admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-05-08 19:46:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

Auto-merge PR#3212

Browse Source 
Auto-merge PR#3212
This commit is contained in:
CVE Team 2021-10-25 08:25:16 -04:00 committed by GitHub
commit eb033d2291
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 201 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

108
2021/38xxx/CVE-2021-38294.json
View File

@ -1,18 +1,112 @@
{ {
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-38294", "ID": "CVE-2021-38294",
"ASSIGNER": "cve@mitre.org", "STATE": "PUBLIC",
"STATE": "RESERVED" "TITLE": "Shell Command Injection Vulnerability in Nimbus Thrift Server"
}, },
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Storm",
"version": {
"version_data": [
{
"platform": "Non-Windows",
"version_affected": ">=",
"version_name": "Apache Storm",
"version_value": "v1.0.0"
},
{
"version_affected": "<",
"version_name": "Apache Storm",
"version_value": "v1.2.4"
},
{
"version_affected": "<",
"version_name": "Apache Storm",
"version_value": "v2.1.1"
},
{
"version_affected": "<",
"version_name": "Apache Storm",
"version_value": "v2.2.1"
},
{
"version_affected": "<",
"version_name": "Apache Storm",
"version_value": "v2.3.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache Storm would like to thank @pwntester Alvaro Muñoz of the GitHub Security Lab team for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": { "description": {
"description_data": [ "description_data": [
{ {
"lang": "eng", "lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." "value": "A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication. "
} }
] ]
} },
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "high"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://lists.apache.org/thread.html/r5fe881f6ca883908b7a0f005d35115af49f43beea7a8b0915e377859%40%3Cuser.storm.apache.org%3E"
},
{
"refsource": "CONFIRM",
"url": "https://seclists.org/oss-sec/2021/q4/44"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "eng",
"value": "Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0\nApache Storm 2.1.x users should upgrade to version 2.1.1\nApache Storm 1.x users should upgrade to version 1.2.4"
}
]
} }

107
2021/40xxx/CVE-2021-40865.json
View File

@ -1,18 +1,111 @@
{ {
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-40865", "ID": "CVE-2021-40865",
"ASSIGNER": "cve@mitre.org", "STATE": "PUBLIC",
"STATE": "RESERVED" "TITLE": "Unsafe Pre-Authentication Deserialization In Workers"
}, },
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Storm",
"version": {
"version_data": [
{
"version_affected": ">=",
"version_name": "Apache Storm ",
"version_value": "v1.0.0"
},
{
"version_affected": "<",
"version_name": "Apache Storm",
"version_value": "v1.2.4"
},
{
"version_affected": "<",
"version_name": "Apache Storm",
"version_value": "v2.1.1"
},
{
"version_affected": "<",
"version_name": "Apache Storm",
"version_value": "v2.2.1"
},
{
"version_affected": "<",
"version_name": "Apache Storm",
"version_value": "v2.3.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache Storm would like to thank @pwntester Alvaro Muñoz of the GitHub Security Lab team for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": { "description": {
"description_data": [ "description_data": [
{ {
"lang": "eng", "lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." "value": "An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4"
} }
] ]
} },
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "high"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502 Deserialization of Untrusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://lists.apache.org/thread.html/r8d45e74299897b6734dd0f788c46a631009ce2eeb731523386f7a253%40%3Cuser.storm.apache.org%3E"
},
{
"refsource": "CONFIRM",
"url": "https://seclists.org/oss-sec/2021/q4/45"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "eng",
"value": "Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0\nApache Storm 2.1.x users should upgrade to version 2.1.1\nApache Storm 1.x users should upgrade to version 1.2.4"
}
]
} }