diff --git a/2010/2xxx/CVE-2010-2496.json b/2010/2xxx/CVE-2010-2496.json index 25eb570bb8c..645c79e70aa 100644 --- a/2010/2xxx/CVE-2010-2496.json +++ b/2010/2xxx/CVE-2010-2496.json @@ -1,17 +1,61 @@ { - "CVE_data_meta": { - "ASSIGNER": "cve@mitre.org", - "ID": "CVE-2010-2496", - "STATE": "RESERVED" - }, - "data_format": "MITRE", "data_type": "CVE", + "data_format": "MITRE", "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2010-2496", + "ASSIGNER": "secalert@redhat.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2010-2496", + "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2010-2496" + } + ] + }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to passwords of the HA stack and potentially influence its operations. This is fixed in cluster-glue 1.0.6 and newer, and pacemaker 1.1.3 and newer." } ] } diff --git a/2020/8xxx/CVE-2020-8291.json b/2020/8xxx/CVE-2020-8291.json index 1da8d823ef3..177f9c40a83 100644 --- a/2020/8xxx/CVE-2020-8291.json +++ b/2020/8xxx/CVE-2020-8291.json @@ -4,14 +4,58 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-8291", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "support@hackerone.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "n/a", + "product": { + "product_data": [ + { + "product_name": "Rocket.Chat server", + "version": { + "version_data": [ + { + "version_value": "Fixed versions: 3.10, 3.9.4, 3.8.5" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross-site Scripting (XSS) - Stored (CWE-79)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://github.com/RocketChat/Rocket.Chat/pull/19854", + "url": "https://github.com/RocketChat/Rocket.Chat/pull/19854" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A link preview rendering issue in Rocket.Chat versions before 3.9 could lead to potential XSS attacks." } ] } diff --git a/2020/8xxx/CVE-2020-8908.json b/2020/8xxx/CVE-2020-8908.json index 6dfdec084d7..1e1268a80bc 100644 --- a/2020/8xxx/CVE-2020-8908.json +++ b/2020/8xxx/CVE-2020-8908.json @@ -196,6 +196,61 @@ "refsource": "MLIST", "name": "[hadoop-yarn-issues] 20211018 [jira] [Created] (YARN-10980) fix CVE-2020-8908", "url": "https://lists.apache.org/thread.html/re120f6b3d2f8222121080342c5801fdafca2f5188ceeb3b49c8a1d27@%3Cyarn-issues.hadoop.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[hadoop-yarn-dev] 20211018 [jira] [Resolved] (YARN-10980) fix CVE-2020-8908", + "url": "https://lists.apache.org/thread.html/r49549a8322f62cd3acfa4490d25bfba0be04f3f9ff4d14fe36199d27@%3Cyarn-dev.hadoop.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[hive-dev] 20211018 [jira] [Created] (HIVE-25617) fix CVE-2020-8908", + "url": "https://lists.apache.org/thread.html/rcafc3a637d82bdc9a24036b2ddcad1e519dd0e6f848fcc3d606fd78f@%3Cdev.hive.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[hadoop-common-issues] 20211018 [GitHub] [hadoop] lujiefsi edited a comment on pull request #3561: YARN-10980:fix CVE-2020-8908", + "url": "https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f66aad14a4b52819d21@%3Ccommon-issues.hadoop.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[geode-issues] 20211018 [jira] [Updated] (GEODE-9744) fix CVE-2020-8908", + "url": "https://lists.apache.org/thread.html/reebbd63c25bc1a946caa419cec2be78079f8449d1af48e52d47c9e85@%3Cissues.geode.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[hive-issues] 20211018 [jira] [Updated] (HIVE-25617) fix CVE-2020-8908", + "url": "https://lists.apache.org/thread.html/r79e47ed555bdb1180e528420a7a2bb898541367a29a3bc6bbf0baf2c@%3Cissues.hive.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[hive-issues] 20211018 [jira] [Work logged] (HIVE-25617) fix CVE-2020-8908", + "url": "https://lists.apache.org/thread.html/rd2704306ec729ccac726e50339b8a8f079515cc29ccb77713b16e7c5@%3Cissues.hive.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[hadoop-yarn-issues] 20211018 [jira] [Comment Edited] (YARN-10980) fix CVE-2020-8908", + "url": "https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817db6bfcc41c6e04e199@%3Cyarn-issues.hadoop.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[hadoop-yarn-issues] 20211018 [jira] [Resolved] (YARN-10980) fix CVE-2020-8908", + "url": "https://lists.apache.org/thread.html/r7b0e81d8367264d6cad98766a469d64d11248eb654417809bfdacf09@%3Cyarn-issues.hadoop.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[hive-gitbox] 20211018 [GitHub] [hive] lujiefsi opened a new pull request #2725: HIVE-25617:fix CVE-2020-8908", + "url": "https://lists.apache.org/thread.html/rb2364f4cf4d274eab5a7ecfaf64bf575cedf8b0173551997c749d322@%3Cgitbox.hive.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[hadoop-yarn-issues] 20211018 [jira] [Commented] (YARN-10980) fix CVE-2020-8908", + "url": "https://lists.apache.org/thread.html/r294be9d31c0312d2c0837087204b5d4bf49d0552890e6eec716fa6a6@%3Cyarn-issues.hadoop.