From d9b8164ef70a985c47ba7cbdd259606c43fc1e41 Mon Sep 17 00:00:00 2001
From: CVE Team
Date: Thu, 2 Jul 2020 13:01:28 +0000
Subject: [PATCH] "-Synchronized-Data."
---
 2020/3xxx/CVE-2020-3282.json | 4 +-
 2020/5xxx/CVE-2020-5909.json | 50 +++++++++++++++++--
 2020/5xxx/CVE-2020-5910.json | 50 +++++++++++++++++--
 2020/5xxx/CVE-2020-5911.json | 50 +++++++++++++++++--
 2020/7xxx/CVE-2020-7820.json | 93 +++++++++++++++++++++++++++++++++---
 2020/7xxx/CVE-2020-7821.json | 93 +++++++++++++++++++++++++++++++++---
 2020/9xxx/CVE-2020-9497.json | 50 +++++++++++++++++--
 2020/9xxx/CVE-2020-9498.json | 50 +++++++++++++++++--
 8 files changed, 411 insertions(+), 29 deletions(-)
diff --git a/2020/3xxx/CVE-2020-3282.json b/2020/3xxx/CVE-2020-3282.json
index 7b8ccefd7b2..e38f4548e52 100644
--- a/2020/3xxx/CVE-2020-3282.json
+++ b/2020/3xxx/CVE-2020-3282.json
@@ -36,7 +36,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "\r A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.\r The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information.\r "
+ "value": "A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information."
 }
 ]
 },
@@ -85,4 +85,4 @@
 ],
 "discovery": "INTERNAL"
 }
-}
+}
\ No newline at end of file
diff --git a/2020/5xxx/CVE-2020-5909.json b/2020/5xxx/CVE-2020-5909.json
index f50889da7a8..0256205ac13 100644
--- a/2020/5xxx/CVE-2020-5909.json
+++ b/2020/5xxx/CVE-2020-5909.json
@@ -4,14 +4,58 @@
 "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-5909",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "f5sirt@f5.com",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "n/a",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "NGINX Controller",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "3.0.0-3.5.0, 2.0.0-2.9.0, 1.0.1"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "MITM"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "MISC",
+ "name": "https://support.f5.com/csp/article/K31150658",
+ "url": "https://support.f5.com/csp/article/K31150658"
+ }
+ ]
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified."
 }
 ]
 }
diff --git a/2020/5xxx/CVE-2020-5910.json b/2020/5xxx/CVE-2020-5910.json
index 87c939d5917..e67d4084fcb 100644
--- a/2020/5xxx/CVE-2020-5910.json
+++ b/2020/5xxx/CVE-2020-5910.json
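Review bot: The added `problemtype` value `"MITM"` names an attack technique, not the weakness, so tooling that classifies records by CWE gets nothing usable; the description (the server TLS certificate is not verified when the agent installer is fetched) reads like CWE-295, e.g. `"value": "CWE-295 Improper Certificate Validation"`. The CVE-2020-5910 hunk (`"data leakage"` for what the text describes as unauthenticated NATS access) and the CVE-2020-5911 hunk (`"MITM"` for a package download over HTTP) have the same gap. All three records also set `"vendor_name": "n/a"` although the assigner and reference point to F5, and they pack three ranges into one `version_value` string. A named vendor and one `version_data` entry per range would let scanners match affected NGINX Controller versions reliably.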
@@ -4,14 +4,58 @@
 "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-5910",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "f5sirt@f5.com",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "n/a",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "NGINX Controller",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "3.0.0-3.5.0, 2.0.0-2.9.0, 1.0.1"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "data leakage"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "MISC",
+ "name": "https://support.f5.com/csp/article/K59209532",
+ "url": "https://support.f5.com/csp/article/K59209532"
+ }
+ ]
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized."
 }
 ]
 }
diff --git a/2020/5xxx/CVE-2020-5911.json b/2020/5xxx/CVE-2020-5911.json
index 89ebf126136..e8dd82cd49b 100644
--- a/2020/5xxx/CVE-2020-5911.json
+++ b/2020/5xxx/CVE-2020-5911.json
@@ -4,14 +4,58 @@
 "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-5911",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "f5sirt@f5.com",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "n/a",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "NGINX Controller",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "3.0.0-3.5.0, 2.0.0-2.9.0, 1.0.1"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "MITM"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "MISC",
+ "name": "https://support.f5.com/csp/article/K84084843",
+ "url": "https://support.f5.com/csp/article/K84084843"
+ }
+ ]
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system."
 }
 ]
 }
diff --git a/2020/7xxx/CVE-2020-7820.json b/2020/7xxx/CVE-2020-7820.json
index 4cedfee0af8..e3c8f2b2e56 100644
--- a/2020/7xxx/CVE-2020-7820.json
+++ b/2020/7xxx/CVE-2020-7820.json
@@ -1,18 +1,99 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "ASSIGNER": "vuln@krcert.or.kr",
 "ID": "CVE-2020-7820",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC",
+ "TITLE": "Tobesoft NEXACRO14/17 ExCommonApiV13 Arbitrary Code Execution Vulnerability"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "NEXACRO14/17 ExCommonApiV13",
+ "version": {
+ "version_data": [
+ {
+ "platform": "Windows OS",
+ "version_affected": "<",
+ "version_name": "2019.9.6",
+ "version_value": "2019.9.6"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Tobesoft"
+ }
+ ]
+ }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "Thanks to Joengun Baek for this vulnerability report."
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Nexacro14/17 ExtCommonApiV13 Library under 2019.9.6 version contain a vulnerability that could allow remote attacker to execute arbitrary code by setting the arguments to the vulnerable API. 
This can be leveraged for code execution by rebooting the victim\u2019s PC"
 }
 ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "LOCAL",
+ "availabilityImpact": "HIGH",
+ "baseScore": 7.8,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-20 Improper Input Validation"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "http://support.tobesoft.co.kr/Support/index.html",
+ "name": "http://support.tobesoft.co.kr/Support/index.html"
+ },
+ {
+ "refsource": "CONFIRM",
+ "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35491",
+ "name": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35491"
+ }
+ ]
+ },
+ "source": {
+ "discovery": "EXTERNAL"
 }
 }
\ No newline at end of file
diff --git a/2020/7xxx/CVE-2020-7821.json b/2020/7xxx/CVE-2020-7821.json
index 489c9efa300..b944baca0f7 100644
--- a/2020/7xxx/CVE-2020-7821.json
+++ b/2020/7xxx/CVE-2020-7821.json
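Review bot: The added description says a "remote attacker" can execute arbitrary code, but the added CVSS vector is `CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`, a local attack vector that needs user interaction. One of the two should be corrected, or the description should say how the attack is delivered, so that triage on `attackVector` agrees with the text. The component is spelled `ExCommonApiV13` in `TITLE` and `product_name` but `ExtCommonApiV13` in the description, which defeats product-name matching. The first `CONFIRM` reference is a plain `http://` link to a generic support index rather than an advisory for this issue. The CVE-2020-7821 hunk carries the same three points.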
@@ -1,18 +1,99 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "ASSIGNER": "vuln@krcert.or.kr",
 "ID": "CVE-2020-7821",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC",
+ "TITLE": "Tobesoft NEXACRO14/17 ExCommonApiV13 Arbitrary Code Execution Vulnerability"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "NEXACRO14/17 ExCommonApiV13",
+ "version": {
+ "version_data": [
+ {
+ "platform": "Windows OS",
+ "version_affected": "<",
+ "version_name": "2019.9.6",
+ "version_value": "2019.9.6"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Tobesoft"
+ }
+ ]
+ }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "Thanks to Joengun Baek for this vulnerability report."
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Nexacro14/17 ExtCommonApiV13 Library under 2019.9.6 version contain a vulnerability that could allow remote attacker to execute arbitrary code by modifying the value of registry path. 
This can be leveraged for code execution by rebooting the victim\u2019s PC"
 }
 ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "LOCAL",
+ "availabilityImpact": "HIGH",
+ "baseScore": 7.8,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-20 Improper Input Validation"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "http://support.tobesoft.co.kr/Support/index.html",
+ "name": "http://support.tobesoft.co.kr/Support/index.html"
+ },
+ {
+ "refsource": "CONFIRM",
+ "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35491",
+ "name": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35491"
+ }
+ ]
+ },
+ "source": {
+ "discovery": "EXTERNAL"
 }
 }
\ No newline at end of file
diff --git a/2020/9xxx/CVE-2020-9497.json b/2020/9xxx/CVE-2020-9497.json
index 14b105b09a8..5bd9b7d521f 100644
--- a/2020/9xxx/CVE-2020-9497.json
+++ b/2020/9xxx/CVE-2020-9497.json
@@ -4,14 +4,58 @@
 "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-9497",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@apache.org",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "n/a",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Apache Guacamole",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "Apache Guacamole 1.1.0 and older"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Information Disclosure"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "MISC",
+ "name": "https://lists.apache.org/thread.html/r65f75d3d65d1af68141f42071ebb27dda24af3e45570e593c1dbd81f%40%3Cannounce.guacamole.apache.org%3E",
+ "url": "https://lists.apache.org/thread.html/r65f75d3d65d1af68141f42071ebb27dda24af3e45570e593c1dbd81f%40%3Cannounce.guacamole.apache.org%3E"
+ }
+ ]
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Apache Guacamole 1.1.0 and older do not properly validate datareceived from RDP servers via static virtual channels. If a userconnects to a malicious or compromised RDP server, specially-craftedPDUs could result in disclosure of information within the memory ofthe guacd process handling the connection."
 }
 ]
 }
diff --git a/2020/9xxx/CVE-2020-9498.json b/2020/9xxx/CVE-2020-9498.json
index 36a6c4d3433..f09ab5a886d 100644
--- a/2020/9xxx/CVE-2020-9498.json
+++ b/2020/9xxx/CVE-2020-9498.json
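Review bot: The added description has lost the space at each of its original line wraps (`datareceived`, `userconnects`, `specially-craftedPDUs`, `ofthe`), so keyword searches and text-based matching on this record will miss it; the words should be separated again before publication. The CVE-2020-9498 hunk has the same defect (`inprocessing`, `userconnects`, `ofspecially-crafted`, `possiblyallowing`, `therunning`). Both records also set `"vendor_name": "n/a"` and repeat the product name inside `version_value` (`"Apache Guacamole 1.1.0 and older"`), which weakens automated affected-version matching. A named vendor and a bare version bound, such as `"version_value": "1.1.0 and older"`, would be easier for scanners to consume.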
@@ -4,14 +4,58 @@
 "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-9498",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@apache.org",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "n/a",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Apache Guacamole",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "Apache Guacamole 1.1.0 and older"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Expired Pointer Dereference"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "MISC",
+ "name": "https://lists.apache.org/thread.html/rff824b38ebd2fddc726b816f0e509696b83b9f78979d0cd021ca623b%40%3Cannounce.guacamole.apache.org%3E",
+ "url": "https://lists.apache.org/thread.html/rff824b38ebd2fddc726b816f0e509696b83b9f78979d0cd021ca623b%40%3Cannounce.guacamole.apache.org%3E"
+ }
+ ]
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed with the privileges of therunning guacd process."
 }
 ]
 }