454ce7a697dbbee2001ae8b1%40%3Cdev.netbeans.apache.org%3E"
+ }
+ ]
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "The \"Apache NetBeans\" autoupdate system does not fully validate code signatures. An attacker could modify the downloaded nbm and include additional code. \"Apache NetBeans\" versions up to and including 11.2 are affected by this vulnerability."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2020/7xxx/CVE-2020-7599.json b/2020/7xxx/CVE-2020-7599.json
index a9ae95aa811..db526926293 100644
--- a/2020/7xxx/CVE-2020-7599.json
+++ b/2020/7xxx/CVE-2020-7599.json
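Review bot: The `problemtype` value in CVE-2019-17561.json is the bare weakness name with no CWE identifier, so automated weakness mapping has to rely on exact string matching. Prefixing the id would fix that: `"value": "CWE-354: Improper Validation of Integrity Check Value"`. The other three records in this commit have the same gap; their names correspond to CWE-295 (CVE-2019-17560), CWE-532 (CVE-2020-7599) and CWE-502 (CVE-2020-7610).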
@@ -4,14 +4,63 @@
 "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-7599",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "report@snyk.io",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "n/a",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "com.gradle.plugin-publish",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "all versions before 0.11.0"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Insertion of Sensitive Information into Log File"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "MISC",
+ "name": "https://snyk.io/vuln/SNYK-JAVA-COMGRADLEPLUGINPUBLISH-559866",
+ "url": "https://snyk.io/vuln/SNYK-JAVA-COMGRADLEPLUGINPUBLISH-559866"
+ },
+ {
+ "refsource": "MISC",
+ "name": "https://blog.gradle.org/plugin-portal-update",
+ "url": "https://blog.gradle.org/plugin-portal-update"
+ }
+ ]
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is publicly visible (as it is in many popular public CI systems like TravisCI) this AWS pre-signed URL would allow a malicious actor to replace a recently uploaded plugin with their own."
 }
 ]
 }
diff --git a/2020/7xxx/CVE-2020-7610.json b/2020/7xxx/CVE-2020-7610.json
index fda87e05c98..17c0ddc8250 100644
--- a/2020/7xxx/CVE-2020-7610.json
+++ b/2020/7xxx/CVE-2020-7610.json
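Review bot: The affected range in CVE-2020-7599.json is carried as prose inside `"version_value": "all versions before 0.11.0"`, which version-comparison tooling cannot evaluate without parsing free text. The 4.0 format has a separate operator field, so the entry could read `"version_affected": "<", "version_value": "0.11.0"`. The same applies to `"all versions before 1.1.4"` in CVE-2020-7610.json and to `"through 11.2"` in the two NetBeans records, where the operator would be `"<="`.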
@@ -4,14 +4,58 @@
 "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-7610",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "report@snyk.io",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "n/a",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "bson",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "all versions before 1.1.4"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Deserialization of Untrusted Data"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "MISC",
+ "name": "https://snyk.io/vuln/SNYK-JS-BSON-561052",
+ "url": "https://snyk.io/vuln/SNYK-JS-BSON-561052"
+ }
+ ]
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type."
 }
 ]
 }
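Review bot: The new description in CVE-2020-7610.json names the property `_bsotype`, which looks like a typo for `_bsontype`, the type marker that js-bson objects carry. Anyone searching code, logs or advisories for the affected field will not find it under the misspelled name. Suggested wording: `The package will ignore an unknown value for an object's _bsontype, leading to ...`. The text is CNA-supplied, so the correction presumably has to go through the assigner (report@snyk.io) rather than be edited here.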