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[geode-issues] 20211018 [jira] [Created] (GEODE-9744) fix CVE-2020-8908", + "url": "https://lists.apache.org/thread.html/rf9f0fa84b8ae1a285f0210bafec6de2a9eba083007d04640b82aa625@%3Cissues.geode.apache.org%3E" } ] }, diff --git a/2021/21xxx/CVE-2021-21796.json b/2021/21xxx/CVE-2021-21796.json index 15aed10a0ce..4ceb9ab3ce8 100644 --- a/2021/21xxx/CVE-2021-21796.json +++ b/2021/21xxx/CVE-2021-21796.json @@ -4,14 +4,58 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-21796", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "talos-cna@cisco.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "n/a", + "product": { + "product_data": [ + { + "product_name": "Nitro Pro", + "version": { + "version_data": [ + { + "version_value": "Nitro Pro 13.31.0.605,Nitro Pro 13.33.2.645" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "use-after-free" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1265", + "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1265" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An exploitable use-after-free vulnerability exists in the JavaScript implementation of Nitro Pro PDF. A specially crafted document can cause an object containing the path to a document to be destroyed and then later reused, resulting in a use-after-free vulnerability, which can lead to code execution under the context of the application. An attacker can convince a user to open a document to trigger this vulnerability." } ] } diff --git a/2021/21xxx/CVE-2021-21797.json b/2021/21xxx/CVE-2021-21797.json index 042af0410be..0b2969b0229 100644 --- a/2021/21xxx/CVE-2021-21797.json +++ b/2021/21xxx/CVE-2021-21797.json @@ -4,14 +4,58 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-21797", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "talos-cna@cisco.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "n/a", + "product": { + "product_data": [ + { + "product_name": "Nitro Pro", + "version": { + "version_data": [ + { + "version_value": "Nitro Pro 13.31.0.605 ,Nitro Pro 13.33.2.645" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "double-free" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1266", + "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1266" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An exploitable double-free vulnerability exists in the JavaScript implementation of Nitro Pro PDF. A specially crafted document can cause a reference to a timeout object to be stored in two different places. When closed, the document will result in the reference being released twice. This can lead to code execution under the context of the application. An attacker can convince a user to open a document to trigger this vulnerability." } ] } diff --git a/2021/22xxx/CVE-2021-22942.json b/2021/22xxx/CVE-2021-22942.json index 6c1dd720a90..7b6b7739350 100644 --- a/2021/22xxx/CVE-2021-22942.json +++ b/2021/22xxx/CVE-2021-22942.json @@ -4,14 +4,58 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-22942", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "support@hackerone.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "n/a", + "product": { + "product_data": [ + { + "product_name": "https://github.com/rails/rails", + "version": { + "version_data": [ + { + "version_value": "6.1.4.1, 6.0.4.1" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Open Redirect (CWE-601)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/", + "url": "https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website." } ] } diff --git a/2021/22xxx/CVE-2021-22961.json b/2021/22xxx/CVE-2021-22961.json index b1270e81303..9f1214157ce 100644 --- a/2021/22xxx/CVE-2021-22961.json +++ b/2021/22xxx/CVE-2021-22961.json @@ -4,14 +4,58 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-22961", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "support@hackerone.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "n/a", + "product": { + "product_data": [ + { + "product_name": "GlassWire ", + "version": { + "version_data": [ + { + "version_value": "Fixed version 2.3.335" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Code Injection (CWE-94)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://hackerone.com/reports/1193641", + "url": "https://hackerone.com/reports/1193641" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A code injection vulnerability exists within the firewall software of GlassWire v2.1.167 that could lead to arbitrary code execution from a file in the user path on first execution." } ] } diff --git a/2021/33xxx/CVE-2021-33023.json b/2021/33xxx/CVE-2021-33023.json index b41df206097..f9727e681ae 100644 --- a/2021/33xxx/CVE-2021-33023.json +++ b/2021/33xxx/CVE-2021-33023.json @@ -1,18 +1,101 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "ics-cert@hq.dhs.gov", + "DATE_PUBLIC": "2021-10-12T19:15:00.000Z", "ID": "CVE-2021-33023", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Advantech WebAccess" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "WebAccess", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "All", + "version_value": "9.02" + } + ] + } + } + ] + }, + "vendor_name": "Advantech" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Natnael Samson, @NattiSamson, working with Trend Micro\u2019s Zero Day Initiative, reported these vulnerabilities to CISA." