diff --git a/2024/22xxx/CVE-2024-22315.json b/2024/22xxx/CVE-2024-22315.json
index 2f410c9982e..6d04f6b2b98 100644
--- a/2024/22xxx/CVE-2024-22315.json
+++ b/2024/22xxx/CVE-2024-22315.json
@@ -1,17 +1,111 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-22315", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "psirt@us.ibm.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "IBM Fusion and IBM Fusion HCI 2.3.0 through 2.8.2 is vulnerable to insecure network connection by allowing an attacker who gains access to a Fusion container to establish an external network connection." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-923 Improper Restriction of Communication Channel to Intended Endpoints", + "cweId": "CWE-923" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "IBM", + "product": { + "product_data": [ + { + "product_name": "Fusion", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "2.3.0", + "version_value": "2.8.2" + } + ] + } + }, + { + "product_name": "Fusion HCI", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "2.3.0", + "version_value": "2.8.2" + } + ] + } + }, + { + "product_name": "Fusion HCI for watsonx", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "2.8.2" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.ibm.com/support/pages/node/7179168", + "refsource": "MISC", + "name": "https://www.ibm.com/support/pages/node/7179168" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": 
"HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "version": "3.1" } ] } diff --git a/2024/45xxx/CVE-2024-45336.json b/2024/45xxx/CVE-2024-45336.json index 8af818088cf..04e0cd21403 100644 --- a/2024/45xxx/CVE-2024-45336.json +++ b/2024/45xxx/CVE-2024-45336.json 
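Review bot: In the CVE-2024-22315 record the description names only `IBM Fusion and IBM Fusion HCI 2.3.0 through 2.8.2`, while `product_data` also lists `Fusion HCI for watsonx` with `"version_affected": "="` and `"version_value": "2.8.2"`, so anyone scoping exposure from the description text alone misses the third product. I would name it in the description value, for example `IBM Fusion and IBM Fusion HCI 2.3.0 through 2.8.2, and IBM Fusion HCI for watsonx 2.8.2, are vulnerable to ...`. The two range entries pair `"version_affected": "<="` with `version_name` 2.3.0 and `version_value` 2.8.2, which presumably means 2.3.0 through 2.8.2 inclusive; a consumer that reads only the operator and `version_value` will also flag releases older than 2.3.0. `"privilegesRequired": "NONE"` sits next to a description that requires prior access to a Fusion container, which may be intended given `"attackVector": "LOCAL"` but is worth confirming with the CNA.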
@@ -1,18 +1,100 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-45336", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@golang.org", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2." 
} ] - } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-116: Improper Encoding or Escaping of Output" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Go standard library", + "product": { + "product_data": [ + { + "product_name": "net/http", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "0", + "version_value": "1.22.11" + }, + { + "version_affected": "<", + "version_name": "1.23.0-0", + "version_value": "1.23.5" + }, + { + "version_affected": "<", + "version_name": "1.24.0-0", + "version_value": "1.24.0-rc2" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://go.dev/cl/643100", + "refsource": "MISC", + "name": "https://go.dev/cl/643100" + }, + { + "url": "https://go.dev/issue/70530", + "refsource": "MISC", + "name": "https://go.dev/issue/70530" + }, + { + "url": "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ", + "refsource": "MISC", + "name": "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ" + }, + { + "url": "https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ", + "refsource": "MISC", + "name": "https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ" + }, + { + "url": "https://pkg.go.dev/vuln/GO-2025-3420", + "refsource": "MISC", + "name": "https://pkg.go.dev/vuln/GO-2025-3420" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Kyle Seely" + } + ] } \ No newline at end of file diff --git a/2024/45xxx/CVE-2024-45339.json b/2024/45xxx/CVE-2024-45339.json index ef4bb79a303..0ec06da9208 100644 --- a/2024/45xxx/CVE-2024-45339.json +++ b/2024/45xxx/CVE-2024-45339.json 
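Review bot: The `problemtype` value `CWE-116: Improper Encoding or Escaping of Output` in the CVE-2024-45336 record does not describe what the description reports, namely an `Authorization` header being restored and sent to `b.com/2` after a cross-domain redirect; that reads as credential exposure to an unintended host, so CWE-driven triage will file this record under the wrong class. A label in the family of `CWE-201: Insertion of Sensitive Information Into Sent Data`, which the CVE-2024-45340 record in this same diff uses, looks closer, though the CNA should confirm the choice. This entry also lacks the `"cweId"` key and the `impact`/`cvss` block that the CVE-2024-22315 record carries, and the same holds for the CVE-2024-45339, CVE-2024-45340, CVE-2024-45341 and CVE-2025-22865 records, so severity-based prioritisation needs a fallback for all five.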
@@ -1,18 +1,94 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-45339", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@golang.org", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists." 
} ] - } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-61: UNIX Symbolic Link (Symlink) Following" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "github.com/golang/glog", + "product": { + "product_data": [ + { + "product_name": "github.com/golang/glog", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "0", + "version_value": "1.2.4" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/golang/glog/pull/74/commits/b8741656e406e66d6992bc2c9575e460ecaa0ec2", + "refsource": "MISC", + "name": "https://github.com/golang/glog/pull/74/commits/b8741656e406e66d6992bc2c9575e460ecaa0ec2" + }, + { + "url": "https://github.com/golang/glog/pull/74", + "refsource": "MISC", + "name": "https://github.com/golang/glog/pull/74" + }, + { + "url": "https://groups.google.com/g/golang-announce/c/H-Q4ouHWyKs", + "refsource": "MISC", + "name": "https://groups.google.com/g/golang-announce/c/H-Q4ouHWyKs" + }, + { + "url": "https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File", + "refsource": "MISC", + "name": "https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File" + }, + { + "url": "https://pkg.go.dev/vuln/GO-2025-3372", + "refsource": "MISC", + "name": "https://pkg.go.dev/vuln/GO-2025-3372" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Josh McSavaney" + }, + { + "lang": "en", + "value": "G\u00fcnther Noack" + } + ] } \ No newline at end of file diff --git a/2024/45xxx/CVE-2024-45340.json b/2024/45xxx/CVE-2024-45340.json index 0b665335154..82fc03c5f95 100644 --- a/2024/45xxx/CVE-2024-45340.json +++ b/2024/45xxx/CVE-2024-45340.json 
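Review bot: The CVE-2024-45339 description documents a behaviour change, `glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists`, but gives operators no interim mitigation and does not say that the exit is what they will observe after upgrading. Since the description itself identifies the widely-writable default directory as the precondition, I would add one sentence such as `Configuring a log directory that only the logging process's user can write to avoids the issue.` and note that an unexpected exit with status 2 at startup after the upgrade indicates a pre-existing file at the log path and is worth alerting on. The record has no `impact` block, so the local, privileged-process nature of the issue is only recoverable from the prose.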
@@ -1,18 +1,85 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-45340", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@golang.org", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the users .netrc file." } ] - } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-201: Insertion of Sensitive Information Into Sent Data" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Go toolchain", + "product": { + "product_data": [ + { + "product_name": "cmd/go", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "1.24.0-0", + "version_value": "1.24.0-rc2" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://go.dev/cl/643097", + "refsource": "MISC", + "name": "https://go.dev/cl/643097" + }, + { + "url": "https://go.dev/issue/71249", + "refsource": "MISC", + "name": "https://go.dev/issue/71249" + }, + { + "url": "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ", + "refsource": "MISC", + "name": "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ" + }, + { + "url": "https://pkg.go.dev/vuln/GO-2025-3383", + "refsource": "MISC", + "name": "https://pkg.go.dev/vuln/GO-2025-3383" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": 
"Juho Fors\u00e9n of Mattermost" + } + ] } \ No newline at end of file diff --git a/2024/45xxx/CVE-2024-45341.json b/2024/45xxx/CVE-2024-45341.json index 0016dbe8c6e..ce83fcb9139 100644 --- a/2024/45xxx/CVE-2024-45341.json +++ b/2024/45xxx/CVE-2024-45341.json 
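Review bot: The only range in the CVE-2024-45340 record is `"version_affected": "<"` with `"version_name": "1.24.0-0"` and `"version_value": "1.24.0-rc2"`, so the lower bound lives solely in `version_name`; a scanner that reads just the operator and `version_value` will report every Go toolchain older than 1.24.0-rc2 as affected, even though the description ties the flaw to the new GOAUTH feature. I would state the bound in the description as well, for example `Only Go 1.24 pre-releases before 1.24.0-rc2 are affected.` (derived from the range, to be confirmed by the CNA). The CVE-2025-22865 record uses the same single range, and in the three-range CVE-2024-45336 and CVE-2024-45341 records ignoring `version_name` would mark 1.22.11 and 1.23.5, presumably the fixed releases, as vulnerable through the `< 1.24.0-rc2` entry. Separately, `the users .netrc file` in the description should read `the user's .netrc file`.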
@@ -1,18 +1,100 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-45341", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@golang.org", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs." } ] - } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-295: Improper Certificate Validation" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Go standard library", + "product": { + "product_data": [ + { + "product_name": "crypto/x509", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "0", + "version_value": "1.22.11" + }, + { + "version_affected": "<", + "version_name": "1.23.0-0", + "version_value": "1.23.5" + }, + { + "version_affected": "<", + "version_name": "1.24.0-0", + "version_value": "1.24.0-rc2" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://go.dev/cl/643099", + "refsource": "MISC", + "name": "https://go.dev/cl/643099" + }, + { + "url": "https://go.dev/issue/71156", + "refsource": "MISC", + "name": "https://go.dev/issue/71156" + }, + { + "url": "https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ", + "refsource": "MISC", + "name": "https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ" + }, + 
{ + "url": "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ", + "refsource": "MISC", + "name": "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ" + }, + { + "url": "https://pkg.go.dev/vuln/GO-2025-3373", + "refsource": "MISC", + "name": "https://pkg.go.dev/vuln/GO-2025-3373" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Juho Fors\u00e9n of Mattermost" + } + ] } \ No newline at end of file diff --git a/2025/22xxx/CVE-2025-22865.json b/2025/22xxx/CVE-2025-22865.json index 6e82493c554..d9f765f6030 100644 --- a/2025/22xxx/CVE-2025-22865.json +++ b/2025/22xxx/CVE-2025-22865.json 
@@ -1,18 +1,85 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-22865", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@golang.org", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Using ParsePKCS1PrivateKey to parse a RSA key that is missing the CRT values would panic when verifying that the key is well formed." } ] - } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-228: Improper Handling of Syntactically Invalid Structure" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Go standard library", + "product": { + "product_data": [ + { + "product_name": "crypto/x509", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "1.24.0-0", + "version_value": "1.24.0-rc2" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://go.dev/cl/643098", + "refsource": "MISC", + "name": "https://go.dev/cl/643098" + }, + { + "url": "https://go.dev/issue/71216", + "refsource": "MISC", + "name": "https://go.dev/issue/71216" + }, + { + "url": "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ", + "refsource": "MISC", + "name": "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ" + }, + { + "url": "https://pkg.go.dev/vuln/GO-2025-3421", + "refsource": "MISC", + "name": "https://pkg.go.dev/vuln/GO-2025-3421" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Philippe Antoine (Catena cyber)" + } + ] } \ No newline at end of file