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Advantech WebAccess versions 9.02 and prior are vulnerable to a heap-based buffer overflow, which may allow an attacker to remotely execute code." } ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 9.8, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "HEAP-BASED BUFFER OVERFLOW CWE-122" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-285-02", + "name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-285-02" + } + ] + }, + "solution": [ + { + "lang": "eng", + "value": "In order to address the heap-based buffer overflow vulnerability, Advantech recommends users directly add the remote access code to avoid being attacked by unknown requests. This is the remote access code established during installation of the Advantech WebAccess SCADA software (SCADA node, project node, or OPC Service) on the OPC Server computer. The access code you enter here must match the remote access code established during installation on the OPC Server. This prevents unauthorized users from accessing the OPC Server data using the Advantech WebAccess SCADA OPC Service.\n\nIf you have forgotten the remote access code using during software installation on the OPC Server node, you have two options:\n\nRe-install the Advantech WebAccess SCADA software on the OPC Server node to change it and edit it to match in your database.\nEdit the BWSERVER.INI file on the OPC Server node and edit it to match in your database using UPDATE." + } + ], + "source": { + "advisory": "ICSA-21-285-02", + "discovery": "UNKNOWN" } } \ No newline at end of file diff --git a/2021/38xxx/CVE-2021-38389.json b/2021/38xxx/CVE-2021-38389.json index 2a8407f4de2..70b38423b32 100644 --- a/2021/38xxx/CVE-2021-38389.json +++ b/2021/38xxx/CVE-2021-38389.json @@ -1,18 +1,101 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "ics-cert@hq.dhs.gov", + "DATE_PUBLIC": "2021-10-12T19:15:00.000Z", "ID": "CVE-2021-38389", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Advantech WebAccess" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "WebAccess", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "All", + "version_value": "9.02" + } + ] + } + } + ] + }, + "vendor_name": "Advantech" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Natnael Samson, @NattiSamson, working with Trend Micro\u2019s Zero Day Initiative, reported these vulnerabilities to CISA." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Advantech WebAccess versions 9.02 and prior are vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute code." } ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 9.8, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "STACK-BASED BUFFER OVERFLOW CWE-121" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-285-02", + "name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-285-02" + } + ] + }, + "solution": [ + { + "lang": "eng", + "value": "Advantech has released Version 9.1.1 to address the stack-based buffer overflow vulnerability." + } + ], + "source": { + "advisory": "ICSA-21-285-02", + "discovery": "UNKNOWN" } } \ No newline at end of file diff --git a/2021/38xxx/CVE-2021-38426.json b/2021/38xxx/CVE-2021-38426.json index 6a78ebe4fd7..fef5dc0a306 100644 --- a/2021/38xxx/CVE-2021-38426.json +++ b/2021/38xxx/CVE-2021-38426.json @@ -1,18 +1,101 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "ics-cert@hq.dhs.gov", + "DATE_PUBLIC": "2021-10-07T18:22:00.000Z", "ID": "CVE-2021-38426", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "FATEK Automation WinProladder" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "WinProladder", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "All", + "version_value": "3.30" + } + ] + } + } + ] + }, + "vendor_name": "FATEK Automation" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "xina1i and Natnael Samson (@NattiSamson), working with Trend Micro\u2019s Zero Day Initiative, reported these vulnerabilities to CISA." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "FATEK Automation WinProladder versions 3.30 and prior lacks proper validation of user-supplied data when parsing project files, which could result in an out-of-bounds write. An attacker could leverage this vulnerability to execute arbitrary code." } ] - } + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "OUT-OF-BOUNDS WRITE CWE-787" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-280-06", + "name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-280-06" + } + ] + }, + "source": { + "advisory": "ICSA-21-280-06", + "discovery": "UNKNOWN" + }, + "work_around": [ + { + "lang": "eng", + "value": "FATEK Automation has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of these affected products are invited to contact FATEK customer support for additional information." + } + ] } \ No newline at end of file diff --git a/2021/38xxx/CVE-2021-38430.json b/2021/38xxx/CVE-2021-38430.json index a01d2fb5721..891759fa5db 100644 --- a/2021/38xxx/CVE-2021-38430.json +++ b/2021/38xxx/CVE-2021-38430.json @@ -1,18 +1,101 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "ics-cert@hq.dhs.gov", + "DATE_PUBLIC": "2021-10-07T18:22:00.000Z", "ID": "CVE-2021-38430", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "FATEK Automation WinProladder" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "WinProladder", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "All", + "version_value": "3.30" + } + ] + } + } + ] + }, + "vendor_name": "FATEK Automation" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "xina1i and Natnael Samson (@NattiSamson), working with Trend Micro\u2019s Zero Day Initiative, reported these vulnerabilities to CISA." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "FATEK Automation WinProladder versions 3.30 and prior proper validation of user-supplied data when parsing project files, which could result in a stack-based buffer overflow. An attacker could leverage this vulnerability to execute arbitrary code." } ] - } + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "STACK-BASED BUFFER OVERFLOW CWE-121" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-280-06", + "name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-280-06" + } + ] + }, + "source": { + "advisory": "ICSA-21-280-06", + "discovery": "UNKNOWN" + }, + "work_around": [ + { + "lang": "eng", + "value": "FATEK Automation has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of these affected products are invited to contact FATEK customer support for additional information." + } + ] } \ No newline at end of file diff --git a/2021/38xxx/CVE-2021-38434.json b/2021/38xxx/CVE-2021-38434.json index 180261bd88f..8a366c55dde 100644 --- a/2021/38xxx/CVE-2021-38434.json +++ b/2021/38xxx/CVE-2021-38434.json @@ -1,18 +1,101 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "ics-cert@hq.dhs.gov", + "DATE_PUBLIC": "2021-10-07T18:22:00.000Z", "ID": "CVE-2021-38434", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "FATEK Automation WinProladder" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "WinProladder", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "All", + "version_value": "3.30" + } + ] + } + } + ] + }, + "vendor_name": "FATEK Automation" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "xina1i and Natnael Samson (@NattiSamson), working with Trend Micro\u2019s Zero Day Initiative, reported these vulnerabilities to CISA." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "FATEK Automation WinProladder versions 3.30 and prior lacks proper validation of user-supplied data when parsing project files, which could result in an unexpected sign extension. An attacker could leverage this vulnerability to execute arbitrary code." } ] - } + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "UNEXPECTED SIGN EXTENSION CWE-194" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-280-06", + "name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-280-06" + } + ] + }, + "source": { + "advisory": "ICSA-21-280-06", + "discovery": "UNKNOWN" + }, + "work_around": [ + { + "lang": "eng", + "value": "FATEK Automation has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of these affected products are invited to contact FATEK customer support for additional information." + } + ] } \ No newline at end of file diff --git a/2021/38xxx/CVE-2021-38436.json b/2021/38xxx/CVE-2021-38436.json index e17895297b1..31cef969933 100644 --- a/2021/38xxx/CVE-2021-38436.json +++ b/2021/38xxx/CVE-2021-38436.json @@ -1,18 +1,101 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "ics-cert@hq.dhs.gov", + "DATE_PUBLIC": "2021-10-07T18:22:00.000Z", "ID": "CVE-2021-38436", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "FATEK Automation WinProladder" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "WinProladder", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "All", + "version_value": "3.30" + } + ] + } + } + ] + }, + "vendor_name": "FATEK Automation" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "xina1i and Natnael Samson (@NattiSamson), working with Trend Micro\u2019s Zero Day Initiative, reported these vulnerabilities to CISA." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "FATEK Automation WinProladder versions 3.30 and prior lacks proper validation of user-supplied data when parsing project files, which could result in a memory-corruption condition. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process." } ] - } + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-280-06", + "name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-280-06" + } + ] + }, + "source": { + "advisory": "ICSA-21-280-06", + "discovery": "UNKNOWN" + }, + "work_around": [ + { + "lang": "eng", + "value": "FATEK Automation has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of these affected products are invited to contact FATEK customer support for additional information." + } + ] } \ No newline at end of file diff --git a/2021/38xxx/CVE-2021-38438.json b/2021/38xxx/CVE-2021-38438.json index bca9b2bf786..209932acdf3 100644 --- a/2021/38xxx/CVE-2021-38438.json +++ b/2021/38xxx/CVE-2021-38438.json @@ -1,18 +1,101 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "ics-cert@hq.dhs.gov", + "DATE_PUBLIC": "2021-10-07T18:22:00.000Z", "ID": "CVE-2021-38438", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "FATEK Automation WinProladder" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "WinProladder", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "All", + "version_value": "3.30" + } + ] + } + } + ] + }, + "vendor_name": "FATEK Automation" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "xina1i and Natnael Samson (@NattiSamson), working with Trend Micro\u2019s Zero Day Initiative, reported these vulnerabilities to CISA." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A use after free vulnerability in FATEK Automation WinProladder versions 3.30 and prior may be exploited when a valid user opens a malformed project file, which may allow arbitrary code execution." } ] - } + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "USE AFTER FREE CWE-416" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-280-06", + "name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-280-06" + } + ] + }, + "source": { + "advisory": "ICSA-21-280-06", + "discovery": "UNKNOWN" + }, + "work_around": [ + { + "lang": "eng", + "value": "FATEK Automation has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of these affected products are invited to contact FATEK customer support for additional information." + } + ] } \ No newline at end of file diff --git a/2021/38xxx/CVE-2021-38440.json b/2021/38xxx/CVE-2021-38440.json index 4f82cb22e80..d0ede2beb12 100644 --- a/2021/38xxx/CVE-2021-38440.json +++ b/2021/38xxx/CVE-2021-38440.json @@ -1,18 +1,101 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "ics-cert@hq.dhs.gov", + "DATE_PUBLIC": "2021-10-07T18:22:00.000Z", "ID": "CVE-2021-38440", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "FATEK Automation WinProladder" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "WinProladder", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "All", + "version_value": "3.30" + } + ] + } + } + ] + }, + "vendor_name": "FATEK Automation" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "xina1i and Natnael Samson (@NattiSamson), working with Trend Micro\u2019s Zero Day Initiative, reported these vulnerabilities to CISA." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "FATEK Automation WinProladder versions 3.30 and prior is vulnerable to an out-of-bounds read, which may allow an attacker to read unauthorized information." } ] - } + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 3.3, + "baseSeverity": "LOW", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "OUT-OF-BOUNDS READ CWE-125" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-280-06", + "name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-280-06" + } + ] + }, + "source": { + "advisory": "ICSA-21-280-06", + "discovery": "UNKNOWN" + }, + "work_around": [ + { + "lang": "eng", + "value": "FATEK Automation has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of these affected products are invited to contact FATEK customer support for additional information." + } + ] } \ No newline at end of file diff --git a/2021/38xxx/CVE-2021-38442.json b/2021/38xxx/CVE-2021-38442.json index 5ded5cf7c73..26cbab0e0be 100644 --- a/2021/38xxx/CVE-2021-38442.json +++ b/2021/38xxx/CVE-2021-38442.json @@ -1,18 +1,101 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "ics-cert@hq.dhs.gov", + "DATE_PUBLIC": "2021-10-07T18:22:00.000Z", "ID": "CVE-2021-38442", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "FATEK Automation WinProladder" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "WinProladder", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "All", + "version_value": "3.30" + } + ] + } + } + ] + }, + "vendor_name": "FATEK Automation" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "xina1i and Natnael Samson (@NattiSamson), working with Trend Micro\u2019s Zero Day Initiative, reported these vulnerabilities to CISA." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "FATEK Automation WinProladder versions 3.30 and prior lacks proper validation of user-supplied data when parsing project files, which could result in a heap-corruption condition. An attacker could leverage this vulnerability to execute code in the context of the current process." } ] - } + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-280-06", + "name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-280-06" + } + ] + }, + "source": { + "advisory": "ICSA-21-280-06", + "discovery": "UNKNOWN" + }, + "work_around": [ + { + "lang": "eng", + "value": "FATEK Automation has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of these affected products are invited to contact FATEK customer support for additional information." + } + ] } \ No newline at end of file